RE: Possible New Virus?

2002-06-13 Thread Blunt, James H (Jim)

So far, we have stopped two instances of the Frethem.E variant of this
virus.  However, we use a little bit different security model than some of
you folks do.  Our mail relay box is a Linux box, running Qmail.  We block
quite a list of file extensions at that point.  Now...whether it's because
of the Linux part or the Qmail part, our mail relayer sees through the
extension spoofing that these particular virii employ.

We have updated all of our IE deployments to patch the vulnerability
employed by this virus.  The BadTrans, Klez and SirCam viruses all use this
same blended threat mechanism.

Keep in mind however, that while your GS is not scanning attachments because
they are several layers deep in the forwarding process, that your GS is
probably also not scanning attachments that appear to be different file
types than they really are, due to extension spoofing.

All of these virii allow attached files to look as if they are a different
file type.  For example, you are blocking .exe files, but due to certain
vulnerabilities, the attachment appears as a .wav file to a Windows machine
and you're not blocking .wav files, so it lets it through.  When the worm
arrives by email, it uses both an IFRAME exploit and a MIME exploit, which
allow the virus to be executed when you read or even preview the file.
Information and a patch for the MIME exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.  The
Frethem.E write-up can be found at
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.frethem.e@mm.html

Jim Blunt

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 5:29 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Note do not assume the WS product will catch the EXE.
If it is in the first layer then yes likely it will. 

BUT if it happens to be in like 2 or more layers (layer..I mean FW 
FW..etc)
it will miss it...every time

But yes GS should then get it...if it's working right ;-)

bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 7:22 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 
 __
 This message is private or privileged.  If you are not the
 person for whom this message is intended, please delete it
 and notify me immediately, and please do not copy or send
 this message to anyone else. 
 
 
 
 _
 List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
 Archives:   http://www.swynk.com/sitesearch/search.asp
 To unsubscribe: mailto:[EMAIL PROTECTED]
 Exchange List admin:[EMAIL PROTECTED]
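
Added example (not part of the thread, and not how WebShield, GroupShield or the Qmail relay actually work): a Python gateway-side check for the two gaps discussed in the message above, an attachment whose declared Content-Type disagrees with its file name, and an attachment buried under forwarded (message/rfc822) layers. The blocked-extension list, the example.invalid addresses, the placeholder attachment bytes and all function names are assumptions made for this example; the subject, file name and Content-Type are the ones reported in the original question.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import collapse_rfc2231_value

# Assumed gateway policy for this example; not taken from the thread.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
PASSIVE_MAIN_TYPES = {"audio", "image", "video", "text"}


def _names(part):
    """Collect every file name a client could act on for this MIME part."""
    found = set()
    # Content-Disposition filename and Content-Type name may differ.
    for value in (part.get_filename(), part.get_param("name")):
        if value:
            found.add(collapse_rfc2231_value(value).strip().lower())
    return found


def _check(part, depth, findings):
    """Record a finding when a leaf part carries a blocked extension."""
    for name in sorted(_names(part)):
        # Trailing dots/spaces are ignored by Windows, so strip them first.
        ext = os.path.splitext(name.rstrip(". "))[1]
        if ext not in BLOCKED_EXT:
            continue
        reasons = ["blocked extension"]
        if part.get_content_maintype() in PASSIVE_MAIN_TYPES:
            reasons.append("declared type disagrees with extension")
        findings.append({
            "depth": depth,
            "name": name,
            "declared": part.get_content_type(),
            "reasons": reasons,
        })


def _walk(part, depth, max_depth, findings):
    if part.get_content_type() == "message/rfc822":
        # A forwarded message is one more layer; a shallow scanner stops here.
        if max_depth is not None and depth >= max_depth:
            return
        payload = part.get_payload()
        if isinstance(payload, list):
            for inner in payload:
                _walk(inner, depth + 1, max_depth, findings)
        return
    if part.is_multipart():
        for sub in part.get_payload():
            _walk(sub, depth, max_depth, findings)
        return
    _check(part, depth, findings)


def scan(raw, max_depth=None):
    """Return findings for a raw message; max_depth=None follows every layer."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _walk(msg, 0, max_depth, findings)
    return findings


def build_sample(forward_layers):
    """Constructed sample: harmless bytes named .exe, declared audio/x-midi."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "Re: Your Password!"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="audio", subtype="x-midi",
                       filename="decrypt-password.exe")
    for _ in range(forward_layers):
        outer = EmailMessage()
        outer["From"] = "fwd@example.invalid"
        outer["To"] = "rcpt@example.invalid"
        outer["Subject"] = "FW: " + msg["Subject"]
        outer.set_content("forwarding")
        outer.add_attachment(msg)  # becomes a message/rfc822 part
        msg = outer
    return msg.as_bytes()


if __name__ == "__main__":
    twice_forwarded = build_sample(2)
    print("full scan:   ", scan(twice_forwarded))
    print("shallow scan:", scan(twice_forwarded, max_depth=0))
```

Running it shows the full scan reporting the attachment at depth 2 with both reasons, while the shallow scan (max_depth=0) returns nothing for the same message.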
 


RE: Possible New Virus?

2002-06-13 Thread Ken . Powell

I believe that I have stopped FW:, FW:, FW: ,etc. before. I think that
this is really the problem/danger with WS. It will work flawlessly on one
installation and completely miss on others.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001



RE: Possible New Virus?

2002-06-13 Thread Hansen, Eric

Although their tech sup is terrifically stupid (imo) that webshield appliance
is sweet.

We dumped our desktop NAI solution based on the lack of expertise of their
tech supp department, once they came back and told us once that they weren't
sure if they could support the Groupshield product anymore we knew we were
in trouble.

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 13, 2002 10:58 AM
To: Exchange Discussions
Subject: RE: Possible New Virus?

possible...But when I talked with disgust.. a bit with NAI on the phone
about WS-SMTP and this...and basically their response was..Yep...it'll
miss'em...IF you really want to get them, then buy our Webshield
Appliance..

bill


RE: Possible New Virus?

2002-06-13 Thread Mellott, Bill

Yeh I looked at the small appliance...and went round the bend with them on
how they bundle it...It was pathetic the answers I got..
Boiled down to too much $$ for me and they were going to jam their hardware
down my throat, and they wouldn't play nice...did sound cool...

Tech supp...I find it hit and miss.. had good... had bad...

bill


RE: Possible New Virus?

2002-06-13 Thread Ken . Powell

I think that you may be confusing what he was saying. I think that Bill was
talking about WS (Webshield SMTP) not being able to or missing attachments
that are further down due to multiple forwarding.

What you are talking about having done with your Linux box and Qmail is
basically what is being done with WS. I block, as I am sure Bill does,
multiple attachment types, so if the attachment comes in disguised as a WAV
file it gets blocked as well.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001



RE: Possible New Virus?

2002-06-13 Thread Ken . Powell

That seems to be their answer to everything lately. I got the full court
press to go to the e500 as well. The only thing that really intrigues me is
the ability to check/scan/stop web-based mail as well.

WS SMTP has really worked well for us. I have not had the problems that
others have had it seems with support. I take that back, I did used to have
problems until we upped our support to a higher level. I never wait more
than 1 minute and get escalated pretty quickly. Also, the TVDUG on Yahoo
groups has a lot of NAI back line support people on it.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001



RE: Possible New Virus?

2002-06-12 Thread Ken . Powell

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001





RE: Possible New Virus?

2002-06-12 Thread Mellott, Bill

Your answer/question might be better if phrased: Which DAT version.
Run the latest DAT, with that the Webshield 54sp1a 
product I run before my exch server picks it up.

bill

-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 1:10 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Which McAfee product found it as Exploit-MIME? 

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 8:54
To: Exchange Discussions
Subject: RE: Possible New Virus?


We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 



RE: Possible New Virus?

2002-06-12 Thread Durkee, Peter

No, I really meant which product. I have VirusScan on the desktops with the 4206 dats, 
and the NAI engine running under Antigen on the Exchange server, also with the 4206 
dats, and neither of those caught it. To be honest though I don't think any of the few 
people who received it tried to run it, nor did it run itself on those machines, so 
maybe VirusScan never had a chance to catch it. 

-Peter


-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 10:42
To: Exchange Discussions
Subject: RE: Possible New Virus?


Your answer/question might be better if phrased: Which DAT version.
Run the latest DAT, with that the Webshield 54sp1a 
product I run before my exch server picks it up.

bill

-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 1:10 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Which McAfee product found it as Exploit-MIME? 

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 8:54
To: Exchange Discussions
Subject: RE: Possible New Virus?


We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

RE: Possible New Virus?

2002-06-12 Thread O'Conner, Jim

WebshieldSMTP caught it as Exploit-MIME.gen.  

Antigen with the 2 CA Engines enabled are usually the only ones that I can
get to catch the exploit.  Sybari has also added this to their worm list, so
that may improve.

--jim


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 1:54 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


No, I really meant which product. I have VirusScan on the desktops with the
4206 dats, and the NAI engine running under Antigen on the Exchange server,
also with the 4206 dats, and neither of those caught it. To be honest though
I don't think any of the few people who received it tried to run it, nor did
it run itself on those machines, so maybe VirusScan never had a chance to
catch it. 

-Peter


-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 10:42
To: Exchange Discussions
Subject: RE: Possible New Virus?


Your answer/question might be better if phrased: Which DAT version.
Run the latest DAT, with that the Webshield 54sp1a 
product I run before my exch server picks it up.

bill

-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 1:10 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Which McAfee product found it as Exploit-MIME? 

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 8:54
To: Exchange Discussions
Subject: RE: Possible New Virus?


We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

RE: Possible New Virus?

2002-06-12 Thread Mellott, Bill

Oops... sorry.
I try not to let it get that far.
My Webshield-SMTP 45sp1 has 4205 on it right now. I see these things all
the time.
Exchange55sp4 server is GS45.1 (no laughing please... it runs).

I also have the Webshield set for some content/attachment blocking (does
this poorly).
GS451 is also set for attachment blocking/stripping if something gets by
the Webshield (which it does all the time).

I've not gotten into the setup deeply for the desktop with regard to its
integration with OL, but I do believe you must go into the OL and set it to
watch the OL.

bill


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 1:54 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


No, I really meant which product. I have VirusScan on the desktops with the
4206 dats, and the NAI engine running under Antigen on the Exchange server,
also with the 4206 dats, and neither of those caught it. To be honest though
I don't think any of the few people who received it tried to run it, nor did
it run itself on those machines, so maybe VirusScan never had a chance to
catch it. 

-Peter


-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 10:42
To: Exchange Discussions
Subject: RE: Possible New Virus?


Your answer/question might be better if phrased: Which DAT version.
Run the latest DAT, with that the Webshield 54sp1a 
product I run before my exch server picks it up.

bill

-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 1:10 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Which McAfee product found it as Exploit-MIME? 

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 8:54
To: Exchange Discussions
Subject: RE: Possible New Virus?


We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

RE: Possible New Virus?

2002-06-12 Thread Ken . Powell

Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
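
Added example, not code from any poster or product in this thread: a check for the two points raised here, an attachment declared as audio/x-midi but named .exe, and a scanner that inspects only the first layer missing it once the message has been forwarded. The extension block list, the function names and the sample message are constructed assumptions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed block list for illustration; a real gateway policy would be longer.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}
# Declared types that should never carry a program.
PASSIVE_MAINTYPES = {"audio", "image", "video", "text"}


def classify(part, depth):
    """Return a finding for one leaf MIME part, or None if it looks fine."""
    # get_filename() reads Content-Disposition filename=, then Content-Type name=
    filename = part.get_filename()
    if not filename:
        return None
    ext = os.path.splitext(filename.strip().rstrip(". ").lower())[1]
    if ext not in BLOCKED_EXTENSIONS:
        return None
    return {
        "depth": depth,  # number of forwarding layers above this part
        "filename": filename,
        "declared_type": part.get_content_type(),
        # True when the header claims a passive type for an executable name
        "spoofed_type": part.get_content_maintype() in PASSIVE_MAINTYPES,
    }


def scan_all_layers(msg, depth=0):
    """Walk every part, descending into forwarded message/rfc822 layers."""
    findings = []
    if msg.get_content_type() == "message/rfc822":
        for inner in msg.get_payload():
            findings += scan_all_layers(inner, depth + 1)
    elif msg.is_multipart():
        for sub in msg.get_payload():
            findings += scan_all_layers(sub, depth)
    else:
        hit = classify(msg, depth)
        if hit:
            findings.append(hit)
    return findings


def scan_first_layer_only(msg):
    """Naive check: looks only at the direct parts of the outer message."""
    findings = []
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    for sub in parts:
        if not sub.is_multipart():  # forwarded messages are skipped here
            hit = classify(sub, 0)
            if hit:
                findings.append(hit)
    return findings


def build_sample(layers):
    """Constructed sample: harmless placeholder bytes declared as audio/x-midi
    but named decrypt-password.exe, then forwarded `layers` times."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Your Password!"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"constructed placeholder bytes, not a program",
                       maintype="audio", subtype="x-midi",
                       filename="decrypt-password.exe")
    for _ in range(layers):
        outer = EmailMessage()
        outer["Subject"] = "FW: " + msg["Subject"]
        outer["From"] = "forwarder@example.invalid"
        outer["To"] = "user@example.invalid"
        outer.set_content("forwarded, see attached message")
        outer.add_attachment(msg)  # becomes a message/rfc822 part
        msg = outer
    # Round-trip through bytes so the scanners see what a relay would parse.
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    for layers in (0, 2):
        sample = build_sample(layers)
        print(layers, "layer(s): first-layer scan ->",
              scan_first_layer_only(sample))
        print(layers, "layer(s): full scan        ->",
              scan_all_layers(sample))
```
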



RE: Possible New Virus?

2002-06-12 Thread Durkee, Peter

I think any that you received before yesterday must've been from the klez virus, which 
uses the same exploit. I've seen a few of those myself.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 16:22
To: Exchange Discussions
Subject: RE: Possible New Virus?


Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 



RE: Possible New Virus?

2002-06-12 Thread Ken . Powell

No, I can see numbers for all of the Klez variations as well (eml = 6, e =
2, h = 58, dam = 4). MIME Exploit = 326.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 4:37 PM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

I think any that you received before yesterday must've been from the klez
virus, which uses the same exploit. I've seen a few of those myself.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 16:22
To: Exchange Discussions
Subject: RE: Possible New Virus?


Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

RE: Possible New Virus?

2002-06-12 Thread Ken . Powell

That may be true.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 4:52 PM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

But it couldn't be W32.Frethem.E@mm either, as that one was only discovered
yesterday. 

I haven't seen nearly as many MIME Exploits as you have, but the ones I have
seen can be identified as Klez by the distinctive subject lines,  and the
obviously spoofed from addresses. I think maybe they were Klezes that had
their attachments removed by someone else's AV software, leaving the exploit
still in place.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 16:43
To: Exchange Discussions
Subject: RE: Possible New Virus?


No, I can see numbers for all of the Klez variations as well (eml = 6, e =
2, h = 58, dam = 4). MIME Exploit = 326.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: Durkee, Peter [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 4:37 PM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

I think any that you received before yesterday must've been from the klez
virus, which uses the same exploit. I've seen a few of those myself.

-Peter


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 16:22
To: Exchange Discussions
Subject: RE: Possible New Virus?


Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

RE: Possible New Virus?

2002-06-12 Thread Mellott, Bill

Note do not assume the WS product will catch the EXE.
If it is in the first layer then yes likely it will. 

BUT if it happens to be in like 2 or more layers (layer..I mean FW 
FW..etc)
it will miss it...every time

But yes GS should then get it...if it's working right ;-)

bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 7:22 PM
To: Exchange Discussions
Subject: RE: Possible New Virus?


Webshield SMTP 4.51 MR1a with engine 4160. As far as DAT files, it has been
catching it since as far back as the middle of last month (my ePO records do
not go back any further.) Even if the engine and DAT files had not been up
to date WS would have stopped it due to us blocking all executables.

I would assume that GS would have caught it if it had made it that far since
it is running the same engine and dat versions.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 8:55 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

We have been seeing it for a couple of days. McAfee has been reporting it as
Exploit-MIME.gen.

I just got something from Sophos giving it the name that John reported it
as. It has been showing up quite a lot lately.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 11, 2002 10:23 AM
To: Exchange 5.5 List
Subject: RE: Possible New Virus?

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
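
Added example (not from the thread, and not how WebShield or GroupShield work): a Python check for the two points raised above, an executable declared as audio/x-midi and an attachment buried under several forwards. It walks every message/rfc822 layer and flags leaves whose filename or leading bytes say "executable" while the declared Content-Type says otherwise. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed site policy for this example: extensions the relay refuses.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".com"}

def scan(part, depth=0):
    """Return (forward_depth, filename, declared_type, reasons) per flagged leaf."""
    if part.is_multipart():
        # multipart/* and message/rfc822 both hold sub-parts; only a forwarded
        # message counts as another "layer".
        if part.get_content_type() == "message/rfc822":
            depth += 1
        found = []
        for child in part.get_payload():
            found += scan(child, depth)
        return found
    name = part.get_filename() or ""
    ctype = part.get_content_type()
    body = part.get_payload(decode=True) or b""
    reasons = []
    if os.path.splitext(name)[1].lower() in BLOCKED_EXT:
        reasons.append("blocked-extension")
    if body[:2] == b"MZ":                       # DOS/PE executable signature
        reasons.append("mz-header")
    if reasons and not ctype.startswith("application/"):
        reasons.append("type-mismatch")         # e.g. audio/x-midi on an .exe
    return [(depth, name, ctype, reasons)] if reasons else []

def build_sample(layers=2):
    """Constructed test message: harmless bytes, forwarded `layers` times."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Your Password!"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"MZ-constructed-placeholder-not-a-program",
                       maintype="audio", subtype="x-midi",
                       filename="decrypt-password.exe")
    for _ in range(layers):
        wrapper = EmailMessage()
        wrapper["Subject"] = "FW: " + msg["Subject"]
        wrapper.set_content("forwarded, see attached message")
        wrapper.add_attachment(msg)             # becomes a message/rfc822 part
        msg = wrapper
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(finding)
```

The first field of each finding is the number of forwards the attachment sat under, which is the case a first-layer-only scanner misses.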



RE: Possible New Virus?

2002-06-11 Thread John Steniger

Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 



RE: Possible New Virus?

2002-06-11 Thread Durkee, Peter

Yup, that's it, thanks.

-Peter


-Original Message-
From: John Steniger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 11, 2002 10:24
To: Exchange Discussions
Subject: RE: Possible New Virus?


Appears to be a Frethem Worm.  From Norton:

http:[EMAIL PROTECTED]
l

John J. Steniger
Network and Security Manager
Familymeds, Inc.
Phone: 860-676-1222 X633
Email: [EMAIL PROTECTED]
http://www.familymeds.com


 -Original Message-
 From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:22 PM
 To: Exchange Discussions
 Subject: Possible New Virus?
 
 
 Hi All,
 I've seen several messages coming in this morning with the 
 subject line Re: Your Password!, an attachment named 
 decrypt-password.exe, and the same Content-Type: audio/x-midi 
 that Klez uses to auto-run. The messages are 50k or so in 
 size. Is anyone else seeing this? My usual virus info sources 
 don't have anything on it.
 
 -Peter
 
 



RE: Possible New Virus?

2002-06-11 Thread John Steniger

Curses.  Tack an l onto the end of that link and it oughta work.  


 -Original Message-
 From: John Steniger [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 1:24 PM
 To: Exchange Discussions
 Subject: RE: Possible New Virus?
 
 
 Appears to be a Frethem Worm.  From Norton:
 
 http://securityresponse.symantec.com/avcenter/venc/data/w32.fr
 [EMAIL PROTECTED]
 l
 
 John J. Steniger
 Network and Security Manager
 Familymeds, Inc.
 Phone: 860-676-1222 X633
 Email: [EMAIL PROTECTED]
 http://www.familymeds.com
 
 
  -Original Message-
  From: Durkee, Peter [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, June 11, 2002 1:22 PM
  To: Exchange Discussions
  Subject: Possible New Virus?
  
  
  Hi All,
  I've seen several messages coming in this morning with the 
  subject line Re: Your Password!, an attachment named 
  decrypt-password.exe, and the same Content-Type: audio/x-midi 
  that Klez uses to auto-run. The messages are 50k or so in 
  size. Is anyone else seeing this? My usual virus info sources 
  don't have anything on it.
  
  -Peter
  
  