Date: Thu, 25 Sep 2003 12:04:32 +0100
Reply-To: John Whittington <John.W@MEDISCIENCE.CO.UK>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: John Whittington <John.W@MEDISCIENCE.CO.UK>
Subject: Re: please check for viruses
In-Reply-To: <E1A2Swr-0005oh-00@coumxnn02.netbenefit.co.uk>
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 11:40 25/09/03 +0200, Becker, Eckhard [IAW-06] wrote:
>Unfortunately it won't help if all subscribers are 'clean'. The worm/virus
>SWEN retrieves mail-addresses from newsgroups and SAS-L is gated to
>comp.soft-sys.sas :-(
That's not my understanding from what I've read about the beast. My
understanding (per Symantec website) is that it searches all the .html,
.asp, .eml, .dbx, .wab, and .mbx files on the hard disk(s) of the infected
machine for email addresses, and then sends copies of itself to those
addresses, in the process creating the file, %Windir%\Germs0.dbv, where it
stores the email addresses it has found. Maybe looking for the presence of
that file would be a simple way for people to check to see if their machine
has been infected.
I understand that it also looks for newsgroup addresses and sends copies of
itself TO those addresses (I suspect the main method of the initial
distribution), but I haven't heard that it extracts any information (such
as e-mail addresses) from newsgroups - but maybe I've just missed that!
In any event, I wholeheartedly agree that everyone should be encouraged to
make sure that their machines are not infected, since these wretched
e-mails (still 20-50 per hour for me) are as sure as hell coming from
somewhere :-)
Kind Regards
John
----------------------------------------------------------------
Dr John Whittington, Voice: +44 (0) 1296 730225
Mediscience Services Fax: +44 (0) 1296 738893
Twyford Manor, Twyford, E-mail: John.W@mediscience.co.uk
Buckingham MK18 4EL, UK mediscience@compuserve.com
----------------------------------------------------------------