[sustran] Re: Virus on sustran-discuss

[Sujit Patwardhan]

13 January 2003


Dear Paul, Leo and others on the Sustran list,
Though I'm not an expert on the question of viruses, I doubt if the virus 
came from an attachment (from Kisan or anyone else), as to my knowledge 
Sustran list (like most other lists) drops (leaves out) any attachments 
from our list mailings, but as a precaution against MS Word (.doc files) 
attachments which have macros, I do not open attachments in the MS Word 
format, though I have a reliable and auto-upgraded virus protection 
software. I request the sender to re-send the attachment in RTF format 
(less chance of a virus in this format) by pasting the following message:

================================
No Entry
for attachments in Microsoft Word.

To avoid viruses I don't open attachments in the MS Word format.
Will you please resend it as an RTF file???
I'm sorry for the inconvenience.
Thanks
--Sujit
================================

Most email users are casual about viruses till they experience the pain of 
reformatting their hard disk and reloading all the programmes. Strictly 
resisting the temptation to open MS Word format attachments is the least 
one can do as a habit.

In this case however I think the virus (if it's a virus at all) must have 
come from the normal message and exploited the weakness in the MS Internet 
Explorer or Outlook Express software . I suspect that in its hurry to 
market newer and newer versions of these softwares, the company in question 
starts selling the new versions and takes its own time fixing the bugs 
through never-ending patches that need to be stitched on to the programme 
though time consuming downloads.

Anyway Sustran messages having dried down to a trickle these days, it was 
good to see mails from Paul, Leo, Alan etc. Hope this is a wakes up call 
for us to become active again.

Greetings for the New Year to all,
--
Sujit Patwardhan
Parisar,
Pune,
India


-----------------------------------------------------------

At 10:01 AM 1/13/2003 +0530, you wrote:
>Paul,
>
>The virus of Lirva, and was announced last week.  I think it is a worm that
>activates on particular dates.  Windows has an update for this and many
>virus scans are able to catch this script.
>
>Best
>
>Leo
>----- Original Message -----
>From: "Paul Barter" <geobpa at nus.edu.sg>
>To: <sustran-discuss at jca.ax.apc.org>
>Sent: Saturday, January 11, 2003 11:22 AM
>Subject: [sustran] Re: Virus on sustran-discuss
>
>
>Dear sustran-discussers
>
>Regarding Alan's message in response to yesterday's suspicious message
>from "Kisan Mehta [je at swisscontact.ph]"...
>
>Correct me if I am wrong but as far as I can tell no malicious code came
>through to sustran-discuss... At least not to me. And my university
>filters usually alert me when they intercept such attachments. I agree
>with Alan that it certainly does look like other messages in recent days
>which have had malicious attachments. Perhaps there are safeguards
>somewhere in the system which hosts sustran-discuss, and perhaps they
>worked in this case?
>
>The detailed headers of the message suggest it came from Kisan rather
>than Swiss Contact, despite the email address it 'apparently' came from.
>Therefore yesterday I immediately took the precaution of suspending
>Kisan temporarily from the list and have also now alerted him to the
>potential problem.
>
>I will try to investigate the anti-virus status of JCA networks which
>hosts sustran-discuss but I suspect that with the simple majordomo
>software the safeguards are probably not very sophisticated. I do know
>that the simple filter I have set up that stops large messages does
>often catch malicious attachments and benign ones alike.
>
>Nevertheless, as a general rule please do not send attachments through
>sustran-discuss and also do not open attachments from sustran-discuss,
>since no legitimate attachments should be appearing here. In general,
>ALWAYS be very cautious about clicking on attachments.
>
>All the best
>
>Paul
>
>
>Dr Paul Barter
>Fellow in the Department of Geography and the Public Policy Programme
>National University of Singapore
>1 Arts Link, Singapore 117570
>Tel: +65-6874 3860; Fax: +65-6777 3091
>E-mail: geobpa at nus.edu.sg
>
>-----Original Message-----
>From: owner-sustran-discuss at jca.ax.apc.org
>[mailto:owner-sustran-discuss at jca.ax.apc.org] On Behalf Of Alan Patrick
>Howes
>Sent: Saturday, 11 January 2003 11:48 AM
>To: 'sustran-discuss at jca.ax.apc.org'
>Subject: [sustran] Virus on sustran-discuss
>
>
>I'm not sure what the following means - but when I got a message with
>the same headers on my home machine it seemed to have a
>malicious attachment. My server at work would stop such attachments.
>
>Surely the sustran-discuss server should filter out such stuff?
>
>
>--
>Alan P Howes, Special Transport Advisor,
>      Dubai Municipality Public Transport Department
>aphowes at dm.gov.ae
>http://vgn.dm.gov.ae/DMEGOV/dm-mp-transportation
>Tel:    +971 4 286 1616 ext 214
>Mobile: +971 50 5989661
>
>-----Original Message-----
>From: Kisan Mehta [mailto:je at swisscontact.ph]
>Sent: Thu, 09 January, 2003 04:00
>To: undisclosed-recipients
>Subject: [sustran] Re: Reply on account for IIS-Security
>
>
>Restricted area response team (RART)
>
>
>
>Attachment you sent to Kisan Mehta is intended to overwrite start
>address at 0000:HH4F
>To prevent from the further buffer overflow attacks apply the MSO-patch

--
Sujit Patwardhan
sujit at vsnl.com