If it has no way of self propagating then it cannot be called a worm and is
more accurately classified as a virus. Yes it can be spread by file sharing
as any other virus can. What makes worms unique is the ability to spread
without user intervention.
It looks like in this instance, the term "worm" is being used loosely.
Users must still swap files to spread the virus as was the case with media
sharing (floppy's, etc.) in the days before the Internet.
-----Original Message-----
From: Steven Trewick [mailto:STrewick (at) joplings.co (dot) uk [email concealed]]
Sent: Wednesday, October 27, 2004 2:26 AM
To: 'H Carvey'; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: MacOSX worm
Well, the reg
http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener/says
says the malware "contains a variety of destructive
functionality including a keylogger and backdoor components."
The Symantec write up linked from the article
http://www.sophos.com/virusinfo/analyses/shrenepoa.htmlhas
lists side effects including "Deletes files off the computer", and "Modifies
passwords", both of which could be considered
destructive actions.
Perhaps the semantics in the reg article are a bit off, but
I hardly think they can be accused of spreading FUD.
You could always email them and ask for clarification,
they are a fairly approachable lot.
As for the AV industry, I see no reason why they should downplay
the threat (quite the opposite surely ?), but since the Symantec
write up classifeis it as worm, and claims it spreads by file shares,
and the user write ups at http://www.macintouch.com/opener.html
suggest something different again, perhaps the combined effect
*becomes* FUD
Same old same old.
Steve
> -----Original Message-----
> From: H Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
> Sent: 26 October 2004 17:09
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: MacOSX worm
>
>
>
>
> SF has a Register article about Opener/Renepo-A. The article
> describes this as a "rootkit" (the term is, in fact, used in
> the title of the article), yet Sophos (linked in the article)
> classifies it as a worm. Neither the Register article nor
> the Sophos write up describe any rootkit-like capabilities.
>
> Here's the Symantec writeup:
> http://www.sarc.com/avcenter/venc/data/macos.renepo.b.html
>
> The Register article calls the "rootkit" "destructive", yet
> doesn't describe any destructive capabilities. However, the
> Symantec writeup does.
>
> So...what's the real deal? Is the media spreading FUD, or is
> the A/V community downplaying the effectiveness of this bit
> of malware?
>
> Thanks,
>
> Harlan Carvey
> "Windows Forensics and Incident Recovery" http://www.windows-ir.com
>
The information contained in this e-mail is confidential and may be
privileged, it is intended for the addressee only. If you have received this
e-mail in error please delete it from your system. The statements and
opinions expressed in this message are those of the author and do not
necessarily reflect those of the company. Whilst Joplings Group operates an
e-mail anti-virus program it does not accept responsibility for any damage
whatsoever that is caused by viruses being passed. joplings.co.uk
more accurately classified as a virus. Yes it can be spread by file sharing
as any other virus can. What makes worms unique is the ability to spread
without user intervention.
It looks like in this instance, the term "worm" is being used loosely.
Users must still swap files to spread the virus as was the case with media
sharing (floppy's, etc.) in the days before the Internet.
-----Original Message-----
From: Steven Trewick [mailto:STrewick (at) joplings.co (dot) uk [email concealed]]
Sent: Wednesday, October 27, 2004 2:26 AM
To: 'H Carvey'; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: MacOSX worm
Well, the reg
http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener/says
says the malware "contains a variety of destructive
functionality including a keylogger and backdoor components."
The Symantec write up linked from the article
http://www.sophos.com/virusinfo/analyses/shrenepoa.htmlhas
lists side effects including "Deletes files off the computer", and "Modifies
passwords", both of which could be considered
destructive actions.
Perhaps the semantics in the reg article are a bit off, but
I hardly think they can be accused of spreading FUD.
You could always email them and ask for clarification,
they are a fairly approachable lot.
As for the AV industry, I see no reason why they should downplay
the threat (quite the opposite surely ?), but since the Symantec
write up classifeis it as worm, and claims it spreads by file shares,
and the user write ups at http://www.macintouch.com/opener.html
suggest something different again, perhaps the combined effect
*becomes* FUD
Same old same old.
Steve
> -----Original Message-----
> From: H Carvey [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
> Sent: 26 October 2004 17:09
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: MacOSX worm
>
>
>
>
> SF has a Register article about Opener/Renepo-A. The article
> describes this as a "rootkit" (the term is, in fact, used in
> the title of the article), yet Sophos (linked in the article)
> classifies it as a worm. Neither the Register article nor
> the Sophos write up describe any rootkit-like capabilities.
>
> Here's the Symantec writeup:
> http://www.sarc.com/avcenter/venc/data/macos.renepo.b.html
>
> The Register article calls the "rootkit" "destructive", yet
> doesn't describe any destructive capabilities. However, the
> Symantec writeup does.
>
> So...what's the real deal? Is the media spreading FUD, or is
> the A/V community downplaying the effectiveness of this bit
> of malware?
>
> Thanks,
>
> Harlan Carvey
> "Windows Forensics and Incident Recovery" http://www.windows-ir.com
>
The information contained in this e-mail is confidential and may be
privileged, it is intended for the addressee only. If you have received this
e-mail in error please delete it from your system. The statements and
opinions expressed in this message are those of the author and do not
necessarily reflect those of the company. Whilst Joplings Group operates an
e-mail anti-virus program it does not accept responsibility for any damage
whatsoever that is caused by viruses being passed. joplings.co.uk
[ reply ]