
All the Perl that's Practical to Extract and Report



I work for MessageLabs [messagelabs.com] in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Tuesday December 04, 2001
12:21 PM

New virus

[ #1489 ]

Wowsers,

We're seeing right now probably the fastest propagating mass mailing virus ever... Called "Goner", it comes with a file called gone.scr. Most AV vendors haven't updated their signatures yet (we stopped it with our heuristic scanner, which I hope to talk about at TPC in 2002), so it's just flooding through most people's systems. We've seen over 10,000 so far today, which is just phenomenal considering it kicked off at about 3pm (it's now 5:20pm).

Of course it's *great* for business. I'm sure The Register and other sites all over the web will be quoting us for the next few days. It's kinda cool working for a much talked about company :-)

  • Have you heard about Warhol worms [berkeley.edu]? A craftily written piece of malware could wreak some serious havoc in about 15 minutes. 2 hours? That's a blessing; you have enough time to notice the attack and formulate a response. (presuming you have some good heuristics in your mail filters. :-)
    • I get very few of these viruses. None of this new one. I think it must be due to me not knowing very many Windows users.

      Yet something else I am thankful for at this time of year.

      I get tons of spam, though. :/
    • Yes, we heard of warhol worms. It's all good business for us though, because if one of those breaks out, we'll still stop it heuristically (we offer a 100% anti-virus guarantee, with good reason).

      I think many sysadmins out there will think differently about 2 hours being a blessing :-) Remember it's not 2 hours to propagate, it's 2 hours to reach critical mass, which means that it's already infected enough computers to reach critical mass. Oh, and this one deletes antivirus software too, which is kinda fu
      • Wouldn't that indirectly make it anti-anti-virus software? (I've actually seen the term counter-counter-measures in use, so I don't think it's impossible to see the word anti-anti-virus.) :)
        --
        You are what you think.
  • Fortunately, the details were also on Symantec [symantec.com]. My manager opened it up (fortunately, he has Eudora so it didn't propagate) and I spent the next hour re-installing Norton (he had an old version that doesn't have e-mail protection) and taking out the virus.

    Fun fun...

    Jason

    PS: Where can I find out more about this heur. stuff you talk about?

    • You have to call our salespeople to get info on the heuristic stuff. Basically, we detect email viruses by checking if the email (or attachment) is trying to do something malicious, like mail itself all over the place, or open files, etc. It's more complex than that, but you get the idea. We have an almost zero false positive ratio, and a 100% anti-virus guarantee, which so far (2 months) we've kept to for all customers. We also run through 4 commercial scanners, just to be sure.

      And yes, it's written in P
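The kind of check this comment describes (an attachment that looks like it wants to mail itself everywhere or touch files on disk), applied to a gone.scr-style attachment like the one in the journal entry, as an added example. This is illustrative code written for this page, not the MessageLabs heuristic scanner the comment is talking about, and it assumes everything it uses: the extension lists, the indicator strings, the two-indicator quarantine rule, and the constructed sample messages and attachment bodies (the "worm-like" body is just an MZ header followed by a few API names, not malware).

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. ".scr" is what gone.scr used;
# the rest of the list is an assumption for this example.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs", ".js"}
# Harmless-looking extensions a worm puts in front of the real one
# (photo.jpg.scr). Assumed list.
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}

# Strings whose presence in an attachment body hints at the behaviours the
# comment mentions: mailing itself to everyone, and touching files on disk.
# Constructed for this example; a real scanner uses far richer signals.
SUSPICIOUS_STRINGS = {
    "mass_mailing": [b"MAPISendMail", b"AddressList", b"Outlook.Application"],
    "tampers_with_files": [b"DeleteFileA", b"TerminateProcess"],
}


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the heuristic indicators that fire on one attachment."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    stem = name[: len(name) - len(ext)]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # photo.jpg.scr: a document extension in front of an executable one
        if "." in stem and stem[stem.rfind("."):] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension disguising executable")
    if data[:2] == b"MZ":
        reasons.append("DOS/PE executable header")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("executable content behind non-executable name")
    for behaviour, needles in SUSPICIOUS_STRINGS.items():
        hits = [n.decode() for n in needles if n in data]
        if hits:
            reasons.append(f"{behaviour}: {', '.join(hits)}")
    return reasons


def verdict(reasons: list[str]) -> str:
    """One indicator alone only flags the mail; two or more quarantine it.
    Demanding independent indicators is what keeps the false-positive rate
    down (assumed policy for this example)."""
    if not reasons:
        return "clean"
    return "quarantine" if len(reasons) >= 2 else "flag"


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse an RFC 822 message and return {attachment name: indicators}
    for every attachment that tripped at least one heuristic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, data)
        if reasons:
            verdicts[filename] = reasons
    return verdicts


def build_sample(filename: str, data: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("Check this out")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed attachment bodies. WORMLIKE_BODY stands in for a mass-mailer:
# an MZ header followed by the API names one would carry. It is not malware.
WORMLIKE_BODY = b"MZ\x90\x00" + b"\x00" * 16 + b"MAPISendMail\x00AddressList\x00DeleteFileA\x00"
DOCUMENT_BODY = b"\xd0\xcf\x11\xe0 quarterly numbers, nothing executable here"


if __name__ == "__main__":
    samples = [("gone.scr", WORMLIKE_BODY), ("report.doc", DOCUMENT_BODY),
               ("photo.jpg.scr", b"MZ\x90\x00"), ("invoice.doc", b"MZ\x90\x00")]
    for name, body in samples:
        reasons = scan_message(build_sample(name, body)).get(name, [])
        print(f"{name}: {verdict(reasons)} {reasons}")
```

The point of the content checks (MZ header, behaviour strings) alongside the name checks is that a renamed executable such as invoice.doc still gets caught, while a genuine document with a boring name trips nothing and goes through untouched.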