Title: RE: Another F(*&^ virus! (OT)

I finally got it to autoupdate for Exchange. But as I said earlier, I'm still not sure if they have Vote in their defs; their website doesn't get updated quickly enough and they don't send alerts.

-----Original Message-----
From: Hasan Dervish [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:19 AM
To: NT System Admin Issues
Subject: Re: Another F(*&^ virus! (OT)


I use Panda on BackOffice and BackOffice SBS.
The only problem I have seen is its inability to fully autoupdate in SBS, and
autoupdate Exchange Server in BackOffice.
----- Original Message -----
From: "Miranda, Fausto" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 2:57 PM
Subject: RE: Another F(*&^ virus! (OT)


> Dump it; I have never seen it work correctly.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 9:21 AM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus! (OT)
>
>
>
> A little off the topic here, but how do you find Panda?  We use Norton AV
> for desktop and server protection, but have Panda for Lotus Notes
> protection (I think it's a good idea to have a double layer sometimes).
> Panda was suggested by our Notes Admin guy, and it has not worked correctly
> since!  Currently it is only running on one of our 4 Notes servers, and I
> don't think it is doing too well there!  I'm about ready to dump it, and
> have put Norton on the other Notes servers to make sure they are covered.
> Anyone else out there use Panda, and would actually recommend it?
>
> G.
>
>
>
>
> From: RZorz@ScottsdaleChamber.com
> Date: 25/09/2001 13:51
> To: "NT System Admin Issues" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Another F(*&^ virus!
> Please respond to "NT System Admin Issues"
>
>
>
>
>
>
>
>
>
> Actually one of my users sent that to me. I use Panda, which of course once
> again seems to be the last to know.
>      -----Original Message-----
>      From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
>      Sent: Monday, September 24, 2001 4:03 PM
>      To: NT System Admin Issues
>      Subject: RE: Another F(*&^ virus!
>
>      According to SARC, updating your definitions will detect this worm.
>      Although, the latest update I get is dated Sep. 20. What's the scoop?
>           -----Original Message-----
>           From: [EMAIL PROTECTED]
>           [mailto:[EMAIL PROTECTED]]
>           Sent: Monday, September 24, 2001 4:37 PM
>           To: NT System Admin Issues
>           Subject: Another F(*&^ virus!
>
>
>
>
>           Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>           Name of attachment: WTC.exe
>           Size of attachment: 55808 Bytes
>
>
>           Symantec Security Response
>           http://securityresponse.symantec.com
>
>           W32.Vote.A@mm
>           Discovered on: September 24, 2001
>           Last Updated on: September 24, 2001 at 09:56:27 AM PDT
>
>
>           W32.Vote.A@mm is a mass-mailing worm that is written in Visual
>           Basic. When executed, it will email itself out to all email
>           addresses in the Microsoft Outlook address book. The worm will
>           insert two .vbs files on the system, and it will also attempt to
>           delete files from several antivirus products.
>
>
>           Type: Worm
>
>
>           Infection Length: 55,808 Bytes
>
>
>           Virus Definitions: September 24, 2001
>
>
>           Threat Assessment:
>
>
>
>           Wild: Low
>           Damage: High
>           Distribution: High
>
>
>
>           Wild:
>
>
>           Number of infections: 0 - 49
>           Number of sites: 3 - 9
>           Geographical distribution: Medium
>           Threat containment: Moderate
>           Removal: Moderate
>           Damage:
>
>
>           Payload:
>           Large scale e-mailing: Emails everyone in the Microsoft Outlook
>           addressbook
>           Deletes files: After reboot, the worm attempts to delete all
>           files in the Windows folder
>           Modifies files: All files with the extension "htm" or "html" will
>           be overwritten.
>           Compromises security settings: If the Backdoor.Trojan was
>           successfully downloaded and installed, anyone could gain full
>           access to the computer.
>
>
>           Distribution:
>
>
>           Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>           Name of attachment: WTC.exe
>           Size of attachment: 55808 Bytes
>
>
>           Technical description:
>
>
>           W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
>           language. It requires the file Msvbvm50.dll to execute.
>
>
>           When executed, the worm will attempt to email itself to all
>           contacts in the Microsoft Outlook address book. The email will
>           appear as follows.
>
>
>           Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>
>
>           Message:
>           Hi
>           iS iT A waR Against AmeriCa Or IsLaM !?
>           Let's Vote To Live in Peace!
>
>
>           Attachment: WTC.EXE
>
>
>           Next, the worm will insert two .vbs files on the system:
>
>
>
>
>
>           \<Windows folder>\ZaCker.vbs
>           \<Windows\System folder>\MixDaLaL.vbs
>
>
>           In addition, the worm will attempt to download and execute a
>           file. This file is detected as Backdoor.Trojan by Norton
>           Antivirus.
>
>
>           Finally, the worm will attempt to delete all files from several
>           folders. These folders appear to be the default installation
>           folders for several antivirus products. For Norton AntiVirus,
>           this worm will only attempt to delete the files if Norton
>           Antivirus is located in C:\Program Files\Norton AntiVirus.
>
>
>           What the dropped files do
>
>
>           MixDaLaL.vbs
>           MixDaLaL.vbs is a Visual Basic Script file that is inserted in
>           the \Windows\System folder. This file is executed by the worm. As
>           the file is executed, it will look through all folders on all
>           fixed drives and network drives for files with the extensions
>           .htm or .html. If such files are found, they are overwritten
>           with the message:
>
>
>           AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our
>           Turn >>> ZaCkEr is So Sorry For You
>
>
>           ZaCker.VBS
>           This file is inserted in the \Windows\System folder. It is not
>           executed by the worm. Instead, the value
>
>
>           Norton.Thar \Windows\System\ZaCker.vbs
>
>
>           is added to the registry key
>
>
>           HKEY_LOCAL_MACHINE\Microsoft\
>           Windows\CurrentVersion\Run
>
>
>           so that the file is executed when you start Windows.
>
>
>           When executed at the next restart, this file will attempt to
>           delete all files in the \Windows folder. Next, the worm will
>           create or overwrite the file C:\Autoexec.bat. Inside the file
>           there will be a command that formats the C drive. The
>           Autoexec.bat file is executed on Windows 95/98/Me and DOS systems
>           when you start the computer.
>
>
>           Finally, the worm will display the message
>
>
>
>
>
>
>           The worm does attempt to shut down Windows after the message has
>           been displayed. However, because the files required for this
>           event to occur have been deleted from the \Windows folder, the
>           computer probably will not shut down.
>
>
>
>
>
>           Removal instructions:
>
>
>
>
>
>           1. Run LiveUpdate to make sure that you have the most recent
>           virus definitions.
>           2. Start Norton AntiVirus (NAV), and make sure that NAV is
>           configured to scan all files. For instructions on how to do this,
>           read the document How to configure Norton AntiVirus to scan all
>           files.
>
>
>           3. Run a full system scan.
>           4. Delete all files that are detected as W32.Vote.A@mm. If the
>           worm has run and Norton AntiVirus is installed in C:\Program
>           Files\Norton AntiVirus, you should reinstall Norton Antivirus.
>
>
>           5. If the computer has been rebooted after the infection, or if
>           the computer seems very unstable, it is recommended that you
>           reinstall the operating system.
>
>
>
>
>
>
>           Additional information:
>
>
>           If the Backdoor.Trojan was successfully installed on the
>           computer, it is possible that your system has been accessed
>           remotely by an unauthorized user. For this reason it is
>           impossible to guarantee the integrity of a system that has had
>           such an infection. The remote user could have made changes to
>           your system, including but not limited to the following:
>
>
>
>
>
>           Stealing or changing passwords or password files
>           Installing remote-connectivity host software, also known as
>           backdoors
>           Installing keystroke logging software
>           Configuring of firewall rules
>           Stealing of credit card numbers, banking information, personal
>           data, and so on
>           Deletion or modification of files
>           Sending of inappropriate or even incriminating material from a
>           customer's email account
>           Modifying access rights on user accounts or files
>           Deleting information from log files to hide such activities
>
>
>           If you need to be certain that your organization is secure, you
>           must reinstall the operating system, and restore files from a
>           backup that was made before the infection took place, and change
>           all passwords that may have been on the infected computers or
>           that were accessible from it. This is the only way to ensure that
>           your systems are safe. For more information regarding security in
>           your organization, contact your system administrator.
>
>
>
>
>
>           Write-up by: Neal Hindocha
>
>
>
>
>
>
>
>
>           Ray Zorz
>           Information Technology Manager
>           Scottsdale Area Chamber - The Business Alliance
>           480-429-2241
>           http:\\www.scottsdalechamber.com
>           mailto:[EMAIL PROTECTED]
>
>
>           http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> Want to unsub? Do that here:
> http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
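
An interim mail-gateway check built from the indicators in the advisory quoted above (subject, attachment name, attachment size), for the window before antivirus definitions catch up. This is an added example, not part of the original thread or of any vendor's product; the function names and the constructed sample message are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory quoted in this thread.
VOTE_SUBJECT = "fwd:peace between america and islam!"
VOTE_ATTACHMENT = "wtc.exe"
VOTE_SIZE = 55808  # bytes


def vote_indicators(raw: bytes) -> list:
    """Return which W32.Vote.A@mm mail indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse whitespace and case so trivial reformatting does not evade the match.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject == VOTE_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == VOTE_ATTACHMENT:
            hits.append("attachment-name")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == VOTE_SIZE:
                hits.append("attachment-size")
    return hits


def should_quarantine(raw: bytes) -> bool:
    # Subject or attachment name alone is enough to hold the message for
    # review; the size match only raises confidence and is never required.
    return bool(vote_indicators(raw))


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message with a zero-filled attachment (not a real sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "list@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"\0" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
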
