BBV -- customized viruses, just for Black Box Voting?
BevHarris, Thu Mar-11-04 10:50 AM
Original message
BBV -- customized viruses, just for Black Box Voting?
Edited on Thu Mar-11-04 10:52 AM by BevHarris
Received two customized viruses, an .exe and a .scr (screensaver, supposedly). They were apparently ONLY for black box voting.

One traces back to a Cox Communications server in Atlanta, another to a server in Ohio. The reason I think they were not generally distributed around the Internet is that the sender address is spoofed and is from one black box insider to another -- one came from Andy Stephenson's PRIVATE email and was sent to my PRIVATE email. The other came from one of my little-used (and little-known) PR e-mails to my private e-mail. Both appear to be the same thing.

It is of high priority to (1) figure out what these do and (2) see if anyone can follow the bread crumbs back to the source.

I don't know that much can be made of the Atlanta / Ohio sourcing, though Diebold has offices in both places. It seems unlikely that someone would be so dumb as to use their own account to send these.

Each file came as a .zip and provided a password to open it. This is probably an inappropriate place to post this, other than, if it was politically motivated it would be of some interest.

I'd like to forward them to someone who has expertise, especially for tracing the source, if possible. If you want to take a crack at it, email Bevharrismail@aol.com.

Comments?

Bev
Occulus, Thu Mar-11-04 11:04 AM
Response to Original message
1. Couple questions
Edited on Thu Mar-11-04 11:06 AM by kgfnally
Are both Andy's address and your little known PR address in the same address book you use?

Are you using Outlook Express?

There are worms and virii that take advantage of "security" features (or the lack thereof) in Outlook to pull stunts like this.

If no to both, well, maybe you're right. Lord knows you'd be a target for such things by now ;)

edit: as for figuring out what they do, if you have a second PC, use it as a guinea pig. Just make sure the network cable is unplugged before you actually open the attached files.
 
BevHarris, Thu Mar-11-04 11:14 AM
Response to Reply #1
3. Answers
Are both Andy's address and your little known PR address in the same address book you use? Nope.

Are you using Outlook Express? Nope.

if you have a second PC, use it as a guinea pig. Just make sure the network cable is unplugged before you actually open the attached files.

I feel very guilty about this, but I did that this morning using my son's computer, which isn't connected to anything. I opened them and then opened them in a text editor, and the insides, though these are compiled files, appear to be similar or identical. One readable string refers to kernel 32 and insert library A. An interesting feature is that as soon as I opened the first one, my system gave two messages "do you want to use Windows as a server" and "error, no connection available, do you want to work offline?"

Heck, I opened them both, and when I did, the computer whirred and clicked. After I shut his computer down I rebooted and everything worked, could detect no problems.

Bev
 
Andy_Stephenson, Thu Mar-11-04 11:13 AM
Response to Original message
2. I am feeling sick...
But I swear I didn't send you a virus.
 
BevHarris, Thu Mar-11-04 11:20 AM
Response to Reply #2
6. Nope, not from you.
I knew that the moment I saw it. Also, the format of each message was very similar, and yours was the second one I got. But it was your e-mail that made me think this needs further looking. Here's the message:

(first one)

Subject: Hey, ya! =))

Body: Argh, i don't like the plaintext :)

..btw, "86864" is a password for archive

Attachment: TextDocument.zip

(the password is needed to open the zip and the file is an .exe)

(second one)

Subject: Hi! :-)
Body: Looking forward for a response :P

..btw, "07808" is a password for archive

Attachment: MsgInfo.zip

(the password is needed to open the zip and the file is an .scr)

Now, with these messages being so similar, it would appear that this is some widespread thing sent out en masse, but for the use of the generally unavailable e-mails, both from and to. And these emails are not in an address book function.



 
htuttle, Thu Mar-11-04 11:46 AM
Response to Reply #6
12. Here's a data point
I've gotten several emails identical to the 'Argh,I don't like the plaintext' one. I didn't note who they were from however. It's all I can do to keep up with shoveling the spam out of my inbox as it is, since I need to have that particular email address posted on a web page.

There are lots of messages very similar to this going around with the Beagle windows virus. All of them have one thing in common in that they have a password-encoded zip archive attached, along with the password.

 
BevHarris, Thu Mar-11-04 11:55 AM
Response to Reply #12
16. Thanks, and appreciate the info.
Edited on Thu Mar-11-04 11:56 AM by BevHarris
BTW, I need to send you one of the 2004 version books. PM me or send shipping address to my aol email. You know why you're on the list for free copies, I'm sure.

Bev
 
KeepItReal, Thu Mar-11-04 11:17 AM
Response to Original message
4. Anti-virus and Security Info
Hi,

Did you run a scan on the attachments? There are many viruses out there that send payloads based on email addresses stored in a given person's machine.

To make sure you don't have a virus slip into your system, you may want to use Trend Micro's PC Cillin product. I found it better than Norton Anti-virus.
(http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm)

They also have a free web-based version if you just want to run a check of your systems:
(http://housecall.trendmicro.com/)

Sounds like you did the right thing and didn't open the attachment from the strange sources.

If you are concerned about software that can be installed on your PC's and track your activity without your knowledge, you can download Spybot (http://www.snapfiles.com/get/spybot.html).

Hope that helps



 
SonofMass, Thu Mar-11-04 11:20 AM
Response to Original message
5. Netsky Worm.
It is everywhere and is not specific to Black Box.
 
ArkDem, Thu Mar-11-04 11:22 AM
Response to Reply #5
8. From Network Associates
McAfee AVERT Receives Unprecedented Submissions of Virus Variants, Led Today by W32/Netsky.d@MM, from Customers Around the World

BEAVERTON, Ore., March 1 /PRNewswire-FirstCall/ -- Network Associates, Inc. (NYSE: NET) the leading provider of intrusion prevention solutions, today announced that McAfee® AVERT™ (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus and vulnerability research division of Network Associates®, raised the risk assessment to medium on the recently discovered W32/Netsky.d@MM, also known as Netsky.d. Netsky.d is a prolific worm that spreads via email, sending itself to addresses found on the victim's machine. The worm has many of the same functionalities as its Netsky predecessors, two of which are also currently rated a medium risk threat. McAfee AVERT researchers first saw the worm earlier today and to date, have received approximately 200 samples of Netsky.d from both real customer submissions and virus-generated mail from customers around the world. Most of the Netsky.d samples that McAfee AVERT has seen are from the virus itself, which is spoofing the addresses, and not from the infected customers. This is the case with most viruses at this point, the three most prevalent families being Mydoom, Bagle, and Netsky.

Symptoms
Netsky.d is an Internet worm that once activated emails itself to addresses found on the victim's machine. The worm then attempts to copy itself to folders on drives C: through Z: and attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses. The worm causes unexpected network traffic and an audio payload, similar to the W32/Netsky.c@MM variant, and causes the machine to make random beeping sounds with varying pitches and rhythm upon a specific date and time. Users should immediately delete any email containing the following:

From: (forged address taken from infected system)

Subject: Taken from the following list:

Re: Hello
Re: Hi
Re: Thanks!
Re: Document
Re: Message
Re: Here
Re: Details
Re: Your details
Re: Approved
Re: Your document
Re: Your text
Re: Excel file
Re: Word file
Re: My details
Re: Your music
Re: Your bill
Re: Your letter
Re: Document
Re: Your website
Re: Your product
Re: Your document
Re: Your software
Re: Your archive
Re: Your picture
Re: Here is the document
Body: Taken from the following list:
Here is the file.
Your file is attached.
Your document is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Pathology
After being executed, Netsky.d emails itself out as a .PIF attachment with a filename taken from strings within the worm. It queries the DNS server for the MX record and connects directly to the Mail Transfer Agent (MTA) of the targeted domain and sends the message. The worm then copies itself to the WINDOWS directory with the filename "WINLOGON.EXE." The worm adds the value "ICQ Net" = "%WinDir%\WINLOGON.EXE -stealth" under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry, which helps it activate at system start-up.

Cure
Immediate information and the cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101064.htm . Users of McAfee Security products should update their systems from that page. Generic protection, which also protects users against the W32/Netsky.c@MM variant, has been available with the 4328 or later scanning engine to stop potential damage.

Network Associates McAfee® Protection-in-Depth™ Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.

McAfee AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.

About Network Associates
With headquarters in Santa Clara, California, Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers.

For more information, Network Associates can be reached at 972-963-8000 or on the Internet at http://www.networkassociates.com/ .

NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners.

SOURCE Network Associates, Inc.
 
BevHarris, Thu Mar-11-04 11:25 AM
Response to Reply #5
9. Okay, that doesn't make sense though, for this reason
You should see the volume of email I get. I have over 10,000 emails in my system. They come from all over. I cannot imagine that this worm searched out two very obscure ones, both very closely tied to my research. Andy and I don't email each other all that much.

It is possible they are a standard worm. What seems unlikely is that the spoofed sender emails came from anything automated. I don't use an address book often, but when I do, it has media addresses in it, and doesn't contain either of the addresses used.

My system as a whole? No way. In fact, there are nearly 10,000 emails just in my inbox, and I have multiple accounts -- really, thousands and thousands. It could not have randomly pulled these two sender emails from anywhere.

Bev
 
KeepItReal, Thu Mar-11-04 11:30 AM
Response to Reply #9
10. The virus emails used addresses stored on a *different* PC
If you have a friend or associate that has your less-used email address and *they* become infected with the trojan horse virus, you will be sent the virus as well based on a search the virus will do on your friend's infected PC.

These viruses spoof the sending address to throw you off.

Pretty sneaky little boogers...just make sure your anti-virus software is updated. Also run anti-spy software if you don't already.
 
BevHarris, Thu Mar-11-04 11:39 AM
Response to Reply #10
11. Before I posted here, I considered that. Answers
I scanned with the latest, online version of McAfee and it found no virus or worm in either attachment.

Only about five people would have the particular combination of addresses on their own computer. One was an address I only used for two months, nearly a year ago, though it could be found by surfing through old Web pages that are online.

I haven't been wanting to waste people's time -- but if it is Netsky, or the others, I think McAfee would identify it. It's been pretty good about catching incoming viruses and quarantining them on my email. These, it doesn't recognize.

Bev
 
ArkDem, Thu Mar-11-04 11:48 AM
Response to Reply #9
13. Believe me it can.
.
 
nostamj, Thu Mar-11-04 11:21 AM
Response to Original message
7. questions...

is there any one person that would have those private email addresses in THEIR address book? (esp. if they use Outlook Express)

my tinfoilhat is in the shop for an overhaul and thickness upgrade (no 'enhancement' jokes please!) but it *could* be just part of a random virus attack

have you googled the name of the attached file(s)

how about the subject lines? BBV specific or the usual virus stuff like "Re: Hi!"

any coherent message text? blocks of dadaist words?

just curious...
 
BevHarris, Thu Mar-11-04 11:52 AM
Response to Original message
14. OK, thanks and I found it -- this is one that evades virus checkers
by having a password with the .zip file, McAfee and so forth can't find it.

It's a new variant called BagleJ.

One of my dear friends who happens to have the odd combination of my emails must have been hit with it. Odd that it had my unusual e-mails and Andy's personal email, but there are some activists who might have a smaller set of addresses in their system, that this went out on.

Note that the McAfee software will tell you if you send too many emails out, which will identify if it is your system that has a worm.

Thanks, and sorry.

Bev
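As an added example (not code from this thread or from any product named in it), here is a small mail-triage heuristic in Python that flags the two lure patterns the thread converges on: the Bagle-style password-protected .zip with the password handed over in the body (posts #6, #12 and #14), and the Netsky.d canned-subject/executable-attachment pattern from the quoted press release (post #8). The four sample messages are constructed to mirror the texts quoted on the page; the password regex and the executable-extension list are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample messages (not real captures). The first two mirror the
# two lures Bev quoted, the third mirrors the Netsky.d pattern from the press
# release, the fourth is a benign control.
SAMPLES: List[Dict] = [
    {"subject": "Hey, ya! =))",
     "body": "Argh, i don't like the plaintext :)\n\n..btw, \"86864\" is a password for archive",
     "attachments": ["TextDocument.zip"]},
    {"subject": "Hi! :-)",
     "body": "Looking forward for a response :P\n\n..btw, \"07808\" is a password for archive",
     "attachments": ["MsgInfo.zip"]},
    {"subject": "Re: Your document",
     "body": "Please read the attached file.",
     "attachments": ["document.pif"]},
    {"subject": "Re: meeting notes",
     "body": "Here are the notes from Tuesday, see you Friday.",
     "attachments": ["notes.pdf"]},
]

# Subject and body strings listed for Netsky.d in the quoted press release.
NETSKY_SUBJECTS = {
    "re: hello", "re: hi", "re: thanks!", "re: document", "re: message",
    "re: here", "re: details", "re: your details", "re: approved",
    "re: your document", "re: your text", "re: excel file", "re: word file",
    "re: my details", "re: your music", "re: your bill", "re: your letter",
    "re: your website", "re: your product", "re: your software",
    "re: your archive", "re: your picture", "re: here is the document",
}
NETSKY_BODIES = {
    "here is the file.", "your file is attached.", "your document is attached.",
    "please read the attached file.", "please have a look at the attached file.",
    "see the attached file for details.",
}

# Matches '"86864" is a password for archive' and captures the password.
# Assumed pattern; real lures vary, so treat this as one signal among several.
PASSWORD_RE = re.compile(r'"?(\w{3,12})"?\s+is\s+(?:a|the)\s+password', re.IGNORECASE)
# Attachment types that run directly when double-clicked (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")


def extract_archive_password(body: str):
    """Return the archive password advertised in the body, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def classify(msg: Dict) -> List[str]:
    """Return the heuristics the message trips; an empty list means it looks clean."""
    reasons: List[str] = []
    attachments = [a.lower() for a in msg.get("attachments", [])]
    has_zip = any(a.endswith(".zip") for a in attachments)
    has_exe = any(a.endswith(EXECUTABLE_EXT) for a in attachments)
    password = extract_archive_password(msg.get("body", ""))

    # Bagle-style lure: the archive is encrypted so a gateway scanner cannot
    # open it, and the password is given to the recipient in the body.
    if has_zip and password:
        reasons.append(f"password-protected zip with password {password!r} in body")

    # Netsky-style lure: canned subject or body plus a directly executable file.
    subj = msg.get("subject", "").strip().lower()
    body_lines = msg.get("body", "").strip().splitlines()
    body_first = body_lines[0].strip().lower() if body_lines else ""
    if has_exe and (subj in NETSKY_SUBJECTS or body_first in NETSKY_BODIES):
        reasons.append("canned Netsky subject/body with executable attachment")
    elif has_exe:
        reasons.append("directly executable attachment")
    return reasons


def triage(messages: List[Dict]) -> List[List[str]]:
    """Classify a batch of messages; index-aligned with the input."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for m, r in zip(SAMPLES, triage(SAMPLES)):
        print(f"{m['subject']!r:22} {'FLAG' if r else 'ok'} {'; '.join(r)}")
```

A quarantine rule on a real gateway would act on the first reason regardless of whether the archive contents scan clean, which is exactly the gap Bev describes.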
 
ParanoidPat, Thu Mar-11-04 11:53 AM
Response to Original message
15. Bev, was the message on the E-Mail......
....."Your IP address has been logged..." and did it have a .zip file attached? If so I got that 3-4 days ago and deleted it without opening it. IIRC, the return address was four random letters at a Hotmail account.

My system was compromised the other night while I was taping your appearance on Nightline. I noticed my Java Console was open and running in the background when I shut down for the night. The following morning when I restarted the computer, It updated my registry files, reported that it had not been shut down properly, auto-ran scandisk, and then several programs refused to run, most notably all of my media and security related programs.

I got all of the security stuff reloaded without problems however I can't seem to reload any of my media stuff. I keep getting an "RPC Version Conflict" error.

One other thing, I went to Gibson Research.com to check the status of my system ports, and when I ran ShieldsUP!, I found that port 113 is no longer in 'stealth' mode, it now reports 'closed'.

Just a note, I'm on DSL and am supposed to have a 'dynamic' IP address. I don't know when it started but my IP addy is now STATIC! It doesn't matter how many times I recycle power to the modem or how long I leave it off for, I get the same address every time. :( I have to rely on the dynamic addressing of my router to keep moving the target.
 
BevHarris, Thu Mar-11-04 12:05 PM
Response to Reply #15
17. Heh. Knowledge can be a dangerous thing
You know enough to realize when your system is compromised. I decided a long time ago not to drive myself crazy, other than to have up to date virus scanning, and pretty restrictive firewalls.

Of course, whenever I run Netscape I get a message that stops me and says the server is busy with the "other" program. It dinks around for awhile -- sometimes, various programs are highlighted and when I shut down, the computer tells me it is shutting down programs that aren't even open, but what the hell.

I gave up monitoring this stuff too closely. All it does is give me a headache. I use the ignoramus version of security: When it's really critical, I go to another computer, off line, and do things with old fashioned disks that I send or give to people. Heck, sometimes I even go to Kinkos.

I do get my online activities shut down, whether on Netscape or AOL, if I stay online too long. It starts breaking the connection intermittently, over and over, rapidly, so I can't receive or transmit. This is solved by switching to new access numbers. When I was traveling, I'd use new access numbers and they'd work great -- until one day, holed up in a motel, I was online all day. The access number stopped working after about 6 hours, and then all the local access numbers in that area stopped working after I'd used them for about 20 minutes.

Same thing happens on my husband's computer. Same thing happens on AOL. Ah we have to hassle with such annoyances.
 
ParanoidPat, Thu Mar-11-04 12:17 PM
Response to Reply #17
19. Yep, I'm building a second machine that will remain off-line,
because I'm tired of losing weeks if not months of work. :evilfrown:
As I sit here typing, I can see someone probing my router. The activity light is flashing once about every 2 seconds. If he manages to get past the router, all he has to do is figure out what address I'm on on the switcher. Then get past the firewall.

Multiple levels of security and all. :evilgrin:

Whoever it is that has been getting in is GOOD!
 
KeepItReal, Thu Mar-11-04 12:31 PM
Response to Reply #19
20. If you wanna catch the sucker...
Try Zonealarm personal firewall and VisualZone....both are free.

Zonealarm tracks your ports and people trying to look at your PC. Visualzone takes that tracking info and gives you lots of options to ID the intruders and reach out and touch them...

http://www.visualizesoftware.com/
 
ParanoidPat, Thu Mar-11-04 01:38 PM
Response to Reply #20
22. Good luck with Zone Alarm......
.....When I first got involved with this 'crazy lady' here, the very first thing that happened after I downloaded the infamous 'Diebold Source Code' was my ZA firewall started to act funny, that is it would intermittently not flag traffic that had been disallowed!

I removed it and reinstalled a later version and that's when the real fun began. The ZA screen graphics would change from the new version to the older version and back while I was online. We tracked what was happening and found that someone was 'spoofing' my firewall. For all intents and purposes it appeared to be running but a 'ctrl, alt, delete' showed the vector engine not loaded. We determined that a program had been installed using a hole in the Adobe Acrobat program and about a dozen files had been hidden deep in the Acrobat program folders. Owing to the 'cross platform' nature of Acrobat, i.e., it allows file access to many other programs on the machine, whoever loaded that program was able to set themselves up access to everything in my computer, log all changes to any files and drives in the system and send out a report every time I started the system, all before the system even loaded the vector engine.
None of these events showed up in the ZA logs. We had to use a packet sniffer to find that traffic.

To make matters worse, Neo Trace showed that all of the traffic coming and going from my computer was being routed through a server in Alexandria, Virginia. :tinfoilhat:


 
KeepItReal, Thu Mar-11-04 12:14 PM
Response to Reply #15
18. Are you running a Firewall like Zonealarm?
If you leave your computer connected to the net via DSL, you *gotta* have a firewall like Zonealarm running (unless you have a Mac).

Microsoft's security holes are amazing. Folks can scan for open ports on the Internet and gain access to your PC with no warning at all.

To try to keep your Windows-based system protected at a minimum-level:
1) Up-to-date antivirus software
2) A personal firewall if you use the 'net (they may be a pain to set up and integrate with your software, but worth it)
3) Anti-spy software (to remove ad software and tracking software )
4) Windows cache and cookie removal software (to remove web-surfing history)


 
ParanoidPat, Thu Mar-11-04 01:05 PM
Response to Reply #18
21. Tell me about it! LOL!
Just a note, Yes I do have all of the above and then some. I have a few 'friends' who are IT security experts in management positions with Fortune 100 companies. They're the ones that help me with my security. I can assure you that the people who are watching what is going on here are not script kiddies. But then again, neither are we. :)

Oh, BTW, since you mentioned Zone Alarm, I hope you haven't upgraded it since they were bought recently. Do a little research on who bought them. you might be surprised at what you find. :scared:
 
donsu, Thu Mar-11-04 02:00 PM
Response to Original message
23. kick
nt