Anybody else observed that bigben gained about 19 years at about 1:25pm
this arvo?
$ date
Tue Jan 1 14:54:33 NZDT 2002
$ /usr/sbin/ntpdate -q truechimer.waikato.ac.nz
server 130.217.76.32, stratum 2, offset -0.001089, delay 0.04276
1 Jan 14:49:38 ntpdate[17537]: adjust time server 130.217.76.32 offset
-0.001089 sec
$ /usr/sbin/ntpdate -q bigben.clix.net.nz
server 203.167.224.60, stratum 1, offset 619315199.998172, delay 0.03613
1 Jan 14:49:55 ntpdate[17540]: step time server 203.167.224.60 offset
619315199.998172 sec
-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
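The step ntpdate reports above is exactly what a sanity check on the computed offset would catch before the clock is touched. This is an added example, not code from the post or from ntpdate: it parses two constructed NTPv3 replies modelled on the offsets quoted for truechimer and bigben, computes the standard offset from the four timestamps, and rejects any offset beyond an assumed 1000 s limit.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# Sanity limit (assumption): ignore any server whose offset exceeds this, in the
# spirit of ntpd's 1000 s panic threshold. ntpdate itself has no such guard.
MAX_SANE_OFFSET = 1000.0


def ntp_to_unix(ts):
    """64-bit NTP timestamp (32.32 fixed point) -> Unix seconds as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def unix_to_ntp(t):
    """Inverse of ntp_to_unix; only used to build the constructed replies below."""
    whole = int(t)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | int(round((t - whole) * 2 ** 32))


def parse_reply(packet):
    """Return (stratum, T2, T3) from a 48-byte NTPv3 server reply, where T2 is
    when the server received our request and T3 when it sent the reply."""
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    # Bytes 4..15 hold root delay, root dispersion and reference id; not needed here.
    _ref, _orig, recv, xmit = struct.unpack("!QQQQ", packet[16:48])
    return packet[1], ntp_to_unix(recv), ntp_to_unix(xmit)


def clock_offset(t1, t2, t3, t4):
    """Standard NTP offset estimate: ((T2 - T1) + (T3 - T4)) / 2."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def evaluate(packet, t1, t4):
    """Judge one reply: offset, whether it is within MAX_SANE_OFFSET, and the
    offset in years so a 19-year step is obvious at a glance."""
    stratum, t2, t3 = parse_reply(packet)
    offset = clock_offset(t1, t2, t3, t4)
    return {"stratum": stratum, "offset": offset,
            "sane": abs(offset) <= MAX_SANE_OFFSET,
            "years": offset / (365.25 * 86400)}


def build_reply(stratum, t2, t3):
    """Construct a server reply (LI=0, VN=3, mode=4); constructed test data."""
    header = bytes([0x1C, stratum, 6, (-20) & 0xFF])    # li/vn/mode, stratum, poll, precision
    header += struct.pack("!II4s", 0, 0, b"GPS ")        # root delay, root dispersion, refid
    return header + struct.pack("!QQQQ", unix_to_ntp(t3), 0,
                                unix_to_ntp(t2), unix_to_ntp(t3))


def evaluate_constructed_servers():
    """Two constructed replies modelled on the offsets in the post: a healthy
    stratum-2 server and a stratum-1 server whose clock is ~19.6 years ahead."""
    t1 = 1009849778.0        # request sent: 2002-01-01 01:49:38 UTC (14:49:38 NZDT)
    t4 = t1 + 0.04           # reply received 40 ms later (round-trip delay 0.04 s)
    results = {}
    for name, stratum, true_offset in (("truechimer", 2, -0.001089),
                                        ("bigben", 1, 619315199.998172)):
        t2 = t1 + 0.02 + true_offset   # server's clock when the request arrived
        results[name] = evaluate(build_reply(stratum, t2, t2), t1, t4)
    return results


if __name__ == "__main__":
    for name, r in evaluate_constructed_servers().items():
        verdict = "ok" if r["sane"] else "REJECT (%.1f years off)" % r["years"]
        print("%-11s stratum %d offset %+.6f s  %s" % (name, r["stratum"], r["offset"], verdict))
```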
[I keep trying to redirect this noise somewhere else. Seems like some
peoples' mail clients don't respect standard headers, or something]
On Tue, Oct 01, 2002 at 04:47:16PM +1200, James Spooner wrote:
> Are you in fact an expert on car safety, or do you buy/travel in a car based
> on what you know about car safety?
I'm no expert.
> If in fact you do, does this not make you a parallel to someone using
> windows and outlook express, who 'should know better'.
>
> Why do you think you travel in a particular car, is it perhaps because it's
> available and it gets you from A to B?
Sure. I don't make a habit of travelling in cars which are not licensed
to drive on the road, though, and that affords me some safety without
needing first-hand, expert knowledge of the dangers involved.
> I think that the Car vs Computer parallel in fact works in favour of windows
> in this case Joe.
I don't follow you.
There are safeguards set up to ensure people don't drive in unsafe cars,
regardless of how little they personally know about car safety.
There are no safeguards set up to encourage people not to use unsafe
mail clients. The regular virus bulletins could say "as with this other
large list of security problems, this one can be avoided simply by using
a different mail client", but they don't. ISPs could stop shipping OE,
or could find ways to encourage users to install different mail clients,
but they don't.
> Check my headers if you wonder which client I use :)
So why do you use it?
Joe
Hi Joe,
We could state that in our advisories,
However, wouldn't it be on the same line as:
Avoid car accidents, disable all petrol and diesel?
Personally I would love to have the death rate
on the road reduced to 0. If this is realistically
achievable right now is another question.
The reality is that Microsoft and all its products are
a very large part of the global business world right
now. Just as unsafe cars. We can make them
somewhat safer by awareness and vigilance,
just as driving a car.
That is not to say that we don't agree with you,
but the other side of the coin is that there are
plenty of "non-windows" threats around; SSL,
apache etc also have their own vulnerabilities.
Arjen
-----Original Message-----
From: Joe Abley [mailto:jabley@automagic.org]
Sent: Tuesday, October 01, 2002 3:40 PM
To: Arjen De Landgraaf
Cc: 'Simon Byrnand'; nznog(a)list.waikato.ac.nz
Subject: Re: Virus alert
On Tue, Oct 01, 2002 at 03:16:57PM +1200, Arjen De Landgraaf wrote:
> From www.e-secure-it.us
>
> DETAILED DESCRIPTION OF BUGBEAR, HOW TO RECOGNISE AND FIRST AID KIT.
It continues to amaze me that the preventative measure "do not use
microsoft e-mail clients", or even "do not use windows" is never
suggested as part of these bulletins.
I think ISP and IT helpdesks of the world would do everybody a big
favour if they just stopped supporting mail clients which make it
so trivial to execute encapsulated scripts.
"I propose that we deploy Microsoft Outlook".
"You're fired. Never insult us with your presence again."
Mmm.
"I have a problem with my e-mail."
"Does it say Outlook Express at the top of the window?"
"Yes."
<click> brrrrrrr
Reply-To set :)
Joe
On Tue, Oct 01, 2002 at 03:58:36PM +1200, Arjen De Landgraaf wrote:
> Hi Joe,
>
> We could state that in our advisories,
> However, wouldn't it be on the same line as:
>
> Avoid car accidents, disable all petrol and diesel?
> No; I think it would be more along the lines of "do not drive vehicles
> which are unsafe".
LOL or could we also say "do not do those drugs as they are unsafe"
> The reality is that Microsoft and all its products are
> a very large part of the global business world right
> now. Just as unsafe cars. We can make them
> somewhat safer by awareness and vigilance,
> just as driving a car.
> Not quite. We reduce the problem of unsafe cars by passing laws which
> seek to enforce minimum standards for cars. If nobody took any steps to
> get unsafe cars off the road, more people would die.
The same could be said of the Internet, as more and more countries pass
legislation on what is and isn't acceptable use of this medium. If nobody
took any steps to pass and police these laws then more software
vulnerabilities would be discovered and exposed by, what can arguably be
explained as the biggest pain in our collective IT butt, Hackers, or did I
mean developers that move from the standard to claim their own.
> If the most popular car on the road had a defect which routinely caused
> people to die, I don't think people would say "the reality is that the
> car in question has a large market share, so it's really not practical
> to encourage people not to drive it."
Fix the defect and do a recall on the car in question, it is not a question
of practicality more one of morality, and we all know that practicality and
morality are clouded when it comes to the bottom line.
Darryl
> Joe
From www.e-secure-it.us
DETAILED DESCRIPTION OF BUGBEAR, HOW TO RECOGNISE AND FIRST AID KIT.
Bugbear / Tanatos
This virus is written in MSVC and packed with UPX.
It shuts down anti-virus and firewall software designed to block out
intruders and can spread by dropping copies of itself into folders on shared
networks, which are commonly used at corporations and large organizations.
The worm's most interesting feature is a Trojan horse component called
PWS-Hooker that secretly watches every keystroke on an infected computer,
and stores the captured information on the computer in encrypted form. The
data can be accessed later by the virus writer or anyone else who happens
upon the infected computer, or it can be e-mailed to the author.
Bugbear might be spreading because it is cleverly crafted and difficult to
spot with the naked eye. It arrives in a victim's e-mail inbox with a
subject line chosen randomly from dozens of possibilities, including:
Possible message subject lines include the following (however, other random
subject lines are also possible):
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help...
Re: $150 FREE Bonus!
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert
The message body varies and may contain fragments of files found on the
victim's system. The attachment name also varies, but may contain the
following strings:
Card
Docs
image
images
music
news
photo
pics
readme
resume
Setup
song
video
The actual infected file arrives as an attachment, which also has a random
name. And Bugbear's first task, upon infection, is to disable all installed
antivirus software.
It's throwing a lot of things at people to see if it can find something to
slip under the radar.
Once activated, the virus shuts down scores of vital processes used by
Windows and by antivirus software, records user keystrokes, opens a backdoor
to the infected machine for use by attackers, and attempts to mail copies of
itself out to other users, randomly generating new subject lines and virus
executable names as it does.
W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts
to spread via network shares. The worm copies itself to the Windows system
folder as a file with a random four-letter name and an EXE extension and
adds to the following registry entry to run this file on the next reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
W32/Bugbear-A also drops a copy of itself in the Windows start up folder so
that it is run on system restart.
The worm drops a randomly-named DLL file, which is related to logging
keystrokes, in the Windows system folder. It can also terminate certain
firewall and antivirus programs.
How to recognise:
The virus file is attached to e-mails with a wide variety of subject lines :
Attachment Length: 50,688 bytes (UPXed) or 50,664 bytes
The subject line, name of the attachment and text in the body of the message
can vary, and the attachment name typically has a double extension, such as
.xxx.pif, .xxx.scr etc
IF YOU ARE INFECTED:
Symptoms:
Method Of Infection
This virus spreads over the network (via network shares) and by mailing
itself (using its own SMTP engine).
It attempts to terminate the process of the following security programs:
ACKWIN32.exe
F-AGNT95.exe
ANTI-TROJAN.exe
APVXDWIN.exe
AUTODOWN.exe
AVCONSOL.exe
AVE32.exe
AVGCTRL.exe
AVKSERV.exe
AVNT.exe
AVP32.exe
AVP32.exe
AVPCC.exe
AVPCC.exe
AVPDOS32.exe
AVPM.exe
AVPM.exe
AVPTC32.exe
AVPUPD.exe
AVSCHED32.exe
AVWIN95.exe
AVWUPD32.exe
BLACKD.exe
BLACKICE.exe
CFIADMIN.exe
CFIAUDIT.exe
CFINET.exe
CFINET32.exe
CLAW95.exe
CLAW95CF.exe
CLEANER.exe
CLEANER3.exe
DVP95_0.exe
ECENGINE.exe
ESAFE.exe
ESPWATCH.exe
FINDVIRU.exe
FPROT.exe
IAMAPP.exe
IAMSERV.exe
IBMASN.exe
IBMAVSP.exe
ICLOAD95.exe
ICLOADNT.exe
ICMON.exe
ICSUPP95.exe
ICSUPPNT.exe
IFACE.exe
IOMON98.exe
JEDI.exe
LOCKDOWN2000.exe
LOOKOUT.exe
LUALL.exe
MOOLIVE.exe
MPFTRAY.exe
N32SCANW.exe
NAVAPW32.exe
NAVLU32.exe
NAVNT.exe
NAVW32.exe
NAVWNT.exe
NISUM.exe
NMAIN.exe
NORMIST.exe
NUPGRADE.exe
NVC95.exe
OUTPOST.exe
PADMIN.exe
PAVCL.exe
PAVSCHED.exe
PAVW.exe
PCCWIN98.exe
PCFWALLICON.exe
PERSFW.exe
F-PROT.exe
F-PROT95.exe
RAV7.exe
RAV7WIN.exe
RESCUE.exe
SAFEWEB.exe
SCAN32.exe
SCAN95.exe
SCANPM.exe
SCRSCAN.exe
SERV95.exe
SPHINX.exe
F-STOPW.exe
SWEEP95.exe
TBSCAN.exe
TDS2-98.exe
TDS2-NT.exe
VET95.exe
VETTRAY.exe
VSCAN40.exe
VSECOMR.exe
VSHWIN32.exe
VSSTAT.exe
WEBSCANX.exe
WFINDV32.exe
ZONEALARM.exe
TROJAN:
Port 36974 open
Existence of the following files (* represents any character):
%WinDir%\System\****.EXE (50,688 or 50,684 bytes)
%WinDir%\******.DAT
%WinDir%\******.DAT
%WinDir%\System\******.DLL
%WinDir%\System\*******.DLL
%WinDir%\System\*******.DLL
This worm emails itself to addresses found on the local system.
The worm copies itself to the Windows system folder as a file with a random
four-letter name and an EXE extension and adds to the following registry
entry to run this file on the next reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
When run on the victim machine it copies itself to %WinDir%\System as
****.EXE (where * represents random character). For example in testing:
Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE
2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE
The following Registry key is set in order to hook next system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RunOnce "%random letters%" = %random filename%.EXE (Win9x)
The worm copies itself to the Startup folder on the victim machine as
***.EXE (where * represents random character), for example:
Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE
2k Pro : C:\Documents and Settings\(username)\Start
Menu\Programs\Startup\CYC.EXE
Trojan component
The worm opens a port on the victim machine - port 36794 and searches for
various running processes, stopping them if found. The list of processes
includes many popular AV and personal firewall products.
This remote access server allows an attacker to upload and download files,
run executables, and terminate processes.
It drops a DLL on the victim machine - keylogger related. This DLL is
detected as PWS-Hooker.dll.
Network share propagation
The worm attempts to copy itself to the Startup folder of remote machines on
the network (as ***.EXE - described above).
Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE
to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet
Explorer (ver 5.01 or 5.5 without SP2).
FIRST AID KIT:
AS EMERGENCY MEASURE - Remove, Disable or encrypt all local email addresses
(addressbook etc) TO PREVENT FROM SPREADING (BEFORE YOU ARE INFECTED)
INCOMING EMAILS:
Filter on attachment length 50,688 bytes (UPXed) or 50,664 bytes
Filter out attachments, especially .pif, .scr (By the way, you should filter
out all attachments anyway)
Nail down your Network shares - it replicates itself through them.
Make sure all USER PC's have IE updated with latest security patches
It takes advantage of a known vulnerability in Microsoft's Internet Explorer
versions 5.01 and 5.5 that allows attackers to embed malicious code in the
header of an improperly formatted HTML message that could cause e-mail
clients such as Outlook to automatically launch attached executable files.
Microsoft addressed the issue in Service Bulletin MS01-020 and issued a
patch for the vulnerability in March of 2001.
Trojan:
Port 36974 open - CHECK ON THIS PORT!!!!
Existence of the following files (* represents any character):
%WinDir%\System\****.EXE (50,688 or 50,684 bytes)
%WinDir%\******.DAT
%WinDir%\******.DAT
%WinDir%\System\******.DLL
%WinDir%\System\*******.DLL
%WinDir%\System\*******.DLL
FURTHER INFORMATION ON PWS-HOOKER:
Type: Zoo Trojan Horse
Infection Length: variable
Systems Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows
2000, Windows XP, Windows Me
Trojans in this family can record your keystrokes and store this information
in encrypted form. The Trojan sends this encrypted file and the IP address
of the compromised computer to email addresses that are defined by the
hacker.
The following is a description of a specific PWS.Hooker.Trojan variant that
can be dropped by the W32.Badtrans.gen@mm worm.
When the Trojan runs, it does the following:
It copies itself as C:\%System%\Kern32.exe.
NOTE: %System% is a variable. The Trojan locates the \Windows\System folder
(by default this is C:\Windows\System or C:\Winnt\System32) and copies
itself to that location.
It also drops C:\%System%\Hksdll.dll. This file is a component of, and is
detected as W32.Badtrans.gen@mm.
The Trojan adds the value
kernel32 C:\%System%\kern32.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
This causes the Trojan to run the next time that you start Windows.
Arjen de Landgraaf
www.e-secure-db.us
www.e-secure-it.us
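The "FIRST AID KIT" indicators in the advisory above (attachment length, a double extension ending in .pif or .scr, and an MS01-020 style mismatch between the declared MIME type and an executable attachment) as a mail-gateway check. This is an added example, not part of the advisory or of any vendor's product; the .exe extension, the audio/image-versus-executable mismatch rule and the two sample messages are this example's own assumptions.

```python
import email
import email.policy
from email.message import EmailMessage

# Indicators quoted in the advisory above.
BUGBEAR_ATTACHMENT_SIZES = {50688, 50664, 50684}   # the three byte counts the advisory gives
# .pif and .scr are named in the advisory; .exe is this example's addition (assumption).
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe"}


def attachment_findings(part):
    """Return the list of indicator names that fire on one MIME attachment part."""
    findings = []
    name = (part.get_filename() or "").lower()
    pieces = name.split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    # "the attachment name typically has a double extension, such as .xxx.pif, .xxx.scr"
    if len(pieces) > 2 and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double-extension-executable")
    elif ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-attachment")
    # "Filter on attachment length 50,688 bytes (UPXed) or 50,664 bytes"
    payload = part.get_payload(decode=True) or b""
    if len(payload) in BUGBEAR_ATTACHMENT_SIZES:
        findings.append("bugbear-size-%d" % len(payload))
    # MS01-020 abuse relies on a declared Content-Type (e.g. audio/x-wav) that does
    # not match an executable attachment; this mismatch rule is the example's own.
    if part.get_content_maintype() in ("audio", "image") and ext in EXECUTABLE_EXTENSIONS:
        findings.append("mime-type-mismatch")
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and map each attachment filename to its hits."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart" or part.get_filename() is None:
            continue
        hits = attachment_findings(part)
        if hits:
            report[part.get_filename()] = hits
    return report


def build_sample(filename, payload, maintype, subtype):
    """Constructed test message; 'Stats' is one of the subjects listed in the advisory."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Stats"
    msg.set_content("Body text, constructed for this example.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def demo():
    """Scan one Bugbear-like message and one benign one; returns both reports."""
    suspicious = build_sample("readme.doc.pif", b"\x00" * 50688, "audio", "x-wav")
    benign = build_sample("report.txt", b"quarterly figures", "text", "plain")
    return scan_message(suspicious), scan_message(benign)


if __name__ == "__main__":
    for report in demo():
        print(report or "no indicators")
```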
-----Original Message-----
From: Simon Byrnand [mailto:simon@igrin.co.nz]
Sent: Tuesday, October 01, 2002 3:14 PM
To: nznog(a)list.waikato.ac.nz
Subject: Virus alert
For those that haven't noticed yet, a new virus has just come out which is
spreading extremely rapidly.
Depending on what antivirus software you use it's called "W32.Bugbear@mm"
(Norton Antivirus) or "I-Worm.Tanatos" (Kaspersky) - it may go under
different names on other scanners. Both Norton and Kaspersky have only
added detection of it in the last 12 hours AFAIK, and it looks like it has
been in the wild in NZ at least 24 hours before updates to most scanners
were able to detect it.
(On topic bit :) The thing that's interesting about this particular virus
is that it actively scans netblocks for machines listening on port 137
(Windows file/printer sharing) using simple incremental scans, so it's quite
easy to spot machines that are infected. Apparently it also sends
information about the compromised machine to a pre-defined email address,
and also opens a backdoor listening on TCP port 36794.
As well as that, it uses the I-Frame exploit to automatically infect
machines with unpatched versions of Outlook Express, and has the ability to
automatically close all commonly used virus scanners whenever you try to
run them.
Based on the massive flood of this virus we've seen today it looks like a
Klez killer has arrived.....
(it's outnumbering Klez by about 16 to 1 in our stats today)
More info:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
Regards,
Simon Byrnand
iGRIN Internet
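Simon's point that the incremental port-137 sweeps make infected machines easy to spot, as an added example that is not part of the post: it parses constructed iptables-style LOG lines, scores each source by how many distinct hosts it probed on port 137 and how consecutive those targets were, and separately lists connections to the TCP 36794 backdoor port the post mentions. The log lines, addresses and thresholds are this example's assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# iptables LOG-style lines, constructed for this example (documentation addresses).
SAMPLE_LOG = """\
Oct  1 14:03:21 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.1 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:21 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.2 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:21 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.3 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:22 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.4 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:22 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:22 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.6 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:23 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:23 fw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.8 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:30 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.20 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:31 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.20 PROTO=UDP SPT=137 DPT=137
Oct  1 14:03:32 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.200 PROTO=TCP SPT=1034 DPT=80
Oct  1 14:03:35 fw kernel: IN=eth0 SRC=192.0.2.90 DST=198.51.100.9 PROTO=TCP SPT=2201 DPT=36794
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_lines(text):
    """Yield (src, dst, proto, dport) for every line that matches the LOG format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def sequential_fraction(addresses):
    """Fraction of sorted, distinct addresses that are exactly one higher than
    their predecessor; an incremental sweep scores close to 1.0, random picks near 0."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addresses})
    if len(ints) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return steps / (len(ints) - 1)


def find_netbios_sweeps(text, min_targets=5, min_sequential=0.8):
    """Sources that probed at least min_targets distinct hosts on port 137 in a
    mostly incremental order. Both thresholds are assumptions for the example."""
    targets = defaultdict(set)
    for src, dst, proto, dpt in parse_lines(text):
        if dpt == 137:
            targets[src].add(dst)
    sweeps = {}
    for src, dsts in targets.items():
        frac = sequential_fraction(dsts)
        if len(dsts) >= min_targets and frac >= min_sequential:
            sweeps[src] = {"targets": len(dsts), "sequential": frac}
    return sweeps


def find_backdoor_connections(text, port=36794):
    """(src, dst) pairs talking to the TCP backdoor port from the post: these point
    at hosts that are already compromised rather than merely being scanned."""
    return sorted({(src, dst) for src, dst, proto, dpt in parse_lines(text)
                   if proto == "TCP" and dpt == port})


if __name__ == "__main__":
    print(find_netbios_sweeps(SAMPLE_LOG))
    print(find_backdoor_connections(SAMPLE_LOG))
```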
> From: Andy Gardner [mailto:andy@navigator.co.nz]
> Sent: Wednesday, 25 September 2002 08:59
> To: nznog(a)list.waikato.ac.nz
> Subject: RE: domain renewal fee
>
>
> At 8:52 AM +1200 9/25/02, Donald Neal wrote:
> >Discussion of the value of InternetNZ's involvement with
> ICANN looks to me
> >to be way outside that policy.
>
> Not when you consider that ICANN is attempting to dictate
> policy to APNIC.
Discussion of APNIC: In
Discussion of InternetNZ's air fares/hotel bills: Out
- Donald Neal
------------------------------------------------------------------------------
"This communication, including any attachments, is confidential.
If you are not the intended recipient, you should not read
it - please contact me immediately, destroy it, and do not
copy or use any part of this communication or disclose
anything about it. Thank you."
------------------------------------------------------------------------------
> From: Juha Saarinen [mailto:juha@saarinen.org]
> Sent: Wednesday, 25 September 2002 08:47
> To: DPF
> Cc: nznog(a)list.waikato.ac.nz
> Subject: Re: domain renewal fee
[...]
>
> Hummm... $73,423 is the actual figure, so each meeting costs just over
> $18,000, or $9,000 per person.
>
> Are the meetings worth that kind of expenditure?
Could subscribers please remember that the AUP for this list reads in part:
1. Discussion will focus on Internet operational and technical
issues.
2. Discussion related to meetings of network service providers is
appropriate.
3. Discussion unrelated to these topics is not appropriate.
...
7. Postings of a political, philosophical or legal nature are
discouraged.
Discussion of the value of InternetNZ's involvement with ICANN looks to me to be way outside that policy. I believe any operational content of this thread has now been exhausted.
- Donald Neal
On Tue, 24 Sep 2002, Keith Davidson wrote:
> While I assume this was a little tongue in cheek, it should be noted
> that the amount spent by InternetNZ on ICANN travel is less than 50
> cents per domain name per year.
Oh no... you mean the rest ($91.50) is blown on gerbil-fuelled
orgies and Bonzai Buddy licenses? No wonder .nz names are so expensive!
;-)
--
Juha Saarinen
> On Tue, Sep 24, 2002 at 05:32:25AM +0000, David Farrar wrote:
> > > Afternoon,
> > >
> > > Just wondering if anyone knows why the annual renewal fee has gone up
> > > for .nz domains? Got a piece of a tree in the mail the other day
> > > mentioning that renewals have gone up a few bucks a year. Granted other
> > > costs have gone down, but for those who already have domains are going
> > > to wear the punch.
> >
> > The issue is slightly complex. At present the .nz registry is with DOMAINZ and
> > they have a range of fees depending if you are an accredited provider or if you
> > register direct through their website. DOMAINZ is also the sole Registrar.
> >
>
> I've heard the palava about the SRS coming online for a trial month,
> then going live, however, where's the complexity which causes the
> renewal fee to go up by 10 bucks a year?
The renewal fee isn't going up by $10 a year.
DOMAINZ at present charge what I would call a combined registry/registrar fee
of $44 (or $74 for new customers) for those who register directly through them.
Under the SRS the registry fee will be $24 and each registrar will charge
their own registrar fee on top of that. DOMAINZ have signalled their prices
and services, other registrars will vary no doubt. The idea behind the SRS is
that registrants will be able to choose the registrar which offers what they
want - price will be a factor in this but so will other considerations such as
service, billing terms, bundling of other services etc.
> I could justify keeping a couple of lines in a text file for a year for a few
> hot breakfasts, but not the increase the fee's gone up to.
You are right that the variable cost of registering a domain name is very
low. There have been significant costs involved in setting up the SRS,
consultation on business and technical rules etc and that is why the registry
fee has been set at $2/month to cover depreciation etc. A major cost is
actually paying for DNS Name Server Operations incidentally. I personally
hope that after a short while this fee will track downwards once costs of
running the new registry are known as opposed to projections.
DPF