I started quarantining zips at our firewall yesterday evening at about 5pm EST and it has been steady at 5 - 7 per minute since. I have always blocked exe, bat, cmd, vbs, etc., but I let zips through and everyone has gotten used to that - I guess we'll have to change that now...

Jeff Hague MCSE
Network Manager
Randolph-Macon College
Ashland, VA

-----Original Message-----
From: Bourque Daniel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 12:24 PM
To: Exchange Discussions
Subject: RE: New variant of W32/Dumaru.y

Well, I hope everybody has a lot of fun!!! We have received 3000 of those little critters since yesterday night. How can anybody let PIF/EXE/CMD/any executable file inside their network, even if it's in a zip file???

-----Original Message-----
From: Scott Weston [mailto:[EMAIL PROTECTED]
Sent: January 26, 2004 20:48
To: Exchange Discussions
Subject: RE: New variant of W32/Dumaru.y

MessageLabs, the leading provider of managed email security services to businesses worldwide, has intercepted a high number of copies of a new worm known as W32/Mydoom.A-mm.

Name: W32/Mydoom.A-mm
Number of copies intercepted so far: 165,598
Time & Date first captured: 13.03pm GMT, 26th Jan 04
Origin of first intercepted copy: Russia

W32/Mydoom.A-mm is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and targets files with the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt.

On January 23, 2004, MessageLabs, the leading provider of managed email security services to businesses worldwide, intercepted a large number of copies of another variant of the Dumaru email worm - W32/Dumaru.Y.

General

The initial copy of this new variant originated from the United States. To date, the majority of infected emails that MessageLabs has intercepted were sent from the United Kingdom - 42% of the total number of emails seen.

Name: W32/Dumaru.Y-mm
Aliases: W32/Dumaru.Z-mm
Number of copies intercepted so far: 5,027
Time & Date first Captured: 23rd Jan 2004, 20.56 GMT
Origin of first intercepted copy: United States

The worm arrives as an attachment to an email called myphoto.zip (17Kb).
The sender's email address may be forged, and therefore does not indicate the true identity of the sender.

-----Original Message-----
From: Steve [mailto:[EMAIL PROTECTED]
Sent: Monday, January 26, 2004 4:15 PM
To: Exchange Discussions
Subject: New variant of W32/Dumaru.y

We got a new variant of this that neither McAfee nor Trend is stopping (extra.dat is on the way). It is zipped and the subject and attachment name change. Here is a link to NAI's description: http://vil.nai.com/vil/content/v_100980.htm

Still nothing from Trend. This thing spreads like fire.

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
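
The gateway policy debated in this thread (blocking PIF/EXE/CMD and similar files even when they arrive inside a zip), as an added example that is not part of the original messages or any product's code. The `.scr` and `.com` entries, the nesting limit, all function names and the sample message are assumptions made for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# exe/bat/cmd/vbs/pif are named in the thread; scr and com are added assumptions.
BLOCKED = {".exe", ".bat", ".cmd", ".vbs", ".pif", ".scr", ".com"}
MAX_DEPTH = 2  # assumed limit on zip-inside-zip nesting

def ext_of(name):  # final extension, lower-cased: "photo.jpg.PIF " -> ".pif"
    name = name.strip().rstrip(". ").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def zip_verdict(data, depth=0):  # -> (quarantine, reason) for raw zip bytes
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = ext_of(info.filename)
                if ext in BLOCKED:
                    return True, f"executable member: {info.filename}"
                if ext == ".zip":
                    if depth >= MAX_DEPTH or info.flag_bits & 0x1:  # too deep or encrypted
                        return True, f"uninspectable nested zip: {info.filename}"
                    hit, why = zip_verdict(zf.read(info), depth + 1)
                    if hit:
                        return True, why
    except zipfile.BadZipFile:
        return True, "unreadable zip"  # cannot inspect it, so do not deliver it
    return False, "clean"

def message_verdict(raw):  # -> (quarantine, reason) for one raw RFC 822 message
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        if ext_of(name) in BLOCKED:
            return True, f"executable attachment: {name}"
        if ext_of(name) == ".zip":
            hit, why = zip_verdict(part.get_payload(decode=True))
            if hit:
                return True, f"{name}: {why}"
    return False, "clean"

def sample_message(member_name):  # constructed sample: zip holding placeholder bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

A production filter would also cap the uncompressed size of a nested archive before reading it, which this sketch leaves out.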
