Maybe cause the payload looks like a weblink?
When Nemix reports, it shows as:
===========
The message contained 1 virus(es):
www.myparty.yahoo.com infected with the [EMAIL PROTECTED]
virus
- - -
=======================
Your guess is as good as mine.
John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981
My toys! My toys! I can't do this job without my toys!
-----Original Message-----
From: Saul [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 3:08 PM
To: Exchange Discussions
Subject: RE: Alert: W32/Myparty-mm on the loose
I am also blocking *.com on our SMTP Scan Job for Antigen but this
attachment slipped by. Luckily the user who got it suspected something and
called us. I have updated the virus engines running on our Antigen but I
am curious why the attachment blocking didn't work? Any IDEAS?
Saul
> This one slipped by our *.com file matching as well... actually it's been a
> little hit and miss... some were caught but others were not stopped until we
> installed the definition file--We're running Antigen with the Norman def.
> I'm still seeing weird stuff.... some seem to be getting through the IMC scan
> and making it to the store and getting disinfected there. That's the first
> time I've ever seen that. Very odd indeed. Most that are being caught are
> by the virus definition--because generally we just get the *.com type block
> message. Wonder what's going on here.
>
> Fortunately we run something different on the desktop--and it had updated
> through the night.
>
> Josh Harmon
>
>
> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 8:20 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
>
> Somehow this one slipped past our .com filter on our linux firewall. NAV
> for exchange caught it by the .COM extension, and norton had just
> liveupdated us an hour earlier with the new definitions that would have
> caught it if it wasn't a blocked extension. I think the syntax of the
> attachment code is probably not RFC compliant.
>
> Tom
>
> -----Original Message-----
> From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 9:03 AM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
>
> Fortunately we're all blocking *.com right? The *.com viruses are going to
> take forever to combat from a social engineering standpoint. It's probably
> worth investing some time in user education on .com files because I think
> this is going to be a new favorite virus writing style for the next few
> months.
>
> Chris Scharff
> The Mail Resource Center
> http://www.mail-resources.com
>
> -----Original Message-----
> From: Martin Blackstone
> To: Exchange Discussions
> Sent: 1/28/2002 7:57 AM
> Subject: FW: Alert: W32/Myparty-mm on the loose
>
>
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 5:45 AM
> To: [EMAIL PROTECTED]
> Subject: Alert: W32/Myparty-mm on the loose
>
>
> Be aware that this morning you will likely find a copy of this new mass
> mailer in your mail systems. This is a pure social engineering attack, it
> contains an attachment named as a URL with a .com extension. Since .com is
> also an application, it will be run as such if it's double-clicked on. Check
> with your AV company for updates and/or filtering criteria. If you can, be
> sure you have attachment filtering enabled at your mail gateway. Outlook
> Email Security Update, and Outlook 2002, both catch this attachment and
> prevent it from being available for the user to click on.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
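Added example, not part of the original thread and not any vendor's filter code: a sketch of the gateway attachment check discussed above, which collects the attachment name from both the Content-Disposition `filename` and the Content-Type `name` parameter before testing the extension. The blocklist, the function names and the sample message are assumptions constructed for illustration; it does not establish why the filters in this thread missed the attachment.

```python
import email
import email.utils

# Assumed gateway blocklist of extensions Windows runs directly.
BLOCKED_EXTS = {".com", ".exe", ".pif", ".scr", ".bat"}

# Constructed sample: the attachment name is carried only in Content-Type.
SAMPLE = (
    "Subject: new photos\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "see attached\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="www.myparty.yahoo.com"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "AAAA\r\n"
    "--b1--\r\n"
)

def candidate_names(part):
    """Collect every name a mail client might use for this MIME part."""
    names = []
    for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
        value = part.get_param(param, header=header)
        if isinstance(value, tuple):  # RFC 2231 form: (charset, language, value)
            value = email.utils.collapse_rfc2231_value(value)
        if value:
            names.append(value)
    return names

def blocked_extension(name):
    """Return the blocked extension carried by name, or None."""
    cleaned = name.strip().rstrip(". ").lower()  # Windows drops trailing dots and spaces
    dot = cleaned.rfind(".")
    ext = cleaned[dot:] if dot != -1 else ""
    return ext if ext in BLOCKED_EXTS else None

def scan(raw):
    """Return (name, extension) for every MIME part with a blocked name."""
    hits = []
    for part in email.message_from_string(raw).walk():
        for name in candidate_names(part):
            ext = blocked_extension(name)
            if ext:
                hits.append((name, ext))
    return hits
```

A check that reads only the Content-Disposition `filename` would return no hits for this sample, because the name appears only as the Content-Type `name` parameter.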