
Welcome to IWETHEY!

New Bitten by Bugbear
Going to be a busy day. Shared/network printers across the company are getting hit spitting out garbage print jobs. Only found 3 infected systems so far, one in UK, one in Canada and one in New York. The printers are scattered all over.

This is one nasty virus.
"A civilian gang of thieving lobbyists for the military industrial complex is running the White House. If to be against them is considered unpatriotic -- Hell, then call me a traitor."
-- Hunter S. Thompson
New What's Its Vector?
-drl
New Original infection from email, natch.
One of the little critter's tricks is to search out shared printers and print out its compiled code. About 500 pages of printout with one or two lines of garbage on an otherwise blank page.
New Link to writeup
[link|http://vil.nai.com/vil/content/v_99728.htm|URL]
New Thanks - my users have been warned
..and the manure sock awaits the non-compliant.
-drl
New CNN is running a story on it now
Their advice? Update your antivirus software and SPEND MORE MONEY to upgrade to the newest version of Outlook.

Friggin [link|http://www.cnn.com/2002/TECH/internet/10/04/virus.bugbear/index.html|clueless].
New clueless?
Outlook XP has more protection than earlier versions
that's just a fact whether you like it or not

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
New yes, clueless.
Lookout XP might offer more protection than previous versions, but in this case, so what? This virus doesn't depend on Lookout or Lookout's insecurities, it depends on users opening it, which will happen with any MUA. If one person on the LAN opens it, the rest are likely screwed, too.

It spoofs the from address and varies the subject line. Like it or not, users will click away at the thing, warned or not. The best way to stop it is to prevent it from getting to users' MUAs by scanning for viruses at the server, or by flatly denying anything even remotely executable in via email.

1) This virus propagates itself by using its own SMTP engine, doesn't need Lookout at all to spread.

2) It also opens up its own remote access server on port 36794 and starts a keylogger. No way for Lookout to prevent that.

3) It scans for network shares and propagates itself over the LAN. No way to prevent that with Lookout, either.

4) It scans for shared printers and prints 500+ page dumps. Again, no protection there that Lookout can offer.

So, there's no logical reason to pay M$ for another upgrade to help prevent this virus as it doesn't exploit any Lookout weaknesses.

This virus also brings up another that I yell at people for a lot. Never, never, never run a Doze machine directly connected to the Internet, especially on a broadband connection. Even with 'personal firewall' software installed, you're still very vulnerable as this latest crop of virii is known to kill or maim these products, rendering them at best, ineffective.
-----
Steve
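
An added example, not part of the original thread: a small Python check that flags hosts showing two of the behaviours listed in the post above, namely SMTP sent directly from a workstation (its own SMTP engine) and a listener on port 36794. The flow-record format, the sample records and the `MAIL_SERVERS` address are constructed assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

BACKDOOR_PORT = 36794          # remote access port named in the post above
SMTP_PORT = 25
MAIL_SERVERS = {"10.0.0.25"}   # assumption: the only sanctioned SMTP relay

# Constructed sample flow records: src, dst, dst_port, action
SAMPLE_FLOWS = """\
10.0.0.25,203.0.113.10,25,allow
10.0.3.17,198.51.100.4,25,allow
10.0.3.17,198.51.100.9,25,allow
10.0.5.40,10.0.3.17,36794,allow
10.0.4.8,10.0.0.25,25,allow
10.0.4.8,192.0.2.80,80,allow
"""


def find_suspects(flow_csv, mail_servers=MAIL_SERVERS):
    """Return {host: set of reasons} for hosts matching either behaviour."""
    suspects = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        src, dst, port, _action = row
        port = int(port)
        # Own SMTP engine: a workstation speaking SMTP to something other
        # than the sanctioned relay (the relay's own outbound mail is fine).
        if (port == SMTP_PORT and src not in mail_servers
                and dst not in mail_servers):
            suspects[src].add("direct-smtp")
        # Remote access server: any host accepting traffic on port 36794.
        if port == BACKDOOR_PORT:
            suspects[dst].add("backdoor-port")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(host, ", ".join(sorted(reasons)))
```

Blocking outbound port 25 from everything except the relay at the firewall turns the first check into a deny-log search rather than an after-the-fact hunt.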
New Lookout - ROFL
-drl
New Re: clueless?
Yeah, but it's still a bag of shit.

I mean, this is 2002 and MS' premier email program doesn't thread messages properly? WTF is up with that?


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New For McAfee users:
Your minimum DAT version is 4226.


Peter
     Bitten by Bugbear - (Silverlock) - (10)
         What's Its Vector? -NT - (deSitter) - (8)
             Original infection from email, natch. - (Silverlock)
             Link to writeup - (Silverlock) - (6)
                 Thanks - my users have been warned - (deSitter) - (5)
                     CNN is running a story on it now - (Silverlock) - (4)
                         clueless? - (andread) - (3)
                             yes, clueless. - (Steve Lowe) - (1)
                                 Lookout - ROFL -NT - (deSitter)
                             Re: clueless? - (pwhysall)
         For McAfee users: - (pwhysall)
