RE: [Declude.JunkMail] VIRUS WARNING
What Matt said... Plus, a customer viewing a hostile message will not infect your server; the hypothetical infected .jpg file would simply be served up as a file and would not be "executed" on the server, just on the client that views the image.

On the other hand, one of your own technicians could have read a hostile message via webmail while on the server, which WOULD infect the server. Particularly as most Declude mailservers don't have a real time virus scanner, just the on-demand scanner for Declude Virus.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kim Premuda
> Sent: Wednesday, August 17, 2005 5:43 AM
> To: Declude.JunkMail@declude.com
> Subject: RE: [Declude.JunkMail] VIRUS WARNING
>
> To all...
>
> I posted this warning to the IMail list as well as the Declude list, and someone responded with the following link on August 16th:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
>
> Symantec has more precise information regarding the worm than I can offer (in fact, they posted some not-so-obvious registry changes we did not find), and they report that other antivirus companies are now aware of this problem.
>
> I believe we were infected by this worm early on August 15th, before any of the virus companies had a block/fix for it. I was just trying to get the word out to others to spare them the 2 days of frustration we went through tracking this down.
>
> Although I do not know exactly how we got the worm, I can only surmise that one of our customers opened an HTML page containing a *.jpg file containing the worm which takes advantage of the Plug and Play functionality of Windows (see Symantec explanation). Last night, our local news in San Diego reported that the city's entire network was brought down by this worm as well as some local companies. They went on to say that the worm was extremely virulent and just viewing the HTML page was enough to trigger it.
>
> Once infected, the worm was opening port scans throughout our network creating a data traffic storm, thus bringing our network to a crawl.
>
> Needless to say, we made certain all our servers were up to date with Microsoft patches.
>
> I hope this helps!
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA

---
[This E-mail scanned for viruses by Declude Virus]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] VIRUS WARNING
Kim,

This most likely wasn't from an infected JPG. This vulnerability is attacked through TCP ports:

Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

...

Block TCP ports 139 and 445 at the firewall: These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.

Patching is of course necessary, but you might think about doing some port blocking on your router and creating walls (ACL's & VLAN's) between your customers' equipment and your own. Generally speaking, there are less than 10 ports that need to be opened in order to provide full hosting and E-mail services, and you would be much less likely to get worms.

Matt

Kim Premuda wrote:

> To all...
>
> I posted this warning to the IMail list as well as the Declude list, and someone responded with the following link on August 16th:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
>
> Symantec has more precise information regarding the worm than I can offer (in fact, they posted some not-so-obvious registry changes we did not find), and they report that other antivirus companies are now aware of this problem.
>
> I believe we were infected by this worm early on August 15th, before any of the virus companies had a block/fix for it. I was just trying to get the word out to others to spare them the 2 days of frustration we went through tracking this down.
>
> Although I do not know exactly how we got the worm, I can only surmise that one of our customers opened an HTML page containing a *.jpg file containing the worm which takes advantage of the Plug and Play functionality of Windows (see Symantec explanation). Last night, our local news in San Diego reported that the city's entire network was brought down by this worm as well as some local companies. They went on to say that the worm was extremely virulent and just viewing the HTML page was enough to trigger it.
>
> Once infected, the worm was opening port scans throughout our network creating a data traffic storm, thus bringing our network to a crawl.
>
> Needless to say, we made certain all our servers were up to date with Microsoft patches.
>
> I hope this helps!
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA
RE: [Declude.JunkMail] VIRUS WARNING
To all...

I posted this warning to the IMail list as well as the Declude list, and someone responded with the following link on August 16th:

http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html

Symantec has more precise information regarding the worm than I can offer (in fact, they posted some not-so-obvious registry changes we did not find), and they report that other antivirus companies are now aware of this problem.

I believe we were infected by this worm early on August 15th, before any of the virus companies had a block/fix for it. I was just trying to get the word out to others to spare them the 2 days of frustration we went through tracking this down.

Although I do not know exactly how we got the worm, I can only surmise that one of our customers opened an HTML page containing a *.jpg file containing the worm which takes advantage of the Plug and Play functionality of Windows (see Symantec explanation). Last night, our local news in San Diego reported that the city's entire network was brought down by this worm as well as some local companies. They went on to say that the worm was extremely virulent and just viewing the HTML page was enough to trigger it...

Once infected, the worm was opening port scans throughout our network creating a data traffic storm, thus bringing our network to a crawl.

Needless to say, we made certain all our servers were up to date with Microsoft patches.

I hope this helps!

--
Kim W. Premuda
FastWave Internet Services
San Diego, CA
RE: [Declude.JunkMail] VIRUS WARNING
> Before rebooting my server I always RENAME a dangerous file...

..maybe this will not work as long as the processes run and can't be stopped in the task manager.

But if possible I too rename the original malware file and create a new one (new empty textfile renamed to the previous filename). Then set it to read only. If the malware resides somewhere else and will try to restore the original file if it was deleted by some virus/spyware-scanner this should help preventing a new infection.

Markus
Re: [Declude.JunkMail] VIRUS WARNING
Hi,

A slight addendum to your instructions.

> [.]
> Then reboot the server. After rebooting, you will now be able to delete the two offending files. They are located in:
>
>     c:\winnt\system32\mousebm.exe
>     c:\winnt\system32\mousesync.exe

Before rebooting my server I always RENAME a dangerous file which I am not able to delete. Renaming has always worked so far in cases where I am not able to delete a file. That way if I miss a reg key, or don't want to go hunting for all keys which launch a virus/trojan/etc., I can still disable it and remove it.

p.s. You wrote no virusscanner found it yet, you did report this virus to your virus vendor didn't you?

Groetjes,

Bonno Bloksma
RE: [Declude.JunkMail] VIRUS WARNING
Hi,

It's the IRC virus. Seems that you don't have MS05-039 missing:

http://www.internetsecurity.fi/v-descs/ircbot_es.shtml

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, August 16, 2005 06:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] VIRUS WARNING

Thanks for the heads up, Kim.

If you still have the files, you can do a couple more things to help the wider community:

Password protect them in a zip file and submit the samples to:

The handlers at the SANS Internet Storm Center, who love to chase down new malware and will share with vendors:
http://isc.sans.org/

This free webform that will check multiple antivirus vendors' current signatures (submit them one executable at a time):
http://www.virustotal.com/

The open source CLAM team, which will add to their database and submit your samples to other vendors:
http://www.clamav.com/

For the most detail, submit the malware you've found to the Norman sandbox, which will email you a report of what the executable does (if it's hostile, it will advise you to forward the message plus the malware to their antivirus submission email address):
http://sandbox.norman.no/live.html

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kim Premuda
> Sent: Tuesday, August 16, 2005 3:13 PM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] VIRUS WARNING
>
> VIRUS WARNING
> -------------
>
> For the past 2 days, our server that runs IMail was bringing the rest of our network to a crawl. If we disconnected this server from the network, then the network would restore to normal. Just in case anyone else is having network problems, this may be the cause. Here's what we did to fix it.
>
> In the Windows Task Manager, look for either of two programs/processes:
>
>     mousebm.exe
>     mousesync.exe
>
> You will not be able to end these processes from Task Manager. You must first open the Registry Editor and search for the following folders and delete them:
>
>     HKLM/System/ControlSet001/Services/Mousebm
>     HKLM/System/ControlSet001/Services/Mousesync
>
>     HKLM/System/ControlSet002/Services/Mousebm
>     HKLM/System/ControlSet002/Services/Mousesync
>
> Then reboot the server. After rebooting, you will now be able to delete the two offending files. They are located in:
>
>     c:\winnt\system32\mousebm.exe
>     c:\winnt\system32\mousesync.exe
>
> If you find that the offending files re-appear in the Task Manager, look for the following file and delete it:
>
>     c:\winnt\system32\i
>
> You will then have to repeat the above steps again.
>
> We searched Trend Micro, Symantec, McAfee, and Google for these files, but none of these web sites had any information on them. Perhaps, this virus has not yet been identified by them.
>
> Good luck!
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA
RE: [Declude.JunkMail] VIRUS WARNING
Thanks for the heads up, Kim.

If you still have the files, you can do a couple more things to help the wider community:

Password protect them in a zip file and submit the samples to:

The handlers at the SANS Internet Storm Center, who love to chase down new malware and will share with vendors:
http://isc.sans.org/

This free webform that will check multiple antivirus vendors' current signatures (submit them one executable at a time):
http://www.virustotal.com/

The open source CLAM team, which will add to their database and submit your samples to other vendors:
http://www.clamav.com/

For the most detail, submit the malware you've found to the Norman sandbox, which will email you a report of what the executable does (if it's hostile, it will advise you to forward the message plus the malware to their antivirus submission email address):
http://sandbox.norman.no/live.html

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kim Premuda
> Sent: Tuesday, August 16, 2005 3:13 PM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] VIRUS WARNING
>
> VIRUS WARNING
> -------------
>
> For the past 2 days, our server that runs IMail was bringing the rest of our network to a crawl. If we disconnected this server from the network, then the network would restore to normal. Just in case anyone else is having network problems, this may be the cause. Here's what we did to fix it.
>
> In the Windows Task Manager, look for either of two programs/processes:
>
>     mousebm.exe
>     mousesync.exe
>
> You will not be able to end these processes from Task Manager. You must first open the Registry Editor and search for the following folders and delete them:
>
>     HKLM/System/ControlSet001/Services/Mousebm
>     HKLM/System/ControlSet001/Services/Mousesync
>
>     HKLM/System/ControlSet002/Services/Mousebm
>     HKLM/System/ControlSet002/Services/Mousesync
>
> Then reboot the server. After rebooting, you will now be able to delete the two offending files. They are located in:
>
>     c:\winnt\system32\mousebm.exe
>     c:\winnt\system32\mousesync.exe
>
> If you find that the offending files re-appear in the Task Manager, look for the following file and delete it:
>
>     c:\winnt\system32\i
>
> You will then have to repeat the above steps again.
>
> We searched Trend Micro, Symantec, McAfee, and Google for these files, but none of these web sites had any information on them. Perhaps, this virus has not yet been identified by them.
>
> Good luck!
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA
RE: [Declude.JunkMail] Virus Warning - Netsky.b@mm
I blocked it with Declude JunkMail using this in a "myfilter":

    BODY 15 CONTAINS TVqQAAME//8AAL
    BODY 15 CONTAINS UEsDBAoAAI2aUjBdbrA

Thanks,

Chris Patterson, CCNA
Network Engineer
Rapid Systems
(813)232-4887 Ext. 112
[EMAIL PROTECTED]

"Managed Spam Filtering and Anti-Virus Protection for Your Internet Service - Available Today from Rapid Systems"

-----Original Message-----
From: Doug Anderson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 18, 2004 3:20 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Virus Warning - [EMAIL PROTECTED]

New ONE Moving fast!

Virus Warning - [EMAIL PROTECTED]
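An added check, not from Chris's post or from Declude itself: before deploying a body-string rule like the two above it is worth decoding what the base64 fragments actually match. "TVqQ" is the base64 of the MZ magic that begins every DOS/PE executable and "UEsDBA" is the base64 of a ZIP local file header, so the rule fires on the first encoded line of an .exe or .zip attachment. The restored zero-byte runs (STANDARD_MZ_SIG, RESTORED_ZIP_SIG), the constructed sample body and the plain-substring reading of CONTAINS are assumptions of this example, marked in the code.

```python
import base64
import struct
from datetime import datetime

# The two "BODY 15 CONTAINS" strings exactly as posted to the list.
POSTED_SIGS = ["TVqQAAME//8AAL", "UEsDBAoAAI2aUjBdbrA"]

# Assumed reconstructions (not from the post): a normal DOS/PE header encodes to
# "TVqQAAMAAAAEAAAA//8AAL", and the ZIP string only parses as a ZIP entry when one
# "AAAA" (three zero bytes) is restored after "UEsDBAoA"; the posted strings look
# like those with runs of zero bytes dropped somewhere between sender and archive.
STANDARD_MZ_SIG = "TVqQAAMAAAAEAAAA//8AALgA"
RESTORED_ZIP_SIG = "UEsDBAoAAAAAAI2aUjBdbrA"

# Constructed sample: the first base64 line of an attachment as it sits in the
# message body, which is where a body-text filter has to find the string.
SAMPLE_BODY = ("Content-Transfer-Encoding: base64\r\n\r\n"
               "TVqQAAME//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n")

def decode_prefix(sig: str) -> bytes:
    """Decode a base64 fragment, dropping any incomplete trailing quartet."""
    return base64.b64decode(sig[: len(sig) - len(sig) % 4])

def magic_of(data: bytes) -> str:
    """Name the container implied by the first bytes of a decoded attachment."""
    if data.startswith(b"MZ"):
        return "MZ executable"           # "TVqQ" is base64 for b"MZ\x90"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP local file header"   # "UEsDBA" is base64 for b"PK\x03\x04"
    return "unknown"

def parse_zip_local_header(data: bytes) -> dict:
    """Read version, flags, compression method and the packed MS-DOS timestamp
    from the first 14 bytes of a ZIP local file header."""
    sig, ver, flags, method, t, d = struct.unpack_from("<4sHHHHH", data, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    when = datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    return {"version": ver, "flags": flags, "method": method, "datetime": when}

def body_matches(body: str, sigs=POSTED_SIGS) -> list:
    """Emulate the rule as a plain substring search (Declude's own CONTAINS
    semantics are not asserted here): which posted strings occur in the body?"""
    return [s for s in sigs if s in body]

if __name__ == "__main__":
    for sig in POSTED_SIGS:
        print(sig, "->", magic_of(decode_prefix(sig)))
    print(parse_zip_local_header(decode_prefix(RESTORED_ZIP_SIG)))
    print("sample body matches:", body_matches(SAMPLE_BODY))
    # A generic PE header carries the MZ magic but not the posted exact string.
    print("generic header matches:", body_matches(STANDARD_MZ_SIG))
```

With the zero bytes restored, the ZIP header decodes as a stored (method 0) entry stamped 2004-02-18 19:20:26, the day this warning was posted, which is why such a rule catches that one sample and nothing compressed or built later.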