FWIW I would just like to make a suggestion for those who may be wrestling with
viruses on a reg basis: make the case to management to block all incoming executables.
I made the case here and won it, and it has worked wonders. What is the vital
*business* purpose of executables? Ask them that if they object. Beyond some basic
issues of morale, no one could offer any real reasons. I block any kind of executable
attachment on the way in before I virus filter it, and it has saved us $$$ from
"missing out" on all the new variants that hit folks. Mgt likes that a lot. Morale is
fine btw. Everyone understands how important this is. If you can do it, my 2 cents is
to do it. If there is something critical that has to come in via email you can make
arrangements (have someone send you name.exe as name.txt for ex) The key thing IMHO
is removing the open door to social engineering exploits. No matter how many memos go
out about not opening unexpected attachments or those from strangers,
someone is always going to double click that thing IME. It's a relatively simple
matter to stop these things dead, and it is up to net admins and security personnel to
make it happen.
Thanks for listening, & Good luck out there!
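As an added example (not the poster's own setup), here is a gateway-side pre-filter of the kind described above: it inspects a MIME message before antivirus scanning and reports attachments that are executables, both by extension and by the Windows PE "MZ" header, so a renamed binary is caught as well. The extension list, the `check_magic` switch and the sample messages are assumptions constructed for this illustration; whether to keep the magic-byte check is a policy choice, since the rename arrangement the post mentions for agreed exceptions would trip it.

```python
"""Pre-AV attachment policy: reject executable attachments at the mail gateway.

Added example, not the poster's own configuration. The block list and the
sample messages are constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed block list of executable and script attachment extensions.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll",
}

# Windows PE files begin with the 'MZ' DOS header. Checking the bytes catches
# a real executable hiding under a harmless name (e.g. name.exe sent as
# name.txt), which an extension-only rule would let through.
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message: bytes, check_magic: bool = True):
    """Return a list of (filename, reason) for attachments that violate the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text, not an attachment
        ext = os.path.splitext(filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, f"blocked extension {ext}"))
            continue
        if check_magic:
            payload = part.get_payload(decode=True) or b""
            if payload[:2] == PE_MAGIC:
                findings.append((filename, "PE header (MZ) under non-executable name"))
    return findings


def should_reject(raw_message: bytes, check_magic: bool = True) -> bool:
    """True if the message carries at least one attachment the policy forbids."""
    return bool(attachment_verdicts(raw_message, check_magic))


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed sample message with one attachment, for demonstration only."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "some questions"
    m.set_content("see attached")
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("report.txt", b"plain text"),      # passes
        ("game.exe", b"MZ\x90\x00"),        # blocked by extension
        ("name.txt", b"MZ\x90\x00"),        # blocked by magic bytes only
    ]
    for name, body in samples:
        print(name, attachment_verdicts(build_sample(name, body)))
```

Run in front of the virus scanner, the filter costs nothing on the day a new variant appears, which is the point the post makes; the magic-byte check is the one knob to decide on if the organisation relies on the "send it as .txt" exception.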
>>> Fang Jin <[EMAIL PROTECTED]> 04/18/02 04:41AM >>>
New W32/Klez variants!!!
New variants of W32/Klez, variously referred to as G, H, K, have been spreading
at a slow but steady rate since the first was detected in the early hours
yesterday. The worm is still making progress and may corrupt files.
The Subject of the predominant variant has been changed to include one of
the following semi-random strings:
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
or the following fixed strings:
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Consequently, little can be hooked by lexical analysis. However, as a long
shot, a few of these may be added to worm.txt without too great a risk of
false positive results.
Attachment names and message body text are random.
Several anti-virus vendors detect the variant without the need for new
signature updates. However, we suggest that you check the capabilities of
your vendor and apply updates if necessary.
Links:
http://www.sophos.com/virusinfo/articles/klezh.html
http:[EMAIL PROTECTED]
ml
http://www.f-secure.com/v-descs/klez_h.shtml
http://www.kaspersky.com/news.html?id=560839
http://www.viruslist.com/eng/viruslist.html?id=4292
http://vil.nai.com/vil/content/v_99455.htm
http://www.norman.no/virus_info/w32_klez_g_mm.shtml
http://antivirus.about.com/library/weekly/aa041702a.htm
http://www.messagelabs.com/viruseye/threatlist.asp
Fang Jin <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]point.com>
To: [EMAIL PROTECTED]
cc:
Subject: [FW-1] Help - malicious email
04/18/2002 03:50 PM
Please respond to Mailing list for discussion of Firewall-1
Hello,
We have received claims from other companies saying our staff is sending
bulk mails to them.
After investigation, we found the mail was not originated from our mail
server; our staff did not send such mail. Someone else in another bulkmail
domain sent out the mail with our company email address.
e.g. Other company staff received an email
sender: [EMAIL PROTECTED],
recipient: [EMAIL PROTECTED],
But aaa did not send out that mail. We noticed that the mail originator is
[EMAIL PROTECTED] instead of
[EMAIL PROTECTED]
What are the ways to stop such prank?
Thanks in advance.
Jin
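The advisory above lists the Klez subject strings and suggests that a few of them could go into worm.txt with some false-positive risk. As an added example (not part of the advisory and not any vendor's worm.txt), the following subject pre-filter turns the semi-random forms into patterns, matches the fixed strings exactly, and routes the ones that are plausible in legitimate mail ("how are you", "meeting notice" and the like) to review rather than blocking them outright. The review list and the single-word interpretation of "[Random word]" are assumptions.

```python
"""Subject-line pre-filter for the W32/Klez subjects quoted in the advisory.

Added example, not part of the advisory. The REVIEW_ONLY set and the
[Random word] pattern are assumptions made for this illustration.
"""
import re

# Fixed subject strings from the advisory, lowercased for comparison.
KLEZ_FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the garden of eden", "introduction on adsl",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl vs playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
}

# Semi-random forms, with each [Random word] assumed to be one alphabetic word.
WORD = r"[a-z]+"
KLEZ_PATTERNS = [
    re.compile(rf'^(undeliverable|returned) mail--"{WORD}"$'),
    re.compile(rf"^a {WORD} {WORD} (game|tool|website|patch)$"),
    re.compile(rf"^{WORD} removal tools$"),
]

# Subjects common enough in ordinary mail that blocking them would produce
# the false positives the advisory warns about; flag these for review only.
REVIEW_ONLY = {
    "how are you", "meeting notice", "questionnaire", "congratulations",
    "some questions", "your password", "please try again",
}


def normalize(subject: str) -> str:
    """Collapse whitespace and lowercase so the lists compare reliably."""
    return " ".join(subject.strip().split()).lower()


def classify_subject(subject: str) -> str:
    """Return 'block', 'review' or 'pass' for a message subject."""
    s = normalize(subject)
    if s in REVIEW_ONLY:
        return "review"
    if s in KLEZ_FIXED_SUBJECTS:
        return "block"
    if any(p.match(s) for p in KLEZ_PATTERNS):
        return "block"
    return "pass"


if __name__ == "__main__":
    # Constructed sample subjects for demonstration.
    for subj in ['Undeliverable mail--"Klez"', "a very nice game",
                 "Klez removal tools", "How are you", "Re: quarterly numbers"]:
        print(f"{subj!r}: {classify_subject(subj)}")
```

Attachment names and body text are random for this worm, so the subject is the only lexical hook left; treat the result as a triage signal next to the attachment policy and vendor signatures rather than a standalone block rule.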
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================