Tracking down the author of the Melissa virus

Richard M. Smith

Mar 27, 1999, 3:00:00 AM
Hello,

I've been doing some research on the Web to try to track down
the author of the Melissa macro virus. Here is what I
found so far.

The earliest reference I found to the virus is this posting
on 3/26 by "Sky Roket"

Path: newsflash!news-peer1.tiac.net!news-feed1.tiac.net!newshub.northeast.verio.net!
cpk-news-hub1.bbnplanet.com!news.gtei.net!newsfeed.cwix.com!152.163.199.19!
portc03.blue.aol.com!audrey01.news.aol.com!not-for-mail
From: skyr...@aol.com (Sky Roket)
Newsgroups: alt.sex
Subject: Passcode List 3-26-99
Lines: 283
NNTP-Posting-Host: ladder05.news.aol.com
X-Admin: ne...@aol.com
Date: 26 Mar 1999 12:15:53 GMT
Organization: AOL http://www.aol.com
Message-ID: <19990326071553...@ng-cg1.aol.com>
Xref: newsflash alt.sex:1680745

_=_
_=_ Part 001 of 001 of file list.zip
_=_

This message contains a zip file with the now famous list.doc
file in it. The file is infected with the Melissa virus.

The first reports of the Melissa virus in the wild started
showing up 8 to 12 hours later.

Dr. Solomon's newsgroup virus scanner found the first infected message
a few days later on 3/27:

http://x5.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=459557018&CONTEXT=922562568.1032257544&hitnum=0

I did some "dumpster diving" in the list.doc file and found
the following revision log in the file:

3360:07 00 FF FF 06 00 00 00 0B 00 4A 00 6F 00 68 00 ........|..J.o.h.
3370:6E 00 20 00 48 00 6F 00 6C 00 6D 00 65 00 73 00 n. .H.o.|l.m.e.s.
3380:19 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 ..C.:.\.|W.I.N.D.
3390:4F 00 57 00 53 00 5C 00 44 00 65 00 73 00 6B 00 O.W.S.\.|D.e.s.k.
33A0:74 00 6F 00 70 00 5C 00 50 00 30 00 2E 00 64 00 t.o.p.\.|P.0...d.
33B0:6F 00 63 00 0B 00 4A 00 6F 00 68 00 6E 00 20 00 o.c...J.|o.h.n. .
33C0:48 00 6F 00 6C 00 6D 00 65 00 73 00 1F 00 43 00 H.o.l.m.|e.s...C.
33D0:3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 :.\.W.I.|N.D.O.W.
33E0:53 00 5C 00 44 00 65 00 73 00 6B 00 74 00 6F 00 S.\.D.e.|s.k.t.o.
33F0:70 00 5C 00 4C 00 69 00 73 00 74 00 30 00 38 00 p.\.L.i.|s.t.0.8.
3400:31 00 39 00 2E 00 64 00 6F 00 63 00 03 00 48 00 1.9...d.|o.c...H.
3410:69 00 6D 00 1B 00 43 00 3A 00 5C 00 57 00 49 00 i.m...C.|:.\.W.I.
3420:4E 00 44 00 4F 00 57 00 53 00 5C 00 44 00 65 00 N.D.O.W.|S.\.D.e.
3430:73 00 6B 00 74 00 6F 00 70 00 5C 00 6C 00 69 00 s.k.t.o.|p.\.l.i.
3440:73 00 74 00 2E 00 64 00 6F 00 63 00 FF 40 01 80 s.t...d.|o.c..@..

Looks like "Mr. Holmes" is running Windows 95 or 98. I wonder who
"Him" is? Also, the file has been named "p0.doc", "List0819.doc",
and finally "list.doc".

I have another copy of the "list.doc" file from 2 days later which contains
another entry in the revision log. My guess is that this new entry is for
someone who was infected by the virus. It looks like the Word revision log
can be used to trace how this virus moves around the Internet. Neat!

Also I found this GUID in the file:

4BC0:5F 50 49 44 5F 47 55 49 44 00 02 00 00 00 E4 04 _PID_GUI|D.......
4BD0:00 00 41 00 00 00 4E 00 00 00 7B 00 35 00 37 00 ..A...N.|..{.5.7.
4BE0:32 00 38 00 35 00 38 00 45 00 41 00 2D 00 33 00 2.8.5.8.|E.A.-.3.
4BF0:36 00 44 00 44 00 2D 00 31 00 31 00 44 00 32 00 6.D.D.-.|1.1.D.2.
4C00:2D 00 38 00 38 00 35 00 46 00 2D 00 30 00 30 00 -.8.8.5.|F.-.0.0.
4C10:34 00 30 00 33 00 33 00 45 00 30 00 30 00 37 00 4.0.3.3.|E.0.0.7.
4C20:38 00 45 00 7D 00 00 00 00 00 00 00 00 00 00 00 8.E.}...|........

It looks like the MAC address of the computer of the author of the
document is:

00-40-33-E0-07-8E

This same MAC address appears in the GUID assigned to the VBA macro:

8230:47 00 7B 00 33 00 44 00 34 00 35 00 39 00 39 00 G.{.3.D.|4.5.9.9.
8240:36 00 32 00 2D 00 45 00 31 00 42 00 34 00 2D 00 6.2.-.E.|1.B.4.-.
8250:31 00 31 00 44 00 32 00 2D 00 39 00 45 00 42 00 1.1.D.2.|-.9.E.B.
8260:41 00 2D 00 30 00 30 00 34 00 30 00 33 00 33 00 A.-.0.0.|4.0.3.3.
8270:45 00 30 00 30 00 37 00 38 00 45 00 7D 00 23 00 E.0.0.7.|8.E.}.#.

The Ethernet card was manufactured by:

00-40-43 Addtron Technology Co., Ltd

If anyone else finds anything interesting about this document or the
macro virus, please let me know.

Richard M. Smith
smi...@tiac.net
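
The GUID observation in the post above can be checked mechanically. The following is an added example, not code from the original post: it rebuilds the bytes from the two hex dumps, pulls out the UTF-16 GUID strings, and decodes them as version-1 UUIDs, whose last six bytes are the generating host's node ID. It goes slightly beyond the post by also decoding the timestamp field that every version-1 UUID carries; all function names are illustrative.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Hex-dump rows copied from the post (offset:16 bytes, then an ASCII column).
DOC_PROPERTY_DUMP = r"""
4BC0:5F 50 49 44 5F 47 55 49 44 00 02 00 00 00 E4 04 _PID_GUI|D.......
4BD0:00 00 41 00 00 00 4E 00 00 00 7B 00 35 00 37 00 ..A...N.|..{.5.7.
4BE0:32 00 38 00 35 00 38 00 45 00 41 00 2D 00 33 00 2.8.5.8.|E.A.-.3.
4BF0:36 00 44 00 44 00 2D 00 31 00 31 00 44 00 32 00 6.D.D.-.|1.1.D.2.
4C00:2D 00 38 00 38 00 35 00 46 00 2D 00 30 00 30 00 -.8.8.5.|F.-.0.0.
4C10:34 00 30 00 33 00 33 00 45 00 30 00 30 00 37 00 4.0.3.3.|E.0.0.7.
4C20:38 00 45 00 7D 00 00 00 00 00 00 00 00 00 00 00 8.E.}...|........
"""
VBA_PROJECT_DUMP = r"""
8230:47 00 7B 00 33 00 44 00 34 00 35 00 39 00 39 00 G.{.3.D.|4.5.9.9.
8240:36 00 32 00 2D 00 45 00 31 00 42 00 34 00 2D 00 6.2.-.E.|1.B.4.-.
8250:31 00 31 00 44 00 32 00 2D 00 39 00 45 00 42 00 1.1.D.2.|-.9.E.B.
8260:41 00 2D 00 30 00 30 00 34 00 30 00 33 00 33 00 A.-.0.0.|4.0.3.3.
8270:45 00 30 00 30 00 37 00 38 00 45 00 7D 00 23 00 E.0.0.7.|8.E.}.#.
"""

ROW = re.compile(r"^([0-9A-Fa-f]{4,8}):((?:[0-9A-Fa-f]{2} ?){16})", re.M)
# A brace-wrapped GUID stored as UTF-16LE text, which is how both dumps hold it.
GUID_UTF16 = re.compile(rb"\{\x00(?:[0-9A-Fa-f-]\x00){36}\}\x00")
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def dump_to_bytes(dump):
    """Rebuild raw bytes from hex-dump rows, ignoring the ASCII column."""
    return b"".join(bytes.fromhex(m.group(2)) for m in ROW.finditer(dump))


def find_guids(blob):
    """Return every UTF-16LE GUID string in the blob as a uuid.UUID."""
    return [uuid.UUID(m.group().decode("utf-16-le"))
            for m in GUID_UTF16.finditer(blob)]


def describe(u):
    """Decode the fields a version-1 UUID reveals about the generating host."""
    if u.variant != uuid.RFC_4122 or u.version != 1:
        # Other versions (for example random v4) carry no host address or clock.
        return {"guid": str(u).upper(), "version": u.version, "node": None,
                "node_is_hardware": False, "created_utc": None}
    node = u.node.to_bytes(6, "big")
    return {
        "guid": str(u).upper(),
        "version": 1,
        "node": "-".join(f"{b:02X}" for b in node),
        # RFC 4122: a randomly chosen node ID must set the multicast bit,
        # so a clear bit suggests (but does not prove) a real adapter address.
        "node_is_hardware": not (node[0] & 0x01),
        # The timestamp is a 60-bit count of 100 ns ticks since 1582-10-15.
        "created_utc": UUID_EPOCH + timedelta(microseconds=u.time // 10),
    }


def group_by_node(*blobs):
    """Group every version-1 GUID found in the blobs by its node field."""
    groups = {}
    for blob in blobs:
        for u in find_guids(blob):
            info = describe(u)
            if info["node"]:
                groups.setdefault(info["node"], []).append(info)
    return groups


if __name__ == "__main__":
    blobs = [dump_to_bytes(d) for d in (DOC_PROPERTY_DUMP, VBA_PROJECT_DUMP)]
    for node, guids in group_by_node(*blobs).items():
        kind = "hardware-style" if guids[0]["node_is_hardware"] else "random"
        print(f"node {node} ({kind}) appears in {len(guids)} GUID(s)")
        for g in guids:
            print("   ", g["guid"], g["created_utc"].isoformat())
```

A shared node value only ties the two GUIDs to the same generating machine; a node with the multicast bit set would be a random value and would tie them to nothing.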


Dmitry Gryaznov

Mar 27, 1999, 3:00:00 AM

Huh? Why "a few days"? The ZIP file with that infected LIST.DOC was posted to
alt.sex on 26 March 1999 at 12:15:53 GMT, that is 26 March 1999 04:15:53 PST.
Dr Solomon's Virus Patrol posted its warning on 27 March 1999 01:36:11 GMT,
that is 26 March 1999 17:36:11 PST. In other words, it's a few *hours* later,
not *days*.


> I did some "dumpster diving" in the list.doc file and found
> the following revision log in the file:
>
> 3360:07 00 FF FF 06 00 00 00 0B 00 4A 00 6F 00 68 00 ........|..J.o.h.
> 3370:6E 00 20 00 48 00 6F 00 6C 00 6D 00 65 00 73 00 n. .H.o.|l.m.e.s.
> 3380:19 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 ..C.:.\.|W.I.N.D.
> 3390:4F 00 57 00 53 00 5C 00 44 00 65 00 73 00 6B 00 O.W.S.\.|D.e.s.k.
> 33A0:74 00 6F 00 70 00 5C 00 50 00 30 00 2E 00 64 00 t.o.p.\.|P.0...d.
> 33B0:6F 00 63 00 0B 00 4A 00 6F 00 68 00 6E 00 20 00 o.c...J.|o.h.n. .
> 33C0:48 00 6F 00 6C 00 6D 00 65 00 73 00 1F 00 43 00 H.o.l.m.|e.s...C.
> 33D0:3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 :.\.W.I.|N.D.O.W.
> 33E0:53 00 5C 00 44 00 65 00 73 00 6B 00 74 00 6F 00 S.\.D.e.|s.k.t.o.
> 33F0:70 00 5C 00 4C 00 69 00 73 00 74 00 30 00 38 00 p.\.L.i.|s.t.0.8.
> 3400:31 00 39 00 2E 00 64 00 6F 00 63 00 03 00 48 00 1.9...d.|o.c...H.
> 3410:69 00 6D 00 1B 00 43 00 3A 00 5C 00 57 00 49 00 i.m...C.|:.\.W.I.
> 3420:4E 00 44 00 4F 00 57 00 53 00 5C 00 44 00 65 00 N.D.O.W.|S.\.D.e.
> 3430:73 00 6B 00 74 00 6F 00 70 00 5C 00 6C 00 69 00 s.k.t.o.|p.\.l.i.
> 3440:73 00 74 00 2E 00 64 00 6F 00 63 00 FF 40 01 80 s.t...d.|o.c..@..
>
> Looks like "Mr. Holmes" is running Windows 95 or 98. I wonder who

As I've been informed, John Holmes was a popular porno star. Died some
time ago. No wonder his name was used by whoever compiled the list
of porno sites.

> "Him" is? Also, the file has been named "p0.doc", "List0819.doc",
> and finally "list.doc".

Which says that whoever that "John Holmes" might be it was not him
who infected the file and then posted it.

According to Dr Solomon's Virus Patrol logs, the same AOL account -
skyr...@aol.com - was used for similar purpose in December 1997.
That is, to distribute through Usenet a document (another list of sites)
infected with then new W97M/Blee.B virus. A search through Dejanews on
Usenet postings from skyr...@aol.com shows that there were some postings
to a number of newsgroups (cracks and sex related) from that account
in late December 1997 and then nothing till yesterday, 26 March 1999.
Over a year of silence broken only to spread another virus.

--
Sincerely,
Dmitry O. Gryaznov
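
The revision log quoted above can be decoded rather than read off the ASCII column. This is an added example, not part of either post: it parses the dumped table into (author, path) save records and compares two copies of a document to see which saves were appended in between. The table layout is inferred from the dump itself, and the extra record in the "later copy" is constructed for illustration.

```python
import re

# Hex-dump rows copied from the post (offset:16 bytes, then an ASCII column).
REVISION_LOG_DUMP = r"""
3360:07 00 FF FF 06 00 00 00 0B 00 4A 00 6F 00 68 00 ........|..J.o.h.
3370:6E 00 20 00 48 00 6F 00 6C 00 6D 00 65 00 73 00 n. .H.o.|l.m.e.s.
3380:19 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 ..C.:.\.|W.I.N.D.
3390:4F 00 57 00 53 00 5C 00 44 00 65 00 73 00 6B 00 O.W.S.\.|D.e.s.k.
33A0:74 00 6F 00 70 00 5C 00 50 00 30 00 2E 00 64 00 t.o.p.\.|P.0...d.
33B0:6F 00 63 00 0B 00 4A 00 6F 00 68 00 6E 00 20 00 o.c...J.|o.h.n. .
33C0:48 00 6F 00 6C 00 6D 00 65 00 73 00 1F 00 43 00 H.o.l.m.|e.s...C.
33D0:3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 :.\.W.I.|N.D.O.W.
33E0:53 00 5C 00 44 00 65 00 73 00 6B 00 74 00 6F 00 S.\.D.e.|s.k.t.o.
33F0:70 00 5C 00 4C 00 69 00 73 00 74 00 30 00 38 00 p.\.L.i.|s.t.0.8.
3400:31 00 39 00 2E 00 64 00 6F 00 63 00 03 00 48 00 1.9...d.|o.c...H.
3410:69 00 6D 00 1B 00 43 00 3A 00 5C 00 57 00 49 00 i.m...C.|:.\.W.I.
3420:4E 00 44 00 4F 00 57 00 53 00 5C 00 44 00 65 00 N.D.O.W.|S.\.D.e.
3430:73 00 6B 00 74 00 6F 00 70 00 5C 00 6C 00 69 00 s.k.t.o.|p.\.l.i.
3440:73 00 74 00 2E 00 64 00 6F 00 63 00 FF 40 01 80 s.t...d.|o.c..@..
"""

ROW = re.compile(r"^([0-9A-Fa-f]{4,8}):((?:[0-9A-Fa-f]{2} ?){16})", re.M)


def dump_to_bytes(dump):
    """Rebuild raw bytes from hex-dump rows, ignoring the ASCII column."""
    return b"".join(bytes.fromhex(m.group(2)) for m in ROW.finditer(dump))


def u16(buf, pos):
    """Read a little-endian 16-bit value, refusing to read past the end."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated table at offset {pos:#x}")
    return int.from_bytes(buf[pos:pos + 2], "little")


def parse_saved_by(buf, start):
    """Parse the string table at `start` into (author, path) save records.

    Layout assumed from the dump: FF FF marker, 16-bit string count,
    16-bit per-string extra size, then length-prefixed UTF-16LE strings.
    """
    if u16(buf, start) != 0xFFFF:
        raise ValueError("no FF FF marker: not a UTF-16 string table")
    count, extra = u16(buf, start + 2), u16(buf, start + 4)
    if count % 2:
        raise ValueError("odd string count: author/path pairs expected")
    pos, strings = start + 6, []
    for _ in range(count):
        nbytes = u16(buf, pos) * 2          # the prefix counts characters
        pos += 2
        if pos + nbytes + extra > len(buf):
            raise ValueError(f"string overruns buffer at offset {pos:#x}")
        strings.append(buf[pos:pos + nbytes].decode("utf-16-le"))
        pos += nbytes + extra
    return list(zip(strings[0::2], strings[1::2]))


def new_saves(older, newer):
    """Records appended in `newer` if it extends `older`, else None."""
    if newer[:len(older)] != older:
        return None                         # histories diverge: different lineage
    return newer[len(older):]


def build_table(records):
    """Serialise records in the same layout (only used to build sample input)."""
    strings = [s for rec in records for s in rec]
    out = b"\xff\xff" + len(strings).to_bytes(2, "little") + b"\x00\x00"
    for s in strings:
        out += len(s).to_bytes(2, "little") + s.encode("utf-16-le")
    return out


# The table starts 2 bytes into the dump, at the FF FF marker.
ORIGINAL = parse_saved_by(dump_to_bytes(REVISION_LOG_DUMP), 2)
# Constructed sample: one extra save by a made-up user stands in for the later copy.
LATER = parse_saved_by(
    build_table(ORIGINAL + [("Example User", r"C:\TEMP\list.doc")]), 0)

if __name__ == "__main__":
    for author, path in ORIGINAL:
        print(f"{author!r:16} saved {path}")
    print("appended since first copy:", new_saves(ORIGINAL, LATER))
```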

Patrick Nolan, VSA

Mar 27, 1999, 3:00:00 AM
"Sky Roket" also has an online profile on AOL - if any of the information in
the profile is accurate, shouldn't take too long to locate him, that is if
anyone is looking for him.
--
Regards,

Patrick Nolan
Virus Support Analyst
AVERT, a division of NAI Labs

Main Page: http://www.nai.com
AVERT: http://www.avertlabs.com


Richard M. Smith wrote in message <36FD69A9...@tiac.net>...


>Hello,
>
>I've been doing some research on the Web to try to track down
>the author of the Melissa macro virus. Here is what I
>found so far.
>
>The earliest reference I found to the virus is this posting
>on 3/26 by "Sky Roket"
>
>Path: newsflash!news-peer1.tiac.net!news-feed1.tiac.net!newshub.northeast.verio.net!
>cpk-news-hub1.bbnplanet.com!news.gtei.net!newsfeed.cwix.com!152.163.199.19!
>portc03.blue.aol.com!audrey01.news.aol.com!not-for-mail
>From: skyr...@aol.com (Sky Roket)
>Newsgroups: alt.sex
>Subject: Passcode List 3-26-99
>Lines: 283
>NNTP-Posting-Host: ladder05.news.aol.com
>X-Admin: ne...@aol.com
>Date: 26 Mar 1999 12:15:53 GMT
>Organization: AOL http://www.aol.com
>Message-ID: <19990326071553...@ng-cg1.aol.com>
>Xref: newsflash alt.sex:1680745
>
>_=_
>_=_ Part 001 of 001 of file list.zip
>_=_
>

[cut][cut]

Dmitry Gryaznov

Mar 27, 1999, 3:00:00 AM
"Richard M. Smith" wrote:

>
> Dmitry Gryaznov wrote:
>
> > According to Dr Solomon's Virus Patrol logs, the same AOL account -
> > skyr...@aol.com - was used for similar purpose in December 1997.
> > That is, to distribute through Usenet a document (another list of sites)
> > infected with then new W97M/Blee.B virus.
>
> Interesting. What sorts of things did the Blee.B virus do?

Nothing of the kind Melissa does.

> Do you have a copy of the file, BTW? Might be interesting to
> compare GUIDs.

I did. They are different.

> Also, why didn't AOL shut down the account back in 1997?

Why would they?

Anthony Simek

Mar 27, 1999, 3:00:00 AM
This is totally unethical. Posting information from someone's online
profile of an ISP is just plain old wrong. This is likely not a virus
creator.

THINK BEFORE YOU POST!

<fred_...@my-dejanews.com> wrote in message
news:7dkepj$aa3$1...@nnrp1.dejanews.com...
> Sorry I didn't quote anything but I went onto my AOL screen name (Standz6270)
> and looked up Sky Roket's member profile just for the heck of it. I don't know
> if it has anything to do with anything but this is what I found
>
> Member Name: SCOTT STEINMETZ-
> Location: Lynnwood WA-
> Birthdate: 2-25-62
> Sex: Male
> Marital Status: Married
> Hobbies: Historical Gamming, Miniature Gamming, and of coarse computers
> Computers: AST Pentium
> Occupation: Civil engineer
> Personal Quote: Be happy in all you do
>
> I doubt any of this matters but I figured I might as well post it just in
> case. Good luck all!
>
> Sincerely,
> Brian
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own

fred_...@my-dejanews.com

Mar 28, 1999, 3:00:00 AM

Richard M. Smith

Mar 28, 1999, 3:00:00 AM
Dmitry Gryaznov wrote:

> According to Dr Solomon's Virus Patrol logs, the same AOL account -
> skyr...@aol.com - was used for similar purpose in December 1997.
> That is, to distribute through Usenet a document (another list of sites)
> infected with then new W97M/Blee.B virus.

Interesting. What sorts of things did the Blee.B virus do?

Do you have a copy of the file, BTW? Might be interesting to
compare GUIDs.

Also, why didn't AOL shut down the account back in 1997?

Richard


TWB

Mar 28, 1999, 3:00:00 AM
The Author is probably gonna turn out to be this guy's 10 year old
kid.


On Sat, 27 Mar 1999 23:58:16 -0700, "Anthony Simek"
<asime...@email.msn.com> wrote:

>This is totally unethical. Posting information from someone's online
>profile of an ISP is just plain old wrong. This is likely not a virus
>creator.
>
>THINK BEFORE YOU POST!
>
><fred_...@my-dejanews.com> wrote in message
>news:7dkepj$aa3$1...@nnrp1.dejanews.com...

Julian Haley

Mar 28, 1999, 3:00:00 AM
Unethical? This is the PUBLIC information accessible by anyone which the
user voluntarily posted in his profile

where is the breach of ethics?

THINK BEFORE YOU BERATE!


Anthony Simek <asime...@email.msn.com> wrote in message
news:#MAzImOe#GA.212@upnetnews05...

Bobo

Mar 28, 1999, 3:00:00 AM
On Sun, 28 Mar 1999 09:22:15 GMT, "Julian Haley"
<jhaley@*nononospam*scandura.net> said:

>Unethical? This is the PUBLIC information accessible by anyone which the
>user voluntarily posted in his profile
>
>where is the breach of ethics?

I was hoping someone would point this out.

Look, if you put up an online profile, you must expect that other people will
see it.

If you don't have an unlisted number, did you know that millions of people,
the whole world really, can find out your phone number and call you? Wow!

Posting of public information, especially information you specifically make
public *yourself*, is neither illegal nor unethical.

On the other hand, if someone hacked into a site, grabbed your Social Security
Number, then posted that on Usenet...well, that would be wrong.

Richard M. Smith

Mar 28, 1999, 3:00:00 AM
TWB wrote:

> The Author is probably gonna turn out to be this guy's 10 year old
> kid.

Yep. Or the online profile is a fake. Or the Email address in
the newsgroup posting is fake. Or the account was stolen
by an outsider. Lots of possibilities here.

The original newsgroup message which contained the Melissa virus does
appear to have come from an AOL newsserver. Does
anyone know with AOL if it is possible to use an arbitrary
"From" address when posting a newsgroup message?

Richard

Anthony Simek

Mar 28, 1999, 3:00:00 AM
I stand by my comments that it is UNETHICAL. I would love to see your
reaction if I posted information about yourself under the guise of mob
mentality.....

THINK BEFORE YOU POST!

Lord Natas <Use-Author-Address-Header@[127.1]> wrote in message
news:1999032815092...@anon.efga.org...
> On Sat, 27 Mar 1999 18:28:41 -0500 "Richard M. Smith" <smi...@tiac.net> wrote:
>
> >Hello,
> >
> >I've been doing some research on the Web to try to track down
> >the author of the Melissa macro virus. Here is what I
> >found so far.
>
> <snip>
>
> So, another stalker? It is always a sad thing to see when
> people have absolutely nothing else to do with their time.
>
> And people ask me why I use anonymous remailers...
>
> "Whoever fights monsters should see to it that in the process he does not
> become a monster. And when you look long into an abyss. The abyss also looks
> into you" -Nietzsche
>
> Look down on me, you will see a fool
> Look up at me, you will see your lord
> Look straight at me, you will see yourself. -Charles Manson

Anthony Simek

Mar 28, 1999, 3:00:00 AM
Julian,

You are quite correct that it is public information. You have changed my
mind about posting publicly available information.

By 1984, Scandura had grown to be ranked the fifth largest producer of
conveyor belts in the United States. The following year, the company
acquired the conveyor belting business of Uniroyal comprising two plants:
one in Port Clinton and the other in Bracebridge, Ontario.

So, how's the plant old chum? I feel like I know all about you....

Julian Haley <jhaley@*nononospam*scandura.net> wrote in message
news:bxmL2.3011$F91.1...@news1.mco...


> Unethical? This is the PUBLIC information accessible by anyone which the
> user voluntarily posted in his profile
>
> where is the breach of ethics?
>
>
>

Sherry

Mar 28, 1999, 3:00:00 AM
From my experience with AOL, no, you can't change your e-mail address
from your scree...@aol.com. Possibly you can use a third-party e-mail
program, dunno - never tried it.

But if this person had a vendetta against someone, then he/she certainly
could use sky roket's AOL address in his e-mailer so everyone would
think it came from sky roket. I use a different domain for my newsgroup
postings than for my e-mail just to keep spamming away from my "good"
address 8-)

However, it is possible that sky roket is *really* dumb - who would post
a virus and leave a trail to himself???? Criminals have been known to
do that!

Sherry

Bill Arnold

Mar 28, 1999, 3:00:00 AM
Lord Natas wrote:
> So, another stalker? It is always a sad thing to see when
> people have absolutely nothing else to do with their time.
>
> And people ask me why I use anonymous remailers...

It's possible the original poster was simply pissed off that he was called
in to work a 50 hour weekend securing mail systems etc. He has *my* sympathy,
entirely; the twit who released W97M/Melissa should be prosecuted. And if
convicted, maybe not jailed, but definitely at least ordered to do community
service. (I do not feel the same way about some other viruses; the
premeditated scale of spread of this one is the issue.)

-Bill Arnold

Richard M. Smith

Mar 28, 1999, 3:00:00 AM
Sherry wrote:

> However, it is possible that sky roket is *really* dumb - who would post
> a virus and leave a trail to himself???? Criminals have been known to
> do that!

BTW, "Mr. Skyroket" pulled similar stunts back in Dec. 1997 with
at least three other Word macro viruses:

http://x6.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=311346692&CONTEXT=922643094.712507465&hitnum=38
http://x6.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=310059412&CONTEXT=922643094.712507465&hitnum=37
http://x6.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=311142132&CONTEXT=922643094.712507465&hitnum=36

From the last link, it looks like the AOL profile hasn't changed since Dec. 1997.

I'm a bit surprised that AOL didn't yank his account at the time.
I'm even more surprised that he is still using the account.

Richard

Julian Haley

Mar 28, 1999, 3:00:00 AM
lol

but things are not always as they seem.... i don't work for Scandura..

btw... How's the weather in Arizona? :)

Julian

Anthony Simek <asime...@email.msn.com> wrote in message

news:#ekwQvTe#GA....@upnetnews02.moswest.msn.net...

Pierre Vandevenne

Mar 28, 1999, 3:00:00 AM
In article <36FE61...@ix.netcom.com>, Bill Arnold <bar...@ix.netcom.com> wrote:

>released W97M/Melissa should be prosecuted. And if convicted, maybe not
>jailed, but definitely at least ordered to do community service.

Community service is an appropriate sentence, yes. One should be extremely
careful though. Misidentifications are possible, as well as exploitation by
a-v companies, for marketing purposes. It happened in the past, when Mr Pile
was prosecuted : a lot of resources were dedicated to the search for people
who had suffered damage... for a virus/kit that wasn't widespread at all to
say the least... The whole story was highly publicized and served a-v
companies well, giving them a "crime fighter" aura...

>(I do not feel the same way about some other viruses; the premeditated
>scale of spread of this one is the issue.)

It should also be remembered that the design of the Word document is not
sensible from a security point of view, that the scale of the spread has a lot
to do with its quasi monopolistic hold on the market, a monopoly that owes a
lot to what appears to be considered by the US government as unfair business
practices. Then of course, people shouldn't be downloading attachments from
alt.sex during their working hours. They shouldn't want to steal their access
to these sites either btw, as it is pure and simple theft. ( I know this point
is going to be a bit controversial, but heck, those guys pay taxes, work with
credit card companies, have legitimate businesses, pay bandwidth, license
software and represent a very sizeable part of the e-business nowadays )

The first thing to worry about would be forcing the design into a sensible
one. Until this is done, user education would seem to be the best policy.


Pierre

---
Pierre Vandevenne
www.datarescue.com, home of the IDA Pro Disassembler
Version 3.84 released - Pentium III, Hitachi SH-4, Atmel AVR
Folding, Improved analysis, FLIRT and FLAIR, & much more...


Standz6270

Mar 28, 1999, 3:00:00 AM
>Unethical? This is the PUBLIC information accessible by anyone which the
>user voluntarily posted in his profile
>
>where is the breach of ethics?
>
>
>
>THINK BEFORE YOU BERATE!
>

That's exactly what I'm saying. It's on AOL all you have to do is go on and
search the member profiles and it's there. So what if I posted it? If he didn't
want anyone to ever know about himself then why would it be there?

Bill Arnold

Mar 28, 1999, 3:00:00 AM
Pierre Vandevenne wrote:
> Community service is an appropriate sentence, yes. One should be extremely
> careful though. Misidentifications are possible, as well as exploitation by
> a-v companies, for marketing purposes. It happened in the past, when Mr Pile
> was prosecuted : a lot of resources were dedicated to the search for people
> who had suffered damage... for a virus/kit that wasn't widespread at all to
> say the least... The whole story was highly publicized and served a-v
> companies well, giving them a "crime fighter" aura...
Yes, true in Pile's case. I've always thought that that case was a serious
overreaction. W97M/Melissa is another story. It and its variants will cause
a lot of genuine monetary damages. Hopefully no human injuries but you never
know.

>
> It should also be remembered that the design of the Word document is not
> sensible from a security point of view, that the scale of the spread has a lot
Completely agree; there is no reason that Word documents should be able to
play with the registry, do bulk email, or for that matter do anything they
want that a program can do, within whatever access controls are applied,
which is none for Windows 9X.

> to do with its quasi monopolistic hold on the market, a monopoly that owes a
> lot to what appears to be considered by the US government as unfair business
A monopoly, yes, but also a vendor that seems clueless about security and calls
every new problem an "exploit" when in fact the serious problems are mostly due
to applications that are far too powerful, and linkages between these applications.

> practices. Then of course, people shouldn't be downloading attachments from
> alt.sex during their working hours. They shouldn't want to steal their access
> to these sites either btw, as it is pure and simple theft. ( I know this point
> is going to be a bit controversial, but heck, those guys pay taxes, work with
> credit card companies, have legitimate businesses, pay bandwidth, license
> software and represent a very sizeable part of the e-business nowadays )
Completely agree. Theft is theft.

>
> The first thing to worry about would be forcing the design into a sensible
> one. Until this is done, user education would seem to be the best policy.
Agree with first point, disagree with second; user education seems to have
very little real effect. Combination of user education and technical measures
is a better defense. I hope Microsoft learned a lesson, though there is a
disquieting quote from them in today's New York Times:
"Officials from Microsoft say they were not certain of the magnitude of the
virus and emphasized that it could easily be disarmed. Adam Sohn, a company
spokesman, said, 'If folks are careful about what runs on their machine,
they'll always be fine'."
This from a company that was undergoing email server meltdown at the time.
Maybe Adam Sohn doesn't do email.

-Bill Arnold

Jeffrey A. Setaro

Mar 28, 1999, 3:00:00 AM
In article <36FEAE...@ix.netcom.com>, bar...@ix.netcom.com says...

> Pierre Vandevenne wrote:
> > Community service is an appropriate sentence, yes. One should be extremely
> > careful though. Misidentifications are possible, as well as exploitation by
> > a-v companies, for marketing purposes. It happened in the past, when Mr Pile
> > was prosecuted : a lot of resources were dedicated to the search for people
> > who had suffered damage... for a virus/kit that wasn't widespread at all to
> > say the least... The whole story was highly publicized and served a-v
> > companies well, giving them a "crime fighter" aura...
>
> Yes, true in Pile's case. I've always thought that that case was a serious
> overreaction. W97M/Melissa is another story. It and its variants will cause
> a lot of genuine monetary damages. Hopefully no human injuries but you never
> know.

Too late... I had a client that got so frustrated with the stupidity of
his users that he broke his foot while kicking a trash can.

--
Cheers-

Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99

Bill Arnold

Mar 28, 1999, 3:00:00 AM
Jeffrey A. Setaro wrote:
> > a lot of genuine monetary damages. Hopefully no human injuries but you never
> > know.
>
> Too late... I had a client that got so frustrated with the stupidity of
> his users that he broke his foot while kicking a trash can.
Were you able to suppress a laugh? :-)
As Bruce Lee said, "Trash cans don't hit back."

-Bill Arnold

Anthony Simek

Mar 28, 1999, 3:00:00 AM
Julian,

You likely work for scandura,

Domain Name: SCANDURA.NET

Administrative Contact:
Haley, Julian (JH12060) webm...@SCANDURA.CA
704-334-5353 x419 (FAX) 704-334-1733
Technical Contact, Zone Contact:
Domain Administrator (DA91-ORG) doma...@STAFF.INTERLOG.COM
416-920-2655 Ext. 2242
Fax- 416-975-9639
Billing Contact:
Haley, Julian (JH12060) webm...@SCANDURA.CA
704-334-5353 x419 (FAX) 704-334-1733

Oh and the weather's great!

Tony


Anthony Simek

Mar 28, 1999, 3:00:00 AM
In any event, this is my final post on the subject. I am not going to
bicker with Julian Haley who thinks it's appropriate to post online
"profile" details and suggest that this be the virus author.

It is ultimately irresponsible to publish information in this newsgroup
about someone with the obvious slant of revenge, payback, etc.

This person's profile that was listed is likely not a virus writer, and by
publishing this person's account details, you only seek to have a probably
innocent person harassed.

Your position is indefensible unless you really think that you are the
protector of the internet world by simply revealing data available in public
databases...

I won't conclude with asking you to think before you post Julian. There is
simply no point. Consider yourself added to the plonk list.

Jeffrey A. Setaro

Mar 28, 1999, 3:00:00 AM
In article <36FEE1...@ix.netcom.com>, bar...@ix.netcom.com says...

> Jeffrey A. Setaro wrote:
> > > a lot of genuine monetary damages. Hopefully no human injuries but you never
> > > know.
> >
> > Too late... I had a client that got so frustrated with the stupidity of
> > his users that he broke his foot while kicking a trash can.
> Were you able to suppress a laugh? :-)

Almost... But not quite.

> As Bruce Lee said, "Trash cans don't hit back."
>

Trash cans may not hit back but when they're filled with twenty or so
pounds of trash they don't move either. :-)

Pierre Vandevenne

Mar 29, 1999, 3:00:00 AM
In article <MPG.116887805...@nntp.sprynet.com>, jase...@sprynet.com (Jeffrey A. Setaro) wrote:

>Too late... I had a client that got so frustrated with the stupidity of
>his users that he broke his foot while kicking a trash can.

I doubt this is legal anyway - Apple owns the trash can(TM) concept.

Patricia A. Shaffer

Mar 29, 1999, 3:00:00 AM
On Sun, 28 Mar 1999 12:58:22 -0500, "Richard M. Smith" <smi...@tiac.net>
wrote:

Well, then you have to wonder if anyone bothered to report it back then,
or now ... if not, AOL can't do anything. So, just for the heck of it,
I'm sending a copy of this posting to them. Someone keeping an eye on
that account?

--
Patricia

Proud Citizen of the Commonwealth of Virginia
"Anti-spammers are the immune system of the Internet." CDR M. Dobson
"The issue is consent, not content." Crosscut
"Opt-out is cave-in." me
Help Outlaw UCE! http://www.cauce.org


Standz6270

Mar 29, 1999, 3:00:00 AM
>In any event, this is my final post on the subject. I am not going to
>bicker with Julian Haley who thinks it's appropriate to post online
>"profile" details and suggest that this be the virus author.

It was just a small theory. The name Sky Ro...@aol.com had been used before.

>It is ultimately irresponsible to publish information in this newsgroup
>about someone with the obvious slant of revenge, payback, etc.

Where did you get that?


>This person's profile that was listed is likely not a virus writer, and by
>publishing this person's account details, you only seek to have a probably
>innocent person harassed.

If that isn't the person who wrote it, the person that used his account name
was seeking to have an innocent person harassed, not us.

>Your position is indefensible unless you really think that you are the
>protector of the internet world by simply revealing data available in public
>databases...

Who the Hell are you to say that? Who gives you the right to say that we're
wrong and you're not? We're using our opinions and our judgement just the same
way as you are! You think those things were unethical but plenty of others
don't. You think that those reasons are why the profile was posted, you're
wrong. Are you me? Are you Julian? No, I don't think you are. Therefore you
don't have the slightest idea what either of us are thinking. So you can just
butt out!

>I won't conclude with asking you to think before you post Julian. There is
>simply no point. Consider yourself added to the plonk list.

I consider that to be childish. But hey, it's just my opinion.

Richard M. Smith

Mar 29, 1999, 3:00:00 AM
Lord Natas wrote:

> And people ask me why I use anonymous remailers...

I don't recommend them. They have a security hole in them that
can reveal your identity if someone wants to go through the
trouble.

Speaking of revealing identities, certain virus writers probably
want to install this Office 97 patch:

http://officeupdate.microsoft.com/nonIE4/DownloadDetails/oleupdnonie4.htm

Richard

pcg...@the-answer.com

Mar 29, 1999, 3:00:00 AM
In article <7dkepj$aa3$1...@nnrp1.dejanews.com>,

fred_...@my-dejanews.com wrote:
> Sorry I didn't quote anything but I went onto my AOL screen name (Standz6270)
> and looked up Sky Roket's member profile just for the heck of it. I don't know
> if it has anything to do with anything but this is what I found
>
...
>
> Sincerely,
> Brian
>
People who read and post in alt.fan.cocksucking should be more careful about
posting public information Brian!

I suspect that Sky Roket may have just been a compromised account that the
virus author borrows from time to time. Since the latest postings have now
disappeared from Dejanews (I assume they have been cancelled) I can't say
more about their authorship. However it would appear that the December 1997
postings reveal a very similar modus operandi - a list of passwords to adult
sites. It might be interesting to check for other messages with a similar
subject.

By the way Brian, did you ever get the password crack for the Playboy site you
were looking for? :-) Since you installed IE5 since then, I wasn't able to tell
by looking on your computer. <g,d&r>

Finally, while Dr Solomon's usenet postings of virus alerts are useful, this
incident reveals that it only scans for known viruses - the alert mentioned
on 27 March, was in fact in response to a copy posted at 8:20pm EST on 26th
March, when it was already the 27th in England! The warning was published at
1.34am GMT - just 14 minutes later if I have the time zones right. The
scanner only picked up the posting after Melissa was added to their virus
list. I can't help but feel that if Alan Solomon still ran the company, it
would be detecting ANY suspicious macro found in newsgroup attachments and
might have stopped this outbreak before it started. But of course then NAI
wouldn't have a rush of new orders for their Exchange Server virus scanner!

Paul

Susan Lesch

Mar 29, 1999, 3:00:00 AM
In article <MPG.11680bbee...@news.srv.ualberta.ca>,
gwe...@ualberta.ca (George Wenzel) wrote:

> The information is in the public domain; no breach of trust
> has occurred.
[snip]
> If I post some information to this newsgroup, and somebody re-posts it to
> another newsgroup, or a web page, or puts it in a magazine, they have not
> violated my privacy in any way; they have just redistributed information
[snip]

Perhaps not one's _privacy_ (because I could, for example, verbally
relate to my neighbor what a Usenet post of yours said), but, in most
countries, one's copyright may have been violated. I frown on copying
text and republishing it on the Internet or WWW without permission of
the author, except within fair use guidelines. Though I am not a
lawyer, I researched and wrote a 1994 article: "Your Work On TV? A View
From The USA" <http://db.tidbits.com/getbits.acgi?tbart=01948>; (it has
a few bloopers, one being the number of countries who had agreed to the
Berne Convention). Text on AOL message boards _was_ public domain in
1994. I am no longer an AOL member so I cannot double-check for you,
but I do know that AOL terms of service changed: Text posted to AOL,
including message boards and chat rooms, is the copyrighted property of
(1) AOL, _and_ (2) the author.

--
Susan Lesch
http://www.macvirus.com/

cj...@my-dejanews.com

Mar 29, 1999, 3:00:00 AM
In article <7dn9nd$htc$1...@nnrp1.dejanews.com>,

pcg...@the-answer.com wrote:
> Finally, while Dr Solomon's usenet postings of virus alerts are useful, this
> incident reveals that it only scans for known viruses - the alert mentioned
> on 27 March, was in fact in response to a copy posted at 8:20pm EST on 26th
> March, when it was already the 27th in England! The warning was published at
> 1.34am GMT - just 14 minutes later if I have the time zones right. The
> scanner only picked up the posting after Melissa was added to their virus
> list. I can't help but feel that if Alan Solomon still ran the company, it
> would be detecting ANY suspicious macro found in newsgroup attachments and
> might have stopped this outbreak before it started. But of course then NAI
> wouldn't have a rush of new orders for their Exchange Server virus scanner!

Of course the warning was sent only after the detection was encoded. How else
would the warning know the name of the virus?

But the process does pull down all attachments to see if there are any
macros, and thus any potential for it to be a virus. Then the macros are
tested to see if they're viral...

Jimmy

kurt wismer

Mar 29, 1999, 3:00:00 AM
On 28 Mar 1999, Lord Natas wrote:

> On Sat, 27 Mar 1999 18:28:41 -0500 "Richard M. Smith" <smi...@tiac.net> wrote:
>
> >Hello,
> >
> >I've be doing some research on the Web to try to track down
> >on the author of the Melissa macro virus. Here is what I
> >found so far.
>

> <snip>


>
> So, another stalker? It is always a sad thing to see when
> people have absolutely nothing else to do with their time.
>

> And people ask me why I use anonymous remailers...
>

> "Whoever fights monsters should see to it that in the process he does not
> become a monster. And when you look long into an abyss. The abyss also looks
> into you" -Nietzsche
>
> Look down on me, you will see a fool
> Look up at me, you will see your lord
> Look straight at me, you will see yourself. -Charles Manson

uh huh... good work... quote not one but 2 people who went completely
insane...

--
"when the truth walks away everybody stays
cause the truth about the world is that crime does pay
so if you walk away who is going to stay
cause i'd like to make the world be a better place"


Dmitry Gryaznov

Mar 29, 1999, 3:00:00 AM
pcg...@the-answer.com wrote:
>
> In article <7dp01l$2l6$1...@nnrp1.dejanews.com>,

> cj...@my-dejanews.com wrote:
> >
> > Of course the warning was sent only after the detection was encoded. How else
> > would the warning know the name of the virus?
> >
> > But the process does pull down all attachments to see if there are any
> > macros, and thus any potential for it to be a virus. Then the macros are
> > tested to see if they're viral...
> >
> > Jimmy
>
> Well the little known Slovakian AV program DOM managed to name the virus
> without updates, perhaps because the name is in the code!
>
> You don't say if you work for NAI/Dr S, but if Dr Solomon's Virus Patrol was
> looking at all attachments to see if they contained a macro, it should have
> warned of this virus as soon as it was first posted. It didn't.

Jimmy Kuo does work for NAI and so do I, the author of Virus Patrol. You
simply don't understand how Virus Patrol works. It goes through thousands
of newsgroups, downloading often gigabytes of data, "detaches" binary
attachments and scans them. It does mark as suspicious any document with
*any* macros in it. Then I look at the documents. Because of the huge
amount of data to download and scan and given the limited network bandwidth,
it takes many hours for Virus Patrol to go through all the thousands of newsgroups
it scans. Thus the delay with its warnings.


--
Sincerely,
Dmitry O. Gryaznov

Richard M. Smith

Mar 29, 1999, 3:00:00 AM
Secret Squirrel wrote:

> Richard M. Smith wrote:
> >I don't recommend them. They have a security hole in them that
> >can reveal your identity if someone wants to go through the trouble.
>

> Care to elaborate, Richard?

Nope, it's an exercise left to the reader :-)

> I'm using three remailers chained together and encrypting the message
> with PGP.

Yes, so what.....

Richard

Standz6270

Mar 30, 1999, 3:00:00 AM
>People who read and post in alt.fan.cocksucking should be more careful about
>posting public information Brian!

Doesn't hurt me. I honestly have let my friends use this name before. But
anyway, I'm not bothered.

>By the way Brian, did you ever get the password crack for the Playboy site you
>were looking for? :-) Since you installed IE5 since then, I wasn't able to tell
>by looking on your computer.

That time someone got my password and changed it, luckily I had Standz6270 as
my real e-mail addy so I could get that password. But still, you've already
posted it and anyone can see it so I don't care. Installed IE5 since then? I've
had IE5 for a long time, it's still that beta version tho since I haven't
gotten around to getting the final version or whatever. I can admit that it's
not very great to know that people can see everything you've ever done. But
that's life, you've made it public so live with it.

pcg...@the-answer.com

Mar 30, 1999, 3:00:00 AM
In article <7dp01l$2l6$1...@nnrp1.dejanews.com>,
cj...@my-dejanews.com wrote:
>
> Of course the warning was sent only after the detection was encoded. How else
> would the warning know the name of the virus?
>
> But the process does pull down all attachments to see if there are any
> macros, and thus any potential for it to be a virus. Then the macros are
> tested to see if they're viral...
>
> Jimmy

Well the little known Slovakian AV program DOM managed to name the virus
without updates, perhaps because the name is in the code!

You don't say if you work for NAI/Dr S, but if Dr Solomon's Virus Patrol was
looking at all attachments to see if they contained a macro, it should have
warned of this virus as soon as it was first posted. It didn't.

-----------== Posted via Deja News, The Discussion Network ==----------

Standz6270

Mar 30, 1999, 3:00:00 AM
>>>In any event, this is my final post on the subject. I am not going to
>>>bicker with Julian Haley who thinks it's appropriate to post online
>>>"profile" details and suggest that this be the virus author.
>>
>>It was just a small theory. The name Sky Ro...@aol.com had been used before.
>
>
>Theory, yes. Just a theory. But it may very well lead to problems for
>an innocent person.

>
>>>It is ultimately irresponsible to publish information in this newsgroup
>>>about someone with the obvious slant of revenge, payback, etc.
>>
>>Where did you get that?
>
>Common sense.

>
>>>This person's profile that was listed is likely not a virus writer, and by
>>>publishing this person's account details, you only seek to have a probably
>>>innocent person harassed.
>>
>>If that isn't the person who wrote it, the person that used his account name
>>was seeking to have an innocent person harassed, not us.
>
>Oh, ok. So if someone pours the gasoline, it's ok to light the match since
>they were the ones who wanted to commit arson?

>
>>>Your position is indefensible unless you really think that you are the
>>>protector of the internet world by simply revealing data available in public
>>>databases...
>>
>>Who the Hell are you to say that? Who gives you the right to say that we're
>>wrong and you're not? We're using our opinions and our judgement just the same
>>way as you are! You think those things were unethical but plenty of others
>>don't. You think that those reasons are why the profile was posted, you're
>>wrong. Are you me? Are you Julian? No, I don't think you are. Therefore you
>>don't have the slightest idea what either of us are thinking. So you can just
>>butt out!
>
>If you were using your judgement, didn't you think for a moment that it could
>result in problems for an innocent person? Wouldn't it have been better not
>to take this risk? Have you heard the term 'innocent until proven guilty'?

>
>>>I won't conclude with asking you to think before you post Julian. There is
>>>simply no point. Consider yourself added to the plonk list.
>>
>>I consider that to be childish. But hey, it's just my opinion.
>
>Not wanting to read your posts is childish?

I'm not going to try anymore. It seems that this guy is a stubborn a$$. Why is
this person attacking me? He's wasting his time. The Melissa virus and the
author are still out there and he's attacking me for something he and a few
others are considering unethical. What's done is done. I think he should stop.
Thanks for hearing me out anyone and everyone. From this point on I'm going to
help in any way I can.

cj...@my-dejanews.com

Mar 30, 1999, 3:00:00 AM
In article <7dp76i$8sm$1...@nnrp1.dejanews.com>,

pcg...@the-answer.com wrote:
> In article <7dp01l$2l6$1...@nnrp1.dejanews.com>,
> cj...@my-dejanews.com wrote:
> >
> > Of course the warning was sent only after the detection was encoded. How else
> > would the warning know the name of the virus?
> >
> > But the process does pull down all attachments to see if there are any
> > macros, and thus any potential for it to be a virus. Then the macros are
> > tested to see if they're viral...
> >
> > Jimmy
>
> Well the little known Slovakian AV program DOM managed to name the virus
> without updates, perhaps because the name is in the code!
>
> You don't say if you work for NAI/Dr S, but if Dr Solomon's Virus Patrol was
> looking at all attachments to see if they contained a macro, it should have
> warned of this virus as soon as it was first posted. It didn't.

Oops. In the god-so-many postings I've made these few days, I forget to
identify myself once, and it has to be this one. I apologize. I am
jk...@nai.com. That's what my sig usually is.

The way we name things has all sorts of intricate rules, the basis of which
is, "First one who names it and tells everyone else, wins." :-) So, it
doesn't have to be based on anything in particular, although we try to make
it meaningful. And a virus that's widely in the wild, we try to name it by
whatever the people would call it, unless it is obviously a derivative of
another already known virus.

So, we can't just go on the macro name for a name. (What if there was already
another virus with that name?)

But my point was that we examine everything. And it takes time. And things
cannot be instantaneous as there are plenty of postings that do not have
viruses that we also have to run and test. And specifically in this
situation, we had a virus crisis to work on all day. When it was time to run
Virus Patrol, "Aha, so that's where it came from!"

But in other less hectic situations, it would work faster. There are reports
of other viruses having been posted to the alt.sex newsgroups today. They
have been noted by Virus Patrol very quickly.

Jimmy
jk...@nai.com

Standz6270

Mar 30, 1999, 3:00:00 AM
>May I ask _where_ at AOL you sent it? There's good accounts to send it to,
>and accounts which are pretty much the equivalent of /dev/null...
>
>
>CU! Markus

For newsgroups and the such, I'm pretty sure that you send it to ab...@aol.com.
I've used it before and it worked to the best of my knowledge.

Andy Ruddock

Mar 30, 1999, 3:00:00 AM

"Patricia A. Shaffer" wrote:
>
> On 30 Mar 1999 03:37:38 GMT, m...@gmx.net (Markus Mehring) wrote:
>
> >On Sat, 27 Mar 1999 23:58:16 -0700, "Anthony Simek"
> ><asime...@email.msn.com> wrote:
> >
> >>This is totally unethical.
> >
> >Absolutely not.

> >
> >>Posting information from someone's online
> >>profile of an ISP is just plain old wrong.
> >
> >Any kind of information that is openly available is (sic) _openly
> >available_, and there's no reason to _not_ publish it under the sign of
> >security related issues like in this case.
> >
> >>This is likely not a virus creator.
> >
> >Could be, but he is definitely an important link in the chain, especially
> >considering his past activities.
> >And BTW, this is nothing else than an assembly of information. No one's
> >actually propagating the idea of delivering a nuclear payload to his
> >house...
>
> ... yet!
>
> <http://www.zdnet.com/zdnn/stories/news/0,4586,2233931,00.html>
>

From message <36FDC0D7...@dial.pipex.com>

>"Richard M. Smith" wrote:
>>
>> Dmitry Gryaznov wrote:
>>
>> > According to Dr Solomon's Virus Patrol logs, the same AOL account -
>> > skyr...@aol.com - was used for similar purpose in December 1997.
>> > That is, to distribute through Usenet a document (another list of sites)
>> > infected with then new W97M/Blee.B virus.
>>
>> Interesting. What sorts of things did the Blee.B virus do?
>
> Nothing of the kind Melissa does.

>> Do you have a copy of the file, BTW? Might be interesting to
>> compare GUIDs.

> I did. They are different.

So Dmitry says the GUIDs are different and Richard Smith now says they
are, somebody's not telling the truth then are they?

--
AndyR
-----
Senior Software Developer
Norman Data Defense Systems (UK) Ltd.
PGP Fingerprint : EC0E 2CDA ABA4 C603 5BC7 5DDF B963 FFA0 64AA 061D

tmo...@intac.com

Mar 30, 1999, 3:00:00 AM
In article <7dkepj$aa3$1...@nnrp1.dejanews.com>,
fred_...@my-dejanews.com wrote:
> Sorry I didn't quote anything but I went onto my AOL screen name (Standz6270)
> and looked up Sky Roket's member profile just for the heck of it. I don't know
> if it has anything to do with anything but this is what I found
> [snip]

> I doubt any of this matters but I figured I might as well post it just in
> case. Good luck all!
>
> Sincerely,
> Brian

I have to believe that the FBI doesn't need your help in getting AOL records.
Next time, please think about it a while before publicly posting such stuff.

PC Guru

Mar 30, 1999, 3:00:00 AM
Thank you for the explanation. I hadn't understood the extent to which manual
intervention was needed: I can see now why this delays scans. Do reports of known
viruses have to await manual confirmation too?

While I am glad to see NAI offering this service, and am sure that they get some good
publicity from it, I can also see that the service could be made much better, with
scans and some kind of initial warning within minutes of a new virus being posted.

I can also see that spending money on such improvements would unfortunately be counter
to NAI's commercial interests - after all if you had killed the Melissa virus within
minutes of it being posted, you wouldn't be seeing such a surge in interest in
corporate network scanners.

Nevertheless, it seems to me that "downloading gigabytes of data over limited network
bandwidth" is a clumsy way of doing this - surely it must be possible to come to some
arrangement with an existing news server, so that only messages with binary
attachments of appropriate types (i.e. other than jpeg) were downloaded to the
scanner? At the very least co-locate the scanning computer with a news server, or if
that is not possible, get a "broadcast" newsfeed, such as a Direct PC or STNS
satellite link.

In any case scanning Newsgroups immediately takes no more bandwidth than scanning them
12 hours later. I believe that it should be possible to have a fully automatic scanner
running 24 hours a day which would immediately flag (or better still cancel) known
viruses and also warn of any suspicious macros. After all why should any Word document
on the net contain any macros? An exception could be made for the few newsgroups
intended to carry Office macro programming examples.

Perhaps some other newsgroup-connected organisation, such as Deja News or AltaVista,
would be willing to co-sponsor such an extension to the Virus Patrol?

Finally is there some Internet organisation concerned with dealing with Usenet
problems such as viruses?

Paul Mullen
Computer Shopper, UK

kurt wismer

Mar 30, 1999, 3:00:00 AM
On 30 Mar 1999, Secret Squirrel wrote:

> >> And people ask me why I use anonymous remailers...
>

> Richard M. Smith wrote:
> >I don't recommend them. They have a security hole in them that
> >can reveal your identity if someone wants to go through the trouble.
>
> Care to elaborate, Richard?
>

> I'm using three remailers chained together and encrypting the message

> with PGP. Unless all three remailers are being run by one of our three
> letter agencies, I don't think you can trace this post.

what kind of traffic analysis counter measures do those remailers take?

PC Guru

Mar 30, 1999, 3:00:00 AM
An interesting snippet from alt.hacking...

-------------------------------------------------------------------------
Author: SkizzwikS <skiz...@cs.com>
Date: 1999/03/30
Message-ID: <19990329204413...@ng-fq1.news.cs.com>

any comments on melissa?and anyone know who created her?

i still haven't got the whole story. i do know the person who created her
though. she(YES-SHE) wishes to remain confidential

If anyone could send info on it or scanned newspaper articles i'd greatly
appreciate it.

thanx

PsYch0>


Dmitry Gryaznov

Mar 30, 1999, 3:00:00 AM
PC Guru wrote:
>
> Thank you for the explanation. I hadn't understood the extent to which manual
> intervention was needed: I can see now why this delays scans. Do reports of known
> viruses have to await manual confirmation too?

Yes. I don't want to spam newsgroups with false alarms (even though with Dr Solomon's
engine it's a rather rare event - am not taking chances) or too outdated warnings.

> While I am glad to see NAI offering this service, and am sure that they get some good
> publicity from it,

No. No good publicity until now. Virus Patrol has been in service for over two years
now. Have you heard about it before? I doubt it... It's mostly a philanthropic project
I designed, developed and am maintaining virtually on my own, with necessary support,
of course, from Dr Solomon's and now NAI.

> I can also see that the service could be made much better, with
> scans and some kind of initial warning within minutes of a new virus being posted.

You still don't understand, it seems. It takes *hours* to scan through binary infested
newsgroups. And news do not spread instantly either. Several hours, or even a day or two,
delays are unavoidable.

> I can also see that spending money on such improvements would unfortunately be counter
> to NAI's commercial interests - after all if you had killed the Melissa virus within
> minutes of it being posted, you wouldn't be seeing such a surge in interest in
> corporate network scanners.

Excuse me, but this is complete bullshit. Virus Patrol found Melissa in Usenet about
13 hours after it was posted - with no artificial delays. And this was actually pretty
fast.

> Nevertheless, it seems to me that "downloading gigabytes of data over limited network
> bandwidth" is a clumsy way of doing this - surely it must be possible to come to some
> arrangement with an existing news server, so that only messages with binary
> attachments of appropriate types (i.e. other than jpeg) were downloaded to the
> scanner?

Do you know how binary attachments are sent? They are sent as *text*. Virus Patrol
recognizes several binary-to-text conversion formats, is able to assemble split files
from several postings, etc. etc. There is no sure way to know the attachment type
beforehand until you "detach" it.

Then, most binaries are sent in archives (ZIP, ARJ, RAR, what not...), often - in
nested archives. Scanning inside archives is also not that fast.

> At the very least co-locate the scanning computer with a news server, or if
> that is not possible, get a "broadcast" newsfeed, such as a Direct PC or STNS
> satellite link.

The link I am using is fast enough - megabits per second. Still, not fast enough to
get all of the Usenet instantly...



> In any case scanning Newsgroups immediately takes no more bandwidth than scanning them
> 12 hours later. I believe that it should be possible to have a fully automatic scanner
> running 24 hours a day which would immediately flag (or better still cancel) known
> viruses and also warn of any suspicious macros. After all why should any Word document
> on the net contain any macros?

And why not? After all, thousands of executables are posted daily to Usenet.

> An exception could be made for the few newsgroups
> intended to carry Office macro programming examples.

Right. And not only them, BTW.

> Perhaps some other newsgroup-connected organisation, such as Deja News or AltaVista,
> would be willing to co-sponsor such an extension to the Virus Patrol?

It still is a one-man project which I do in parallel with my main job. Maybe after
current events this will change.
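
The "detach first, then identify" step described in the post above, as an added example that is not Virus Patrol's code: it decodes single-part uuencoded attachments from a post body, classifies them by content, and descends into ZIP archives to list the OLE2 documents that would need a macro check. The sample post, size limits and function names are assumptions; macro detection itself, multi-part posts and the other encodings the post mentions are not covered.

```python
import binascii
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # container used by Word 97 .doc files
MAX_DEPTH = 3                  # assumed limit on archive nesting
MAX_MEMBER_SIZE = 8 * 2**20    # assumed per-member limit against decompression bombs


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, never by its file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def detach(post: str):
    """Return (name, bytes) for each complete uuencoded attachment in a post body."""
    found, name, chunks = [], None, []
    for line in post.splitlines():
        if name is None:
            parts = line.split(" ", 2)
            if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
                name, chunks = parts[2], []
        elif line == "end":
            found.append((name, b"".join(chunks)))
            name = None
        elif line.strip():
            try:
                chunks.append(binascii.a2b_uu(line))
            except (binascii.Error, ValueError):
                name = None  # corrupt line: discard this attachment
    return found


def inspect(name: str, data: bytes, depth: int = 0):
    """Return (path, kind) for data and, recursively, for ZIP members inside it."""
    kind = sniff(data)
    results = [(name, kind)]
    if kind == "zip" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    path = f"{name}/{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_SIZE:
                        results.append((path, "skipped-too-large"))
                        continue
                    results += inspect(path, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            results.append((name, "corrupt-zip"))
    return results


def scan_post(post: str):
    """Classify every attachment in a post, including archive members."""
    results = []
    for name, data in detach(post):
        results += inspect(name, data)
    return results


def documents_to_review(post: str):
    """Paths of OLE2 documents, the candidates for a macro check."""
    return [path for path, kind in scan_post(post) if kind == "ole2"]


def _uuencode(name: str, data: bytes) -> str:
    body = [binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
            for i in range(0, len(data), 45)]
    return "\n".join([f"begin 644 {name}", *body, "`", "end"])


def build_sample_post() -> str:
    """Constructed post: a ZIP holding a stub .doc header, plus a stub JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("list.doc", OLE2_MAGIC + b"\x00" * 56)  # header only, no macros
    stub_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 28
    return "\n".join(["Here is the list.", "",
                      _uuencode("list.zip", buf.getvalue()), "",
                      _uuencode("photo.jpg", stub_jpeg), ""])


if __name__ == "__main__":
    for path, kind in scan_post(build_sample_post()):
        print(f"{kind:8} {path}")
```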

Dmitry Gryaznov

Mar 30, 1999, 3:00:00 AM
PC Guru wrote:
>
> While I am glad to see NAI offering this service, and am sure that they get some good
> publicity from it,

Ironic, isn't it? What good publicity if even you found nothing better than *criticise*
Virus Patrol? :(

It's a free service to Usenet community. I spend my own time on it, like right now,
at 11:30pm... Do I get any appreciation? No, only criticism. Well, thank you.
I knew that doing good for people is an ungrateful thing...

Standz6270

Mar 31, 1999, 3:00:00 AM
>I have to believe that the FBI doesn't need your help in getting AOL records.
>Next time, please think about it a while before publicly posting such
>stuff.

It's already been said before. Besides, I wasn't posting for the FBI.

Standz6270

Mar 31, 1999, 3:00:00 AM
>ab...@aol.com is what I'd call /dev/null... no responses, no actions - a
>dead box. Consider yourself lucky if you get a mere automated answer from
>there.
>Concerning Spam of any kind, ab...@aol.net (no, not a typo) is a much
>better bet, and I guess that goes for any complaint about a customer of
>AOL, like in this case. The latter account is actually _read_ by human
>beings, and you get a personal reply and confirmation every now and then.
>
>
>CU! Markus

Yeah! That was it aol.net not .com. I was a bit off but it's close. Anyway, I
did get something back from ab...@aol.net before, so I know it works too.

mel...@my-dejanews.com

Mar 31, 1999, 3:00:00 AM
In article <36FE6DBD...@tiac.net>,

"Richard M. Smith" <smi...@tiac.net> wrote:
> Sherry wrote:
>
> > However, it is possible that sky roket is *really* dumb - who would post
> > a virus and leave a trail to himself???? Criminals have been known to
> > do that!
>
> BTW, "Mr. Skyroket" pulled similar stunts back in Dec. 1997 with
> at least three other Word macro viruses:
>
>
> http://x6.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=311346692&CONTEXT=922643094.712507465&hitnum=38
> http://x6.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=310059412&CONTEXT=922643094.712507465&hitnum=37
> http://x6.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=311142132&CONTEXT=922643094.712507465&hitnum=36
>
> From the last link, it looks like the AOL profile hasn't changed since
> Dec. 1997.
>
> I'm a bit surprised that AOL didn't yank his account at the time.
> I'm even more surprised that he is still using the account.
>
> Richard
>
>
I'm shocked that the media isn't referring to "Melissa" as what it really is:
An Outlook/Office 97 virus. It doesn't affect, and cannot affect, those of us
who don't use both products on our computer.

I don't have to spend a cent to be protected from "Melissa." In fact, all I
have to do is make certain I'm not using "bleeding edge" Microsoft products.

It's time for an end to the slogan "Nobody gets fired for buying Microsoft."
My company (a multinational) uses a Lotus email product, and hasn't upgraded
from Office 4.3.

The CERT alarmism and all the resources being spent "fighting" Melissa are an
indirect subsidy of Microsoft and their customers. I find it objectionable.

tykeg...@my-dejanews.com

Mar 31, 1999, 3:00:00 AM
In article <19990330191929...@ng123.aol.com>,

If someone doesn't want to be found, they won't be found. (but you could try
looking at Netscape Employee Files)

Tyke

Chris S.

Mar 31, 1999, 3:00:00 AM
In article <7dkb90$k7t$1...@zeitung.ngc.com>,
"Patrick Nolan, VSA" <patric...@spamfilter.nai.com> wrote:
> "Sky Roket" also has an online profile on AOL - if any of the information in
> the profile is accurate, shouldn't take too long to locate him, that is if
> anyone is looking for him.

They interviewed the guy whose screen name on AOL is Sky Roket on the local
news yesterday and today. The news in Seattle, Washington that is.

He claims that he does not have the computer skills to make a virus... and
he's been getting E-mail from angry "Victims" including from some
corporations that were infected.... The media wants to do an interview on
him too...

He is a resident of Olympia, Washington.

--Chris

...Mabuhay...
Visit / Visitez http://www.game-master.com

Bobo

Mar 31, 1999, 3:00:00 AM
On Tue, 30 Mar 1999 22:06:59 GMT, JoWa...@WhiteICE.com (Roswell Coverup {Sam
Borg 7 of 9} [Honorable Rev. JoWazzoo] ) said:

>It appears from late evidence that this started as a post to alt.sex
>which is NOT a binary group - should not have the post been nuked on
>sight - assuming someone saw it??

Since when are binary posts to non-binary alt.* groups nuked? Unless it's
moderated (unlikely in the alt.* hierarchy) you'd be relying on a rogue
canceller to weed those out. The real cancellers seem to focus more on SPAM
and UCE...they're not the "non-binary" police.


cj...@my-dejanews.com

Mar 31, 1999, 3:00:00 AM
In article <37014040...@The-Answer.com>,
PC Guru <pcg...@The-Answer.com> wrote:
> Thank you for the explanation. I hadn't understood the extent to which manual
> intervention was needed: I can see now why this delays scans. Do reports of known
> viruses have to await manual confirmation too?

Yes. The reason is, if left alone to automatically respond, there are
situations where it could end up firing way too many messages.

Take for instance, the recent (and ongoing) Happy99 problem. Often times,
there are multitudes of the postings in the same newsgroup. Dmitry, on his
judgment, may combine the numerous reports into just a couple, or few.

> While I am glad to see NAI offering this service, and am sure that they get some good
> publicity from it, I can also see that the service could be made much better, with
> scans and some kind of initial warning within minutes of a new virus being posted.

It serves all sectors, the public and ourselves. And obviously, those
qualities make for successful products. It serves to warn, and serves us to
quickly find the problems.

> I can also see that spending money on such improvements would unfortunately be counter
> to NAI's commercial interests - after all if you had killed the Melissa virus within
> minutes of it being posted, you wouldn't be seeing such a surge in interest in
> corporate network scanners.

We have found that we need not worry about killing a virus too fast. Even
with warnings plastered, there are plenty of people who would download the
infected packages. The message titles "XXX PASSWORDS" is so much more
enticing than "VIRUS FOUND" for instance.

> Nevertheless, it seems to me that "downloading gigabytes of data over limited network
> bandwidth" is a clumsy way of doing this - surely it must be possible to come to some
> arrangement with an existing news server, so that only messages with binary
> attachments of appropriate types (i.e. other than jpeg) were downloaded to the
> scanner? At the very least co-locate the scanning computer with a news server, or if
> that is not possible, get a "broadcast" newsfeed, such as a Direct PC or STNS
> satellite link.

We have had this arrangement before, when McAfee was in San Jose. Having
moved the offices recently to Beaverton and Virus Patrol from England to
Beaverton, we are still setting it up again.

We have had this program running in multiple forms for years. We will
continue to evolve it as befit the circumstances. Those thoughts are helpful
and encouraging.

Thank you.

Jimmy
jk...@nai.com

> In any case scanning Newsgroups immediately takes no more bandwidth than scanning them
> 12 hours later. I believe that it should be possible to have a fully automatic scanner
> running 24 hours a day which would immediately flag (or better still cancel) known
> viruses and also warn of any suspicious macros. After all why should any Word document
> on the net contain any macros? An exception could be made for the few newsgroups
> intended to carry Office macro programming examples.
>
> Perhaps some other newsgroup-connected organisation, such as Deja News or AltaVista,
> would be willing to co-sponsor such an extension to the Virus Patrol?
>
> Finally is there some Internet organisation concerned with dealing with Usenet
> problems such as viruses?
>
> Paul Mullen
> Computer Shopper, UK
>
> Dmitry Gryaznov wrote:
>
> > Jimmy Kuo does work for NAI and so do I, the author of Virus Patrol. You
> > simply don't understand how Virus Patrol works. It goes through thousands
> > of newsgroups, downloading often gigabytes of data, "detaches" binary
> > attachments and scans them. It does mark as suspicious any document with
> > *any* macros in it. Then I look at the documents. Because of the huge
> > amount of data to download and scan and given the limited network bandwidth,
> > it takes many hours for Virus Patrol to go through all the thousands newsgroups
> > it scans. Thus the delay with its warnings.
> >
> > --
> > Sincerely,
> > Dmitry O. Gryaznov

-----------== Posted via Deja News, The Discussion Network ==----------

fullm...@my-dejanews.com

Mar 31, 1999, 3:00:00 AM
Just as an FYI, there is an AOL chat on the Melissa Virus with one of
Symantec's anti-virus team on Wednesday, March 31. (8:30 ET, 5:30 PT).

Joe


In article <36FDBB8D...@tiac.net>,
"Richard M. Smith" <smi...@tiac.net> wrote:
> Dmitry Gryaznov wrote:
>
> > According to Dr Solomon's Virus Patrol logs, the same AOL account -
> > skyr...@aol.com - was used for similar purpose in December 1997.
> > That is, to distribute through Usenet a document (another list of sites)
> > infected with then new W97M/Blee.B virus.
>
> Interesting. What sorts of things did the Blee.B virus do?
>
> Do you have a copy of the file, BTW? Might be interesting to
> compare GUIDs.
>
> Also, why didn't AOL shutdown the account back in 1997?
>
> Richard

PC Guru

Mar 31, 1999, 3:00:00 AM

Dmitry Gryaznov wrote:

> Ironic, isn't it? What good publicity if even you found nothing better than *criticise*
> Virus Patrol? :(
>
> It's a free service to Usenet community. I spend my own time on it, like right now,
> at 11:30pm... Do I get any appreciation? No, only criticism. Well, thank you.
> I knew that doing good for people is an ungrateful thing...
>

Dmitry, please don't think me ungrateful - I think you are doing a great job with the
resources that are available to you. What I am saying is that at the moment the Virus
Patrol is just you, working largely in your own spare time, for the benefit of the Usenet
community, and not particularly your own company.

I think that we both are saying that a much better job could be done with more resources.

Simply having a dedicated computer for the scanner continuously working 24 hours a day
would help spot dangerous files within minutes of being posted. I am though rather puzzled
why you need to check warnings manually. Does Scan v4 generate that many false hits? <g>

Paul

Pierre Vandevenne

Mar 31, 1999, 3:00:00 AM
In article <3701D016...@dial.pipex.com>, Dmitry Gryaznov <gr...@dial.pipex.com> wrote:

>It's a free service to Usenet community. I spend my own time on it, like right now,
>at 11:30pm... Do I get any appreciation? No, only criticism. Well, thank you.
>I knew that doing good for people is an ungrateful thing...

This service is extremely helpful : thanks for setting it up. As we say in
French "les chiens aboient, la caravane passe".

Pierre

---
Pierre Vandevenne
www.datarescue.com, home of the IDA Pro Disassembler
Version 3.84 released - Pentium III, Hitachi SH-4, Atmel AVR
Folding, Improved analysis, FLIRT and FLAIR, & much more...


Gerry Andrews

Mar 31, 1999, 3:00:00 AM
Interesting that he has the file Constructor.WM97.VMPCKit as vmpck.zip
available in his directory on AOL :) A possible setup?

Gerry

Chris S. wrote in message <7dself$31g$1...@nnrp1.dejanews.com>...
>In article <7dkb90$k7t$1...@zeitung.ngc.com>,
> "Patrick Nolan, VSA" <patric...@spamfilter.nai.com> wrote:
>> "Sky Roket" also has an online profile on AOL - if any of the information in
>> the profile is accurate, shouldn't take too long to locate him, that is if
>> anyone is looking for him.
>
>They interviewed the guy whose screen name on AOL is Sky Roket on the local
>news yesterday and today. The news in Seattle, Washington that is.
>
>He claims that he does not have the computer skills to make a virus... and
>he's been getting E-mail from angry "Victims" including from some
>corporations that were infected.... The media wants to do an interview on
>him too...
>
>He is a resident of Olympia, Washington.
>
>--Chris
>
>...Mabuhay...
>Visit / Visitez http://www.game-master.com
>
>

michael Raley

Mar 31, 1999, 3:00:00 AM
Nobody contacted the owner of the account back then.
Has anybody posted the headers from the latest skyrocket
post? Be interesting to see if the NNTP posting was from AOL.

>In article <36FDBB8D...@tiac.net>,
> "Richard M. Smith" <smi...@tiac.net> wrote:
>> Dmitry Gryaznov wrote:
>>
>> > According to Dr Solomon's Virus Patrol logs, the same AOL account -
>> > skyr...@aol.com - was used for similar purpose in December 1997.
>> > That is, to distribute through Usenet a document (another list of sites)
>> > infected with then new W97M/Blee.B virus.
>>
>> Interesting. What sorts of things did the Blee.B virus do?
>>
>> Do you have a copy of the file, BTW? Might be interesting to
>> compare GUIDs.
>>
>> Also, why didn't AOL shutdown the account back in 1997?
>>
>> Richard
>>
>

--
//////////////Michael J Raley/////////////////////
TECHNICAL SUPPORT SPECIALIST, Seattle WA
Visit Modular Reality Systems:
http://www.geocities.com/SiliconValley/Lab/7577
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Rebecca Ore

Mar 31, 1999, 3:00:00 AM
On Wed, 31 Mar 1999 15:36:07 GMT, Roswell Coverup
{Sam Borg 7 of 9} [Honorable Rev. JoWazzoo] <JoWa...@WhiteICE.com> wrote:

>So a so-called misplaced binary is only Cancellable if it is posted to
>a moderated big 8 NG??

All binaries in non-binary groups are technically cancel-fodder. However,
since they're trivially filterable and since canceling amateur binary gets
yowls like one was gelding shoats with a dull knife, most of us have
historically been a trifle unenthusiastic absent flooding or true BI > 20
spam.

We *could* do it. Richard Depew set a lower limit of 100K on his binary
canceling bot, but that was, if I understand correctly, a technicality.

But it makes more sense to run Cleanfeed.

--
Rebecca Ore

Robbie S.

Mar 31, 1999, 3:00:00 AM
More and more ISPs are filtering out messages with binary attachments
to non-binary NGs. Mindspring has been doing it for quite a while now.


Robbie

kurt wismer

Mar 31, 1999, 3:00:00 AM
On Tue, 30 Mar 1999, Dmitry Gryaznov wrote:

> PC Guru wrote:
> >
> > While I am glad to see NAI offering this service, and am sure that they get some good
> > publicity from it,
>
> Ironic, isn't it? What good publicity if even you found nothing better than *criticise*
> Virus Patrol? :(
>
> It's a free service to Usenet community. I spend my own time on it, like right now,
> at 11:30pm... Do I get any appreciation? No, only criticism. Well, thank you.
> I knew that doing good for people is an ungrateful thing...

it's the nature of opinions, ones that are strong enough to be voiced are
usually negative...

if it means anything, i think the virus patrol was a great idea...

june...@my-dejanews.com

Mar 31, 1999, 3:00:00 AM
In article <36FD7CFB...@dial.pipex.com>,
Dmitry Gryaznov <gr...@dial.pipex.com> wrote:
> "Richard M. Smith" wrote:
> >
> > Hello,
> >
> > I've be doing some research on the Web to try to track down
> > on the author of the Melissa macro virus. Here is what I
> > found so far.
> >
> > The earliest reference I found to the virus is this posting
> > on 3/26 by "Sky Roket"
> >
> > Path: newsflash!news-peer1.tiac.net!news-feed1.tiac.net!newshub.northeast.verio.net!
> > cpk-news-hub1.bbnplanet.com!news.gtei.net!newsfeed.cwix.com!152.163.199.19!
> > portc03.blue.aol.com!audrey01.news.aol.com!not-for-mail
> > From: skyr...@aol.com (Sky Roket)
> > Newsgroups: alt.sex
> > Subject: Passcode List 3-26-99
> > Lines: 283
> > NNTP-Posting-Host: ladder05.news.aol.com
> > X-Admin: ne...@aol.com
> > Date: 26 Mar 1999 12:15:53 GMT
> > Organization: AOL http://www.aol.com
> > Message-ID: <19990326071553...@ng-cg1.aol.com>
> > Xref: newsflash alt.sex:1680745
> >
> > _=_
> > _=_ Part 001 of 001 of file list.zip
> > _=_
> >
> > This message contains a zip file with the now famous list.doc
> > file in it. The file is infected with the Melissa virus.
> >
> > The first reports of the Melissa virus in the wild started
> > showing up 8 to 12 hours later.
> >
> > Dr. Solomon's newsgroup virus scanner found the first infected message
> > a few days later on 3/27:
> >
> > http://x5.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=459557018&CONTEXT=922562568.1032257544&hitnum=0
>
> Huh? Why "a few days"? The ZIP file with that infected LIST.DOC was posted to
> alt.sex on 26 March 1999 at 12:15:53 GMT, that is 26 March 1999 04:15:53 PST.
> Dr Solomon's Virus Patrol posted its warning on 27 March 1999 01:36:11 GMT,
> that is 26 March 1999 17:36:11 PST. In other words, it's a few *hours* later,
> not *days*.
>
> > I did some "dumpster diving" in the list.doc file and found
> > the following revision log in the file:
> >
> > 3360:07 00 FF FF 06 00 00 00 0B 00 4A 00 6F 00 68 00 ........|..J.o.h.
> > 3370:6E 00 20 00 48 00 6F 00 6C 00 6D 00 65 00 73 00 n. .H.o.|l.m.e.s.
> > 3380:19 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 ..C.:.\.|W.I.N.D.
> > 3390:4F 00 57 00 53 00 5C 00 44 00 65 00 73 00 6B 00 O.W.S.\.|D.e.s.k.
> > 33A0:74 00 6F 00 70 00 5C 00 50 00 30 00 2E 00 64 00 t.o.p.\.|P.0...d.
> > 33B0:6F 00 63 00 0B 00 4A 00 6F 00 68 00 6E 00 20 00 o.c...J.|o.h.n. .
> > 33C0:48 00 6F 00 6C 00 6D 00 65 00 73 00 1F 00 43 00 H.o.l.m.|e.s...C.
> > 33D0:3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 :.\.W.I.|N.D.O.W.
> > 33E0:53 00 5C 00 44 00 65 00 73 00 6B 00 74 00 6F 00 S.\.D.e.|s.k.t.o.
> > 33F0:70 00 5C 00 4C 00 69 00 73 00 74 00 30 00 38 00 p.\.L.i.|s.t.0.8.
> > 3400:31 00 39 00 2E 00 64 00 6F 00 63 00 03 00 48 00 1.9...d.|o.c...H.
> > 3410:69 00 6D 00 1B 00 43 00 3A 00 5C 00 57 00 49 00 i.m...C.|:.\.W.I.
> > 3420:4E 00 44 00 4F 00 57 00 53 00 5C 00 44 00 65 00 N.D.O.W.|S.\.D.e.
> > 3430:73 00 6B 00 74 00 6F 00 70 00 5C 00 6C 00 69 00 s.k.t.o.|p.\.l.i.
> > 3440:73 00 74 00 2E 00 64 00 6F 00 63 00 FF 40 01 80 s.t...d.|o.c..@..
> >
> > Looks like "Mr. Holmes" is running Windows 95 or 98. I wonder who
>
> As I've been informed, John Holmes was a popular porno star. Died some
> time ago. No wonder his name was used by whoever compiled the list
> of porno sites.
>
> > "Him" is? Also, the file has been named "p0.doc", "List0819.doc",
> > and finally "list.doc".
>
> Which says that whoever that "John Holmes" might be it was not him
> who infected the file and then posted it.
>
> According to Dr Solomon's Virus Patrol logs, the same AOL account -
> skyr...@aol.com - was used for similar purpose in December 1997.
> That is, to distribute through Usenet a document (another list of sites)
> infected with then new W97M/Blee.B virus. A search through Dejanews on
> Usenet postings from skyr...@aol.com shows that there were some postings
> to a number of newsgroups (cracks and sex related) from that account
> in late December 1997 and then nothing till yesterday, 26 March 1999.
> Over a year of silence broken only to spread another virus.
>
> --
> Sincerely,
> Dmitry O. Gryaznov
>

ion the Happy 99 worm, this virus named "Melissa" attaches itself to other
email messages sent. Melissa on the other hand is more potent, more
destructive. I doubt "skyroket" was the original hacker or a hacker at all,
it seems he was yet another victim of this virus created by an unknown smart
hacker. detestful!!!!!!

thanks; june bone
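
The revision log quoted in the post above has a regular layout: a short header, then entries that each consist of a 16-bit little-endian character count followed by that many UTF-16LE characters, alternating author name and saved path. The Python below is an added example, not code from any poster in the thread; the reading of the header (0xFFFF marker, entry count, per-entry extra bytes) is an assumption inferred from the dump itself, and the function names are hypothetical.

```python
import ntpath
import struct

# Hex bytes of the dump quoted above (offsets 0x3360-0x344F), ASCII column removed.
DUMP_HEX = """
07 00 FF FF 06 00 00 00 0B 00 4A 00 6F 00 68 00
6E 00 20 00 48 00 6F 00 6C 00 6D 00 65 00 73 00
19 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00
4F 00 57 00 53 00 5C 00 44 00 65 00 73 00 6B 00
74 00 6F 00 70 00 5C 00 50 00 30 00 2E 00 64 00
6F 00 63 00 0B 00 4A 00 6F 00 68 00 6E 00 20 00
48 00 6F 00 6C 00 6D 00 65 00 73 00 1F 00 43 00
3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00
53 00 5C 00 44 00 65 00 73 00 6B 00 74 00 6F 00
70 00 5C 00 4C 00 69 00 73 00 74 00 30 00 38 00
31 00 39 00 2E 00 64 00 6F 00 63 00 03 00 48 00
69 00 6D 00 1B 00 43 00 3A 00 5C 00 57 00 49 00
4E 00 44 00 4F 00 57 00 53 00 5C 00 44 00 65 00
73 00 6B 00 74 00 6F 00 70 00 5C 00 6C 00 69 00
73 00 74 00 2E 00 64 00 6F 00 63 00 FF 40 01 80
"""
DUMP = bytes.fromhex("".join(DUMP_HEX.split()))
TABLE_OFFSET = 2  # assumption: the table starts at 0x3362, after the leading "07 00"


def parse_save_history(buf, offset=0):
    """Return [(author, path), ...] from a length-prefixed UTF-16LE string table."""
    if offset + 6 > len(buf):
        raise ValueError("buffer too short for table header")
    # Assumed header: 0xFFFF marker, number of strings, extra bytes per string.
    marker, count, extra = struct.unpack_from("<HHH", buf, offset)
    if marker != 0xFFFF:
        raise ValueError("expected 0xFFFF marker for 16-bit characters")
    if count % 2:
        raise ValueError("entries should come in author/path pairs")
    pos = offset + 6
    strings = []
    for index in range(count):
        if pos + 2 > len(buf):
            raise ValueError(f"entry {index}: length field runs past the buffer")
        (nchars,) = struct.unpack_from("<H", buf, pos)
        end = pos + 2 + 2 * nchars
        if end + extra > len(buf):
            raise ValueError(f"entry {index}: string runs past the buffer")
        strings.append(buf[pos + 2:end].decode("utf-16-le"))
        pos = end + extra
    return list(zip(strings[0::2], strings[1::2]))


def rename_trail(pairs):
    """Reduce each save record to (author, file name) to show the rename history."""
    return [(author, ntpath.basename(path)) for author, path in pairs]


if __name__ == "__main__":
    for author, path in parse_save_history(DUMP, TABLE_OFFSET):
        print(f"{author!r:15} saved {path}")
```
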

Homebuilt LAN

Mar 31, 1999, 3:00:00 AM
So what makes you think you can trust the people operating the remailers?
Actually, this sounds like a good home based business: "CyberSnitch
(hardly) anonymous remailing service and (extensively logged) kiddie porn
news server". Pricing might be something like "$5 gets you 20 to life".

Low start-up costs too...

--
Homebuilt LAN - The Resource Center for the Networked Home User
http://www.homebuilt-lan.com
f...@homebuilt-lan.com

Secret Squirrel <squi...@echelon.alias.net> wrote in article
<6b9b32c550fcff1a...@anonymous.poster>...
> >> I'm using three remailers chained together and encrypting the message
> >> with PGP. Unless all three remailers are being run by one of our three
> >> letter agencies, I don't think you can trace this post.
>
> kurt asks -
> > what kind of traffic analysis counter measures do those remailers take?
>
> Good question, Kurt.
>
> Traffic analysis is about the only way to identify the users of anonymous
> remailers. But you can use latency - instruct the remailer to hold your mail
> for a set period of time before sending it on - or add 'garbage' - insert 5k
> (for example) of text that gets cut out of the message - to make your
> message change size.
>
> Both of these techniques make traffic analysis difficult at best.
>
> When Richard Smith says, "They have a security hole in them that can
> reveal your identity if someone wants to go through the trouble.", I suspect
> he's just blowing smoke.
>
> Mats

Standz6270

Apr 1, 1999, 3:00:00 AM
>If someone doesn't want to be found, they won't be found. (but you could try
>looking at Netscape Employee Files)
>

Because the virus was created to harm office 97 programs and netscape hates
microsoft?

Bobo

Apr 1, 1999, 3:00:00 AM
On Wed, 31 Mar 1999 15:36:07 GMT, JoWa...@WhiteICE.com (Roswell Coverup {Sam
Borg 7 of 9} [Honorable Rev. JoWazzoo] ) said:

>>Since when are binary posts to non-binary alt.* groups nuked? Unless it's
>>moderated (unlikely in the alt.* hierarchy) you'd be relying on a rogue
>>canceller to weed those out. The real cancellers seem to focus more on SPAM
>>and UCE...they're not the "non-binary" police.
>
>So a so-called misplaced binary is only Cancellable if it is posted to
>a moderated big 8 NG??

No, it's just more likely to be cancelled. I haven't seen the cancellers
spend too much time policing alt.* since it's a mess anyway.

ANY post is cancellable, no matter what. Nice cancellers are responsible and
they only cancel posts that obviously violate some policy.

The comp.*, rec.*, talk.* etc. groups are well defined, but it's not always
obvious which alt.* groups allow binaries and which don't...you really can't
go by if "binaries" appears in the NG name or not...sigh... Meaning the
cancellers don't seem to bother much with alt.* except for UCE and Spam.

wilds...@my-dejanews.com

Apr 1, 1999, 3:00:00 AM
Haha! Yer SO beyond usenet trash! Yeah, and I'm Bill Clinton, just e-mail me
at billcl...@hotmail.com LOL whatever! Anyone could claim anything, and
if you REALLY know "her," why don't you call her up and ask her where to
point and click so you can get some newspaper articles from it. El duh!
Newspapers are also ONLINE oh brilliant one. Well, I guess i should step off
my soapbox and go log onto my AOL account. j/k hehe

-WildScooter http://www.wildscooter.com


P.S. It was a she? I never would have thought yer mom would do it!


In article <37017E7E...@The-Answer.com>,


Dr Alan Solomon

Apr 1, 1999, 3:00:00 AM
>Finally, while Dr Solomon's usenet postings of virus alerts are useful, this
>incident reveals that it only scans for known viruses - the alert mentioned
>on 27 March, was in fact in response to a copy posted at 8:20pm EST on 26th
>March, when it was already the 27th in England! The warning was published at
>1.34am GMT - just 14 minutes later if I have the time zones right. The
>scanner only picked up the posting after Melissa was added to their virus

That's what you'd expect from a scanner, that's what scanners are designed
to do. See below for more on this.

>list. I can't help but feel that if Alan Solomon still ran the company, it
>would be detecting ANY suspicious macro found in newsgroup attachments and
>might have stopped this outbreak before it started. But of course then NAI
>wouldn't have a rush of new orders for their Exchange Server virus scanner!

I don't think so. The hassle that would cause in terms of false alarms is
hard to estimate, but I've seen other products that flag "suspicious"
files, and after the first several false alarms, users soon learn to
ignore what it says anyway. If they don't, then overworked IT departments
soon learn to tell users to ignore the warnings. So you wind up causing
more problems than you fix.

By the way, people might like to hear the generic solution I've devised for
myself, to this whole problem.

1. I don't run EXE files that arrive via email.
2. If I do need to read a DOC file that arrived via email, I use Word
View, which doesn't run macros. Or Wordpad (but Wordpad often can't read
them). If there were a product that could pull out the text of a Word Doc
file into a new file, leaving all other stuff (macros etc) behind, I'd
be interested.
3. I don't use Outlook Express.

I do appreciate that this generic solution might not be suitable for
everyone, since it requires user education, which I don't actually
believe is feasible. But it seems to me that a product could be written
that implements the three rules above (there may be others one would add,
such as equivalent rules for spreadsheets, which I never get sent so aren't
an issue for me).

You might be surprised at my advocacy of a generic solution, since for
many years I advocated virus-specific (scanner) type solutions as the most
cost-effective response to the virus issue.

The reason for my change of mind, is that the world has changed.

A few years ago, viruses spread slowly. Boot sector viruses required
actual physical disks in order to spread. Major spread (such as with Form)
took *years*. My impression is that today, COM and EXE file viruses (that
only propagate in that form) are pretty much dead. Boot sector viruses are
a relatively small problem, since the use of floppy disks is massively
down; people email files to each other.

In 1995, the speed of viruses spreading started to change with Word macro
viruses, and the influence of the Internet. Major spread of Concept took
months, but months was enough (for some products, maybe not for others) to
get virus-specific solutions in place. Concept-type viruses were still
handle-able using the scanners and VxDs.

Now, we seem to be looking at something more like days. Clearly it's
going to be impossible for AV companies to update with that sort of
frequency, so they'll increasingly move to generic solutions.

I don't foresee any instant meltdown of the internet, in spite of what the
newspapers are saying. But I do foresee an increasing number of viruses
of the Melissa type, using email to spread, and requiring little or no
user-cooperation.

As someone else pointed out on this newsgroup, Microsoft's attitude is
that it's worth trading a large amount of security, for usability. OK,
fine, and many people will be happy with that. But for those who aren't,
I'm suggesting a product that *reduces* the functionality of any products
that need that reduced in order to get significantly more security.

And what happens when Microsoft releases Word 2000, and your
functionality-reducer doesn't handle that? Simple. You don't upgrade your
Word, until the functionality-reducer can handle this new version. If
that slows down the sales of some Microsoft upgrades, then Microsoft
might consider releasing their own functionality-reducer as an option.

For example - if someone offered me a product that prevented Word from
running Word macros, I'd be very interested. Or a product that prevented
me from receiving EXE files by email. I want reduction of functionality.
And I'm guessing that some companies would be willing to pay for such
reductions in functionality.

If, as I've read here (and have heard elsewhere), mail servers were
overloaded and out of action by Melissa, the loss of security has clearly
gone too far, and has led to a total loss of usability.

Is anyone currently offering such a functionality reducer?


--
Alan Solomon (remove x's from email addresses to answer)
drso...@xibmpxcug.co.uk http://www.ibmpcug.co.uk/~drsolly
AOL Keyword SAFETYONLINE
I use Dr Solomon's Antivirus on a couple of my computers
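
The first two rules in the post above (no EXE files from email, no Word documents opened with their macros), together with the Virus Patrol habit of flagging any document that contains macros, can be written as a mail-attachment policy. The Python below is an added example, not code from any poster or product in the thread; the verdict names, size and depth limits, and the macro heuristic (searching an OLE2 file for the UTF-16LE storage names "Macros" and "_VBA_PROJECT") are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file (Word 97 .doc)
# Names of the storage/stream holding a VBA project, as they appear (UTF-16LE)
# in the OLE directory. A substring search is a heuristic, not a directory
# walk, and it errs toward false positives.
MACRO_MARKERS = tuple(s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT"))
SEVERITY = {"deliver": 0, "hold": 1, "block": 2}
MAX_DEPTH = 2                 # archives nested deeper than this are held
MAX_MEMBER = 8 * 1024 * 1024  # members larger than this are not inflated


def worst(a, b):
    return a if SEVERITY[a] >= SEVERITY[b] else b


def classify(filename, data):
    """Rule 1: block executables. Rule 2: hold documents that carry macros."""
    name = (filename or "").lower()
    if name.endswith(".exe") or data.startswith(b"MZ"):  # MZ catches renamed EXEs
        return "block"
    if data.startswith(OLE_MAGIC) and any(m in data for m in MACRO_MARKERS):
        return "hold"  # to be read only in a viewer that does not run macros
    return "deliver"


def scan_attachment(filename, data, depth=0):
    """Classify one attachment, looking inside ZIP archives such as list.zip."""
    verdict = classify(filename, data)
    if not (data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data))):
        return verdict
    if depth >= MAX_DEPTH:
        return worst(verdict, "hold")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER or info.flag_bits & 0x1:
                verdict = worst(verdict, "hold")  # oversized or encrypted member
                continue
            inner = scan_attachment(info.filename, zf.read(info), depth + 1)
            verdict = worst(verdict, inner)
    return verdict


def filter_message(raw):
    """Return {attachment name: verdict} for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): scan_attachment(
            part.get_filename(), part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    }


def build_sample():
    """Constructed message: an EXE, a plain DOC, a DOC with macros, a zipped DOC."""
    clean_doc = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    macro_doc = clean_doc + "Macros".encode("utf-16-le") + b"\x00" * 64
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("list.doc", macro_doc)
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "reader@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name, data in (("setup.exe", b"MZ" + b"\x00" * 64), ("report.doc", clean_doc),
                       ("memo.doc", macro_doc), ("list.zip", zipped.getvalue())):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in filter_message(build_sample()).items():
        print(f"{name:12} {verdict}")
```
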

kurt wismer

Apr 2, 1999, 3:00:00 AM
On Thu, 1 Apr 1999, Dr Alan Solomon wrote:

> By the way, people might like to hear the generic solution I've devised for
> myself, to this whole problem.
>
> 1. I don't run EXE files that arrive via email.
> 2. If I do need to read a DOC file that arrived via email, I use Word
> View, which doesn't run macros. Or Wordpad (but Wordpad often can't read
> them). If there were a product that could pull out the text of a Word Doc
> file into a new file, leaving all other stuff (macros etc) behind, I'd
> be interested.

doesn't f-macro have an option to wipe out all macros in a document? i
seem to recall that being used long, long ago to get rid of cap
infections...

> 3. I don't use Outlook Express.
>
> I do appreciate that this generic solution might not be suitable for
> everyone, since it requires user education, which I don't actually
> believe is feasible.

why? they're getting educated enough to become users, why can't they get
further educated and become secure users?

> You might be surprised at my advocacy of a generic solution, since for
> many years I advocated virus-specific (scanner) type solutions as the most
> cost-effective response to the virus issue.

in a general sense virus specific type solutions are the most cost
effective response to the virus issue... when you narrow your scope to a
specific infection vector proactive generic techniques become more
feasible...

you can cover email that way, you can cover irc that way, etc, etc...

but guess what happens when you try and cover all of them that way? you
get back into the realm of user education because they have to be made
aware of what needs to be covered next (there will always be new
vectors)...

PC Guru

Apr 2, 1999, 3:00:00 AM

Dr Alan Solomon wrote:

> Now, we seem to be looking at something more like days. Clearly it's
> going to be impossible for AV companies to update with that sort of
> frequency, so they'll increasingly move to generic solutions.
>

Or more like hours in the case of Melissa. That is why I feel we need some
automated procedure to warn quickly when a posting contains known viruses and to
warn of possible danger when a posting contains unknown macros.

> As someone else pointed out on this newsgroup, Microsoft's attitude is
> that it's worth trading a large amount of security, for usability. OK,
> fine, and many people will be happy with that. But for those who aren't,
> I'm suggesting a product that *reduces* the functionality of any products
> that need that reduced in order to get significantly more security.
>

> For example - if someone offered me a product that prevented Word from
> running Word macros, I'd be very interested. Or a product that prevented
> me from receiving EXE files by email. I want reduction of functionality.
> And I'm guessing that some companies would be willing to pay for such
> reductions in functionality.
>

I agree that such a product might be very useful for some organisations. However
many others use macros specifically because they can then tell relatively
uneducated users "here you just click this button". So it is the users for whom
macros are most dangerous who need them the most.

What would be more useful is a system that turns off all macros that are not
previously registered with the company IS department. Hopefully such a system
will make it into Office 2000.

Paul

Andrew Gierth

Apr 2, 1999, 3:00:00 AM
>>>>> "Dmitry" == Dmitry Gryaznov <gr...@dial.pipex.com> writes:

Dmitry> Yes. I don't want to spam newsgroups with false alarms

But you think it's OK to spam newsgroups with genuine warnings?
Sorry, no.

(Didn't I warn you about this earlier this year, with specific
reference to Happy99? I notice though that you don't seem to be
finding many of the copies of Happy99 that actually get posted (138
since midnight GMT today, for example)).

--
Andrew.

Robert Moir

Apr 2, 1999, 3:00:00 AM

PC Guru <pcg...@The-Answer.com> wrote in message
news:37014040...@The-Answer.com...

[snippage]

>
>Nevertheless, it seems to me that "downloading gigabytes of data over limited network
>bandwidth" is a clumsy way of doing this - surely it must be possible to come to some
>arrangement with an existing news server, so that only messages with binary
>attachments of appropriate types (i.e. other than jpeg) were downloaded to the
>scanner? At the very least co-locate the scanning computer with a news server, or if
>that is not possible, get a "broadcast" newsfeed, such as a Direct PC or STNS
>satellite link.

But there is no way to guarantee that a certain news server would see all
posts.

>
>In any case scanning Newsgroups immediately takes no more bandwidth than scanning them
>12 hours later. I believe that it should be possible to have a fully automatic scanner
>running 24 hours a day which would immediately flag (or better still cancel) known
>viruses and also warn of any suspicious macros. After all why should any Word document
>on the net contain any macros? An exception could be made for the few newsgroups
>intended to carry Office macro programming examples.
>
>Perhaps some other newsgroup-connected organisation, such as Deja News or AltaVista,
>would be willing to co-sponsor such an extension to the Virus Patrol?
>
>Finally is there some Internet organisation concerned with dealing with Usenet
>problems such as viruses?
>

Besides alt.comp.virus ;-) I don't really think so. After all, whose Internet
is it anyway?

> Paul Mullen
> Computer Shopper, UK

Not a bad magazine that.

--
Robert Moir, Microsoft MVP,
Topic Leader, MSN Safe Computing forum for viruses
My Homepage - http://www.bitey.force9.co.uk
** Please post all replies to the newsgroup **


Robert Moir

Apr 2, 1999, 3:00:00 AM

PC Guru <pcg...@The-Answer.com> wrote in message
news:3701E708...@The-Answer.com...

[snip]

>
>Dmitry, please don't think me ungrateful - I think you are doing a great job with the
>resources that are available to you. What I am saying is that at the moment the Virus
>Patrol is just you, working largely in your own spare time, for the benefit of the Usenet
>community, and not particularly your own company.
>
>I think that we both are saying that a much better job could be done with more resources.
>
>Simply having a dedicated computer for the scanner continuously working 24 hours a day
>would help spot dangerous files within minutes of being posted.

Do you understand how quickly newsgroup postings propagate across news
servers? It's not a case of seeing things within minutes of being posted.
And what about the postings on one server that don't make it to another at
all.

>I am though rather puzzled
>why you need to check warnings manually.

Because they want to be correct when they warn about a posting.

Also, think about it, at the time in question here, Melissa was new.. You
could scan it all day and all night with any virus scanner you please before
the database is updated without picking anything up.

Robert Moir

Apr 2, 1999, 3:00:00 AM

Dmitry Gryaznov <gr...@dial.pipex.com> wrote in message
news:3701D016...@dial.pipex.com...
>PC Guru wrote:

>Ironic, isn't it? What good publicity if even you found nothing better than *criticise*
>Virus Patrol? :(
>
>It's a free service to Usenet community. I spend my own time on it, like right now,
>at 11:30pm... Do I get any appreciation? No, only criticism. Well, thank you.
>I knew that doing good for people is an ungrateful thing...

Well I remember the Virus Patrol being on the go for a little while now, but
I had no idea that you did it in your own time. I think you are doing a
great job, and even more so if you spend your own time on it.

As far as criticising Virus Patrol, I work in tech support, and I know that
people rarely ring you up, write to you or post email to compliment, but
often just to rant and rave when things go wrong. That makes the thanks you
do get so much more valuable and (to me anyway) appreciated. Thank you
Dmitry.

cj...@my-dejanews.com

Apr 3, 1999, 3:00:00 AM
In article <3701E708...@The-Answer.com>,

PC Guru <pcg...@The-Answer.com> wrote:
>Does Scan v4 generate that many false hits? <g>

Not the type where the Virus Patrol reports with a name. But as mentioned
before, everything is downloaded.

And I thought I had mentioned, Dmitry goes through the results and decides
which warnings get posted. For instance, there is no reason to post a
warning about BackOrifice to the alt.hacks newsgroup about a message saying,
"Here's BackOrifice" and a zip file contains the program at issue.

Or, occasionally, there's a message storm (such as Happy99) that will just
fill up a newsgroup. An automated responder would just flood it again.

The way Dmitry handles how Virus Patrol operates is a considered effort based
on test sending the alerts to the AV community first. Many AVers and friends
made suggestions on how to be most effective and least annoying.

This is simply the current rendition.

When Dr Solomon's and McAfee were bitter rivals, my sincerest form of
flattery to him was to have our guys build NewsSniffer, our advantage being
that in San Jose, we had access to an ISP nearer to the top of the food
chain. But the idea was his. And I am absolutely ecstatic that both Dmitry
and Virus Patrol now bear the Network Associates label.

Jimmy
jk...@nai.com

cj...@my-dejanews.com

Apr 3, 1999, 3:00:00 AM
In article <87ogl72p...@erlenstar.demon.co.uk>,

Your first statement tells him his posts are spam. Then you imply he should
be posting more warnings? Please make up your mind.

And your statement is presumptuous. You *notice* that he is not posting
warnings for those other situations. You have no idea if he is finding them.

Dr Alan Solomon

Apr 3, 1999, 3:00:00 AM
>Then I look at the documents. Because of the huge
>amount of data to download and scan and given the limited network bandwidth,
>it takes many hours for Virus Patrol to go through all the thousands of newsgroups
>it scans. Thus the delay with its warnings.

How much bandwidth do you currently have for Virus Patrol?

Wayne Riddle

Apr 3, 1999, 3:00:00 AM
In article <18...@chartridge.win-uk.net>, drs...@chartridge.win-uk.net
says...

> 2. If I do need to read a DOC file that arrived via email, I use Word
> View, which doesn't run macros. Or Wordpad (but Wordpad often can't read
> them). If there were a product that could pull out the text of a Word Doc
> file into a new file, leaving all other stuff (macros etc) behind, I'd
> be interested.
>

Something that I have done in the past that has worked is to start Word
and then use the Insert|File to import a file. To date that has always
removed any macros in the files that I have tried it on.

I can not say that it will always work, but worth looking at.

--
Wayne Riddle
Remove .nospam to reply to e-mail address

Trailer

Apr 4, 1999, 4:00:00 AM

Dmitry Gryaznov <gr...@dial.pipex.com> wrote in message
news:3701CE22...@dial.pipex.com...

Someone said:
> > I can also see that spending money on such improvements would
> > unfortunately be counter to NAI's commercial interests - after all if you
> > had killed the Melissa virus within minutes of it being posted, you
> > wouldn't be seeing such a surge in interest in corporate network scanners.
>
You replied:
> Excuse me, but this is complete bullshit. Virus Patrol found Melissa in
> Usenet about 13 hours after it was posted - with no artificial delays. And
> this was actually pretty fast.

In another post you mentioned 'a few hours'...But that's not really
important...

Looking at what was said by Jimmy and yourself, I have to draw this
conclusion ; VP scans for unknowns, and then you manually look at the
unknowns. It doesn't reply automatically to warn users, it needs
authorisation.

So it's a virus sample gathering device, which doesn't benefit Usenet
immediately but in general after more than a day...Maybe you should consider
scanning for high risk and low risk newsgroups in separate setups ?

Only that way, VP will truly benefit Usenet. And that it needs manual
authorisation is imho crap....Your only concern should be to react as
quickly as possible on a 'possible' instead of letting a virus propagate. A
warning stating that there may be something is still a heck lot more than
nothing at all...

Trailer

Robert Moir

Apr 4, 1999, 4:00:00 AM

Trailer <reply_t...@yahoo.com> wrote in message
news:7e7b64$h59$1...@news.casema.net...

>So it's a virus sample gathering device, which doesn't benefit Usenet
>immediately but in general after more than a day...Maybe you should
>consider scanning for high risk and low risk newsgroups in separate setups ?

That depends on how much NAI wish to invest in this project, wouldn't you
say? I mean Dmitry has already said he's doing it in his own time, and well,
ya know I'm sure that in addition to his job and VP now he also has a
"real life" he might want to pay attention to sometimes.

As for "high risk" newsgroups... well let's look at the alt.sex ones that
Melissa supposedly spread from. I think it's safe to say that you lie down
with those kinds of dogs you must expect to get fleas every now and again.
People who open documents, or run executables from that kind of newsgroup
should have some kind of idea of what they are letting themselves in for.
I'm not saying that makes it ok to put viruses up in these areas, but I am
saying that people should be prepared to take some responsibility for their
own actions. There has to be a balance.

>
>Only that way, VP will truly benefit Usenet. And that it needs manual
>authorisation is imho crap....Your only concern should be to react as
>quickly as possible on a 'possible' instead of letting a virus propagate. A
>warning stating that there may be something is still a heck lot more than
>nothing at all...

But your opinion might change about that if VP started posting a lot of
false alarms. More to the point, if it did that to the extent that people
just ignored it, would you then be back here whinging again because
something got released and was fingered by this hypothetical new version of
VP and the alarm was ignored because of other false alarms?

And don't forget that people's reputations and indeed businesses may be hurt
by something that posted a lot of false alarms. IMHO VP is doing a good job
now, and I do believe that it's better to have something slightly slower but
more reliable than fast and crap.

Trailer

Apr 4, 1999, 4:00:00 AM

Robert Moir <mara...@force9.co.uk> wrote in message
news:VpIN2.1694$54.1476@wards...

>
> But your opinion might change about that if VP started posting a lot of
> false alarms. More to the point, if it did that to the extent that people

Well, the Solomon engine doesn't alert falsely that often. It does happen
sometimes, but not that much..I'd say a warning saying that something
suspicious was found would be adequate ; the word virus shouldn't be used to
avoid any hype situations.


>
> And don't forget that people's reputations and indeed businesses may be
> hurt

They would be more hurt if it was something real ! Oh well, NAI has always
been a bit careless with what they sent out 8-)

> by something that posted a lot of false alarms. IMHO VP is doing a good
> job now, and I do believe that it's better to have something slightly slower
> but more reliable than fast and crap.

It's serving a purpose, yes. Maybe if it was totally clear what the
objectives are, then we can evaluate if it's doing a good job or not. At the
moment, imho, stopping viruses from spreading seems not to be the prime
objective. So that's why I regard it as a virus sample collecting device.


>
> --
> Robert Moir, Microsoft MVP,
> Topic Leader, MSN Safe Computing forum for viruses
> My Homepage - http://www.bitey.force9.co.uk
> ** Please post all replies to the newsgroup **
>

By the way, what is the official MS view on what some people say about them
being the ones to blame for all this ? A bit of a silly view, in my own
opinion, but I'd still like to know how you guys think about this....

Cheers
Marcel

Bill Clark

Apr 4, 1999, 4:00:00 AM
Dr Alan Solomon wrote:

> If there were a product that could pull out the text of a Word Doc
> file into a new file, leaving all other stuff (macros etc) behind, I'd
> be interested.

Hop on over to hobbes.nmsu.edu and download word2x-ex3.zip. While this
is an OS/2 version it has a GNU copyleft and the source... The couple
of times I've tried it, it has worked very well...

-bc-

SSC


cj...@my-dejanews.com

Apr 5, 1999, 3:00:00 AM
In article <7e7b64$h59$1...@news.casema.net>,

"Trailer" <reply_t...@yahoo.com> wrote:
> Your only concern should be to react as
> quickly as possible on a 'possible' instead of letting a virus propagate. A
> warning stating that there may be something is still a heck lot more than
> nothing at all...

In this business, we have learned that people do not see the word "possible"
in front of the word "virus."

Randy Abrams

Apr 6, 1999, 3:00:00 AM

Lord Natas <Use-Author-Address-Header@[127.1]> wrote in message
news:1999032909293...@anon.efga.org...
> On 29 Mar 1999 03:24:56 GMT stand...@aol.com (Standz6270) wrote:
>
> >>In any event, this is my final post on the subject. I am not going to
> >>bicker with Julian Haley who thinks it's appropriate to post online
> >>"profile" details and suggest that this be the virus author.
> >
> >It was just a small theory. The name Sky Ro...@aol.com had been used
> >before.
>
> Theory, yes. Just a theory. But it may very well lead to problems for
> an innocent person.
>

If you are so concerned about something leading to problems for innocent
users, then why haven't you kept your viruses to yourself?
Mind you, this is no justification for the action mentioned above, just an
observation.

Regards,

Randy

--
The opinions expressed in this message are my own personal views
and do not reflect the official views of the Microsoft Corporation.

anton...@my-dejanews.com

Apr 9, 1999, 3:00:00 AM
In a cnet article it mentions authorities tracked him down via phone logs.
That would be easy if he accessed his account by dialing an 800#, but likely
he just called a local number. So did they trace a local call? I didn't
think phone logs of local calls existed. If anyone knows, email me
antony...@yahoo.com Thanks.

Richard M. Smith

Apr 9, 1999, 3:00:00 AM
to anton...@my-dejanews.com
anton...@my-dejanews.com wrote:

> So did they trace a local call?

Yep, at the New Jersey ISP they apparently use caller ID on
their modems.

Speaking of "caller ID", DejaNews includes an IP address in
newsgroup messages. Example:

kmlp01m06-150.bctel.ca [209.52.33.150]

Richard


hapticz

Apr 9, 1999, 3:00:00 AM
phone companies keep lots of information on file for indefinite periods of
time, not just the stuff you see on your phone bills. often they keep a FILO
log of calledto/called from numbers for at least a month's time for EVERY
line access that occurs. this is for their own maintenance and repair
service departments and for them to assess the trends that determine what
and how much equipment they will apportion to certain areas. they must
assess line usage and capacity available so they can route the "traffic"
through the best "conduit".

don't think for an instant that it is easy to track individual access calls
that are buried in mountains of other calls. it isn't, but with the
implementation of e-switching that was installed starting in the 1980's it
has become no harder to do than typing in a search query on their own
computer systems. 99.99 percent of all service is now digitally processed
using packet mode/multiplexed transfers using optic/microwave links.

this ain't the turn of the 19th/20th century anymore folks! copper wire and
ratcheting switch panels are long gone! they are modernized and fully
capable of tracking any and all calls!

ISP's are required to keep logs of traffic also! some just do a more
thorough job than others though!

they may not be able to see who is tapping the keys, but they can tell
when/where it happened!
that, at least is called circumstantial evidence in any court of law!

--
best regards
hap...@email.msn.com
