From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Wednesday, November 10, 1999 9:07 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: A couple of virus notes

-----BEGIN PGP SIGNED MESSAGE-----

CNN today was running the story about the BubbleBoy virus.
Unfortunately, most of the time they were getting the story wrong (to
be expected really, they are so clueless on air about computer
security stuff it's ridiculous).

Some hoopla has been made about BubbleBoy because "you don't have to
open it for it to work". What you do have to do is view it in the
preview pane (if you have one). Just in case anyone reading this
doesn't already know, enabling the preview pane is no different than
opening an email. If an email-borne virus is going to invoke upon
opening, it will invoke upon viewing in the preview pane too. Richard
Smith and Georgi Guninski (amongst others) have been telling the
stories of this sort of problem for well over a year now.

Data Fellows are claiming it's "the very first worm that is able to
infect without opening the attachment."

McAfee Online claim "VBS/Bubbleboy infects PCs as soon as the
transmitting email message is opened. This is a VERY significant
innovation!"

Neither Trend Micro nor Symantec are over-hyping this thing (which,
btw, doesn't affect NT).

Now I don't mean to rag on these folks, but the MIME NAME exploit
discovered by the University of Oulu researchers (and first reported
on NTBugtraq 7/27/98, <http://ntbugtraq.ntadvice.com/mimename.asp>)
was, IMNSHO, the first worm that was able to infect without opening
the attachment.

Since then, there have been many VBS-based worms and issues based on
embedded jscript or html that have the same effect as BubbleBoy (get
invoked if viewed from the preview pane or opened). From what I've
seen, BubbleBoy is nothing new.

On another front, Dublin Wicklow Mountain Rescue (???) reported
another virus to NTBugtraq on Tuesday. Named "FunLove" by NAI's AVERT
group, a description of which can be found at
<http://vil.nai.com/vil/vpe10419.asp>.

According to Dublin Wicklow Mountain Rescue;

>symptoms are that any exe that is run causes a service called flc to be
>created and an .exe called flcss.exe to be created in winnt\system32.
>this service is then started and appears to be a network process as the
>services database is locked out during the process start.
>
>the process can be seen in task manager and stopped, but next time an
>.exe is launched, the process is re-started.
>
>the affected server then causes significant amounts of network traffic
>across multiple ip segments.

Disclaimer:

NTBugtraq is not an anti-virus forum. I occasionally put through
messages about viruses that have either been misrepresented in the
press, or affect NT and are not widely known. Such messages are not
intended to spur discussion, there are other forums for that.

Cheers,
Russ - NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

-----END PGP SIGNATURE-----
