From: Ira Greenberg <[[email protected]]>
Date: Wed, 13 Nov 2002 10:49:05 -0800
To: [[email protected]]
Cc: South Bay Birding <[[email protected]]>
Subject: Re: [SBB] Birds you have a greeting card from .

Hi Chuq.

I agree with Tom that the greeting card email we received is dangerous, however technically it is not a virus. As pointed out in this warning I received from the NTBUGTRAQ organization, which tracks internet security issues, the bad guys tell you what they're going to do to you, and rely on you not paying attention. I'm upset that they got ahold of the SBB list.
Regards,
Ira Greenberg

Date: Sun, 10 Nov 2002 18:56:06 -0500
Subject: FW: [TSMalcode] e-card follow-up no 6
To: [[email protected]]

While not directly related to MS security, I figure it's about time I put something out on this issue. TruSecure's TSMalcode mailing list has been tracking this for a couple of weeks now.

Below is a list of URLs which are being presented in emails sent to you from someone you know. The email indicates you have received an on-line greeting from that person and you should click on the link to check it out.

Here's the twist. This isn't malcode in the strictest sense. The authors of this thing provide you with proper install and de-install tools, and don't do anything they don't tell you they're going to do. The trick is in the End-User License Agreement (EULA) that you must accept to install the thing. The EULA explicitly outlines that it will use your email client to resend itself to everyone you know.

Clearly, a great number of people never bother to read the EULA, or read it in its entirety. One can easily argue that you were told what this tool would do, and chose to install it and let it do its thing.

I'd like to be sitting face to face with any of the 100+ people who have installed this on their systems and subsequently sent an email to NTBugtraq telling us they have a greeting for us...doh!

I'd love to create one that simply says, "By clicking on the Ok button you agree to pay Russ Cooper $1000 for the experience", and give them an Ok and Cancel button. The email it would be contained in would be a legal agreement binding them to the execution of the Ok click. Upon the click, have a copy sent to me, and my lawyers, and the police. You get charged $1000 for me showing you how stupid you are...;-]

While blocking the links below will help minimize the effects of this thing, nothing will improve the grey cells of your users who do click on such a link better than beating them over the head with a bill.
Try sending a message to your users along the lines of that outlined above and copy their boss' (in the case of the CEO, copy the Chairman of the Board of Directors or your PR firm).

These things are bad enough when they fool you, but one that tells you up front everything about it and still gets traction just goes to show that patches and security devices are, by and large, virtually useless in an environment full of uneducated users.

Policy and Education are the key...;-]

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

URLs found in this thing;

>www.friend-g"RemoveThis"reeting.com
>www.friend-g"RemoveThis"reeting.net
>www.friend-c"RemoveThis"ards.net
>www.friendg"RemoveThis"reetings.com
>www.friend-g"RemoveThis"reetings.com
>www.friend-g"RemoveThis"reetings.net
>www.cool-d"RemoveThis"ownloads.net

the string "RemoveThis" is not part of the real url.

At 09:59 AM 11/13/2002 -0800, Chuq Von Rospach wrote:
>On Wednesday, November 13, 2002, at 09:41 AM, Tom & Marianne Moutoux
>wrote:
>
>>This message is a virus. Don't attempt to open it or send it on.
>
>it is? How did you verify that?
>
>I can't get it to download, myself. But I can't find any evidence that
>the site is known for sending viruses. How do you know this?
>
>
>>> has sent you a greeting card -- a postcard from
>>>Friend-Greetings.com. You
>>>can pickup your greeting card at Friend-Greetings.com by clicking on
>>>the
>>>link below.
>>>
>>>http://www.friend-greeting.com/203746/ pickup.html?code=Birds&id=1311021
>
>--
>Chuq Von Rospach, Architech
>[[email protected]] -- http://www.plaidworks.com/chuqui/blog/
>
>No! No! Dead girl, OFF the table! -- Shrek
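The forwarded advisory suggests blocking the listed links. As an added example (not part of the original messages), the following Python removes the "RemoveThis" marker from the advisory's list and reports any listed host, or a subdomain of one, that a message body mentions, with or without a URL scheme. The function names and the sample body, which is assembled from the notice quoted above, are assumptions of this example.

```python
import re

MARKER = '"RemoveThis"'

# Entries exactly as they appear in the forwarded advisory (defanged).
DEFANGED = [
    'www.friend-g"RemoveThis"reeting.com',
    'www.friend-g"RemoveThis"reeting.net',
    'www.friend-c"RemoveThis"ards.net',
    'www.friendg"RemoveThis"reetings.com',
    'www.friend-g"RemoveThis"reetings.com',
    'www.friend-g"RemoveThis"reetings.net',
    'www.cool-d"RemoveThis"ownloads.net',
]

def refang(entry):
    """Strip the marker and a leading 'www.' so bare and www forms compare equal."""
    host = entry.replace(MARKER, "").strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

BLOCKED = frozenset(refang(e) for e in DEFANGED)

# A hostname, optionally preceded by http:// or https://.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def is_blocked(host):
    """True for a listed domain or any subdomain of it, not for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED)

def blocked_hosts(body):
    """Return the sorted, de-duplicated listed hosts mentioned in a message body."""
    return sorted({h.lower() for h in HOST_RE.findall(body) if is_blocked(h)})

# Constructed sample: the quoted greeting-card notice plus an unrelated link.
SAMPLE = """\
>>> has sent you a greeting card -- a postcard from
>>>Friend-Greetings.com. You can pickup your greeting card by clicking
>>>http://www.friend-greeting.com/203746/ pickup.html?code=Birds&id=1311021
>Chuq -- http://www.plaidworks.com/chuqui/blog/
"""

if __name__ == "__main__":
    for host in blocked_hosts(SAMPLE):
        print("listed host in message:", host)
```

Matching on the whole hostname keeps look-alike strings such as a listed name used as a prefix of another domain from triggering the filter.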