Great Circle Associates List-Managers
(May 2003)

Subject: Re: OUCH!!
From: "Brian Zaleski" <ZaleskiDC @ calchiro . com>
Date: Sat, 24 May 2003 12:34:51 -0700
To: <list-managers @ greatcircle . com>
Importance: Normal
In-reply-to: <200305241110.h4OBAlwk003489@mail.rev.net>

> On 23 May 2003 at 19:34, Brian Zaleski wrote:
>
> > With an attachment called errors.zlb
>
> 'zlb' is one of the quarantine-extensions that ZoneAlarm's MailSafe uses
> right?

It is associated with ZoneAlarm Pro; however, I didn't see that file type in
the types to quarantine. My gut is that it may actually be TARGETING people
using ZoneAlarm.

> My windows scripting host script-reading skills are pretty minimal..
> could you provide a short synopsis of what this script was trying to do?

The first three quarters were compiled, so even though I'm good, I can't
read that. :)

It looks like basically what it's doing is to copy whatever the compiled
object in the script is onto the hard drive. After that, it's anyone's guess.

The main reason that I partition all of my discs and put the OS on a
drive other than the C: drive is to prevent this kind of attack, even if it
slips through.

> As a side note, I've heard about this particular virus-trap several times
> [although I don't think I, personally, have received one]: an apparently
> 100% legit-looking (but fake) NDR with the "message" being bounced
> included as an attachment..

Yes, it was an amazing bit of social engineering. It would have been better
if they used an actual Yahoo! bounce message, but it was definitely good.
The headers even indicated that it came from Yahoo!.

> What's unfortunate is that that's what I use for rejects of submissions
> to the newsgroup I moderate -- because of the limitations of the tool I
> happen to use to do the moderation, having the reject message carry the
> original submission as an attachment is really the only good choice.  It
> hadn't occurred to me until I started hearing about the NDR-borne-viruses
> that I was encouraging my submitters into potentially dangerous email
> habits...

Exactly. It continues to amaze me how many people don't use
anti-virus software in the first place. However, if this one was actually
targeting ZoneAlarm users, that would be a really nasty...

Brian
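A list-manager-side check for the pattern discussed in this thread: a message dressed up as a delivery failure report whose "bounced original" attachment is really a script. This is an added example, not code from the thread or from any product mentioned in it. The extension list, the bounce-subject phrases and the sample message are constructed assumptions; only the attachment name errors.zlb comes from the thread. A genuine bounce is a multipart/report message carrying a message/delivery-status part, so the check also notes when an NDR-looking message lacks that structure.

```python
"""Flag bounce-style (NDR-looking) messages that carry script-type attachments."""
import email
import os
from email import policy

# Extensions that Windows Script Host or the shell will run directly, plus the
# ".zlb" name seen in the thread. Assumed list for illustration; tune per site.
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".zlb",
    ".exe", ".scr", ".pif", ".bat", ".cmd",
}

# Subject phrases that mimic a delivery failure report (assumed list).
NDR_SUBJECT_HINTS = (
    "undeliverable", "delivery failure", "failure notice",
    "returned mail", "mail delivery",
)


def looks_like_ndr(msg):
    """True if the subject or sender claims to be a delivery failure report."""
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    return (any(h in subject for h in NDR_SUBJECT_HINTS)
            or "mailer-daemon" in sender or "postmaster" in sender)


def is_structured_bounce(msg):
    """True if the message has the multipart/report shape a real MTA bounce uses."""
    if msg.get_content_type() != "multipart/report":
        return False
    return any(p.get_content_type() == "message/delivery-status" for p in msg.walk())


def script_attachments(msg):
    """Return the filenames of attachments whose extension is in SCRIPT_EXTENSIONS."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            names.append(filename)
    return names


def assess(raw):
    """Classify a raw RFC 822 message as 'quarantine', 'review' or 'pass'."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = script_attachments(msg)
    if hits and looks_like_ndr(msg) and not is_structured_bounce(msg):
        # Claims to be a bounce, is not shaped like one, and carries a script.
        return ("quarantine", hits)
    if hits:
        # Script attachment in an ordinary message: hold for a human look.
        return ("review", hits)
    return ("pass", [])


# Constructed sample: a fake failure notice carrying a script named errors.zlb.
SAMPLE_FAKE_NDR = """\
From: MAILER-DAEMON@bounce.example (Mail Delivery System)
To: moderator@list.example
Subject: Failure Notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sorry, we were unable to deliver your message. The original is attached.

--b1
Content-Type: application/octet-stream; name="errors.zlb"
Content-Disposition: attachment; filename="errors.zlb"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed sample: an ordinary plain-text submission with no attachment.
SAMPLE_CLEAN = """\
From: poster@example.org
To: moderator@list.example
Subject: Question about the FAQ

Is the FAQ still maintained?
"""

if __name__ == "__main__":
    print(assess(SAMPLE_FAKE_NDR))  # ('quarantine', ['errors.zlb'])
    print(assess(SAMPLE_CLEAN))     # ('pass', [])
```

The verdict is deliberately split: a script attachment alone earns a human look, while a script attachment inside something pretending to be a bounce, which no real MTA produces, is held outright. For a moderation tool that legitimately returns submissions as attachments, the original text stays message/rfc822 and never matches the script list, so rejections from the moderator still pass.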



References:
  • Re: OUCH!!
    From: "Bernie Cosell" <bernie@fantasyfarm.com>