Sophos, pulled every hour, all clients updated every hour, mail gateways every 5 minutes, NAI GroupShield onboard Exchange servers updated once a week (yeah, groupsuck, but it's a different vendor just as a double check). We've run active scans on all web servers and all victim clients with Sophos, nothing. The issue has been reported to Sophos tech support; we're waiting on a reply presently.

It is hitting a new person on our campus at the rate of about 1 every 15-20 minutes. We are seeing it on everything from secured admin workstations to 'very' unsecured student computers. No common denominator yet for a possible delivery application, except they are all Win2k running IE6 or IE5.5 SP2 so far. Several of the clients don't even have Outlook, but could be accessing through OWA, so a mail-based starting point isn't out of the picture yet. We are getting nervous that no one else outside our campus seems to be reporting this yet.

Brad

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 12:33 PM
To: MS-Exchange Admin Issues
Subject: RE: Web redirects - virus/CSS/Email based?

Do you have the latest and greatest dat files for it? Also, try the free AV scanner from Trend....

-----Original Message-----
From: Brad Metzler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 12:31 PM
To: MS-Exchange Admin Issues
Subject: RE: Web redirects - virus/CSS/Email based?

Done, on two victim machines so far, returned nothing.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 12:13 PM
To: MS-Exchange Admin Issues
Subject: RE: Web redirects - virus/CSS/Email based?

Do it anyways....

-----Original Message-----
From: Brad Metzler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 12:13 PM
To: MS-Exchange Admin Issues
Subject: RE: Web redirects - virus/CSS/Email based?

Dennis,

This is happening to clean systems with no messaging agents or anything on them. No new installs, no modifications, secured access computers. There is nothing to indicate that the problem is being started by an adware or spyware agent. The problem is that it is obviously trying to install one; we are trying to find out where this chain is starting. Somehow that first site is getting called that starts the redirect and the install attempts, but where is the first call coming from? We are trying to determine if it is embedded in a popular web site like MSN or Yahoo or something, or if it is embedded in an e-mail. If we're the only ones having this problem then I'll know to start looking for the source internally, but right now I have really no leads on the source.

Brad

-----Original Message-----
From: Dennis Atherton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 12:06 PM
To: MS-Exchange Admin Issues
Subject: RE: Web redirects - virus/CSS/Email based?

Go to www.lavasoftusa.com, and download the latest version of Ad-Aware. It will scan your systems and kill the sh*t.

-----Original Message-----
From: Brad Metzler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 12:01 PM
To: MS-Exchange Admin Issues
Subject: Web redirects - virus/CSS/Email based?

Is anyone else having this problem? We are suddenly having dozens of reports from users who find that anywhere they web-browse to is being redirected to a "domain for sale" page with pop-ups and other windows for places like reunion.com, and in some cases it attempted to start an install of Gator. Once you pick it up, it appears you have to reboot to be able to browse normally again. It doesn't affect all sites you browse to afterward, however(?). Smells like a virus, but feels like a JavaScript dropper from a CSS attack or something. We have been unable to isolate which site is dropping the file or if maybe it is embedded in an e-mail. All three levels of our virus scanning on e-mail and on the network have detected nothing.

The source address of the redirect file is 161.58.178.209, and if you visit that address you will see the domain for sale page and the pop-ups, and in my case it again tried to install Gator, so USE CAUTION. I'm posting this here hoping someone else may recognize the symptoms, and also curious if there is an e-mail going around that might be carrying the starting point for this.

Thanks
Brad Metzler
Director of ITS Infrastructure
Concordia University - Portland

List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
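The question the thread keeps coming back to is where the first call to the redirect site comes from. A proxy log with a Referer field answers that directly: find each victim's first request to the reported IP, then walk the Referer chain backwards to the page that started it, and count which page sits immediately before the first contact across all victims. The script below is an added example written for this archive, not code from any of the posters or from the list; only the IP 161.58.178.209 comes from the thread. The log format (timestamp, client, method, URL, status, referer), the sample lines, and the host names ads.example-banner.net and mail.example.edu are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IP reported in the thread as the source of the redirect page.
REDIRECT_HOST = "161.58.178.209"

# Constructed sample proxy log (hypothetical space-separated format):
# timestamp client_ip method url status referer ("-" when absent).
# Lines are assumed to be in time order, as a proxy writes them.
SAMPLE_LOG = """\
2002-04-23T11:58:01 10.1.4.21 GET http://www.msn.com/ 200 -
2002-04-23T11:58:03 10.1.4.21 GET http://ads.example-banner.net/show.js 200 http://www.msn.com/
2002-04-23T11:58:04 10.1.4.21 GET http://161.58.178.209/ 200 http://ads.example-banner.net/show.js
2002-04-23T11:58:05 10.1.4.21 GET http://161.58.178.209/popup.html 200 http://161.58.178.209/
2002-04-23T12:05:10 10.1.7.88 GET http://mail.example.edu/exchange/ 200 -
2002-04-23T12:05:12 10.1.7.88 GET http://ads.example-banner.net/show.js 200 http://mail.example.edu/exchange/inbox
2002-04-23T12:05:13 10.1.7.88 GET http://161.58.178.209/ 200 http://ads.example-banner.net/show.js
2002-04-23T12:20:40 10.1.9.3 GET http://www.yahoo.com/ 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass(frozen=True)
class LogEntry:
    ts: str
    client: str
    method: str
    url: str
    status: int
    referer: Optional[str]  # None when the log recorded "-"


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ref = m.groups()
    return LogEntry(ts, client, method, url, int(status), None if ref == "-" else ref)


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def first_contacts(entries: List[LogEntry]) -> Dict[str, LogEntry]:
    """Earliest request from each client to the redirect host."""
    first: Dict[str, LogEntry] = {}
    for e in entries:
        if host_of(e.url) == REDIRECT_HOST and e.client not in first:
            first[e.client] = e
    return first


def trace_chain(entries: List[LogEntry], client: str) -> List[str]:
    """Walk Referer headers backwards from the client's first contact.

    Returns the chain oldest-first, ending at the redirect host. The walk
    stops when a referer has no matching earlier request in the log (for
    example a page fetched before logging started, or over HTTPS).
    """
    mine = [e for e in entries if e.client == client]
    first = first_contacts(mine).get(client)
    if first is None:
        return []
    chain = [first.url]
    ref, seen = first.referer, set()
    while ref and ref not in seen:
        seen.add(ref)
        chain.append(ref)
        prev = next((e for e in reversed(mine) if e.url == ref and e.ts <= first.ts), None)
        ref = prev.referer if prev else None
    chain.reverse()
    return chain


def delivery_candidates(entries: List[LogEntry]) -> Counter:
    """Count the page immediately preceding each victim's first contact.

    Self-referrals from the redirect host are ignored; the most common
    remaining referer is the likeliest page carrying the embedded call.
    """
    counts: Counter = Counter()
    for e in first_contacts(entries).values():
        if e.referer and host_of(e.referer) != REDIRECT_HOST:
            counts[e.referer] += 1
    return counts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for client, e in first_contacts(log).items():
        print(f"{client}: first contact {e.ts}")
        print("   chain:", " -> ".join(trace_chain(log, client)))
    print("delivery candidates:", delivery_candidates(log).most_common())
```

On the constructed sample the two victims share the same immediate referer (the banner script), while the originating pages differ (a portal page in one case, an OWA inbox whose own request is not in the log in the other), which is exactly the pattern that separates "embedded in a popular site" from "embedded in a mail" in the thread's question. On a real proxy the same functions run over the exported access log, with only LINE_RE changed to match its field layout.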
