So far, we have stopped two instances of the Frethem.E variant of this
virus.  However, we use a slightly different security model than some of
you folks do.  Our mail relay box is a Linux box, running Qmail.  We block
quite a list of file extensions at that point.  Now, whether it's because
of the Linux part or the Qmail part, our mail relayer sees through the
extension spoofing that these particular viruses employ.

We have updated all of our IE deployments to patch the vulnerability
employed by this virus.  The BadTrans, Klez and SirCam viruses all use this
same blended threat mechanism.

Keep in mind, however, that while your GS is not scanning attachments because
they are several layers deep in the forwarding process, your GS is
probably also not scanning attachments that appear to be different file
types than they really are, due to extension spoofing.

All of these viruses allow attached files to look as if they are a different
file type.  For example, you are blocking .exe files, but due to certain
vulnerabilities, the attachment appears as a .wav file to a Windows machine,
and since you're not blocking .wav files, it lets it through.  When the worm
arrives by email, it uses both an IFRAME exploit and a MIME exploit, which
allow the virus to be executed when you read or even preview the file.
Information and a patch for the MIME exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.  The
Frethem.E write-up can be found at
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.frethem.e@mm.html

Jim Blunt

-----Original Message-----
From: Mellott, Bill [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 5:29 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Note: do not assume the WS product will catch the EXE.
If it is in the first layer then yes, likely it will.

BUT if it happens to be in 2 or more layers (by layer I mean FW > FW, etc.)
it will miss it...every time....

But yes GS should then get it...if it's working right ;-)

bill
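Jim's point about extension spoofing and Bill's point about attachments buried several forwarding layers deep, as an added example (not code from anyone in this thread, nor from WebShield, GroupShield or any other product): a Python script that walks every MIME layer of a message, descending into nested message/rfc822 forwards, and flags any part whose declared Content-Type, filename extension and leading bytes disagree with each other. The sample messages are constructed here to mirror what Peter described (Content-Type audio/x-midi carrying an attachment named decrypt-password.exe), forwarded twice; the extension list, the MZ magic check and the set of auto-open media types are assumptions of this example, not vendor signatures.

```python
"""Walk every MIME layer of a message and flag disguised executables.

Added example, not code from the list thread or any vendor product.  The
MIME handling is the Python standard library's; the heuristics below
(extension list, MZ magic, auto-open types) are assumptions for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run when opened (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Media types an unpatched (MS01-020) IE/Outlook would open automatically
# from the preview pane, which is why worms label executables this way.
AUTO_OPEN_TYPES = {"audio/x-midi", "audio/midi", "audio/x-wav", "audio/wav"}


def extension(name):
    """Lower-cased final extension of a filename, or '' if there is none."""
    name = name or ""
    return name[name.rfind("."):].lower() if "." in name else ""


def scan(msg, depth=0):
    """Return findings for msg and everything nested inside it.

    depth counts the message/rfc822 (forwarded-message) layers crossed to
    reach a part; a gateway that only inspects depth 0 never sees the
    payload of a mail that has been forwarded as an attachment.
    """
    findings = []
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        for inner in msg.get_payload():          # one nested message object
            findings.extend(scan(inner, depth + 1))
        return findings
    if msg.is_multipart():
        for sub in msg.get_payload():
            findings.extend(scan(sub, depth))
        return findings

    # Leaf part: compare what the headers claim with what the bytes are.
    name = msg.get_filename() or ""
    data = msg.get_payload(decode=True) or b""
    ext = extension(name)
    is_pe = data[:2] == b"MZ"                    # DOS/Windows executable header
    reasons = []
    if ext in EXECUTABLE_EXTS and not ctype.startswith("application/"):
        reasons.append("executable extension %s declared as %s" % (ext, ctype))
    if is_pe and not ctype.startswith("application/"):
        reasons.append("MZ header declared as %s" % ctype)
    if is_pe and ext not in EXECUTABLE_EXTS:
        reasons.append("MZ header behind non-executable name %r" % name)
    if ctype in AUTO_OPEN_TYPES and (is_pe or ext in EXECUTABLE_EXTS):
        reasons.append("MS01-020-style auto-open type carrying an executable")
    if reasons:
        findings.append({"depth": depth, "filename": name,
                         "content_type": ctype, "reasons": reasons})
    return findings


def scan_bytes(raw):
    """Parse a raw RFC 822 message and scan it."""
    return scan(email.message_from_bytes(raw, policy=policy.default))


# ---- constructed samples (not real worm bodies) ---------------------------
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."


def build_forwarded_sample():
    """The worm mail as Peter described it, forwarded twice as an attachment."""
    original = EmailMessage()
    original["Subject"] = "Re: Your Password!"
    original.set_content("See attachment.")
    original.add_attachment(FAKE_PE, maintype="audio", subtype="x-midi",
                            filename="decrypt-password.exe")
    first_fwd = EmailMessage()
    first_fwd["Subject"] = "FW: Re: Your Password!"
    first_fwd.set_content("Is this a virus?")
    first_fwd.add_attachment(original)           # becomes a message/rfc822 part
    second_fwd = EmailMessage()
    second_fwd["Subject"] = "FW: FW: Re: Your Password!"
    second_fwd.set_content("Forwarding to the helpdesk.")
    second_fwd.add_attachment(first_fwd)
    return second_fwd.as_bytes()


def build_renamed_sample():
    """Executable bytes shipped under a .wav name and a matching clean type."""
    msg = EmailMessage()
    msg["Subject"] = "listen to this"
    msg.set_content("Nice tune.")
    msg.add_attachment(FAKE_PE, maintype="audio", subtype="x-wav",
                       filename="tune.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_forwarded_sample(), build_renamed_sample()):
        for finding in scan_bytes(raw):
            print(finding)
```

The first sample only trips the check at depth 2, which is exactly the case Bill warns a first-layer-only scanner misses; the second shows why blocking on the filename extension alone is not enough, since the MZ header is the only thing that gives tune.wav away.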

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 7:22 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-----Original Message-----
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


> -----Original Message-----
> From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 11, 2002 1:22 PM
> To: Exchange Discussions
> Subject: Possible New Virus?
> 
> 
> Hi All,
> I've seen several messages coming in this morning with the 
> subject line Re: Your Password!, an attachment named 
> decrypt-password.exe, and the same Content-Type: audio/x-midi 
> that Klez uses to auto-run. The messages are 50k or so in 
> size. Is anyone else seeing this? My usual virus info sources 
> don't have anything on it.
> 
> -Peter
> 
> 
> ______________________________________________
> This message is private or privileged.  If you are not the
> person for whom this message is intended, please delete it
> and notify me immediately, and please do not copy or send
> this message to anyone else. 
> 
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 
