OT: More New Viri (Reliable Sources Used)
Kip Keil (kip@VSNET.COM)
Tue, 30 Mar 1999 11:06:11 -0700
This message is being sent to you by Kip Keil (kip@vsnet.com) because you are
either:
-- A member of the Raydream Users list.
-- A member of the Scouts-L list.
-- Work for VisionNet and may need to answer client questions about this.
A new macro virus (W97M.Papa.A.Intended), and a new variant of a previously
identified macro virus (W97M.Ping.A) have been identified.
PAPA VIRUS (The real danger of Papa is, as yet, undetermined. The primary
source of info, CNN, indicates this macro virus to be of greater potency than
Melissa. The only authoritative source reporting on this so far, Symantec,
indicates Papa fails to function.)
CNN is reporting that Network Associates has identified another new macro virus,
calling it Papa.
(http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/index.html)
NOTE: Although I have not been able to confirm this on Network Associates site
(www.nai.com), CIAC (www.ciac.org), and CERT (www.cert.org), Symantec
(www.symantec.com/avcenter/venc/data/melissa.html) verifies the existence of
Papa, tagging it as .Intended.
According to the CNN report, Papa is more pernicious than Melissa. Papa
purportedly has a "subject line [claiming] the message is from 'all.net and Fred
Cohen.'" (It would seem logical that this is the "From: " line rather than the
subject, but I quote the report.) Papa has an Excel attachment entitled
"path.xls." The message body instructs the recipient to disable the "Disable
Macros" feature before opening the attachment. Once activated, Papa allegedly
sends itself to the first 60 users in your address book. Furthermore, according
to CNN's report, Papa pings a [random] server to see if there is a live
connection. (This report indicates this pinging is sufficient to bring down an
unprotected server. See Ping Virus below.) Papa was apparently built by a
different hacker than was Melissa, but Melissa seems to be the blueprint.
Unlike Melissa, Papa attempts to send out infectious e-mail each time it is
activated. (Melissa sent only on its initial activation.) Again, the
degree of damage of which Papa is capable is, as yet, undetermined as sources do
not agree on whether or not Papa can actually activate.
PING VIRUS (CNN's report alludes to this as an element of Papa. Again, CIAC,
CERT and Network Associates have not published an advisory on this macro virus.)
A new variant of the Ping macro virus (X97M.Ping.A) has been identified. This
virus attempts to maliciously ping the host server in an effort to cause the
server to be unable to respond to any other applications, requests, commands
(denial of service through CPU usurpation). Most servers should already be
configured to protect from this effect by blocking flood-pinging. Symantec has
already prepared and released updates to identify and eliminate Ping.A
(www.symantec.com/avcenter/download).
I have no affiliation with any entity producing, marketing, or otherwise related
to antivirus software.
--
Kip Keil, Sr. Programmer, V i s i o n N e t
http://www.vsnet.com | http://kip.vsnet.com
MC, Ad Hoc P-3055; MC, Advancement T-1022; MC, Ad Hoc T-175
AA, Ceremonies El-Ku-Ta 520, Great Salt Lake Council, BSA
--We all learn from history . . .
...either by study, or by repetition.
-- Kip Keil, 1998