Subject: IP: Re New virus information
>X-Sender: brett@localhost
>X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
>Date: Mon, 19 Jun 2000 18:56:08 -0600
>To: farber@cis.upenn.edu, ip-sub-1@majordomo.pobox.com
>From: Brett Glass <brett@lariat.org>
>Subject: Re: IP: New virus information
>
>Dave:
>
>Here is the notice we're sending to all of our community network's
>members about the "Life Stages" Trojan horse. It has a lot of
>useful info that others can use.
>
>--Brett
>
>----------
>
>LARIAT Members and Friends:
>
>The LARIAT server has intercepted several copies of the "Life Stages" Trojan
>horse.
>
>What It Is
>
>The "Life Stages" Trojan horse program spreads itself via e-mail, via Internet
>Relay Chat (IRC), via the ICQ instant messaging program, and by copying itself
>to the hard drives of machines which share their files in a peer-to-peer
>network. (Microsoft Windows' file sharing is particularly susceptible to this
>method of propagation.)
>
>This Trojan horse only affects computers running Windows 95, Windows 98,
>Windows 2000, or Windows NT. (If you have a Mac or are running OS/2 or UNIX,
>your computer won't be infected.) It's a nasty bug which mails MANY copies of
>itself from your machine (all under your name!) to everyone in your Outlook or
>Outlook Express address book. It's also difficult to remove, because it
>modifies a database called the Windows Registry extensively and tosses
>Regedit, a Windows utility that lets you undo these modifications, into the
>"Recycle Bin." (Until someone develops an automatic removal utility, you'll
>need to recover Regedit before you can get the bug out of your system.)
>
>If you do not use Microsoft Outlook or Outlook Express, you won't spread the
>bug via e-mail but your computer can still be infected by it. If you use mIRC
>or PIRCH, two programs that do Internet Relay Chat, you can both get and
>spread the bug through them. The bug can also spread itself via ICQ, an
>instant messaging program. And if you're using Microsoft's peer-to-peer
>networking (that is, if you're sharing disks via the "Network Neighborhood"
>icon in Windows), you may be able to get and spread the bug that way too.
>
>LARIAT's Filter: A Partial Defense
>
>LARIAT's server has already been set up with a special, customized filter
>which catches suspicious attachments. (This is the same filter which sometimes
>puts the word "DEFANGED" into the names of e-mail attachments to protect you.)
>Our filter recognized the "Life Stages" Trojan horse as hostile and caught it
>before it reached a single one of our members.
>
>However, if you receive mail by any other means -- say, via Juno, or Hotmail,
>or an account at the University -- the LARIAT server won't get a chance to
>filter that mail. So, watch out for e-mail with an attachment whose name
>begins with "LIFE_STAGES". (The booby-trapped mail can have many possible
>subject lines -- they're generated at random from a list of words programmed
>into the Trojan -- so don't rely on the subject to determine if the mail is
>safe.) If you see such a message, for Heaven's sake do not open the
>attachment.
>
>We also cannot prevent you from receiving the Trojan horse program via IRC or
>an instant message, so if you receive it that way make sure not to run it.
>
>If you inadvertently run the Trojan horse program, your computer will display
>a file containing a rather bad joke about dating at different ages. While the
>file is being displayed, your computer will be infected and will begin to send
>a barrage of e-mail containing copies of the Trojan horse. Every copy will
>have your return address on it and will look as if it is a message from you.
>
>If You're Infected
>
>If it's too late and you've already been bitten by this bug, take your system
>offline IMMEDIATELY. Go to an UNINFECTED computer and print out the removal
>instructions at
>
>http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html
>
>Be warned that this Trojan horse was designed to be tricky to remove. It makes
>three copies of itself on the system, and if any one of them is not removed it
>re-creates the others. If you're not sure how to follow the removal
>instructions (they're a bit technical), get someone who understands how to
>edit the Windows Registry to help you.
>
>Finally, as always, be wary of attachments to e-mail and keep your virus
>scanner up to date.
>
>Thank you!
>
>Brett Glass, Chairman and System Administrator
>
>
>P.S. -- Special Instructions for McAfee ViruScan users
>
>McAfee's virus scanner has special difficulty with this bug because ViruScan
>doesn't normally scan files in your "Recycle Bin" (the \RECYCLED\ directory).
>The author of the Trojan, knowing this, wrote it to store its files in that
>directory. So, if you use McAfee, you will need to remove this directory from
>the scanner's "Exclude" list as well as updating your pattern files.
>
>I recommend selecting the "SuperDAT update" from their update page rather than
>clicking the "Update" button on the software's control panel, because this
>provides a more complete upgrade. To get the "SuperDAT update," go to
>
>http://www.nai.com/asp_set/download/dats/find.asp
>
>on the McAfee Web site. After you've downloaded and run the update program, be
>sure to double-click on the tiny "shield icon" in the system tray, press the
>button marked Properties, select the tab marked Exclusion, and remove
>\RECYCLED\ from the list of excluded directories. (McAfee should have made
>this happen automatically, but they didn't.)
>
>Finally, if you've set McAfee's scanner to scan only executable files (this
>speeds up the system immensely if you're doing on-the-fly scanning), add
>the extension SHS to the list of executable extensions. For some reason,
>updating McAfee's virus scanning engine does not update this list
>automatically, and so a lot of extensions (not just SHS) are missing from
>many users' machines. McAfee should really provide a comprehensive list
>of what needs to be here (based on their pattern files) and update it
>when they update their scanner; it's rather scary that they don't.
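
The attachment-name filtering the notice describes (matching on the attachment's name and extension rather than the subject line, and putting "DEFANGED" into the name) can be sketched in Python as follows. This is an added example, not LARIAT's filter or part of the original message; the extension list, the renaming scheme and the sample message are assumptions constructed here.

```python
from email import message_from_string

# Assumed blocklist for this sketch; the notice itself names only SHS.
RISKY_EXTENSIONS = {"shs", "vbs", "exe", "scr", "pif", "bat", "com"}
RISKY_PREFIX = "life_stages"  # attachment name prefix given in the notice

# Constructed sample message (placeholder payload, not a real capture).
SAMPLE = """\
Subject: Fw: Funny
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="LIFE_STAGES.TXT.SHS"
Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"

placeholder
--b1
Content-Disposition: attachment; filename="notes.txt"

hello
--b1--
"""

def is_suspicious(filename):
    """Judge by attachment name only; the subject is never consulted."""
    name = filename.strip().lower().rstrip(". ")
    ext = name.rpartition(".")[2] if "." in name else ""
    # Last extension decides: NAME.TXT.SHS is treated as SHS, not TXT.
    return ext in RISKY_EXTENSIONS or name.startswith(RISKY_PREFIX)

def defang(msg):
    """Rename suspicious attachments in place; return their original names."""
    caught = []
    for part in msg.walk():
        old = part.get_filename()
        if not old or not is_suspicious(old):
            continue
        stem, sep, ext = old.rpartition(".")
        # Assumed naming scheme: the final extension stops being a runnable one.
        new = f"{stem}.DEFANGED-{ext}" if sep else f"DEFANGED-{old}"
        if part.get_param("filename", header="Content-Disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        caught.append(old)
    return caught
```
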