Re: blebla.b worm
#1 Guest (Posts: n/a)
> Probably by not being fully patched, or in the case of what is known
> as a "regression error", a recent patch can open an older vulnerability
> that had been previously patched.

Good point.

> True, but may also require some existent vulnerabilities to do so
> automatically (as I believe you are implying autoexecution here).

It's possible.

> But it must be remembered to be wary of those that she *does*
> know as well. Many worms will still come from people known
> to the person receiving the e-mail.

The only emails she has kept are 2 emails which have .jpg files in them. Nothing else in her email account has attachments.

> Does she transport e-mail she received through hotmail to
> her otherwise isolated home PC via floppy disk?

She does not transport emails at all; the only thing she transports are Word documents.

> Those security reports (or write-ups) are merely dealing with the
> forms normally found as a direct result of the worms actions. Keep
> in mind that it is only a program, and as such can also take the forms
> that any other program can take. Someone could trojanize a popular
> screensaver (.scr) with it and get it placed on her computer that way.
> It is not a form normally seen as a direct result of the worms action,
> so you won't find it on the write-ups, but it is just a program after all.

This is true, but why the time delay for the activation? She reported it to me and the system operators at our local community college on Tuesday, yet the infection is dated to the 11th of this month.

> No network connectivity may mean that it hasn't spread from there by
> its worm routine (which is a *good* thing).

It can not spread from her machine if the machine is not connected to a network.

> They might not be scanning *everything* in order to speed
> things up a little. They may be relying on the "on access"
> safety net to intervene.

They scan everything on the primary drive, which has WinXP Pro and everything else on it that you would expect any self-respecting computer freak to have.

> Does your friend use the "on access" scanning (which should
> have prevented the "infection"), or only the startup scan (which
> is a little like a dashboard light that tells you that all of that smoke
> coming from under your hood is there because you ran out of oil).

I don't know, but the problem still remains: why didn't blebla activate till Tuesday... I'm baffled.
#2 Guest (Posts: n/a)
"The Nameless One" <aclements@optushome.com.au> wrote in message news:3efa5c6f$0$8262$afc38c87@news.optusnet.com.au...

[snip]

> > But it must be remembered to be wary of those that she *does*
> > know as well. Many worms will still come from people known
> > to the person receiving the e-mail.
>
> the only emails she has kept are 2 emails which have .jpg files in them
> nothing else in her email account has attachments

Excerpt from the McAfee link Arjan provided:

===
The email will appear to contain no contents or identifiable attachments however is encoded to contain two files, xromeo.exe and xjuliet.chm.
===

So, it would be better to look at file size than at whether or not an e-mail *appears* to have an attachment. Embedded or "inline" content may not appear as attachments.

> > Does she transport e-mail she received through hotmail to
> > her otherwise isolated home PC via floppy disk?
>
> she does not transport emails at all, the only thing she transports are word
> documents

<wild assed guess>

I suppose that it is possible that a Word document can contain some of the exploits known to be used by blebla, and result in a false positive. Word documents can contain active content as well, so it could have an embedded blebla executable I think.

</wild assed guess?>

> > Those security reports (or write-ups) are merely dealing with the
> > forms normally found as a direct result of the worms actions. Keep
> > in mind that it is only a program, and as such can also take the forms
> > that any other program can take. Someone could trojanize a popular
> > screensaver (.scr) with it and get it placed on her computer that way.
> > It is not a form normally seen as a direct result of the worms action,
> > so you wont find it on the write-ups, but it is just a program after all.
>
> this is true, but why the time delay for the activation, she reported it to
> me and the system operators at our local community college on tuesday yet
> the infection is dated to the 11th of this month

How is this date determined?

> > No network connectivity may mean that it hasn't spread from there by
> > its worm routine (which is a *good* thing).
>
> it can not spread from her machine if the machine is not connected to a
> network

Not entirely true (which is why I said "by its worm routine"), if any files are otherwise shared.

> > They might not be scanning *everything* in order to speed
> > things up a little. They may be relying on the "on access"
> > safety net to intervene.
>
> they scan everything on the primary drive which has winXP pro and everything
> else on it that you would expect any self respecting computer freak to have

If I take your word for that (and your assessment of her computing practices), then I have to believe that either blebla magically appeared out of nowhere, or it is a false positive detection. If the only source of inbound files is from a *fully* scanned and up-to-date machine, then it isn't very likely the infection came from there.....and yet you have a (fairly new) detection. Does the first detection date correspond by any chance with a recent Def's update?

> > Does your friend use the "on access" scanning (which should
> > have prevented the "infection"), or only the startup scan (which
> > is a little like a dashboard light that tells you that all of that smoke
> > coming from under your hood is there because you ran out of oil).
>
> i dont know, but the problem still remains why didnt blebla activate til
> tuesday... im baffled

When (and how) do the AV definitions data files get updated on the "victim" machine?
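The point made in the post above, that inline-encoded content never shows up as an attachment, can be checked mechanically. The following is an added example, not code from this thread or from McAfee: it walks every MIME part of a constructed sample message (dummy bytes under the two file names quoted from the write-up), reports each part's real decoded size regardless of its Content-Disposition header, and compares total message size with the text a client would actually display.

```python
import base64
import email
from email import policy

# File types a mail client may hand straight to the OS; list chosen for this example.
RISKY_EXTENSIONS = {".exe", ".scr", ".chm", ".pif", ".com", ".bat", ".vbs", ".js"}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample, not a real capture: the two binary parts carry no
# Content-Disposition: attachment header, so a "paperclip" view shows nothing.
# The names come from the McAfee excerpt; the bodies are dummy bytes.
SAMPLE_RAW = (
    "From: someone@example.invalid\r\nTo: friend@example.invalid\r\n"
    "Subject: hi\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="bnd"\r\n\r\n'
    "--bnd\r\nContent-Type: text/html\r\n\r\n<html><body></body></html>\r\n"
    '--bnd\r\nContent-Type: application/octet-stream; name="xromeo.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\nContent-ID: <part1>\r\n\r\n"
    + _b64(b"MZ" + b"\x00" * 300) + "\r\n"
    '--bnd\r\nContent-Type: application/octet-stream; name="xjuliet.chm"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + _b64(b"ITSF" + b"\x00" * 200) + "\r\n--bnd--\r\n"
)


def inventory_parts(raw: str) -> list[dict]:
    """Describe every leaf MIME part by what it carries, ignoring how it is labelled."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""  # falls back to Content-Type name=...
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        parts.append({
            "name": name,
            "content_type": part.get_content_type(),
            "decoded_size": len(part.get_payload(decode=True) or b""),
            "labelled_attachment": part.get_content_disposition() == "attachment",
            "risky": ext in RISKY_EXTENSIONS,
        })
    return parts


def hidden_executables(raw: str) -> list[str]:
    """Names of risky-type parts that a client would not list as attachments."""
    return [p["name"] for p in inventory_parts(raw)
            if p["risky"] and not p["labelled_attachment"]]


def size_summary(raw: str) -> tuple[int, int]:
    """(total message bytes, decoded bytes of text/* parts): a big gap is the tell."""
    total = len(raw.encode("utf-8"))
    text = sum(p["decoded_size"] for p in inventory_parts(raw)
               if p["content_type"].startswith("text/"))
    return total, text
```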
#3 Guest (Posts: n/a)
> Excerpt from the McAfee link Arjan provided:
> ===
> The email will appear to contain no contents or identifiable attachments
> however is encoded to contain two files, xromeo.exe and xjuliet.chm.
> ===
>
> So, it would be better to look at file size than at whether or
> not an e-mail *appears* to have an attachment. Embedded
> or "inline" content may not appear as attachments.

OK, thanks for that.

> <wild assed guess>
>
> I suppose that it is possible that a Word document can contain
> some of the exploits known to be used by blebla, and result in
> a false positive. Word documents can contain active content as
> well, so it could have an embedded blebla executable I think.
>
> </wild assed guess?>

Also a good point.

> How is this date determined?

****ed if I know... can I say **** in here?? Oh well, I just said it twice, whoops.

> Not entirely true (which is why I said "by its worm routine"), if
> any files are otherwise shared

Good point.

> If I take your word for that (and your assessment of her computing
> practices), then I have to believe that either blebla magically appeared
> out of nowhere, or it is a false positive detection.
> If the only source of inbound files is from a *fully* scanned and
> up-to-date machine, then it isn't very likely the infection came from
> there.....and yet you have a (fairly new) detection. Does the first
> detection date correspond by any chance with a recent Def's update?

I know it's not a false positive, since her PC has been doing the things that blebla does, more or less, and virii never magically appear, so me is thinking that the systems at my local community college picked it up from somewhere and their routine AV scans killed it before the day was over... that's just my guess.

> When (and how) do the AV definitions data files get updated
> on the "victim" machine?

I have no idea, I didn't think to ask... stupid me.