[Esa-l]Here's a new one....

Gerard MANNIG mannig at worldnet.fr
Fri May 11 15:08:58 PDT 2001


At 16:49 09/05/01 +0100, Murray Crane wrote:
>Brett
>Yes.  It's pretty new.  F-Secure call it VBSWG.X or 'homepage'. See
>http://www.f-secure.com/v-descs/vbswg_x.shtml if you care to.  F-Secure
>released a signature update this
>morning that detects it, but I didn't find that out until after the
>sanitizer had caught *five* copies of it...

Even an individual email client may be set up to block/kill any incoming
email whose body contains a file with 2 "." (dots) in its name. Such files
are 99.9999% viruses. To be simpler, all attachments that end with ".vbs"
ARE viruses.

The HomePage virus is very likely to become a new (and boring)
LoveLetter plague. Not in terms of destroyed data: in terms of wasted
bandwidth.

Period

>F-Secure say it's propagating quicker than AnnaK, and I'm inclined to
>believe them.

There's a 2-step strategy that brings 100% "waterproof" protection vs.
the so-called VBS and JavaScript viruses. It consists, on the machine (not
on servers. Although...), of wiping out/renaming the:

WSCRIPT.EXE
CSCRIPT.EXE

files. Those executables are devoted to interpreting and executing the
instructions contained in both Visual Basic and JavaScript. Unless you have
suicidal tendencies, executing such code in *emails* is not compulsory AT
ALL. We all lived very well before they surfaced and we can very
easily still live without such time bombs!

Afterwards, any double-click on such files (or simply opening an incoming
email) will fail. As easy as 1.2.3 ;-)

-_-

This tip has been widely spread but I can say for sure (and what you are
currently reporting is further evidence) that maybe 0.02% of users apply
it  }8-<

Everybody is wondering in a loud voice (or a soft one) "What will happen
if VBS/JavaScript cannot be executed?". Well, nothing, dears. Worse than
this, some so-called "AV firewalls" let it come in like Santa! I received
this evening an email spread on a mailing list that carried the HomePage virus
although it had theoretically been scanned with AMaViS.

A nice: "X-AntiVirus: scanned for viruses by AMaViS 0.2.1
(http://amavis.org/)" features in the email header. Also a nice ad that
backfires ;-))

As a (temporary?) conclusion, I cannot do more than cite a statement
from KAV staff:

"'Homepage' is simply the latest harmful code using a primitive method of
introducing itself, but in no way poses a threat to those strictly adhering
to the rules of computer hygiene. Those who have fallen victim are those
who, despite the numerous warnings to date, continue to open files with
suspicious contents," commented Denis Zenkin, Head of Corporate
Communications for Kaspersky Labs.

Forbidding them to open bombs by deleting the software tool this operation
requires will suffice.



Gerard Mannig
International Consultant
  V.A.R.S Intl antivirus Support     http://www.hitchhikers.net/vir-vrf.htm
         Member of the Wild List ( http://www.wildlist.org )
Discovered the viruses 'JUMPER', partially family 'WereWolf',
Win.Tentacle.1958,GGM.936 & EMAS.2456, Win32.HLLP.DeTroie, Trojan.BadSector,
     JS.Trojan.WindowBomb, I-Worm.LoveLetter.ao, SillyOC.155
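
The two name-based rules from the message above (a script extension such as ".vbs", or two dots in the attachment name), written out as an added Python example; it is not code from the post or from the list's sanitizer. The extension list beyond ".vbs", the function names and the sample message are assumptions constructed here.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions run by WSCRIPT.EXE / CSCRIPT.EXE (list beyond .vbs is an assumption).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

def name_verdict(filename):
    """Apply the post's two name rules; return a reason string or None."""
    # Windows drops trailing dots and spaces, so normalise before testing.
    name = filename.strip().rstrip(". ").lower()
    _stem, dot, ext = name.rpartition(".")
    if dot and "." + ext in SCRIPT_EXTS:
        return "script extension ." + ext
    if name.count(".") >= 2:
        return "two or more dots in name"
    return None

def scan_message(raw_bytes):
    """Return {filename: reason} for every flagged attachment in a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a file name
        if filename:
            reason = name_verdict(filename)
            if reason:
                flagged[filename] = reason
    return flagged

def build_sample():
    """Constructed test message; attachment names and contents are made up."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name in ("page.HTML.vbs", "notes.txt", "backup.tar.gz"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()).items():
        print(f"BLOCK {name!r}: {reason}")
```

Both rules look only at the name, so the constructed backup.tar.gz attachment is flagged by the two-dot rule alongside page.HTML.vbs.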


