Re: [Full-disclosure] virus in email RTF message MS OE almost disabled



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Putting Phd, CISSP after your name combined with your original
request isn't going to get you much love on this list, but then
again, so much for the 30,000 ft birds eye academic view of
security(and we wonder why the so called *industry* is such a
failure...).

Now for some practical advice that they probably didn't teach you
in your Phd class or in the Sybex(or whatever you used) CISSP book:
If you were running with admin privileges when you opened that
attachment, as with most modern malicious code, they are
*generally* not worth trying to clean (hint..hint blended threats).
Backup your stuff, dban the drive(zero's, 1 pass) and rebuild the
box.


elazar
On Tue, 23 Nov 2010 09:26:49 -0500 "Mikhail A. Utin"
<mutin@xxxxxxxxxxxxxxxxxxxx> wrote:
As we see, our list has a few (luckily just a few) unprofessional
people thinking of themselves as gods, and hiding in such Russian-
born domains. It's useless to engage in any discussion as they
have too much time and will waste our time as well. And it's
useless to explain ethics, security basics, and our experience as
they are kiddies. Eventually they will grow ... may be.

List, thank you very much

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St.
Boston, MA
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mutin@xxxxxxxxxxxxxxxxxxxx


-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, November 22, 2010 4:52 PM
To: Mikhail A. Utin
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: virus in email RTF message MS OE almost disabled

Keep it on the list. No need for private emails if you need
assistance - give everyone a chance!

My response was far more useful than your post - "I got pwned by
an Office virus by opening an attachment in OE - What could it
be??" Jeeze dude. And I didn't give any "adice" about "Noton."
I said to get someone professional, which you *clearly* need to
do.

You should look up these guys:
http://www.rubos.com/pisa.html

Apparently they are Information System Security Professionals, and
they are in the same town as you. One even has a CISSP, so you
KNOW that he knows what he is doing. Funny thing is that he has
the exact same name as you do. What are the chances of that? If
these guys formed the company to sell services to businesses and
individuals to comply with legal security and privacy
requirements, then they should be able to figure out how to find
an Office virus on XP, right?

You can even join them as "Security professionals and experienced
Information Sestems professionals are welcome." I'm not sure what
a "Sestems professional" is, but it must be very important work.

Waste of time indeed. Apple Stores are hiring "geniuses" for the
holidays - even they know how to use XP and could help.

t





From: Mikhail A. Utin [mailto:mutin@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, November 22, 2010 1:26 PM
To: Thor (Hammer of God)
Subject: RE: virus in email RTF message MS OE almost disabled

Your email is useless. It is on my home PC. If you have better
adice than using Noton SW, then please use your mind to get
something minigful.
If you can name the virus or where to find its instance, it would
be a help. Otherwise do not waste you and my time.

From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, November 22, 2010 3:17 PM
To: Mikhail A. Utin; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: virus in email RTF message MS OE almost disabled

You know, every time I start to get a bit of hope for what looks
like an upward trend of businesses and organizations taking
security seriously, I see crap like this.  Your organization is a
Medicare prescription contractor with a national network of 61,022
contracted pharmacies, and not only are you running unpatched
versions of old OS's and opening email attachments because they
"look OK," but you have to post to Full Disclosure asking help for
trivial virus detection and removal advice?   Now that everyone on
FD knows that you are vulnerable and that you open email
attachments, you've probably just caused the organization to be
pwned 9 ways from Sunday.

To answer your question, call a professional and have them do it. 
And in the future, don't send out emails like this from your
organization email announcing the state of your security.  That's
what Hotmail is for. 

t

From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Mikhail A. Utin
Sent: Monday, November 22, 2010 7:18 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] virus in email RTF message MS OE almost
disabled

Hello,
Opening looking OK email message in my MS OE I've very likely got
new kind of virus, which exploits MS Office flaw recently
announced. Immediately after, my OE started consuming huge memory
when I switched between folders or messages. I've not seen any
process in Task Manager taking up to 1 GB memory (physical is
512M). I did not find any newly installed executables either. When
I shut down OE, the computer works fine.
Any thoughts?
Thank you

Mikhail
CONFIDENTIALITY NOTICE: This email communication and any
attachments may contain confidential
and privileged information for the use of the designated
recipients named above. If you are
not the intended recipient, you are hereby notified that you have
received this communication
in error and that any review, disclosure, dissemination,
distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please reply to the
sender immediately or by telephone at (617) 426-0600 and destroy
all copies of this communication
and any attachments. For further information regarding
Commonwealth Care Alliance's privacy policy,
please visit our Internet web site at
http://www.commonwealthcare.org.

CONFIDENTIALITY NOTICE: This email communication and any
attachments may contain confidential
and privileged information for the use of the designated
recipients named above. If you are
not the intended recipient, you are hereby notified that you have
received this communication
in error and that any review, disclosure, dissemination,
distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please reply to the
sender immediately or by telephone at (617) 426-0600 and destroy
all copies of this communication
and any attachments. For further information regarding
Commonwealth Care Alliance's privacy policy,
please visit our Internet web site at
http://www.commonwealthcare.org.

CONFIDENTIALITY NOTICE: This email communication and any
attachments may contain confidential
and privileged information for the use of the designated
recipients named above. If you are
not the intended recipient, you are hereby notified that you have
received this communication
in error and that any review, disclosure, dissemination,
distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please reply to the
sender immediately or by telephone at (617) 426-0600 and destroy
all copies of this communication
and any attachments. For further information regarding
Commonwealth Care Alliance's privacy policy,
please visit our Internet web site at
http://www.commonwealthcare.org.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkzsKVoACgkQi04xwClgpZhkjgP+K3RrEQAXFsWLsPDc/oEjT0TM+ofP
TkLr6wrKfAER+dzeAyqL4diCeO8+/8/NKSurEAGlw1V72WPkXwAAxnbrk5UX9RNEKXsk
06x/dWtMjqVgQSC1BI7uswD9xpToYNTGCOU8CH5Yem4c2dbmOqnEhli79GNbWmWWs5lN
nZuNSeg=
=Z6pH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] virus in email RTF message MS OE almost disabled
    ... Information Security Analyst ... virus in email RTF message MS OE almost ... knows that you are vulnerable and that you open email attachments, ... This email communication and any attachments may ...
    (Full-Disclosure)
  • Re: Please advise
    ... It could be spyware and / or malware and not just a virus. ... > then Format/HTML, the message would display. ... Because of this tendency of attachments to infect, Microsoft has now set OE to block all attachments. ... If you choose to adjust OE to allow attachments, make sure you save the attachment to disk first and then scan it with your antivirus software. ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • CERT Advisory CA-2004-02 Email-borne Viruses
    ... CERT Advisory CA-2004-02 Email-borne Viruses ... Source: CERT/CC ... Unsolicited email messages containing attachments are sent ... A virus infection can have significant consquences on your computer ...
    (Cert)
  • CERT Advisory CA-2004-02 Email-borne Viruses
    ... CERT Advisory CA-2004-02 Email-borne Viruses ... Source: CERT/CC ... Unsolicited email messages containing attachments are sent ... A virus infection can have significant consquences on your computer ...
    (Cert)
  • Re: help on outlook express wont start
    ... the anti virus software was conflicting with OE ... Don't open attachments. ... Turn off email scanning in your antivirus software. ... attempting to infect your system, ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)