From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Wednesday, November 10, 1999 9:07 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: A couple of virus notes

CNN today was running the story about the BubbleBoy virus. Unfortunately, most of the time they were getting the story wrong (to be expected really, they are so clueless on air about computer security stuff it's ridiculous).

Some hoopla has been made about BubbleBoy because "you don't have to open it for it to work". What you do have to do is view it in the preview pane (if you have one). Just in case anyone reading this doesn't already know, enabling the preview pane is no different than opening an email. If an email-borne virus is going to invoke upon opening, it will invoke upon viewing in the preview pane too. Richard Smith and Georgi Guninski (amongst others) have been telling the stories of this sort of problem for well over a year now.

Data Fellows are claiming it's "the very first worm that is able to infect without opening the attachment."

McAfee Online claim "VBS/Bubbleboy infects PCs as soon as the transmitting email message is opened. This is a VERY significant innovation!"

Neither Trend Micro nor Symantec are over-hyping this thing (which, btw, doesn't affect NT).

Now I don't mean to rag on these folks, but the MIME NAME exploit discovered by the University of Oulu researchers (and first reported on NTBugtraq 7/27/98, ) was, IMNSHO, the first worm that was able to infect without opening the attachment. Since then, there have been many VBS-based worms and issues based on embedded jscript or html that have the same effect as BubbleBoy (get invoked if viewed from the preview pane or opened).

From what I've seen, BubbleBoy is nothing new.

On another front, Dublin Wicklow Mountain Rescue (???) reported another virus to NTBugtraq on Tuesday. Named "FunLove" by NAI's AVERT group, a description of which can be found at .

According to Dublin Wicklow Mountain Rescue;

>symptoms are that any exe that is run causes a service called flc to be
>created and an .exe called flcss.exe to be created in winnt\system32.
>this service is then started and appears to be a network process as the
>services database is locked out during the process start.
>
>the process can be seen in task manager and stopped, but next time an
>.exe is launched, the process is re-started.
>
>the affected server then causes significant amounts of network traffic
>across multiple ip segments.

Disclaimer: NTBugtraq is not an anti-virus forum. I occasionally put through messages about viruses that have either been misrepresented in the press, or affect NT and are not widely known. Such messages are not intended to spur discussion, there are other forums for that.

Cheers,
Russ - NTBugtraq Editor