Vulnerability Development mailing list archives

Re: Another new worm???


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 20 Jun 2000 19:56:48 -0700


Dan Schrader wrote:

> Thank you

You're welcome.

> You have now provided the virus to 40,000 people who have nothing in common

I've got less than 10,000 subscribers.  Dunno how many people read the
archives on the SecurityFocus.com site.

> except that they are interested in security.  Go to usenet and you will find
> dozens of posts from virus writers and vx wannabes asking for viruses to
> play with - you answered their prayers.

I'm not really the best source of viruses, but I help out when I can.

> This virus has already been extensively analyzed - there was no need to
> spread it further.

Hm... now there's a sticky point.  I've tried once or twice to get a copy
of a virus from Trend Micro (and other AV vendors.)  I've been turned down
flat each time.  Seems there's a policy to not give out the code.  Now, if
I wanted to be cynical, I'd assume that was because the AV vendors have
a direct financial interest in the code not being publicly available,
thereby forcing people to buy AV software for protection.  I get the
distinct impression that they don't share with each other as well.  I'll
leave that for you to comment on if you like.

However, there are loads of us who maintain our own mail filters and IDS
signatures, and who want to understand the root issues behind the virus
spread.  We don't necessarily want to pay someone else to do that for us.
The "information" that AV companies publish about viruses is nearly useless
for these purposes.

> In the future if you wish to have a file analyzed, send to known, trusted
> experts or send to one or more of the antivirus vendors.  Trend Micro will
> analyze unsolicited files if you send them to:
>
> virus_doctor () trendmicro com


So now you've got it, let's see the analysis.  Keep in mind that the kind
of analysis that has gone on here before often includes picking through
the code and commenting on interesting bits.

                                BB

