2 Virus infected (attachments) on PIUG-L

From: Bill Murray (billmurray2@hotmail.com)
Date: Sun Dec 03 2000 - 22:27:21 EST


PIUG Members,

Apparently, I got the flu at a real bad time. After logging on finally
after a few days of being sick, I had hundreds of alerts from many of your
company's email systems that your company had detected virus infected
messages. From the fact that about 2 dozen separate company scanning
software programs have all claimed that the message was infected, as well as
the scanning in my Hotmail account, I think that these are true incidents of
viruses (technically worms).

The first was:
"Kitahori, Kazumi" <Kazumi.Kitahori@derwent.co.jp>
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.CO
date Dec. 1, 2000
Infected attachment - KEEEGED.JPG.vbs

As far as I can tell, Henny Smeding then became infected from the first
message above and then I think that the virus itself sent another infected
response to PIUG-L. I believe that Henny did not send this response - I
think that's just how the virus works - sending infected emails out using the
person's name without their intending to do so. This message appeared as:

Henny Smeding <H.Smeding@direct-patent.nl>
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.CO
date Dec. 1, 2000
Infected attachment - IOMEPIL.GIF.vbs

As to the first person who sent the original message - I am not convinced
that this is actually a person working at Derwent. I could not find their
name subscribed to PIUG-L or PIUG-L-digest. I also could not remove them
from membership in PIUG-L or PIUG-L-digest (since they were not subscribed).
The IP of the host where the message originated does appear to check out as
(der-jpn-msg-01.derwent.co.jp [204.242.135.53]) but I find it hard to
believe that someone from Derwent would actually send the types of messages
sent by this person (3 non-infected, short or blank messages plus the 1
infected one). The message, if it is indeed a forged message, was done by a very
sophisticated hacker. I don't think I should necessarily spell out my
speculation as to how the person accomplished getting this message onto
PIUG-L but this appears to go beyond simplistic hacking.

Hopefully nobody besides Henny Smeding has been (or has the potential to be)
infected. I think that in order to be infected, you need to have
Microsoft's Windows Scripting Host (or Internet Explorer 5.0 or higher). I
am not sure how easy it is to even activate the virus unless you read email
using Microsoft Outlook or another system using Internet Explorer 5.0 and I
would think that Notes users should be safe, as well as all of you whose
email systems either cleaned the infected attachment or entirely blocked
these infected messages.

I will contact Derwent to see if Kazumi Kitahori is an employee of
Derwent. After finding this out I will contact the company that runs the
list (TECC) as well as our Derwent sponsor/contact for TECC.

I am not sure what exactly to say to anyone besides Henny who became
infected except that the policy has long been that attachments are not
allowed on PIUG-L. You should certainly contact your local computer support
staff and let them know that you have been infected. Indications of
infection are given on McAfee's web site
(http://vil.mcafee.com/dispVirus.asp?virus_k=98617&)

I will see if we can have some scanning software added as part of the
maintenance of PIUG-L as there are not too many other options at this point.
I see no way to shut down the list from configuring the files that run the
software - actions that I can do. Even if TECC could shut down the list, it
is hard to contact them if this happens on a weekend. I also removed Henny
Smeding from this list for now.

For now, please be aware that no attachments are allowed on PIUG-L or
PIUG-L-digest. If you receive a message from the list that does have an
attachment, it should be deleted rather than read, just on the basis of being
an "illegal" message. Certainly any message with an attachment having a
".vbs" extension should be suspect as possibly containing malicious code. I
hope this all makes sense and I didn't make too many typos - it's a bit late
and I really was not prepared to deal with this sort of thing tonight.

William M. Murray
PIUG Sysop
Information Scientist CR&D - CIS
E.I. DuPont de Nemours & CO.
Wilmington, DE 19880
(302) 992-2672
William.M.Murray@USA.dupont.com
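The two attachments named in the message above (KEEEGED.JPG.vbs and IOMEPIL.GIF.vbs) follow the pattern the post warns about: a script extension hidden behind an image extension, on a list whose policy forbids attachments altogether. As an added example, not part of the original post or of the PIUG-L list software, the following Python code parses a raw message with the standard library's `email` package, enforces the "no attachments" rule, and separately flags the double-extension disguise so that an operator can see why a message was held. The sample messages, the extension lists, and the `quarantine`/`deliver` actions are constructed for this example and are not taken from the list's actual configuration.

```python
import email
from email import policy

# Extensions that Windows Scripting Host or the shell will execute directly.
# This list is an assumption for the example, not a complete catalogue.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "bat", "cmd", "exe", "scr", "pif"}

# Extensions a reader expects to be harmless; a script extension hiding behind
# one of these is the disguise seen in names like SOMETHING.JPG.vbs.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}


def classify_attachment(filename):
    """Return the reasons (possibly none) that this filename is suspect."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    final = parts[-1]
    if final in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension .{final}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{final}")
    return reasons


def scan_message(raw):
    """Parse RFC 822 text and return (action, findings).

    action is "quarantine" whenever any attachment is present, because the
    list policy forbids attachments outright; findings lists (filename, reason)
    pairs explaining which attachments additionally look like malware carriers.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    has_attachment = False
    for part in msg.walk():
        if part.is_multipart():
            continue                         # containers carry no payload
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue                         # ordinary body text
        has_attachment = True
        for reason in classify_attachment(filename or ""):
            findings.append((filename, reason))
    return ("quarantine" if has_attachment else "deliver"), findings


# Constructed sample: the shape of the infected posts, with a harmless
# placeholder in place of any script content.
SUSPECT_MESSAGE = """\
From: sender@example.invalid
To: list@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please see attached.
--XYZ
Content-Type: application/octet-stream; name="PHOTO.JPG.vbs"
Content-Disposition: attachment; filename="PHOTO.JPG.vbs"
Content-Transfer-Encoding: 7bit

' constructed placeholder, not a real script
--XYZ--
"""

# Constructed sample: a plain-text post that complies with the list policy.
CLEAN_MESSAGE = """\
From: sender@example.invalid
To: list@example.invalid
Subject: constructed clean message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Just a normal question for the list.
"""


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        action, findings = scan_message(raw)
        print(label, action, findings)
```

Checking the last two extensions separately matters: a filter that only looks at the final extension catches `.vbs`, but reporting the decoy `.jpg`/`.gif` in front of it tells the operator that the name was chosen to look like an image, which is the signal a list member should be told to watch for.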



This archive was generated by hypermail 2b29 : Fri Aug 10 2001 - 15:59:10 EDT