Subject: Virus Alert: "NewLove" Worm (fwd)
From: Darren Nickerson (darren dazza.org)
Date: Thu May 18 2000 - 23:14:07 CDT
Folks,
Sounds like they finally got it right . . . the .vbs virus has finally come of
age. Has anyone seen this in the wild yet? Am I correct in assuming that since
header checks are now (as we knew they would eventually be) rather useless,
that there's no clear way of employing postfix alone to combat this
homewrecker?
Would anyone care to offer an exec. summary of their favourite CONTENT scanning
option from amongst those discussed here recently? Pointers to how-to docs
would also come in handy!
Thanks, and good luck.
-Darren
attached mail follows:
There's a new virus in town, and it makes ILOVEYOU look like a genuine mash note. Where ILOVEYOU erased .jpg files and hid .mp3 files, the newest variant (named VBS.NewLove.A) will delete all files on your computer not in use and replace them with copies of itself. Where ILOVEYOU was instantly recognizable to anyone who knew about it, this new worm changes both the subject line of the email sent and the name of the attachment.
So what does it have in common with ILOVEYOU? It preys on the exact same vulnerabilities, and only Windows users who have Outlook can be infected. The worm is a Visual Basic file that perpetuates itself through the Outlook address book. Therefore, preventing infection is similar to ILOVEYOU.
****Prevention****
Immediately back up your entire system. If you become infected, restoring your entire system from backup is the only cure.
If you receive any emails with FW: in the subject lines, do not open any attachments.
Do not open any email attachments that end in .vbs. In fact, never open .vbs attachments. As a stopgap measure, install VBProtect, a utility that will warn you before you attempt to open any VBS attachment:
http://2.digital.cnet.com/cgi-bin2/flo?x=dAouAgEuhhwBABKum
To prevent further infection, download the latest definition sets for your antivirus software. Norton AntiVirus users, click here:
http://2.digital.cnet.com/cgi-bin2/flo?x=dAouAgEuhhwBABBuw
****How the VBS.NewLove.A Worm works****
When the worm infects your system, it deletes all files not in use and creates copies of itself in their place. A file named report.doc will be replaced with a copy of the virus named report.doc.vbs.
The worm sends copies of itself to everyone in your Outlook address book. It chooses a random file and uses that name for the attachment and email subject. For example, if it chooses song.mp3, it will send an email titled "FW: song.mp3" with an attachment named song.mp3.vbs.
For a complete technical description of the virus, check out Symantec's virus description page, here:
http://2.digital.cnet.com/cgi-bin2/flo?x=dAouAgEuhhwBABmun
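Because the subject and attachment name change with every copy, a filter has to inspect the MIME parts rather than match a fixed header string. The following Python check is an added example, not part of the original post or the forwarded alert; it flags the traits the alert describes (a .vbs attachment, a double extension, a subject of "FW: " plus the file name). The function names, addresses and sample messages are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXT = ".vbs"  # the only extension the alert names


def newlove_indicators(raw: bytes) -> list:
    """List the traits from the alert that this raw message exhibits."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    reasons = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type name=
        name = (part.get_filename() or "").strip()
        base, ext = os.path.splitext(name)
        if ext.lower() != SCRIPT_EXT:
            continue
        reasons.append(f"script attachment: {name}")
        # report.doc.vbs: the part before .vbs still ends in an extension
        if os.path.splitext(base)[1]:
            reasons.append(f"double extension: {name}")
        # the alert says the subject is "FW: " plus the chosen file name
        if subject.lower() == f"fw: {base}".lower():
            reasons.append(f"subject mirrors attachment: {subject}")
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


SUSPECT = build_sample("FW: song.mp3", "song.mp3.vbs")
BENIGN = build_sample("FW: minutes.pdf", "minutes.pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, newlove_indicators(raw))
```

A mail server would pass each queued message's raw bytes to a check like this from whatever content-filter hook it provides and quarantine on a non-empty result.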