#1
Worm.Automat.AHB appears on a newsgroup and NAV does NOT detect it!

This is getting really nasty. Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.

Norton Antivirus DOES NOT DETECT this when you download the post from a usenet newsgroup. Neither does Outlook Newsreader. You can open the post AND you can open the infection attachment. I opened the post, and then saved the attachment to disk rather than executing it (which I assume I could have.) Only when the save to disk began did Norton Antivirus detect the infection and delete it from the folder I saved to (that's the option I've selected.)

Here's the header from the cross-posted infected message:

Path: newsspool1.news.atl.earthlink.net!stamper.news.atl.earthlink.net!elnk-atl-nf1!newsfeed.earthlink.net!news-xfer1.atl.newshosting.com!63.218.45.11.MISMATCH!newshosting.com!news-xfer2.atl.newshosting.com!diablo.voicenet.com!proxad.net!213.253.16.105.MISMATCH!mephistopheles.news.clara.net!news.clara.net!news-hub.cableinet.net!blueyonder!internal-news-hub.cableinet.net!news-binary.blueyonder.co.uk.POSTED!53ab2750!not-for-mail
FROM: "ian graham"
NEWSGROUPS: alt.comp.mail.qmail,alt.comp.malaysia,alt.comp.periphs.cdr,alt.comp.periphs.mainboard.abit,alt.comp.periphs.mainboard.elitegroup,alt.comp.periphs.mainboard.epox,alt.comp.periphs.mainboard.msi-microstar,alt.comp.periphs.mainboard.shuttle,alt.comp.periphs.videocards.ati
SUBJECT: Use pack from the M$
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="krxrbfnq"
Lines: 2173
Message-ID:
Date: Fri, 19 Sep 2003 21:54:01 GMT
NNTP-Posting-Host: 82.41.133.74
X-Complaints-To:
X-Trace: news-binary.blueyonder.co.uk 1064008441 82.41.133.74 (Fri, 19 Sep 2003 21:54:01 GMT)
NNTP-Posting-Date: Fri, 19 Sep 2003 21:54:01 GMT
Organization: blueyonder (post doesn't reflect views of blueyonder)
Xref: news.earthlink.net alt.comp.mail.qmail:7294 alt.comp.malaysia:17764 alt.comp.periphs.cdr:403261 alt.comp.periphs.mainboard.abit:567447 alt.comp.periphs.mainboard.elitegroup:37357 alt.comp.periphs.mainboard.epox:44167 alt.comp.periphs.mainboard.msi-microstar:62085 alt.comp.periphs.mainboard.shuttle:29999 alt.comp.periphs.videocards.ati:145422
X-Received-Date: Fri, 19 Sep 2003 14:54:09 PDT (newsspool1.news.atl.earthlink.net)

Phil Weldon,
#2
On Sat, 20 Sep 2003 01:08:58 GMT, "Phil Weldon" wrote:

> This is getting really nasty. Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.
> Norton Antivirus DOES NOT DETECT this when you download the post from a usenet newsgroup. Neither does Outlook Newsreader. You can open the post AND you can open the infection attachment.

Uh, I have NAV set to check every 5 minutes for updates. I have lost count of how many Worm-attacks I've had, but they have all been blocked. At least I believe so, since my system is running just fine.

And to respond to another post of yours, I trust Symantec in a way that I do NOT trust MS.
#3
Checking 'Live Update' every five minutes won't do anything but ensure that you get virus definitions that are no more than a few days old. If you want the newest virus definitions you must use 'Manual Update'. If you read the help files and manual for Symantec/Norton Antivirus you see this explanation.

Prior to 19SEP03 Norton Antivirus 'Live Update' maintained NAV protection DID NOT identify and remove Worm.Automat.AHB. Microsoft Outlook with SP3 DID protect against Worm.Automat.AHB. You were not protected against this worm.

Trust who you will, but please use all available anti-virus and worm procedures, and don't risk an infection in your system that becomes a problem for all of us just because you don't like Microsoft. It's not smart and we shouldn't all have to pay for your attitude. Symantec and Microsoft both are in business to make money... THAT you can trust, and that there are no guarantees other than your own diligence in protecting your system using all available means.

I don't mean to be harsh, but unprotected systems are a problem for all of us. Do your part.

Phil Weldon,

"Winey" wrote in message ...
> On Sat, 20 Sep 2003 01:08:58 GMT, "Phil Weldon" wrote:
> > This is getting really nasty. Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.
> > Norton Antivirus DOES NOT DETECT this when you download the post from a usenet newsgroup. Neither does Outlook Newsreader. You can open the post AND you can open the infection attachment.
> Uh, I have NAV set to check every 5 minutes for updates. I have lost count of how many Worm-attacks I've had, but they have all been blocked. At least I believe so, since my system is running just fine.
> And to respond to another post of yours, I trust Symantec in a way that I do NOT trust MS.
#4
Phil Weldon wrote:

> This is getting really nasty.

... and continues to get nastier.

> Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.

There have been several more - could be the worm, not the asshole - but thankfully usenet isn't getting hammered like email. Millions of netizens are stuck with 5 or 10 meg mailboxes. At ~150K each, it only takes 35 or 70 worm mails - which is about the hourly rate in my case. Many users don't have access to server-side mail processing rules, or know how to define them if they do, and even then the faked bounce messages are difficult to filter. I hesitate to guess how many valid email accounts are currently rejecting mail because they've been DOSed by this worm, and it's still going strong.

This is probably the most insidious attack ever perpetrated on the net.

