Re: Alert: W32.NewApt.Worm being sent to NTBugtraq subscribers
Subject: Re: Alert: W32.NewApt.Worm being sent to NTBugtraq subscribers
From: Russ (Russ.Cooper at RC.ON.CA)
Date: Thu Dec 16 1999 - 15:35:51 CST
This message is off-topic for NTBugtraq and replies to it will not be
posted to the list.
Editor's prerogative...nuff said.
Update.
1. I'm fairly certain I have identified the email address which
caused the worm messages to be sent. I saw a reply from the domain
postmaster to someone else indicating he didn't seem to know the
source. Hopefully with my additional information he can nail it down
and stop any more from being sent.
2. I have been informed that messages from several security-related
lists are being responded to, not just NTBugtraq messages. Further
indication, I hope, that this isn't a targeted attack but simply a
worm gone amok.
3. After a message from Kjell Wooding, listing the strings from the
worm, it was interesting to note that several of the AV Vendors'
descriptions of the worm include an incorrect name for one of the
possible executables sent. Namely, they say a file called
cheeseburst.exe may be there when it should be chestburst.exe.
4. Some also provide an incorrect reg. path in their advisories. The
correct key which the worm affects should be:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<rant>
This leads me to the rather disturbing conclusion that the
descriptions offered up by various AV Vendors *are not* necessarily
based on their own research. It would appear that some of them are
simply copying information from other AV Vendors (or some other
common research source) and formatting them to suit their taste.
Not only would this be a violation of copyright (I would think), but
it also means these Vendors may or may not know how to detect a given
virus/worm/trojan. No doubt they will all argue vehemently this is
not the case, but today's demonstration that some copy others'
descriptions cannot help but reinforce such suspicions.
It's my understanding that the past couple of weeks have been
extremely heavy for AV Vendors, with very many new
viruses/trojans/worms being released. Could it be that when put under
pressure like this some AV Vendors don't have sufficient resources to
do a complete job themselves? What's going to happen over the next
few weeks when many anticipate more concerted efforts to attack
networks?
I personally think that attacks carried out over Y2K are far more
likely to end up in prosecution than at any other time, simply due to
the fact that networks will be so heavily scrutinized that operating
covertly will be next to impossible.
That said, we certainly don't need any more false sense of security
caused by incomplete or down-right incorrect information supplied,
supposedly, as "qualified research".
AV Vendors, tell us what you do know first hand, and point a finger
at your source for anything you couldn't verify or discover yourself.
You may think you'd be giving your competitor some advantage.
Personally, I for one would find it not only refreshing, but
down-right reassuring to see such honesty in your reporting.
Of course this is just my opinion, take it for what it's worth, reply
to me personally and not the list.
</rant>
Cheers,
Russ - NTBugtraq Editor
http://ntbugtraq.ntadvice.com