Re: Nimda?

2001-09-26 Thread Silviu Cojocaru

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Tuesday, September 25, 2001 at 7:00:33 PM ,
Roelof Otten wrote about "Nimda?":

> Since it's coming from dialup11.assist.ro it
> seems likely that it's gone wrong there or at
> Silviu's.

Sorry for the confusion this has caused, actually
nothing happened here either. That e-mail was
created on September 21st, and I meant to send it
that very day (of course). Some problems came up,
and I got back to my computer on the 25th. I
forgot about this mail being in the send queue so
it got sent.

Once again, sorry for the confusion.

- --
Earth first!  We'll strip-mine the other planets later.
__
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE7sfxv8WBGNj3ut+0RAuivAJ921BoypLupD81zpgMUfxaMVB0L6ACfSkUi
3QTfxjycBOGnpx2vbCimH9U=
=4yOa
-END PGP SIGNATURE-


-- 
__
Archives   : http://tbtech.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
Unsubscribe: mailto:[EMAIL PROTECTED]
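
Added example, not part of any list member's post: the `Date:` and `Received:` values quoted further down this thread, replayed as a hop-by-hop timeline in Python. The header block is a constructed sample built from those quoted values (the `for` clauses and the two topmost hops, whose time zones are cut off in the archive, are left out); the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: values copied from the trace quoted in this thread.
# Continuation lines start with a tab, as folded headers do on the wire.
RAW = (
    "Received: from localhost ([127.0.0.1] helo=thebat.dutaint.com)\n"
    "\tby home.worldless.net with esmtp (Exim 3.33 #2001)\n"
    "\tid 15lsIW-w2-00; Tue, 25 Sep 2001 20:30:52 +0700\n"
    "Received: from relay.assist.ro ([194.102.130.2] helo=users.assist.ro)\n"
    "\tby home.worldless.net with esmtp (Exim 3.33 #2001)\n"
    "\tid 15lsIT-vw-00; Tue, 25 Sep 2001 20:30:50 +0700\n"
    "Received: from dialup11.assist.ro (dialup11.assist.ro [194.102.130.43])\n"
    "\tby users.assist.ro (8.11.1/8.9.3) with ESMTP id f8PDcoU00923;\n"
    "\tTue, 25 Sep 2001 16:38:51 +0300\n"
    "Date: Fri, 21 Sep 2001 14:29:18 +0300\n"
    "Subject: Re: Nimda?\n"
    "\n"
    "body\n"
)


def hop_name(received):
    """Return the host in the 'by <host>' clause, i.e. the server that stamped it."""
    match = re.search(r"\bby\s+(\S+)", received)
    return match.group(1) if match else "unknown"


def timeline(raw):
    """Oldest-first list of (who, timezone-aware datetime) for one message."""
    msg = message_from_string(raw)
    # Date: is written by the sender's mail client when the mail is composed.
    events = [("Date: (sender's client)", parsedate_to_datetime(msg["Date"]))]
    # Each relay prepends its Received: line, so the header order is newest
    # first; reverse it to walk the path in the order the mail travelled.
    for received in reversed(msg.get_all("Received", [])):
        stamp = received.rsplit(";", 1)[1].strip()
        events.append((hop_name(received), parsedate_to_datetime(stamp)))
    return events


def delays(raw):
    """(from, to, timedelta) for every leg of the path."""
    events = timeline(raw)
    return [(a[0], b[0], b[1] - a[1]) for a, b in zip(events, events[1:])]


def slowest_leg(raw):
    """The leg on which the message spent the most time."""
    return max(delays(raw), key=lambda leg: leg[2])


if __name__ == "__main__":
    for src, dst, delta in delays(RAW):
        print(f"{src:28} -> {dst:20} {delta}")
    print("longest wait:", slowest_leg(RAW))
```

The four-day gap lies between the client's `Date:` stamp and the first relay, which fits the send-queue explanation above. The negative eight-minute leg between users.assist.ro and home.worldless.net comes from unsynchronised server clocks, so small or negative legs should not be over-read.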




Re: Nimda?

2001-09-25 Thread David van Zuijlekom

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Dierk,

On Tuesday, September 25, 2001 at 18:48:39 +0200, Dierk Haasis [DH]
wrote concerning 'Nimda?':

DH> What happened here? I've seen the message some days ago. And here
DH> it comes again ...

I didn't receive this message until today.

- --
Best regards,
 David

** D)inner not ready:  (A)bort (R)etry (P)izza **

[TB! 1.54 Beta/9] [Windows NT 5.0 Build 2195 Service Pack 2]
 [Running on a Celeron 633@874 256 Mb RAM]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt Build 06
Comment: PGPKeys: mailto:[EMAIL PROTECTED]?subject=send_PGP_key

iQA/AwUBO7C4n1K9yf5+yp9NEQKrqgCg3XiHDNCBmhPbJvgqR1UfhCEALdsAniRK
Jsos9bt8ZfRc+rF473A/TNFO
=p9Wn
-END PGP SIGNATURE-






Re: Nimda?

2001-09-25 Thread Marck D Pearlstone

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Dierk,

On 25 September 2001 at  18:48:39 +0200 (which was 17:48 where I live)
Dierk Haasis wrote to Silviu Cojocaru and made these points:

>> Received: from relay.assist.ro ([194.102.130.2] helo=users.assist.ro)
>> by home.worldless.net with esmtp (Exim 3.33 #2001)
>> id 15lsIT-vw-00
>> for [EMAIL PROTECTED]; Tue, 25 Sep 2001 20:30:50 +0700

DH> Where has it gone awry, at Silviu's or at DUTAINT?

According to the line above, Silviu's.

- --
Cheers -- .\\arck D. Pearlstone -- List moderator and fellow end user
 ~~~
\ BrainStorm - free thinking - www: http://www.brainstormsw.com /
 \ PGP Key ID: 0x929DCDA0  |  www: http://www.silverstones.com /
.
TB! v1.54 Beta/9-14F4B4B2 on Windows NT 5.0.2195 Service Pack 2
.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: GPG Sealed for freshness

iD8DBQE7sLuLOeQkq5KdzaARAtKLAJsEmaGBMAE5vsehJO63jwwjHr6mPwCdF5ct
1bXunIyzQTVUb1o/6wAbi4s=
=Uu/7
-END PGP SIGNATURE-







Re: Nimda?

2001-09-25 Thread Roelof Otten

Hello Dierk,

>> Received: from relay.assist.ro ([194.102.130.2] helo=users.assist.ro)
>> by home.worldless.net with esmtp (Exim 3.33 #2001)
>> id 15lsIT-vw-00
>> for [EMAIL PROTECTED]; Tue, 25 Sep 2001 20:30:50 +0700
>> Received: from dialup11.assist.ro (dialup11.assist.ro [194.102.130.43])
>> by users.assist.ro (8.11.1/8.9.3) with ESMTP id f8PDcoU00923
>> for <[EMAIL PROTECTED]>; Tue, 25 Sep 2001 16:38:51 +0300

DH> What happened here? I've seen the message some days ago. And here it
DH> comes again ...

DH> Where has it gone awry, at Silviu's or at DUTAINT?

Since it's coming from dialup11.assist.ro it seems likely that it's
gone wrong there or at Silviu's.


-- 
Regards, Roelof






Re: Nimda?

2001-09-25 Thread Dierk Haasis

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Silviu!

On Friday, September 21, 2001 at 1:29:18 PM you wrote:

> Return-Path: <[EMAIL PROTECTED]>
> X-Flags: 
> Delivered-To: GMX delivery to [EMAIL PROTECTED]
> Received: (qmail 23097 invoked by uid 0); 25 Sep 2001 13:39:29 -
> Received: from home.worldless.net (203.130.233.9)
>   by mx0.gmx.net (mx003-rz3) with SMTP; 25 Sep 2001 13:39:29 -
> Received: from localhost ([127.0.0.1] helo=thebat.dutaint.com)
> by home.worldless.net with esmtp (Exim 3.33 #2001)
> id 15lsIW-w2-00; Tue, 25 Sep 2001 20:30:52 +0700
> Received: from relay.assist.ro ([194.102.130.2] helo=users.assist.ro)
> by home.worldless.net with esmtp (Exim 3.33 #2001)
> id 15lsIT-vw-00
> for [EMAIL PROTECTED]; Tue, 25 Sep 2001 20:30:50 +0700
> Received: from dialup11.assist.ro (dialup11.assist.ro [194.102.130.43])
> by users.assist.ro (8.11.1/8.9.3) with ESMTP id f8PDcoU00923
> for <[EMAIL PROTECTED]>; Tue, 25 Sep 2001 16:38:51 +0300
> Date: Fri, 21 Sep 2001 14:29:18 +0300
> From: Silviu Cojocaru <[EMAIL PROTECTED]>
> X-Mailer: The Bat! (v1.54 Beta/8) Personal
> Organization: S.C. Cezarom S.R.L.
> X-Priority: 3 (Normal)
> Message-ID: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Nimda?
> In-Reply-To: <[EMAIL PROTECTED]>
> References: <[EMAIL PROTECTED]>
>  <[EMAIL PROTECTED]>
>  <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Precedence: bulk
> Reply-To: [EMAIL PROTECTED]
> List-help: <mailto:[EMAIL PROTECTED]?Subject=help>
> List-unsubscribe: <mailto:[EMAIL PROTECTED]>
> X-ID: The Bat! Advance Technical Discussion List 
> Mailing-List: contact [EMAIL PROTECTED]
> X-Modified-Forwards: 1A.inbox

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1

> Wednesday, September 19, 2001 at 2:29:05 PM ,
> Marck D Pearlstone wrote about "Nimda?":

>> I think that was a linguistic confusion - protected: yes it is,
>> vulnerable: no it is not.

> Hah right on Marck :)

What happened here? I've seen the message some days ago. And here it
comes again ...

Where has it gone awry, at Silviu's or at DUTAINT?

- --
Dierk Haasis
http://www.Write4U.de

PGP keys available: mailto:[EMAIL PROTECTED]?Subject=SendMyPGPkeys

The Bat 1.54 Beta/9 on Windows 95 4.0 1212 C

When you realize you've made a mistake, take immediate steps to
correct it.

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt
Comment: Privacy is the core element to Freedom!

iQA/AwUBO7CnWfTo1oA8g8dLEQKTxQCcDcTYr+Rk6PtNP1Bjbsq8t7ds1PMAniWG
CzoUTbv/AAME/xnjLVo3XLyj
=NVeS
-END PGP SIGNATURE-






Re: Nimda?

2001-09-25 Thread Silviu Cojocaru

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wednesday, September 19, 2001 at 2:29:05 PM ,
Marck D Pearlstone wrote about "Nimda?":

> I think that was a linguistic confusion - protected: yes it is,
> vulnerable: no it is not.

Hah right on Marck :)

- --
"This is Microsoft technical support.  How may I misinform you?"
__
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE7qySP8WBGNj3ut+0RAsTIAKDBF3iGiTKybY8jzOEcQ/ETEYdMJACfeK93
vcZV6MNYBQjrcWneLDbFP1E=
=BdBD
-END PGP SIGNATURE-






Re: Nimda?

2001-09-25 Thread Silviu Cojocaru

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wednesday, September 19, 2001 at 2:25:06 PM ,
Douglas Hinds wrote about "Nimda?":

> I assume that none of these are virus related. Is that assumption
> valid?

Yep. It should. Some old dos programs/games used readme.exe's to
make reading of their help files easier since one may have had or
may not have had a shell program (like NC) equipped with a
viewer.

- --
Monkeynoodle: It's what's for dinner!
__
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE7qyQ78WBGNj3ut+0RAt9JAJ4umriW0Vq6PANBp3Cgw3eo0sHJRACg1R3z
oaxt1feOBGjtq2zNpO+T93c=
=jxss
-END PGP SIGNATURE-






Re: Nimda?

2001-09-20 Thread Peter Palmreuther

Hello Dwight,

On Wednesday, September 19, 2001 at 8:59:41 PM you wrote (at least in part):

DAC> both that signature and yours show up as invalid here

OK ... one nice aspect on S/MIME is: you sometimes get a reason why the
cert/sig is invalid, is _anybody_ able to copy/paste this reason???

I got _all_ S/MIME-sigs shown valid ...

To see the reason why it's shown invalid "double click" the icon "Invalid
Signature" and press the "View" button lower left in the opening window.

The "Invalidity reason" is shown then in the second line after this text:
"S/MIME Certificate Information"

Thx Pit

-- 
Regards
Peter Palmreuther  mailto:[EMAIL PROTECTED]
(The Bat! v1.54 Beta/9 on Windows NT 5.0 Build 2195 Service Pack 2)

Beyond good and evil lies North Dakota.






Re: Nimda?

2001-09-20 Thread Dierk Haasis

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Douglas!

On Wednesday, September 19, 2001 at 10:49:33 PM you wrote:

> I found 3 readme.exe files on my system, from 1994 & 1996, 2 are 8
> kb & seem to be mouse related, the other (the oldest) is 169 kb & is in
> the operating system's main directory.

> I assume that none of these are virus related. Is that assumption
> valid?

IME one can't rely on dates, there are a lot of ways to manipulate
them, some of them bugs in Win9x itself.

The question is, why should there be an executable Readme?

I use two things before discarding or deleting files I don't know of.
First I run a virus check with the newest definitions (F-Secure). If
that doesn't come up with anything I look at the file in a hex editor,
searching for telltale readable "code" in the ASCII portion.

This way I found the last big threat - this malware bringing with it
its own SMTP server - because I saw a call for the DUN.

When this doesn't bring up anything, I move the file to another hard
drive into a directory designated for superfluous/deletable files.
After a few days or weeks without trouble I delete these files.

Hope that helps.




- --
Dierk Haasis
http://www.Write4U.de

PGP keys available: mailto:[EMAIL PROTECTED]?Subject=SendMyPGPkeys

The Bat 1.54 Beta/9 on Windows 95 4.0 1212 C

Dreaming costs nothing.

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt
Comment: Privacy is the core element to Freedom!

iQA/AwUBO6mTifTo1oA8g8dLEQKCMwCgw5RY3fkSgpQgikWdC5eeTd6TAbYAoLTR
a9qVYK3003POk+LkVciwV8rp
=RgLW
-END PGP SIGNATURE-






Re[2]: Nimda?

2001-09-20 Thread Jernej Simončič

Hello Douglas,

19. september 2001, 22:49:33, you wrote:

DH> I found 3 readme.exe files on my system, from 1994 & 1996, 2 are 8
DH> kb & seem to be mouse related, the other (the oldest) is 169 kb & is in
DH> the operating system's main directory.

DH> I assume that none of these are virus related. Is that assumption
DH> valid?

Yes, a lot of old programs had their documentation in README.EXE, to
make it easier (or harder?) for user to browse it...

-- 
Jernej Simoncic, [EMAIL PROTECTED]
http://www2.arnes.si/~sopjsimo/
ICQ: 26266467

It won't work.
  -- Jenkinson's Law






Re: Nimda?

2001-09-19 Thread Brian Clark

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Alexander,

@ 6:09:32 PM on 9/19/01, Alexander Leschinsky wrote:

AL> Hello Brian,

AL>On Wed, 19 Sep 2001 10:40:25 -0400 (19.09.2001 20:40 my local time)
AL>you wrote about "Nimda?"
AL>at least in part:

BC>> Aside, almost every S/MIME signed email I've ever received displayed
BC>> as being Invalid, including yours. :-(
AL> But you can open cert and see - "why?" More often reason - broken
AL> certs-chain

 that's quite hard to read, Alexander. ;-)

But yes, I see this:

"The issuer of this S/MIME certificate chain was not found"

As I said, I know next to nothing about S/MIME. :-\

- --
 -Brian Clark | PGP is spoken here: 0xE4D0C7C8
 [SB! 1.53s/iKey1000, Windows 98 (SE) 4.10 Build  A]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt (Build 05)
Comment: This space for rent.

iQA/AwUBO6kjnbWi5fvk0MfIEQKj6QCfW/2tIf+ckhd7LKYz8jZWiV6wlygAn3iu
3Ko9bxeC2xUd6jNIVJqA3aCz
=zmlX
-END PGP SIGNATURE-






Re[2]: Nimda?

2001-09-19 Thread Alexander Leschinsky

Hello Brian,

   On Wed, 19 Sep 2001 10:40:25 -0400 (19.09.2001 20:40 my local time)
   you wrote about "Nimda?"
   at least in part:

BC> Aside, almost every S/MIME signed email I've ever received displayed
BC> as being Invalid, including yours. :-(
But you can open cert and see - "why?" More often reason - broken
certs-chain
-- 
Best regards,
 Alexander Leschinsky






Re: Nimda?

2001-09-19 Thread Douglas Hinds


Hello Silviu & others on this TB! list & following this thread,

Wednesday, September 19, 2001,  you stated regarding Nimda?:

>> is the bat vulnerable to this worm?

SC> yes it is. though the worm uses e-mail and the subjects vary the
SC> file that it attaches is called readme.exe. TB! won't let you
SC> run it and also it will show you the extension.

I found 3 readme.exe files on my system, from 1994 & 1996, 2 are 8
kb & seem to be mouse related, the other (the oldest) is 169 kb & is in
the operating system's main directory.

I assume that none of these are virus related. Is that assumption
valid?

Thanks in advance.

Douglas







Re: Nimda?

2001-09-19 Thread Dwight A Corrin

On Wednesday, September 19, 2001, 12:45:57 PM, Gerry Doyon wrote:

>>> that's strange. Both Gerry's and Leif's S/MIME sigs appear "valid"
>>> here. How about mine?

BC>> It's Invalid as well..

> Well, it seems that there might be a bug in your version of The Bat
> Brian. :-(

> Using 

both that signature and yours show up as invalid here

-- 
Dwight A. Corrin
P O Box 47828
Wichita KS 67201-7828
316.263.9706  fax 316.263.6385
mailto:[EMAIL PROTECTED]
Using The Bat! 1.54 Beta/9 on Windows 98 version 4,90






Re: invalid S/MIME sigs (was: Nimda?)

2001-09-19 Thread Brian Clark

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Peter,

@ 2:22:50 PM on 9/19/2001, Peter Meyns wrote:

> this should only happen, when something of the content has been
> altered. Have you checked the PGP sigs as well? Here they all are
> good. Should we move to TBOT? Or perhaps to PGP-Basics-OT, as this
> is more about signatures than about TB!... ;-)

Ah, :-) I tend to think it's directly related to TB! and/or SB! or
something I've done in my configuration. *I* doubt this would be
off-topic for tbtech@, but, of course, I could be wrong.

As far as altered content, etc., I use PGP daily, and all of the
signature checks turn out just fine. :-\ There's definitely something
going on with the S/MIME internals of my copy of SB!.

- --
 -Brian Clark | PGP is spoken here: 0xE4D0C7C8
 [SB! 1.53s/iKey1000, Windows 98 (SE) 4.10 Build  A]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt (Build 05)
Comment: This space for rent.

iQA/AwUBO6jmY7Wi5fvk0MfIEQLyXACguBgDF3ZnSeio+v0pCF7trkVT6GwAni0H
9KLW5kCv1vHzjt7KKtf+Yjbs
=SXb9
-END PGP SIGNATURE-






invalid S/MIME sigs (was: Nimda?)

2001-09-19 Thread Peter Meyns

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 19 Sep 2001 13:32:52 -0400GMT (which was 19:32 +0200GMT
where I live), Brian Clark wrote this about "Nimda?":

>> that's strange. Both Gerry's and Leif's S/MIME sigs appear "valid" here.
>> How about mine?

BC> It's Invalid as well..

Hi Brian,

this should only happen, when something of the content has been altered.
Have you checked the PGP sigs as well? Here they all are good.
Should we move to TBOT? Or perhaps to PGP-Basics-OT, as this is more about
signatures than about TB!... ;-)

Cheers
Peter

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt Build 06
Comment: PGP-signed for better authentication :o)
Comment: Key available at http://www.meynsweb.com/public-key.txt
Comment: Key-ID:0xE10774CE
Comment: Have a lot of fun! :-)

iQA/AwUBO6jUYwM2UgbhB3TOEQICswCgirS2mVG0GotM0dd7So5OyOtTn0AAnjUi
AOygyxmLNRmKFjl7hCP4hjlG
=UoEk
-END PGP SIGNATURE-

 S/MIME Cryptographic Signature


Re: Nimda?

2001-09-19 Thread Gerry Doyon


Hello Brian,


>> that's strange. Both Gerry's and Leif's S/MIME sigs appear "valid" here.
>> How about mine?

BC> It's Invalid as well..

Well, it seems that there might be a bug in your version of The Bat
Brian. :-(

Using The Bat! v1.53t on Windows NT 5.0 Build 2195
Service Pack 2

Best regards,
  Gerry

 S/MIME Cryptographic Signature


Re: Nimda?

2001-09-19 Thread Brian Clark

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Peter,

@ 1:19:51 PM on 9/19/2001, Peter Meyns wrote:

> that's strange. Both Gerry's and Leif's S/MIME sigs appear "valid" here.
> How about mine?

It's Invalid as well..

- --
 -Brian Clark | PGP is spoken here: 0xE4D0C7C8
 [SB! 1.53s/iKey1000, Windows 98 (SE) 4.10 Build  A]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt (Build 05)
Comment: This space for rent.

iQA/AwUBO6jWxLWi5fvk0MfIEQJg4gCePq+FYSjN+ez5yzeHi4k1hUFqlW4AoLx3
/d5NxouNjvePZts8jf1M3xxi
=5d/2
-END PGP SIGNATURE-






Re: Nimda?

2001-09-19 Thread Peter Meyns

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 19 Sep 2001 11:29:28 -0400GMT (which was 17:29 +0200GMT where I live),
Brian Clark wrote this about "Nimda?":

BC>>> Aside, almost every S/MIME signed email I've ever received
BC>>> displayed as being Invalid, including yours. :-(

>> His S/MIME certificate show as completely valid on my version of
>> TB!.

BC> Yours also shows as Invalid.

Hello Brian,

that's strange. Both Gerry's and Leif's S/MIME sigs appear "valid" here.
How about mine?

Cheers
Peter

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt Build 06
Comment: PGP-signed for better authentication :o)
Comment: Key available at http://www.meynsweb.com/public-key.txt
Comment: Key-ID:0xE10774CE
Comment: Have a lot of fun! :-)

iQA/AwUBO6jFlgM2UgbhB3TOEQJszQCgyQ2EKWTPfX8ZAj+DozQxF/zlgTgAoN9T
iaKuIGJiDRhdodZMRPqcHtTX
=xksi
-END PGP SIGNATURE-

 S/MIME Cryptographic Signature


Re: Nimda?

2001-09-19 Thread Marck D Pearlstone

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Silviu,

On 19 September 2001 at  17:26:05 +0300 (which was 15:26 where I live)
Silviu Cojocaru wrote to [EMAIL PROTECTED] and made these
points:

>> is the bat vulnerable to this worm?

SC> yes it is.

I think that was a linguistic confusion - protected: yes it is,
vulnerable: no it is not.

- --
Cheers -- .\\arck D. Pearlstone -- List moderator and fellow end user
 ~~~
\ BrainStorm - free thinking - www: http://www.brainstormsw.com /
 \ PGP Key ID: 0x929DCDA0  |  www: http://www.silverstones.com /
.
TB! v1.54 Beta/9-14F4B4B2 on Windows NT 5.0.2195 Service Pack 2
.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: GPG Sealed for freshness

iD4DBQE7qMcIOeQkq5KdzaARAl7OAKDfC87bMP1L6V7VR1ET/sJPbrTxWQCY4T+t
ugAcQxHhV6kuXo0a55dQ2Q==
=oeqU
-END PGP SIGNATURE-







Re: Nimda?

2001-09-19 Thread Silviu Cojocaru

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Tuesday, September 18, 2001 at 5:24:55 PM ,
Screwyluie wrote about "Nimda?":

> is the bat vulnerable to this worm?

yes it is. though the worm uses e-mail and the subjects vary the
file that it attaches is called readme.exe. TB! won't let you
run it and also it will show you the extension.

- --
A thirty-two bit extension and graphical shell to a sixteen-bit patch
:to an eight-bit operating system originally coded for a four-bit
microprocessor which was written by a two-bit company that can't
stand one bit of competition.
(Hackers' Jargon file ver. 4.3.1)
__
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE7qKr+8WBGNj3ut+0RAsz3AKCf//of17hSZLPtMM6lUmw9SVfXmACgrg8Q
K4smyzwtF3JyrtjekR4jE8c=
=1rou
-END PGP SIGNATURE-






Re: Nimda?

2001-09-19 Thread Silviu Cojocaru

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wednesday, September 19, 2001 at 5:27:06 PM ,
Leif Gregory wrote about "Nimda?":

> Further, the worm affects only IIS 4.0 and IIS 5.0 and
> exploits a hole called web server folder traversal.

Well it affects network performance too. I've seen reports of
servers running apache that were near DoS status.

- --
Nice little planet you've got there.
Shame if anything were to happen to it.
__
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE7qKuk8WBGNj3ut+0RAvkeAJ0WV8LMIMKR9qvHOJgbgwQglsrCsQCfVSy7
f7xHlla/jHsdspi7xYzIpas=
=5DwQ
-END PGP SIGNATURE-






Re: Nimda?

2001-09-19 Thread Brian Clark

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Gerry,

@ 10:51:58 AM on 9/19/2001, Gerry Doyon wrote:

BC>> Aside, almost every S/MIME signed email I've ever received
BC>> displayed as being Invalid, including yours. :-(

> His S/MIME certificate show as completely valid on my version of
> TB!.

Yours also shows as Invalid.

- --
 -Brian Clark | PGP is spoken here: 0xE4D0C7C8
 [SB! 1.53s/iKey1000, Windows 98 (SE) 4.10 Build  A]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt (Build 05)
Comment: This space for rent.

iQA/AwUBO6i52LWi5fvk0MfIEQKHRgCg6eyU538LTsjeu1BMuOUzzRyzWYoAoOTL
0xNanyu/mKk3DVbRNgU4Wd+m
=RWNB
-END PGP SIGNATURE-






Re[2]: Nimda?

2001-09-19 Thread Jernej Simončič

Hello Gerry,

19. september 2001, 16:51:58, you wrote:

GD> Hello Brian,

BC>> Aside, almost every S/MIME signed email I've ever received displayed
BC>> as being Invalid, including yours. :-(

GD> His S/MIME certificate show as completely valid on my version of TB!.

So does yours :)

-- 
Jernej Simoncic, [EMAIL PROTECTED]
http://www2.arnes.si/~sopjsimo/
ICQ: 26266467

There's always one more bug.
  -- Lubarsky's Law of Cybernetic Entomology






Re: Nimda?

2001-09-19 Thread Gerry Doyon

Hello Brian,

BC> Aside, almost every S/MIME signed email I've ever received displayed
BC> as being Invalid, including yours. :-(

His S/MIME certificate show as completely valid on my version of TB!.

Using The Bat! v1.53t on Windows NT 5.0 Build 2195
Service Pack 2

Best regards,

Gerry Doyon

 S/MIME Cryptographic Signature


Re: Nimda?

2001-09-19 Thread Brian Clark

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Leif,

@ 6:30:25 PM on 9/18/2001, Leif Gregory wrote:

> Actually though... An apology to the list. I had forgotten to turn
> off the S/MIME signing in conjunction with my PGP signing.

Aside, almost every S/MIME signed email I've ever received displayed
as being Invalid, including yours. :-(

I know very little about S/MIME, so I have no idea why this is
happening.

- --
 -Brian Clark | PGP is spoken here: 0xE4D0C7C8
 [SB! 1.53s/iKey1000, Windows 98 (SE) 4.10 Build  A]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt (Build 05)
Comment: This space for rent.

iQA/AwUBO6iuWbWi5fvk0MfIEQJ9lQCfXWCuGi7/AoFhf9y/98Ehbs5EOqUAniUz
Wr0+XgiZWnZ5JROoa7rqCqaz
=PttC
-END PGP SIGNATURE-






Re: Nimda?

2001-09-18 Thread Leif Gregory

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Mbone,

On Tue, 18 Sep 2001 at 17:10:38 [GMT -0500], you wrote:
Mgcu> Leif Gregory shows a "valid Signature" as an attachment in my
Mgcu> reader..how do you do this? You're not on my public key rings
Mgcu> for PGP 6x or GnuPg

It's an S/MIME certificate. The key is included in the signing
certificate. For example, double-clicking the valid signature will let
you view the certificate. Right clicking it will allow you to import
my certificate (because the key is built in). It's built upon x.509.

Now, once you've imported my certificate, you can encrypt a message to
me using that.

If you're interested in obtaining your own e-mail certificates free of
charge (from Thawte), please view the how-to by Ulrich Peters at:



Actually though... An apology to the list. I had forgotten to turn off
the S/MIME signing in conjunction with my PGP signing.


Cheers,
Leif Gregory

- --
List Moderator (and fellow registered end-user)
PCWize Editor  /  ICQ 216395  /  PGP Key ID 0x7CD4926F
Web Site 
TB FAQ   
Using The Bat! 1.54 Beta/8 under Windows 98 4.10 Build  A
on a Pentium III 500 MHz notebook with 256MB.

Tagline of the day:
A better way to DoubleSpace your disk:  DEL C:\WINDOWS\*.*

-BEGIN PGP SIGNATURE-
Version: PGP 6.5i

iQA/AwUBO6fLB48+1rl81JJvEQJArwCeORjJ8ZZDvaK5YYyxBzD4AcAyJKQAoLO2
lyvAQObqVYIn5DXjdqoPxCD7
=hwdm
-END PGP SIGNATURE-






Re[2]: Nimda?

2001-09-18 Thread Mbone

Leif Gregory shows a "valid Signature" as an attachment in my
reader..how do you do this? You're not on my public key rings for PGP
6x or GnuPg

Just curious,

C.K.






Re: Nimda?

2001-09-18 Thread Leif Gregory

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Screwyluie,

On Tue, 18 Sep 2001 at 14:17:55 [GMT -0700], you wrote:
S> these aren't the kinda people who use outlook express and they
S> never miss a patch... so it's a little more sneaky than one might
S> think

They musta missed this one. The malformed MIME header patch has been
available for a few months from Microsoft.

But to alleviate your fears, TB doesn't run anything unless you
explicitly tell it to do so. The fact that it is MIME munged to appear
as a WAV and not the readme.exe it really is, has little effect on TB. TB
doesn't run anything without your asking it to. This is one of the
biggest reasons we long time TB users have fought against the
inclusion of a full HTML rendering engine in TB.

Further, the worm affects only IIS 4.0 and IIS 5.0 and exploits a hole
called web server folder traversal. However, user PCs are a launching
pad for the worm via the oft used sending it to everyone in the
address book gig. Unpatched user PCs can also become "infected" by
visiting a web site running IIS that is infected, because IE will
download the worm from that web site.

The patch for IIS is:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

To patch IE
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp

However, these are preemptive patches. If you're already infected,
you'll need to wait for a fix to be released.



Cheers,
Leif Gregory

- --
List Moderator (and fellow registered end-user)
PCWize Editor  /  ICQ 216395  /  PGP Key ID 0x7CD4926F
Web Site 
TB FAQ   
Using The Bat! 1.54 Beta/8 under Windows 98 4.10 Build  A
on a Pentium III 500 MHz notebook with 256MB.

Tagline of the day:
IQ = dx / (1 + dx), where x = age.

-BEGIN PGP SIGNATURE-
Version: PGP 6.5i

iQA/AwUBO6fBiI8+1rl81JJvEQIJIgCgj3iZRjQ2cdENjFubi4VdVdp4QZkAoNYy
iVd2YbbG9vld3nLGc/QEg7Zk
=G7f2
-END PGP SIGNATURE-

 S/MIME Cryptographic Signature
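
Added example, not part of the post above and not code from The Bat! or any vendor: a gateway-side check in Python for the mismatch Leif describes, an attachment whose declared MIME type says WAV while its name and leading bytes say executable. The message is a constructed sample with inert filler bytes; the extension list, type list and function names are assumptions of this example.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists for this example; tune them to local needs.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat"}
MEDIA_MAINTYPES = {"audio", "video", "image", "text"}


def build_sample(declared=("audio", "x-wav")):
    """Constructed test message: 'readme.exe' sent under the given MIME type,
    plus a correctly labelled WAV part for contrast. Payloads are filler."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # Only the two-byte 'MZ' marker is real; the rest is zero padding.
    msg.add_attachment(b"MZ" + bytes(30), maintype=declared[0],
                       subtype=declared[1], filename="readme.exe")
    msg.add_attachment(b"RIFF" + bytes(4) + b"WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="chime.wav")
    return msg.as_bytes()


def audit(raw_bytes):
    """Return one finding per part whose declared type contradicts its
    file name or its first bytes."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        maintype = part.get_content_maintype()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        # Check 1: the name promises a program, the header promises media.
        if ext in EXECUTABLE_EXT and maintype in MEDIA_MAINTYPES:
            reasons.append(f"extension {ext} but declared {ctype}")
        # Check 2: the content itself starts like a DOS/Windows executable
        # while the header claims a media type. This still fires when the
        # file has been renamed to something harmless-looking.
        if data.startswith(b"MZ") and maintype in MEDIA_MAINTYPES:
            reasons.append(f"MZ header but declared {ctype}")
        if reasons:
            findings.append({"filename": name, "declared": ctype,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding["filename"], finding["declared"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

An executable sent under an honest `application/...` type passes this check by design; whether executables are allowed at all is a separate policy decision.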


Re: Nimda?

2001-09-18 Thread David van Zuijlekom

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Screwyluie,

On Tuesday, September 18, 2001 at 14:17:55 -0700, Screwyluie [S] wrote
concerning 'Nimda?':

MDP>> Then TB is immune. It not only doesn't execute attachments in
MDP>> that way, it also tells you either not to or to use extreme
MDP>> caution.

S> true however this program uses a malformed header making windows
S> believe it's a wav file and that it should be executed as such...

But that's just the point. TB! won't execute the attachment unless you
give him the order to do so. If you don't execute the attachment by
hand nothing happens.

S> I see no reason why TB! would be susceptible to it but I thought
S> I'd ask because this one is particularly nasty, and I'm getting
S> reports from my linux group that their win2k servers they admin are
S> being attacked hardcore

S> these aren't the kinda people who use outlook express and they
S> never miss a patch... so it's a little more sneaky than one might
S> think

Then there are two possibilities:
1. They executed the files by hand.
2. They use an OL/OE-like email client that executes attachments
   automagically.

- --
Best regards,
 David

** I'm fascinated by the way memory diffuses fact. **

[TB! 1.54 Beta/8] [Windows NT 5.0 Build 2195 Service Pack 2]
 [Running on a Celeron 633@874 256 Mb RAM]

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8ckt Build 06
Comment: PGPKeys: mailto:[EMAIL PROTECTED]?subject=send_PGP_key

iQA/AwUBO6euyFK9yf5+yp9NEQJZqACfYyghuvfeWAJYb/mmp5yVW/AHGwgAnj25
Eab5FZaXEQ4cEY98hQ/R/t4w
=gM9n
-END PGP SIGNATURE-






Re[2]: Nimda?

2001-09-18 Thread Screwyluie


MDP> Then TB is immune. It not only doesn't execute attachments in that
MDP> way, it also tells you either not to or to use extreme caution.

true however this program uses a malformed header making windows
believe it's a wav file and that it should be executed as such...

I see no reason why TB! would be susceptible to it but I thought I'd
ask because this one is particularly nasty, and I'm getting reports
from my linux group that their win2k servers they admin are being
attacked hardcore

these aren't the kinda people who use outlook express and they never
miss a patch... so it's a little more sneaky than one might think

-- 
The first place to look for information is in the section of the manual where you 
least expect to find it.
-- 
Using The Bat! v1.54 Beta/8
System: AMD K6-2 500; 384mb Ram
OS: Windows XP Professional
-- 
Until Next Time,
  Screwyluie  [EMAIL PROTECTED]






Re: Nimda?

2001-09-18 Thread Marck D Pearlstone

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Screwyluie,

On 18 September 2001 at  13:38:37 -0700 (which was 21:38 where I live)
Screwyluie wrote to TBTECH and made these points:

S> and is executed by simply looking at it in a preview pane, you
S> don't even have to open it really...

Then TB is immune. It not only doesn't execute attachments in that
way, it also tells you either not to or to use extreme caution.

- --
Cheers -- .\\arck D. Pearlstone -- List moderator and fellow end user
 ~~~
\ BrainStorm - free thinking - www: http://www.brainstormsw.com /
 \ PGP Key ID: 0x929DCDA0  |  www: http://www.silverstones.com /
.
SB! v1.53s/iKey1000- on Windows NT 5.0.2195 Service Pack 2
.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (MingW32)
Comment: GPG Sealed for freshness

iD8DBQE7p7MpOeQkq5KdzaARAkc+AJsGgydSuVIYq4PNdPPEET0yRZQ5gACg5gYC
FCPfAeRyA6P2Xp7gLFTiFyQ=
=Jd2L
-END PGP SIGNATURE-







Nimda?

2001-09-18 Thread Screwyluie


sorry if there's a thread on this already I'm just now subscribing to
this list...

but what do we know about this nimda worm that is just now rearing
its head?
is the bat vulnerable to this worm?

do we know what it does exactly?
I know it perpetuates itself over networks and via email, ftp, etc and
often comes in the form of "Readme.exe" and "Readme.eml" attachments
and is executed by simply looking at it in a preview pane, you don't
even have to open it really...

here's a url with good information if this is news to everyone
http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert

-- 
Nuptial love maketh mankind, friendly love perfecteth it; but wanton love corrupteth 
and embaseth it. - Francis Bacon
-- 
Using The Bat! v1.54 Beta/8
System: AMD K6-2 500; 384mb Ram
OS: Windows XP Professional
-- 
Until Next Time,
  Screwyluie  [EMAIL PROTECTED]