> Norton Antivirus DOES NOT DETECT this when you download the post from a usenet newsgroup. Neither does Outlook Newsreader. You can open the post AND you can open the infection attachment. I opened the post, and then saved the attachment to disk rather than executing it (which I assume I could have.) Only when the save to disk began did Norton Antivirus detect the infection and delete it from the folder I saved to (that's the option I've selected.)
>
> Here's the header from the cross-posted infected message:
>
> Path: newsspool1.news.atl.earthlink.net!stamper.news.atl.earthlink.net!elnk-atl-nf1!newsfeed.earthlink.net!news-xfer1.atl.newshosting.com!63.218.45.11.MISMATCH!newshosting.com!news-xfer2.atl.newshosting.com!diablo.voicenet.com!proxad.net!213.253.16.105.MISMATCH!mephistopheles.news.clara.net!news.clara.net!news-hub.cableinet.net!blueyonder!internal-news-hub.cableinet.net!news-binary.blueyonder.co.uk.POSTED!53ab2750!not-for-mail
> FROM: "ian graham"
> NEWSGROUPS: alt.comp.mail.qmail,alt.comp.malaysia,alt.comp.periphs.cdr,alt.comp.periphs.mainboard.abit,alt.comp.periphs.mainboard.elitegroup,alt.comp.periphs.mainboard.epox,alt.comp.periphs.mainboard.msi-microstar,alt.comp.periphs.mainboard.shuttle,alt.comp.periphs.videocards.ati
> SUBJECT: Use pack from the M$
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="krxrbfnq"
> Lines: 2173
> Message-ID:
> Date: Fri, 19 Sep 2003 21:54:01 GMT
> NNTP-Posting-Host: 82.41.133.74
> X-Complaints-To:
> X-Trace: news-binary.blueyonder.co.uk 1064008441 82.41.133.74 (Fri, 19 Sep 2003 21:54:01 GMT)
> NNTP-Posting-Date: Fri, 19 Sep 2003 21:54:01 GMT
> Organization: blueyonder (post doesn't reflect views of blueyonder)
> Xref: news.earthlink.net alt.comp.mail.qmail:7294 alt.comp.malaysia:17764 alt.comp.periphs.cdr:403261 alt.comp.periphs.mainboard.abit:567447 alt.comp.periphs.mainboard.elitegroup:37357 alt.comp.periphs.mainboard.epox:44167 alt.comp.periphs.mainboard.msi-microstar:62085 alt.comp.periphs.mainboard.shuttle:29999 alt.comp.periphs.videocards.ati:145422
> X-Received-Date: Fri, 19 Sep 2003 14:54:09 PDT (newsspool1.news.atl.earthlink.net)
>
> Phil Weldon,
#5
Yeah, like the "Day of the Triffids"; if you're blind to the problem it's hard to protect yourself.

"Triffid" wrote in message ...
> Phil Weldon wrote:
> > This is getting really nasty.
> ... and continues to get nastier.
> > Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.
> There have been several more - could be the worm, not the asshole - but thankfully usenet isn't getting hammered like email. Millions of netizens are stuck with 5 or 10 meg mailboxes. At ~150K each, it only takes 35 or 70 worm mails - which is about the hourly rate in my case. Many users don't have access to server-side mail processing rules, or know how to define them if they do, and even then the faked bounce messages are difficult to filter. I hesitate to guess how many valid email accounts are currently rejecting mail because they've been DOSed by this worm, and it's still going strong.
> This is probably the most insidious attack ever perpetrated on the net.
#6
Norton Antivirus, even with the latest definition updates, DOES NOT detect or remove the Worm.Automat.AHB infection attachment from a newsgroup post. If you try to open the attachment, it will detect the worm and stop the attachment from executing, but the infected file stays on your storage device.

This is with Norton SystemWorks 2003 and Outlook Newsreader (which is just Outlook Express Newsreader with a different name), Windows 2000 Professional with all the updates and patches, Outlook Express with all the updates and patches, Internet Explorer with all the updates and patches, and Outlook 2000 with SP3.

Phil Weldon,
#8
Triffid wrote in message news:

> This is probably the most insidious attack ever perpetrated on the net.

Nah, that would be Verisign.
#9
On Sat, 20 Sep 2003 01:08:58 +0000, Phil Weldon while doing time wrote:

> This is getting really nasty. Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.
>
> FROM: "ian
> NEWSGROUPS: alt.comp.mail.qmail,alt.comp.malaysia,alt.comp.periphs.cdr,alt.comp.periphs.mainboard.abit,alt.comp.periphs.mainboard.elitegroup,alt.comp.periphs.mainboard.epox,alt.comp.periphs.mainboard.msi-microstar,alt.comp.periphs.mainboard.shuttle,alt.comp.periphs.videocards.ati
> SUBJECT: Use pack from the M$

Appreciate the warning but next time just post the worm/virus Subject line so we can filter as needed.
#10
jaster wrote:

> On Sat, 20 Sep 2003 01:08:58 +0000, Phil Weldon while doing time wrote:
> > This is getting really nasty. Some asshole just cross-posted the HTML bogus Microsoft security update WITH the Worm.Automat.AHB infection attachment.
> >
> > FROM: "ian
> > NEWSGROUPS: alt.comp.mail.qmail,alt.comp.malaysia,alt.comp.periphs.cdr,alt.comp.periphs.mainboard.abit,alt.comp.periphs.mainboard.elitegroup,alt.comp.periphs.mainboard.epox,alt.comp.periphs.mainboard.msi-microstar,alt.comp.periphs.mainboard.shuttle,alt.comp.periphs.videocards.ati
> > SUBJECT: Use pack from the M$
> Appreciate the warning but next time just post the worm/virus Subject line so we can filter as needed.

The subject line changes, as does the file name, each time the worm sends it out.