Title: RE: Another F(*&^ virus! (OT)

I haven't worked with any of the other packages, so I can't compare.  It seems to do ok, although they don't have any "ALERT" system, and always seem to be the last to get a definition out. I still don't know if they have the Vote virus covered.

They automatically create a logon script to push the defs to the desktop, so as long as you make sure the server gets updated before everyone logs on it works fine.  Our work hours make this a non-issue.  Remote users have a problem with the speed.

I do know that I gave up on active desktop scanning.  It slowed my workstations down too much.  I've been lucky that my folks get a lot of e-mail, but aren't big on downloading files.   So I'm scanning Exchange and Outlook.  Personally, I think way too many of the virii are being caught at the desktop rather than the Exchange server.  They also have no filtering/blocking.

As soon as I can free up some money I'll most likely dump the Panda for Exchange and get Sybari.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)



A little off the topic here, but how do you find Panda?  We use Norton AV
for desktop and server protection, but have Panda for Lotus Notes
protection (I think it's a good idea to have a double layer sometimes).
Panda was suggested by our Notes Admin guy, and it has not worked correctly
since!  Currently it is only running on one of our 4 Notes servers, and I
don't think it is doing too well there!  I'm about ready to dump it, and
have put Norton on the other Notes servers to make sure they are covered.
Anyone else out there use Panda, and would actually recommend it?

G.


-----Original Message-----
From: RZorz@ScottsdaleChamber.com
Sent: 25/09/2001 13:51
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Subject: RE: Another F(*&^ virus!
Please respond to "NT System Admin Issues"

Actually one of my users sent that to me. I use Panda, which of course once
again seems to be the last to know.
     -----Original Message-----
     From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
     Sent: Monday, September 24, 2001 4:03 PM
     To: NT System Admin Issues
     Subject: RE: Another F(*&^ virus!

     According to SARC, updating your definitions will detect this worm.
     Although, the latest update I get is dated Sep. 20. What's the scoop?
          -----Original Message-----
          From: [EMAIL PROTECTED]
          [mailto:[EMAIL PROTECTED]]
          Sent: Monday, September 24, 2001 4:37 PM
          To: NT System Admin Issues
          Subject: Another F(*&^ virus!




          Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
          Name of attachment: WTC.exe
          Size of attachment: 55808 Bytes


          Symantec Security Response
          http://securityresponse.symantec.com

          W32.Vote.A@mm
          Discovered on: September 24, 2001
          Last Updated on: September 24, 2001 at 09:56:27 AM PDT


          W32.Vote.A@mm is a mass-mailing worm that is written in Visual
          Basic. When executed, it will email itself out to all email
          addresses in the Microsoft Outlook address book. The worm will
          insert two .vbs files on the system, and it will also attempt to
          delete files from several antivirus products.


          Type: Worm


          Infection Length: 55,808 Bytes


          Virus Definitions: September 24, 2001


          Threat Assessment:



          Wild: Low
          Damage: High
          Distribution: High



          Wild:


          Number of infections: 0 - 49
          Number of sites: 3 - 9
          Geographical distribution: Medium
          Threat containment: Moderate
          Removal: Moderate
          Damage:


          Payload:
          Large scale e-mailing: Emails everyone in the Microsoft Outlook
          addressbook
          Deletes files: After reboot, the worm attempts to delete all
          files in the Windows folder
          Modifies files: All files with the extension "htm" or "html" will
          be overwritten.
          Compromises security settings: If the Backdoor.Trojan was
          successfully downloaded and installed, anyone could gain full
          access to the computer.


          Distribution:


          Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
          Name of attachment: WTC.exe
          Size of attachment: 55808 Bytes


          Technical description:


          W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
          language. It requires the file Msvbvm50.dll to execute.


          When executed, the worm will attempt to email itself to all
          contacts in the Microsoft Outlook address book. The email will
          appear as follows.


          Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!


          Message:
          Hi
          iS iT A waR Against AmeriCa Or IsLaM !?
          Let's Vote To Live in Peace!


          Attachment: WTC.EXE


          Next, the worm will insert two .vbs files on the system:





          \<Windows folder>\ZaCker.vbs
          \<Windows\System folder>\MixDaLaL.vbs


          In addition, the worm will attempt to download and execute a
          file. This file is detected as Backdoor.Trojan by Norton
          Antivirus.


          Finally, the worm will attempt to delete all files from several
          folders. These folders appear to be the default installation
          folders for several antivirus products. For Norton AntiVirus,
          this worm will only attempt to delete the files if Norton
          Antivirus is located in C:\Program Files\Norton AntiVirus.


          What the dropped files do


          MixDaLaL.vbs
          MixDaLaL.vbs is a Visual Basic Script file that is inserted in
          the \Windows\System folder. This file is executed by the worm. As
          the file is executed, it will look through all folders on all
          fixed drives and network drives for files with the extensions
          .htm or .html. If such files are found, they are overwritten
          with the message:


          AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our
          Turn >>> ZaCkEr is So Sorry For You


          ZaCker.VBS
          This file is inserted in the \Windows\System folder. It is not
          executed by the worm. Instead, the value


          Norton.Thar \Windows\System\ZaCker.vbs


          is added to the registry key


          HKEY_LOCAL_MACHINE\Microsoft\
          Windows\CurrentVersion\Run


          so that the file is executed when you start Windows.


          When executed at the next restart, this file will attempt to
          delete all files in the \Windows folder. Next, the worm will
          create or overwrite the file C:\Autoexec.bat. Inside the file
          there will be a command that formats the C drive. The
          Autoexec.bat file is executed on Windows 95/98/Me and DOS systems
          when you start the computer.


          Finally, the worm will display the message






          The worm does attempt to shut down Windows after the message has
          been displayed. However, because the files required for this
          event to occur have been deleted from the \Windows folder, the
          computer probably will not shut down.





          Removal instructions:





          1. Run LiveUpdate to make sure that you have the most recent
          virus definitions.
          2. Start Norton AntiVirus (NAV), and make sure that NAV is
          configured to scan all files. For instructions on how to do this,
          read the document How to configure Norton AntiVirus to scan all
          files.


          3. Run a full system scan.
          4. Delete all files that are detected as W32.Vote.A@mm. If the
          worm has run and Norton AntiVirus is installed in C:\Program
          Files\Norton AntiVirus, you should reinstall Norton Antivirus.


          5. If the computer has been rebooted after the infection, or if
          the computer seems very unstable, it is recommended that you
          reinstall the operating system.






          Additional information:


          If the Backdoor.Trojan was successfully installed on the
          computer, it is possible that your system has been accessed
          remotely by an unauthorized user. For this reason it is
          impossible to guarantee the integrity of a system that has had
          such an infection. The remote user could have made changes to
          your system, including but not limited to the following:





          Stealing or changing passwords or password files
          Installing remote-connectivity host software, also known as
          backdoors
          Installing keystroke logging software
          Configuring of firewall rules
          Stealing of credit card numbers, banking information, personal
          data, and so on
          Deletion or modification of files
          Sending of inappropriate or even incriminating material from a
          customer's email account
          Modifying access rights on user accounts or files
          Deleting information from log files to hide such activities


          If you need to be certain that your organization is secure, you
          must reinstall the operating system, and restore files from a
          backup that was made before the infection took place, and change
          all passwords that may have been on the infected computers or
          that were accessible from it. This is the only way to ensure that
          your systems are safe. For more information regarding security in
          your organization, contact your system administrator.





          Write-up by: Neal Hindocha








          Ray Zorz
          Information Technology Manager
          Scottsdale Area Chamber - The Business Alliance
          480-429-2241
          http://www.scottsdalechamber.com
          mailto:[EMAIL PROTECTED]


          http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
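The reply at the top of the thread complains that the Exchange-side product has no filtering/blocking and that too many of these worms are caught at the desktop rather than at the mail server. Below is an added example of the gateway-side check that would have stopped W32.Vote.A@mm before delivery; it is not code from the list, from Symantec, or from any of the products discussed. The subject, attachment name and 55808-byte size are the indicators quoted in the write-up; the policy of refusing executable attachment types outright, the address names, and the three sample messages are constructed for the example.

```python
"""Mail-gateway attachment filter for the W32.Vote.A@mm indicators quoted above.

Added example for this thread, not code from the list, Symantec, Panda or
Sybari. Blocking executable attachment types outright is an assumed policy;
the sample messages are constructed.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted in the Symantec write-up in the thread.
VOTE_SUBJECT = "Fwd:Peace BeTweeN AmeriCa and IsLaM!"
VOTE_ATTACHMENT = "wtc.exe"      # compared case-insensitively
VOTE_SIZE = 55808

# Assumed gateway policy: these attachment types never reach the desktop.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                      ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


def is_pe_image(data: bytes) -> bool:
    """Every Windows executable starts with the DOS 'MZ' stub, whatever it is named."""
    return data[:2] == b"MZ"


def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a raw RFC 822 message; [] means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}: {name}")
        elif is_pe_image(data):
            # The extension is sender-controlled; a renamed .exe still carries the MZ stub.
            reasons.append(f"executable content under non-executable name: {name}")
        if subject == VOTE_SUBJECT and name == VOTE_ATTACHMENT and len(data) == VOTE_SIZE:
            reasons.append("matches W32.Vote.A@mm indicators")
    return reasons


def build_message(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a one-attachment message (sample input, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"          # constructed addresses
    msg["To"] = "ntsysadmin@example.com"
    msg["Subject"] = subject
    msg.set_content("Hi\niS iT A waR Against AmeriCa Or IsLaM !?\nLet's Vote To Live in Peace!\n")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: the worm's envelope around a dummy 55808-byte PE-shaped
# body, a renamed executable, and a harmless text attachment.
VOTE_SAMPLE = build_message(VOTE_SUBJECT, "WTC.exe", b"MZ" + b"\x00" * (VOTE_SIZE - 2))
RENAMED_SAMPLE = build_message("quarterly report", "report.txt", b"MZ" + b"\x90" * 100)
CLEAN_SAMPLE = build_message("quarterly report", "report.txt", b"Q3 numbers attached\n")

if __name__ == "__main__":
    for label, sample in (("vote", VOTE_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, inspect_message(sample) or "deliver")
```

The signature match is the least useful of the three checks: it only fires on this one variant, which is the same lag the thread complains about with definition updates. The extension block and the MZ-stub check are what stop the next mass-mailer that arrives before any vendor has a definition for it.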
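The write-up's removal steps rely on the vendor's definitions; a quick host-side triage of the indicators it names (the dropped ZaCker.vbs and MixDaLaL.vbs, .htm/.html pages overwritten with the defacement text, an Autoexec.bat that formats C:, and the Norton.Thar value under the Run key) lets an admin confirm an infection on a box the scanner has not been updated on yet. The script below is an added example, not code from the thread, Symantec or Norton AntiVirus. The write-up abbreviates the registry path; the example uses the full key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The "format c:" pattern, the function names and the sample tree built by build_sample_tree() are constructed for the example.

```python
"""Host-side triage for the W32.Vote.A@mm footprint described in the write-up.

Added example, not code from the thread, Symantec or Norton AntiVirus. The
indicators come from the write-up; the format-command pattern and the sample
tree are constructed here.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

DROPPED_FILES = {"zacker.vbs", "mixdalal.vbs"}
DEFACEMENT = "AmeRiCa ...Few Days WiLL Show You What We Can Do !!!"
RUN_VALUE_NAME = "Norton.Thar"
# Assumption: the command the worm writes to Autoexec.bat begins "format c:".
FORMAT_RE = re.compile(r"^\s*format\s+c:", re.IGNORECASE | re.MULTILINE)


def assess_run_values(values: dict[str, str]) -> list[str]:
    """Flag the persistence value the worm adds under the Run key.

    `values` maps value name -> command data, as read from the key or from a
    .reg export. The name check is case-insensitive, and the data is also
    searched for ZaCker.vbs in case the value was renamed.
    """
    hits = []
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "zacker.vbs" in data.lower():
            hits.append(f"Run value {name!r} -> {data!r}")
    return hits


def read_run_values() -> dict[str, str]:
    """Read HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (full path;
    the write-up abbreviates it). Returns {} off Windows so the file checks still run."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


def triage_tree(root: Path) -> dict[str, list[str]]:
    """Walk `root` and collect the file-system indicators listed in the write-up."""
    findings = {"dropped": [], "defaced": [], "autoexec": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = Path(dirpath) / fn
            low = fn.lower()
            if low in DROPPED_FILES:
                findings["dropped"].append(str(path))
            elif low.endswith((".htm", ".html")):
                # Overwritten pages are tiny; decode as latin-1 so odd bytes never raise.
                head = path.read_bytes()[:4096].decode("latin-1")
                if DEFACEMENT in head:
                    findings["defaced"].append(str(path))
            elif low == "autoexec.bat":
                if FORMAT_RE.search(path.read_text(encoding="latin-1")):
                    findings["autoexec"].append(str(path))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: an infected-looking tree plus one intact page."""
    root = Path(tempfile.mkdtemp(prefix="vote_triage_"))
    (root / "windows" / "system").mkdir(parents=True)
    (root / "windows" / "system" / "ZaCker.vbs").write_text("' placeholder, not the worm\n")
    (root / "windows" / "system" / "MixDaLaL.vbs").write_text("' placeholder, not the worm\n")
    (root / "web").mkdir()
    (root / "web" / "index.htm").write_text(
        DEFACEMENT + " It's Our Turn >>> ZaCkEr is So Sorry For You")
    (root / "web" / "about.html").write_text("<html><body>intact page</body></html>")
    (root / "Autoexec.bat").write_text("@echo off\r\nformat c: /q\r\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
    print(assess_run_values(read_run_values()) or "no Run-key hit")
```

Run it against a mapped share or the local drive before rebooting a suspect machine: the write-up notes that the destructive part (deleting the Windows folder and writing the format command) only runs at the next restart, so a hit on the Run value or on Autoexec.bat while the box is still up is the moment to pull it off the network and rebuild, which is what the write-up recommends once the backdoor may have been installed.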