Antigen from Sybari.

http://www.sybari.com/home/

Conrad Schellenberg
[EMAIL PROTECTED]
Comark Inc.

Phone   (204) 633 1886 ext. 204
fax     (204) 694 9689


____________________Reply Separator____________________
Subject:    RE:
Author: "Matt Rogghe" <[EMAIL PROTECTED]>
Date:       2/13/2001 11:43 AM

Just an interesting note here and maybe a request for feedback.  I first
found the virus yesterday after I got back from lunch and had something like
10-15 e-mails from the users here in my office... all the virus.  Four users
here had opened the attachment before I could stop them.  Since I had just,
minutes before, received those e-mails, I ran to the server and yanked the
connection between the firewall and the mail server.... deleted all outbound
e-mails from the Exchange server queue (users will at least get a
non-delivery if it was genuine business).... cleaned off the PCs and then
re-connected the server.  Now, I work in a small office (~25 users) so I can
do this sort of thing with impunity where some of you guys in bigger
installations probably can't, but my real question here is: are there any
good Exchange virus/content scan agents out there?  I took a look at a few a
short while back and again yesterday and was discouraged to note that not a
single one would identify the Kournikova virus unless you had updated the
software with a patch released sometime yesterday.... probably a little too
late.  I suppose I could purchase one of these and simply quarantine any
.vbs/.js/any executable that came through until I looked at it, but I was
hoping for something a little more automated.  Just a pipe dream?  Any
products of note out there you guys have experience with?

Thanks,
Matt Rogghe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 10:53 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Matt Rogghe;
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: 


I only meant that I use debug.

> ----------
> From:     Gibson, Brian
> Sent:     13 February 2001 15:42
> To:   '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:  RE: 
> 
> Just curious but what exactly is the inherent risk in opening
> attachments in a text only editor?  I often use a text editor to
> quickly review attachments for malicious intent.  If they are binary
> files then I go with an analyzer but for script attacks why is a text
> editor a poor choice?  
> 
> If that wasn't your implication, I apologize for misreading your
> statement.
> 
> -----Original Message----- 
> From: [EMAIL PROTECTED] [
> mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 13, 2001 8:31 AM 
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED] 
> Subject: RE: 
> 
> 
> Que?
> 
> I was not complaining about the e-mail informing us that it was a 'nasty
> little script'. I was highlighting the point that a mailing list whose
> focus is IT Security was used to proliferate malware.
> 
> Let me see if I have you straight here. OK, it's nice to see the A.V. and
> content analysis tools you have spent much resource on working as
> intended (Cheers for the sample guys). But you can't seriously be
> telling me that the fact that this script was (Apparently/allegedly)
> sent to every e-mail address in Mr Rollie's Address Book, and that it
> was forwarded on to all of us is a useful service?
> 
> As one security professional to another. Even if it had no effect on any
> recipient. What would your response be when one of your company's
> customers calls up to complain about being sent a virus via e-mail from
> one of your users. Let me see if I can guess....
> 
> To give you some comfort ( as you are obviously concerned for my well
> being ) Of course I don't trust attachments. I do examine suspicious
> attachments with something a little more sophisticated than Notepad (or
> is that vi).
> 
> My apologies to all on the list. My mail was supposed to address what I
> considered to be a serious issue. My intention was not to flame the guys
> who run this list or to start a flame war on the list. However, I fear
> that may be the result.
> 
> Liam.
> 
> > ---------- 
> > From:         Bill Royds 
> > Sent:         13 February 2001 13:00 
> > To:   [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; 
> > [EMAIL PROTECTED] 
> > Subject:      RE: 
> > 
> > Actually that message was very useful to me. It gave me early warning
> > about the virus by showing that it leaked through our email anti-virus
> > and the code gave me some strings to scan for on our IDS.
> >   As a security professional, I never execute anything I get in email,
> > but I do examine it with text only tools to look for problems. Don't
> > you?
> > 
> > -----Original Message----- 
> > From: [EMAIL PROTECTED] 
> > [ mailto:[EMAIL PROTECTED]]On Behalf Of 
> > [EMAIL PROTECTED] 
> > Sent: Tuesday, February 13, 2001 06:03 
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] 
> > Subject: RE: 
> > Importance: High 
> > 
> > 
> > I have to say that it is a pretty sad state of affairs when a mailing
> > list that is dedicated to IT security issues falls foul of this type of
> > problem.
> > 
> > Is there any need to allow attachments on this forum?
> > 
> > I assume that there is some form of content analysis performed on the
> > traffic through this list.....?
> > 
> > I would assume that most people on this list have some form of content
> > analyser implemented on their mail gateway. I would further assume that
> > if you were not covered when the first VBS was distributed then you were
> > pretty soon afterwards ( weren't you? ). This is the responsible thing
> > to do. I am sure that the guys who run this list would think so too.
> > 
> > I know that this list is run (pretty smoothly) as a free service to us
> > and the relevant T&Cs are in place, but people have been put on RBL for
> > less. Is there a cheap and simple method you guys could implement by
> > which attachments could be prohibited on this list?
> > 
> > Cheers, Liam.
> > 
> > > ---------- 
> > > From:       Matt Rogghe 
> > > Sent:       12 February 2001 20:55 
> > > To:         'Gary Rollie'; [EMAIL PROTECTED] 
> > > 
> > > That last post to here was a nasty little replicator script. Looks
> > > like it's just hitting the global address list so far on the Exchange
> > > server.
> > > - 
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with 
> > > "unsubscribe firewalls" in the body of the message.] 
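Matt's idea above of quarantining any .vbs/.js or executable attachment at the mail gateway until someone has looked at it, written up as an added example that is not from any poster on this thread or from any product mentioned: a minimal attachment-policy check in Python over a constructed message. The blocked-extension list and the sample message are assumptions; it goes a little beyond a plain suffix check by also catching double extensions such as holiday.jpg.vbs and a script part declared with an image or text content type.

```python
import email
from email import policy

# Assumed gateway policy: attachment types held for review regardless of
# whether the AV vendor has shipped a signature yet (constructed list).
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                      "exe", "com", "scr", "pif", "bat", "cmd", "shs"}


def risky_extensions(filename: str) -> set[str]:
    """Blocked extensions anywhere after the first dot, so a double
    extension like photo.jpg.vbs is caught, not only the final suffix."""
    return BLOCKED_EXTENSIONS & set(filename.lower().split(".")[1:])


def quarantine_reasons(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and list the reasons to hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = risky_extensions(name)
        if not hits:
            continue
        reasons.append(f"{name}: blocked extension {sorted(hits)}")
        ctype = part.get_content_type()
        # A script part declared as an image or text type is a disguise.
        if ctype.startswith(("image/", "text/")):
            reasons.append(f"{name}: declared as {ctype}")
    return reasons


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: any hit holds the whole message for a human look."""
    return bool(quarantine_reasons(raw))


# Constructed sample: a double-extension script attachment declared as an image.
SAMPLE_SCRIPT_MAIL = b"""From: sender@example.invalid
Subject: photo
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="holiday.jpg.vbs"
Content-Disposition: attachment; filename="holiday.jpg.vbs"

' placeholder text standing in for a script body
--b1--
"""
```

A message with no attachments, or only attachments outside the list, comes back with an empty reason list and is delivered unchanged.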