Beyond the question of who opened what with what....

This virus affects /only/ users of Microsoft Outlook who /have not
applied the vendor patch from (what appears to be) June 7, 2000/.

Folks, we are security professionals here. If a vendor supplies a
security patch, why would we not apply it? (Of course, we could have
the obligatory argument about why a security professional would use a
product with 'major' security issues... but that would not be helpful)

When there is a known security risk, and a patch is made available...
apply the patch. It will save you a lot of pain later.

Carl E. Mankinen writes:
> If you are running a firewall, you can run content security scanners like eSafe
> and strip script code from attachments etc. I think some of these products
> integrate with exchange as well.
>
> My Exchange admin says there is a $500 tool that works with exchange
> and strips all VBS code from attachments. Fine by me, I don't see a need
> to send SCRIPT code in emails...
>
> ----- Original Message -----
> From: "Matt Rogghe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 13, 2001 11:43 AM
> Subject: RE:
>
>
> > Just an interesting note here and maybe a request for feedback. I first
> > found the virus yesterday after I got back from lunch and had something like
> > 10-15 e-mails from the users here in my office... all the virus. Four users
> > here had opened the attachment before I could stop them. Since I had just,
> > minutes before, received those e-mails, I ran to the server and yanked the
> > connection between the firewall and the mail server.... deleted all outbound
> > e-mails from the exchange server queue (users will at least get a
> > non-delivery if it was genuine business).... cleaned off the PCs and then
> > re-connected the server.
> > Now, I work in a small office (~25 users) so I can do this sort of
> > thing with impunity where some of you guys in bigger
> > installations probably can't, but my real question here is: are there any
> > good Exchange virus/content scan agents out there? I took a look at a few a
> > short while back and again yesterday and was discouraged to note that not a
> > single one would identify the Kournikova virus unless you had updated the
> > software with a patch released sometime yesterday.... probably a little too
> > late. I suppose I could purchase one of these and simply quarantine any
> > .vbs/.js/any executable that came through until I looked at it, but I was
> > hoping for something a little more automated. Just a pipe dream? Any
> > products of note out there you guys have experience with?
> >
> > Thanks,
> > Matt Rogghe
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 13, 2001 10:53 AM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Matt Rogghe;
> > [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE:
> >
> >
> > I only meant that I use debug.
> >
> > > ----------
> > > From: Gibson, Brian
> > > Sent: 13 February 2001 15:42
> > > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
> > > [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: RE:
> > >
> > > Just curious but what exactly is the inherent risk in opening
> > > attachments in a text only editor? I often use a text editor to
> > > quickly review attachments for malicious intent. If they are binary
> > > files then I go with an analyzer but for script attacks why is a text
> > > editor a poor choice?
> > >
> > > If that wasn't your implication I apologize for misreading your
> > > statement.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, February 13, 2001 8:31 AM
> > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> > > [EMAIL PROTECTED]
> > > Subject: RE:
> > >
> > >
> > > Que?
> > >
> > > I was not complaining about the e-mail informing us that it was a
> > > 'nasty little script'. I was highlighting the point that a mailing
> > > list whose focus is IT Security was used to proliferate malware.
> > >
> > > Let me see if I have you straight here. OK, it's nice to see the A.V.
> > > and content analysis tools you have spent much resource on working as
> > > intended (Cheers for the sample guys). But you can't seriously be
> > > telling me that the fact that this script was (Apparently/allegedly)
> > > sent to every e-mail address in Mr Rollie's Address Book, and that it
> > > was forwarded on to all of us is a useful service?
> > >
> > > As one security professional to another. Even if it had no effect on
> > > any recipient. What would your response be when one of your company's
> > > customers calls up to complain about being sent a virus via e-mail
> > > from one of your users. Let me see if I can guess....
> > >
> > > To give you some comfort ( as you are obviously concerned for my well
> > > being ) Of course I don't trust attachments. I do examine suspicious
> > > attachments with something a little more sophisticated than Notepad
> > > (or is that vi).
> > >
> > > My apologies to all on the list. My mail was supposed to address what
> > > I considered to be a serious issue. My intention was not to flame the
> > > guys who run this list or to start a flame war on the list. However,
> > > I fear that may be the result.
> > >
> > > Liam.
> > >
> > > > ----------
> > > > From: Bill Royds
> > > > Sent: 13 February 2001 13:00
> > > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> > > > [EMAIL PROTECTED]
> > > > Subject: RE:
> > > >
> > > > Actually that message was very useful to me. It gave me early
> > > > warning about the virus by showing that it leaked through our email
> > > > anti-virus and the code gave me some strings to scan for on our IDS.
> > > > As a security professional, I never execute anything I get in
> > > > email, but I do examine it with text only tools to look for
> > > > problems. Don't you
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > [EMAIL PROTECTED]
> > > > Sent: Tuesday, February 13, 2001 06:03
> > > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > > Subject: RE:
> > > > Importance: High
> > > >
> > > >
> > > > I have to say that it is a pretty sad state of affairs when a
> > > > mailing list that is dedicated to IT security issues falls foul of
> > > > this type of problem.
> > > >
> > > > Is there any need to allow attachments on this forum?
> > > >
> > > > I assume that there is some form of content analysis performed on
> > > > the traffic through this list.....?
> > > >
> > > > I would assume that most people on this list have some form of
> > > > content analyser implemented on their mail gateway. I would further
> > > > assume that if you were not covered when the first VBS was
> > > > distributed then you were pretty soon afterwards ( weren't you? ).
> > > > This is the responsible thing to do. I am sure that the guys who
> > > > run this list would think so too.
> > > >
> > > > I know that this list is run (pretty smoothly) as a free service to
> > > > us and the relevant T&Cs are in place, but people have been put on
> > > > RBL for less.
> > > > Is there a cheap and simple method you guys could implement by
> > > > which attachments could be prohibited on this list?
> > > >
> > > > Cheers, Liam.
> > > >
> > > > > ----------
> > > > > From: Matt Rogghe
> > > > > Sent: 12 February 2001 20:55
> > > > > To: 'Gary Rollie'; [EMAIL PROTECTED]
> > > > >
> > > > > That last post to here was a nasty little replicator script.
> > > > > Looks like it's just hitting the global address list so far on
> > > > > the exchange server.
> > > > > -
> > > > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > > "unsubscribe firewalls" in the body of the message.]
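
Added example, not part of the original thread: the gateway rule Matt describes (hold any .vbs/.js/executable attachment until someone has looked at it), written in Python with the standard `email` package. The extension list beyond .vbs/.js, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# .vbs/.js come from the thread; the other script and executable
# extensions are an assumed list for illustration.
BLOCKED_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def risky_attachments(raw_bytes):
    """Return the attachment filenames whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the last extension decides how Windows opens the file, so
        # "picture.jpg.vbs" is a script. Trailing dots and spaces are
        # dropped first because Windows discards them on save.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in BLOCKED_EXT:
            hits.append(name)
    return hits


def verdict(raw_bytes):
    """Return 'quarantine' if any attachment is blocked, else 'deliver'."""
    return "quarantine" if risky_attachments(raw_bytes) else "deliver"


def build_sample(filename):
    """Build a constructed one-attachment message (not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "list@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"constructed payload", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("picture.jpg.vbs", "report.pdf", "NOTES.JS", "run.exe."):
        print(fn, "->", verdict(build_sample(fn)))
```

A rule keyed on the filename does not depend on a signature update, which is the gap Matt ran into; it will not catch a script renamed to an allowed extension or packed inside an archive.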
