[grrltalk] RE: [techtalk] heads-up: M$ (e-mail) virus making rounds.

Annette Stroud astroud at uswest.net
Thu May 4 20:00:00 EST 2000


Darren wrote:
> 
> On Thu, 4 May 2000, Stephanie Alarcon wrote:
> 
> >This is possibly a stupid question, but
> >http://www.drsolomons.com/home/vbslove.htm talks about this:
> >
> >------------------------------------------
> >This worm also has another trick up its sleeve in that it tries to
> >download and install an executable file called WIN-BUGSFIX.EXE from the
> >Internet. This exe file is a password stealing program that will email
> >any cached passwords to the mail address MAILME at SUPER.NET.PH
> >------------------------------------------
> >
> >Is that "win- bugfix" thing as new as the virus or has it been around for
> >a while?
> >Did a couple searches and came up empty-handed.
> 
> Reports indicate that it's as new as the virus. There are four URLs on two
> domains that MSIE might try to download it from. Both sites are located in
> the Philippines -- I'm not sure if this is why people think it originated
> there, or if this is corroborating evidence for that.

The first few lines of the vbs also contain a reference to the
Philippines -- whether as a red herring or bravado, I don't know.
It would also make sense looking out the path of the pathogen.

> Apparently, after it downloads the program, it changes the MSIE start page
> to 'about:blank' to cover its tracks and modifies the registry so that the
> bugfix.exe program starts when Windows starts. I haven't yet read anything
> that says what bugfix.exe actually does, though.

It is a lovely little password catcher.  It is just lovely, the whole
thing.  The world must be hungry for love for this to have traveled so
quickly and so thoroughly.  I have had a very VERY aggravating day at
work because I am a lowly secretary who is good for telling someone how
to untangle their document, or to decode an errant email, or recover
data, or convert files, or make the software do x y or z, but I am not
IT.  And IT at work doesn't blow their collective noses unless M$ tells
them it's okay and how to do it and what brand of tissue to use.  We are
badly infected on our network drives.  Unfortunately, all of the loyal
people who come into work early are the ones who habitually pass around
cute attachments.  The head of IT was waiting for the Norton AV -- but
the website was down.  Of course, there were other ways to find it, and
I did and gave him the ftp address and a nice little summary of the
warnings/advice someone had compiled.  But last I heard he is still
waiting for Norton to call him back.  He also didn't know about the cute
little vbs files running around on the shared network until I told him
this afternoon.  (I had searched all of the files I had access to for
vbs extensions.)  I don't think he yet knows what is happening.

I had to listen to him give a defensive lecture on how this would have
been as bad on unix.  A man without a clue.  I need another job.

Tomorrow I get to help with the mop up.

Annette




