Re: Rumor about US disaster

2001-09-13 Thread Meritt James

Geeze, give me a break.  I hope you are not spreading rumors everywhere
you can get to.

War on who?  Now, what was  done has been classified as an act of war,
but that is against us, not by us.

Draft?  Get real.  That has to work its way through Congress.  A
response against what?

 Don McMorris wrote:

[snip]

 Second of all, there is a rumor that war WILL BE DECLARED.  Supposedly
 all males between 18 and 40 will be drafted.  At this time, as far as
 I know, they do not have a definite answer about who dun it.

[snip]


-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: onlyphones.com

2001-09-07 Thread Meritt James

Apparently, everyone on the ietf mailing list, right next to the one
that says infect me

[EMAIL PROTECTED] wrote:
 
 big snip
 
 ok, who's wearing the sign that says spam me?

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: MANZAOLI

2001-09-05 Thread Meritt James

Another double-dot attachment?  Geeze...  From a microsoft site?  uh
oh...

CESAR HERNANDEZ wrote:
 
   Part 1.1   Type: Plain Text (text/plain)
              Encoding: quoted-printable

   MANZAOLI.doc.com   Name: MANZAOLI.doc.com
                      Type: unspecified type (application/octet-stream)
                      Encoding: base64
                      Download Status: Not downloaded with message

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: Mailing Lists

2001-08-14 Thread Meritt James

Why should a firewall or virus protection be necessary?  It should
be intuitively obvious just looking at the attachment name.

 James K. Murray (AMSS Domain) wrote:
 
 There can be nothing more irritating than receiving several dozen
 Emails with attachments, each containing a virus!  Fortunately, both
 my firewall and virus protection software trapped the little bugger.
 
 PLEASE REMOVE ME FROM YOUR MAILING LIST !!!
 
 James
 
  - Original Message -
  From: AMSS Hotmail
  To: [EMAIL PROTECTED]
  Sent: Thursday, August 02, 2001 5:49 PM
  Subject: Mailing Lists
 
  Please remove me from the [EMAIL PROTECTED] mailing list.  It is
  really becoming quite burdensome, 2MB attachments and
   hundreds of Emails daily.
 
  The Email address to be removed is [EMAIL PROTECTED]
 
  Thank You!
 
  Best Regards,
 
  James K. Murray
  President
  A. M. Software Services, Inc.
  (718) 978-3956
 
  [EMAIL PROTECTED]
  http://AMSoftwareServices.com

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: Microsoft, please protect your stacks (was Re: [ih] ...stack?)

2001-08-06 Thread Meritt James

And you expect them to save us from ourselves?  Interesting.

David P. Reed wrote:
 
 Not sure why I got this (I'm not on ietf.org), but probably I was
 bcc'ed.  It calls for a response, though, if only to oppose a burgeoning
 meme that somehow Microsoft could save us all from hackers if it only did
 one or two simple things.  Those things being techniques that bar perfectly
 sensible coding practices and techniques in order to save us from hackers.

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: Attachment Stripped in Transaction

2001-08-01 Thread Meritt James



Works nicely.  Seems that there may be active content in the templates
used.  Check
http://support.microsoft.com/support/kb/articles/Q288/2/66.ASP


Robert Moskowitz wrote:
 
 At 08:42 PM 7/24/2001 -0400, [EMAIL PROTECTED] wrote:
 
 On the other hand, I could live with the filtering of active content and
 executables (which is what the *real* problem is, right?)
 
 any attachments.  there is proof of concept now for rtf trojans.

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: Production Feb 7

2001-07-31 Thread Meritt James

You realize, of course, that there is no way I am going to open an
attached Shortcut to MS-DOS Program (double dot file).  I suspect a
viral infection.

Robert Shelton wrote:
 
   Part 1.1   Type: Plain Text (text/plain)
              Encoding: quoted-printable

   Production Feb 7.xls.pif   Name: Production Feb 7.xls.pif
                              Type: Shortcut to MS-DOS Program (application/x-unknown-content-type-piffile)
                              Encoding: base64
                              Download Status: Not downloaded with message

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566




Re: Production Feb 7

2001-07-31 Thread Meritt James

In particular,
http://antivirus.about.com/library/weekly/aa071801a.htm?iam=dpileterms=%2BSirCam


   Documents' folders is one of the most accessible, whether from the
   desktop, Windows Explorer, or the default save to location in many
   programs. As a result, many use it as a repository for all their
   data files - even those which contain sensitive or confidential
   information. This practice has never been a good idea as it gives
   ill-intentioned intruders a virtual roadmap to your personal and
   work output. The SirCam worm takes the vulnerability one step
   further, using the contents of the folder to package and disguise
   itself to others.

   Sircam, (a.k.a. I-Worm.Sircam, W32.Sircam, and W32/SircCam) mass
   mails itself using addresses found in the Windows Address Book and
   in cached email addresses found on the system. The attachment it
   sends is a compilation of its infection routine and a file found in
   the My Documents folder. The original name of the file is left
   intact, with an executable extension appended to it. For example,
   .PIF, .COM, or .EXE would be added to the original filename, thus
   myphoto.jpg would become myphoto.jpg.exe. Users who did not have
   file extension viewing enabled would see only the original
   extension and in the example above, could be tricked into believing
   an executable file was actually a harmless image file.

   The worm then mails itself in an email with following message body:

      Hi! How are you?

      I send you this file in order to have your advice

      See you later! Thanks

   The subject line of the email is the name of the original file.
   When the infected attachment is executed, whatever file was lifted
   from the sender's My Document folder is displayed, thus disguising
   the SirCam worm's actions. This is particularly risky, as an
   infected user who stores confidential data in the My Documents
   folder could easily find proprietary and sensitive data mass-mailed
   to others.

   SirCam then copies itself to the Recycle Bin,
   C:\recycled\SirC32.exe, in an attempt to avoid detection by some
   antivirus scanners. The worm modifies the registry,
   [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm is
   run first when any .EXE on the system is run. This method makes
   improper removal of the worm a dangerous proposition. If the worm
   is deleted before the registry modification is corrected, no .EXE
   on the system will run.

   Complete removal instructions, either manually or via an automated
   tool can be found at:
   http://antivirus.about.com/library/weekly/aa072301a.htm.



Meritt James wrote:
 
 You realize, of course, that there is no way I am going to open an
 attached Shortcut to MS-DOS Program (double dot file).  I suspect a
 viral infection.
 
 Robert Shelton wrote:
 
    Part 1.1   Type: Plain Text (text/plain)
               Encoding: quoted-printable

    Production Feb 7.xls.pif   Name: Production Feb 7.xls.pif
                               Type: Shortcut to MS-DOS Program (application/x-unknown-content-type-piffile)
                               Encoding: base64
                               Download Status: Not downloaded with message
 
 --
 James W. Meritt, CISSP, CISA
 Booz, Allen & Hamilton
 phone: (410) 684-6566

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566
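
The double-extension naming described in the SirCam write-up quoted above, and visible in the `Production Feb 7.xls.pif` and `MANZAOLI.doc.com` attachments in this archive, can be checked mechanically when mail is received. The following is an added example, not part of the original messages: the function names, the constructed sample message, and the inner-extension length heuristic are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the quoted article names as appended by the worm.
EXECUTABLE_EXTS = {".pif", ".com", ".exe"}

def double_extension(filename):
    """Return (name_seen_with_extensions_hidden, real_extension) when an
    executable extension is appended to a name that already has one."""
    # Windows ignores trailing dots and spaces, so strip them first.
    parts = filename.strip().rstrip(". ").rsplit(".", 2)
    if len(parts) < 3:
        return None
    stem, inner, outer = parts
    real = "." + outer.lower()
    # Assumption: a plausible "document" extension is 1-4 alphanumerics;
    # this keeps names such as "www.example.com" from matching.
    if real in EXECUTABLE_EXTS and stem and inner.isalnum() and len(inner) <= 4:
        return (f"{stem}.{inner}", real)
    return None

def flag_attachments(raw_message):
    """Parse a raw RFC 822 message and list attachments with a hidden
    executable extension as (filename, displayed_name, real_extension)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = double_extension(name) if name else None
        if verdict:
            hits.append((name, *verdict))
    return hits

def build_sample():
    """Constructed test message; attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Production Feb 7"
    msg.set_content("Hi! How are you?")
    for name in ("Production Feb 7.xls.pif", "MANZAOLI.doc.com",
                 "myphoto.jpg", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, shown, real in flag_attachments(build_sample()):
        print(f"{filename!r}: displays as {shown!r}, real type {real}")
```
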




Re: Any value in this list ?

2001-07-31 Thread Meritt James

How about the ones who have the problem doing a bit towards solving
THEIR problem?  

You think there is one-and-only-one cause for everything?  Perhaps you
didn't notice that the patch to repair the vulnerability that Red Code
exploits was released back in June?

Keith Moore wrote:
 
  I especially don't like the way one
  company is lynched for every software problem in the world.
 
 you'd rather put the burden of responsibility for solving the
 problem on somebody besides the folks who caused it?

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566