 pslossPremium join:2002-02-24 Alpharetta, GA | reply to guycad$
Re: 'IraqWorm' and XP: preliminary info
said by guycad$: Not because M$ made any effort to make them more secure in this respect, but because M$ seems to have crippled XP Home enough so this worm appears to not be a problem for Home users.
In my opinion, it's both. Simple File Sharing is a kind of crippling of XP Home in comparison to the file sharing available in Win2k Pro or XP Pro and that's protective -- but so are the efforts that result on XP in restricting enumeration of accounts and authenticating all logins (regardless of credentials supplied) as Guest. So even if one knew an Admin password, they wouldn't get Admin access remotely in a default config.
said by guycad$: I will be posting some of the other things I found in another thread. 
I'll look for that one, too. If you think something is relevant here (with respect to the worm's interaction with XP), please consider posting that, too...
Thanks,
Philip Sloss -- stuff@lupwa.org |
|
 skjWelcome to the far side of realityPremium,Mod join:2002-04-04 Gone South | reply to NetWatchMan
Re: mNW Alert: 'IraqWorm' propagating via tcp/445
NAV write-up
»securityresponse.symantec.com/av···ten.html |
|
 | reply to NetWatchMan Grisoft has updated for this worm:
»www.grisoft.com/html/us_faq.php?···o=lioten
Get your Update 431.
If anyone wants to send me the three different types of this thing, I'll see if AVG Free detects them. IM me. |
|
 | Dr. Web is detecting all variants of this worm now (see pic): virus updates this morning 12/17/02. :) |
|
 | »story.news.yahoo.com/news?tmpl=s···d/108052 - Looks like this is known to quite a few people. Doesn't mention DSLR though. BTW, this was on the front page of Yahoo. |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:6 | said by desreversti: »story.news.yahoo.com/news?tmpl=s···d/108052 - Looks like this is known to quite a few people. Doesn't mention DSLR though. BTW, this was on the front page of Yahoo.
Well I have to laugh at that story only because the author just put some info together and started writing...one piece of info is his reference to DATRIX.
He does not know what he is talking about..but we know where he got it..you see, for one day the Symantec write-up for W32.HLLW.Lioten had a "typo ERROR" in the body of the write-up referring to Datrix...Randy Bell notified them of the mistake and at the same time they figured it out and changed it. So this guy is just a copy and paste writer like me
This is Datrix and it has nothing to do with iraq-oil.exe.
»securityresponse.symantec.com/av···rix.html
I give the guy a -5 for the article. -- GAV-Gladiator AntiVirus Forum-»www.forum.gladiator-antivirus.com/ |
|
 | Here's a better article from the Inquirer: »www.theinquirer.net/?article=6797 |
|
 pslossPremium join:2002-02-24 Alpharetta, GA | said by Stonedonkey: Here's a better article from the Inquirer: »www.theinquirer.net/?article=6797
It's not really an article, but I liked the CERT incident note, which also has words on XP's default protection (both versions of XP) against the account enumeration this worm uses: »www.cert.org/incident_notes/IN-2002-06.html -- stuff@lupwa.org |
|
 | reply to Name Game said by Name Game: Randy Bell notified them of the mistake and at the same time they figured it out and changed it.
Hehe, only 'cause Name Game sent Randy Bell an IM about the typo; but Symantec fixed it before you could say "typo" ... :) |
|
 | reply to NetWatchMan
Re: mNW Alert: Iraq Worm propagating via tcp/445
Now I'm really disappointed! I saved the two files prior to updating my defs (NAV 2003 on 2 comps and McAfee 5.21 on 3rd comp). After updating, NAV nails both files no matter how I try to look at them, but McAfee tells me that everything is OK! Granted, the McAfee is an older version, but one that is still supported. I tested McAfee prior to updating the definitions, and again after getting the current version (10 minutes ago!). Is McAfee only updating their newest versions now? Looks like I need to replace the McAfee with NAV!
McAfee version 5.21.1000 Def 4.9.4238 Eng 4.1.60
I'm fairly new to NAV, been using McAfee for years, but recently switched once I realized how badly it was affecting my system performance. |
|
 WildcatboyPremium,Mod join:2000-10-30 Toronto, ON kudos:2 Host: Security Product V.. Security
| Yep, they screwed up. Your version of McAfee is not really old and they do update and support it. The problem is the dat version 4238. It does not detect this particular file.
NAI does provide daily updates of the dat file. They add new viruses to the list or in cases like this correct their mistakes on a daily basis. Then each week they combine the daily files and release it as the weekly update that you get.
In the interim you can protect yourself by downloading the attached file. Find the directory where McAfee stores clean.dat, names.dat and scan.dat and simply put the extra.dat in that directory and you're done. -- You can catch the Devil, but you can't hold him long.
[text was edited by author 2002-12-21 01:22:33] |
|
 | I guess you and Corerott need to upgrade to NAV (grin).  |
|
 joepwpbPremium join:2000-12-15 West Palm Beach, FL | reply to Wildcatboy said by Wildcatboy:
Yep, they screwed up. Your version of McAfee is not really old and they do update and support it. The problem is the dat version 4238. It does not detect this particular file.
-- You can catch the Devil, but you can't hold him long.
You're right, it looks like McAfee got caught napping and dropped the ball on this one since the other major virus protection firms jumped on this issue rather quickly. McAfee was unable to get this new virus added to the list in the DAT files released on 12/18/02 (# 4238). Here's a quote from their site:
Update 12/19/2002:
Due to the late appearance of this virus and the extra quality assurance testing required, AVERT decided to include it in the next (4239) weekly DAT update. Unfortunately, this information did not make it into the readme.txt file. If you would like an extra.dat for this threat, please write to extradat@avertlabs.com
Joe P |
|