Re: Crispin on Badtrans.B, was: REMOVE FROM CRIME LIST

From: Alan (alan@private)
Date: Wed Nov 28 2001 - 11:35:52 PST


    On Tuesday 27 November 2001 18:25, Kuo, Jimmy wrote:
    > >I've received about three copies of that new virus (I forget
    > >the name)
    >
    > Badtrans.B
    >
    > >in the last 24 hours. No impact on me (Linux mail client) but
    > >one of our business guys got bit. Anyone else getting hammered?
    >
    > It's basically a "home-user" scenario right now.  Corporates are much
    > better at keeping up to date (and if they used us, any DAT within the last
    > month would have stopped it).  And with the virus coming out over
    > Thanksgiving holidays, any other corporate entity would have gotten in the
    > office and updated their data files.
    >
    > But in the home arena, people update much less frequently (and if they used
    > us, they would have needed a particular setting of scanning compressed
    > files, which is not the default) or don't even have AV at all, and were
    > mostly home when the virus came out and didn't have the communications
    > medium as available at the office to know that there was a virus rampant,
    > and thus the home arena got much more infected.
    >
    > So, the more "hobby" mailing lists you belong to, the more likely you'll be
    > seeing these messages with viruses, as responses to messages you may have
    > posted to those hobby mailing lists.
    >
    > I myself got one.
    
    I have gotten at least three.  What is odd is that they are all from places 
    outside the US. (Taiwan and Norway.)  Maybe I just have odd hobbies.
    
    Then again, I am still seeing Sircam viruses in my mail... (Not that they 
    will have any effect on KMail.)
    
    My experience with corporate AV protection is that if they can find an admin 
    who can set things up to auto-update AV signatures, then they are OK. (For 
    the most part.) That is, if the mail server scanner they are using is 
    actually catching what goes through in the first place.  (At NCD they had a 
    scanner that let through all sorts of things, including the "ILoveYou" virus.)
    
    Another issue is the problem of laptops. We had problems with people who 
    would reinfect the system with viruses because they were unwilling to learn 
    how to scan for viruses on machines that they took off-site.  (Actually that 
    is not exactly true. They were unwilling to learn how to use them at work as 
    well.)
    
    Sometimes the admins were part of the problem. On a couple of Windows 
    Terminal Server machines, the admins had turned off the automatic virus scans 
    because it was slowing the system down too much.  (And only turned it back on 
    when I used the hidden system information in the infected Word documents to 
    track down the machine infecting the rest of the network.)
    
    In any system where you have a large number of MS Office and/or Outlook users, 
    the admins will be spending a great amount of time and money dealing with 
    viruses.  The anti-virus tools help a great deal, but you either have to 
    force installs and updates transparently on all Windows users or hope that 
    they are willing to learn how to use the tools and able to keep their systems 
    updated.  
    
    One of the biggest hurdles I have encountered is users who are unwilling to 
    learn anything that might involve more than two brain cells. They have been 
    told that "computers are hard", so they refuse to even attempt to learn the 
    simplest tasks.  Usually it is the folks in Sales and Marketing (S&M) that 
    have the biggest problems. (Maybe because their rational faculties have been 
    damaged as part of the training for their job.  Lobotomies tend to do that...)
    
    But then again, these are the same people who kept the password "changeme" 
    until we physically forced them to change it, one at a time...
    
    But enough ranting...
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:35:31 PDT