I tried to remember the rule, so I looked in my rules.ima,
and I found this for the rule:
B~filename=".vbs":NUL
I think this is incorrect. Could someone please repost the
rule.
--------------------------------------------------------
Rand Thacker
Technical Director - Net FX Corporation
Rockford, IL - http://netfxcorp.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Virtual Web
Servers
Sent: Friday, May 19, 2000 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Another virus.
This is why EVERYBODY should be blocking *.vbs
If anyone reading this list is NOT blocking these files because they are
unsure of exactly how to do it, post the question. The subject was beaten to
death a couple of weeks ago, with every other post being about this problem,
so everyone should have a pretty good idea. But if you missed it, or didn't
figure it out, ASK somebody. With the number of Imail installs out there, we
can make a dent in the amount of this stuff that is moving around if
everybody does there jobs instead of crossing their fingers. Your users are
not as smart as you are, help them.
rusty
----- Original Message -----
From: Jonathan <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 19, 2000 9:10 AM
Subject: Re: [IMail Forum] Another virus.
Yep, we saw it rolling around 10a ... made me pretty glad to be blocking
*.vbs :)
Jonathan
At 08:45 AM 5/19/2000 -0400, you wrote:
>Sorry if this is off topic, but if it saves anyone it is worth it.
>
>There is a new strain of the love virus called VBS.NewLove.A. This one is
>vicious. Here is the write up from Norton.
>
>Mark
>
>Technical description:
>
>This polymorphic Loveletter variant will overwrite ALL files that are not
>currently in use regardless of extension. It arrives as an email message
>with a subject of "FW: FILENAME.EXT" and an attachment named
>"FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's
>recently opened documents list.) The body of the email is empty. If no
>documents have been used recently, this name is randomly generated. If the
>message has been generated by a system running Windows NT or Windows 2000,
>then the filename will be omitted and the subject of the message will be
>"FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file
>extension will vary depending on the recently opened documents list of
>infected machines.)
>
>Removal:
>
>The contents of all files will be deleted, leaving the affected files with
a
>byte length of zero. The worm will also append the extension '.vbs' to each
>of these files. For example, the file calc.exe will become calc.exe.vbs.
>Since this worm overwrites all files regardless of extension, proper
removal
>can only be achieved by restoring the affected files from known clean
>backups.
>
>
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html
>to be removed from this list.
________________________________
You want it? We've got it!
http://home.paperwork.com
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
