After updating the Virus Definition files, Antigen reported it as:

Antigen for Exchange found www.myparty.yahoo.com infected with W32/MyParty-A (Sophos,McAfee4,CA(InoculateIT),CA(Vet)) worm. The message is currently Purged. The message, "new photos from my party!", was sent from user and was discovered in user\Outbox located at Company/First Administrative Group/Exchange Server.

But before the update, the *.com filter didn't work. Weird!

Saul

> And Trend reports it as:
>
> "WORM_MYPARTY.A" virus was found in attachment "www.myparty.yahoo.com",
> ScanMail has moved the attachment to C:\Program Files\Trend\Smex\Virus.
>
> Paul Chinnery
> Network Administrator
> Mem Med Ctr
>
> -----Original Message-----
> From: John Matteson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 3:24 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
> Maybe cause the payload looks like a weblink?
>
> When Nemix reports, it shows as:
> ===========
> The message contained 1 virus(es):
>
> www.myparty.yahoo.com infected with the [EMAIL PROTECTED]
> virus
> - - -
> =======================
>
> Your guess is as good as mine.
>
> John Matteson; Exchange Manager
> Geac Corporate Infrastructure Systems and Standards
> (404) 239 - 2981
> My toys! My toys! I can't do this job without my toys!
>
> -----Original Message-----
> From: Saul [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 3:08 PM
> To: Exchange Discussions
> Subject: RE: Alert: W32/Myparty-mm on the loose
>
> I am also blocking *.com on our SMTP Scan Job for Antigen but this
> attachment slipped by. Luckily the user who got suspected something and
> called us. I have updated the virus engines running on our Antigen but I
> am curious why the attachment blocking didn't work? Any IDEAS?
>
> Saul
>
> > This one slipped by our *.com file matching as well... actually it's been a
> > little hit and miss... some were caught but others were not stopped until we
> > installed the definition file--We're running Antigen with the Norman def.
> > I'm still seeing weird stuff.... some seem to be getting through the IMC scan
> > and making it to the store and getting disinfected there. That's the first
> > time I've ever seen that. Very odd indeed.
> > Most that are being caught are by the virus definition--because generally
> > we just get the *.com type block message. Wonder what's going on here.
> >
> > Fortunately we run something different on the desktop--and it had updated
> > through the night.
> >
> > Josh Harmon
> >
> > -----Original Message-----
> > From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 8:20 AM
> > To: Exchange Discussions
> > Subject: RE: Alert: W32/Myparty-mm on the loose
> >
> > Somehow this one slipped past our .com filter on our linux firewall. NAV
> > for exchange caught it by the .COM extension, and norton had just
> > liveupdated us an hour earlier with the new definitions that would have
> > caught it if it wasn't a blocked extension. I think the syntax of the
> > attachment code is probably not RFC compliant.
> >
> > Tom
> >
> > -----Original Message-----
> > From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 9:03 AM
> > To: Exchange Discussions
> > Subject: RE: Alert: W32/Myparty-mm on the loose
> >
> > Fortunately we're all blocking *.com right? The *.com viruses are going to
> > take forever to combat from a social engineering standpoint. It's probably
> > worth investing some time in user education on .com files because I think
> > this is going to be a new favorite virus writing style for the next few
> > months.
> >
> > Chris Scharff
> > The Mail Resource Center
> > http://www.mail-resources.com
> >
> > -----Original Message-----
> > From: Martin Blackstone
> > To: Exchange Discussions
> > Sent: 1/28/2002 7:57 AM
> > Subject: FW: Alert: W32/Myparty-mm on the loose
> >
> > -----Original Message-----
> > From: Russ [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 5:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: Alert: W32/Myparty-mm on the loose
> >
> > Be aware that this morning you will likely find a copy of this new mass
> > mailer in your mail systems.
> > This is a pure social engineering attack, it
> > contains an attachment named as a URL with a .com extension. Since .com is
> > also an application, it will be run as such if it's double-clicked on. Check
> > with your AV company for updates and/or filtering criteria. If you can, be
> > sure you have attachment filtering enabled at your mail gateway. Outlook
> > Email Security Update, and Outlook 2002, both catch this attachment and
> > prevent it from being available for the user to click on.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
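
The thread does not settle why the *.com rules missed this attachment. As an added example (not part of the thread, and not how Antigen, ScanMail or NAV work), here is a gateway-style check that collects the attachment name from both Content-Disposition and Content-Type and normalises it before matching the extension. The function names, the blocklist entries other than com, and the sample message are assumptions constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Assumed blocklist: the thread only discusses *.com; the rest is illustrative.
BLOCKED_EXTENSIONS = {"com", "exe", "pif", "scr"}

def declared_names(part):
    """Every name a MIME part declares; the two parameters can disagree."""
    names = set()
    for header, param in (("content-disposition", "filename"), ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value:
            names.add(collapse_rfc2231_value(value))  # also decodes RFC 2231 forms
    return names

def extension(name):
    """Last extension, lowercased; Windows ignores trailing dots and spaces."""
    cleaned = name.strip().rstrip(". ").lower()
    return cleaned.rpartition(".")[2] if "." in cleaned else ""

def blocked_attachments(raw_message):
    """Return the declared attachment names whose extension is blocked."""
    msg = email.message_from_string(raw_message)
    return [name for part in msg.walk()
            for name in sorted(declared_names(part))
            if extension(name) in BLOCKED_EXTENSIONS]

# Constructed sample message (not captured traffic); bodies are placeholders.
SAMPLE = """\
Subject: new photos from my party!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.myparty.yahoo.com"

placeholder
--b1
Content-Type: application/octet-stream; name="WWW.MYPARTY.YAHOO.COM."

placeholder
--b1
Content-Type: text/plain; name="notes.txt"

placeholder
--b1--
"""

print(blocked_attachments(SAMPLE))
```

A rule that compares only one of the two parameters, or compares case-sensitively, would miss one of the two flagged parts in this sample.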

