Hi, So, the virus taking advantage of this MS Word/VB vulnerability is [EMAIL PROTECTED]
Also, are you simply blocking *.txt extensions in your Exchange AV or some other file formats? We were talking about this in our security meeting yesterday however this is the first I have heard of an exploit.... Thanks in advance, Erik L. Vesneski WCDC Intel Lead/Systems Consultant ISO - Intel Systems Ph#: 925-658-6161 www.pmigroup.com mailto:[EMAIL PROTECTED] -----Original Message----- From: Bendall, Paul [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2003 7:29 AM To: Exchange Discussions Subject: RE: The New MS Word / VBA vulnerability in Attachments Excuse my ignorance what is the vulnerability, do you have a Q article or security update number from MS. When was the vulnerability reported. TIA, Paul -----Original Message----- From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] Sent: 11 September 2003 15:24 To: Exchange Discussions Subject: RE: The New MS Word / VBA vulnerability in Attachments We instituted the same policy yesterday. We started diverting all office format documents as well as .txt files (we had seven instances of [EMAIL PROTECTED] make it all the way to the mail server, where the AV picked it, because the attachment was disguised as a .txt file.) for testing. We told the users it may delay the delivery of an e-mail up to an hour...no complaints, and we have the backing of the computer security person, the CIO and the president of the company. -----Original Message----- From: Michael Henry [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 1:54 PM To: Exchange Discussions Subject: The New MS Word / VBA vulnerability in Attachments After reading the announcement concerning the vulnerability in MS Word / VBA, began to think proactively about the impact. I started filtering .doc and checking them myself before forwarding them on. And sent out a notice to that affect. I do about 20 or so of these daily. Well, I was reluctantly supported by my manager. And now I am getting negative feedback because of the impact it's having. No 'real' complaints about delayed delivery. The social engineering is practically perfect on this. The virus on first pass, simply looks up every e-mail with a .doc. Infects it and re-sends it with "UPDATED" added to the subject line. Then e-mails others with "I forgot to send this." So the sender is known by the recipient on this one. Please let me ask you, especially if the VBA is polymorphic/self modifying, what are the chances, that if it got through the AV on your server, that your user would open this e-mail? As time goes by, the caliber and sophistication of viruses are getting better and not worst. Now, I hope that the payload does not turn bad on this one. Like the virus detects that it has sent to everyone that it could, then starts deleting files. Until the first virus hits and it's variants, Am I being cautious? Therefore, should keep the filter on. Or Am I over reacting? An need to turn off the filter. Your opinion is requested. Regards, Michael Henry The one responsible either way it goes. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] ---------------------------------------------------------------------- If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender. ---------------------------------------------------------------------- _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
