Possible Email Virus

[Kleciak, Clint D A7IT]

Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".





--
CONFIDENTIALITY NOTICE: If you have received this email in error, please 
immediately notify the sender by e-mail at the address shown.  This email 
transmission may contain confidential information.  This information is 
intended only for the use of the individual(s) or entity to whom it is intended 
even if addressed incorrectly.  Please delete it from your files if you are not 
the intended recipient.  Thank you for your compliance.  Copyright 2010 CIGNA
==

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Charles A Ransom]

Just caught some - thanks!

>>> "Kleciak, Clint D  A7IT"  9/9/2010 3:37 PM >>>
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".




---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Don Kuhlman]

Yep it hit here - put a filter on the inbox to delete anything with that 
subject 
while the mail / security team are working it.



- Original Message 
From: Charles A Ransom 
To: MS-Exchange Admin Issues 
Sent: Thu, September 9, 2010 2:44:10 PM
Subject: Re: Possible Email Virus

Just caught some - thanks!

>>> "Kleciak, Clint D      A7IT"  9/9/2010 3:37 PM >>>
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".




---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist


  


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Carol Fee]

Thank you.

CFee
From: Kleciak, Clint D A7IT [mailto:clint.klec...@cigna.com]
Sent: Thursday, September 09, 2010 3:38 PM
To: MS-Exchange Admin Issues
Subject: Possible Email Virus

Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".





---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

--
CONFIDENTIALITY NOTICE: If you have received this email in error, please 
immediately notify the sender by e-mail at the address shown. This email 
transmission may contain confidential information. This information is intended 
only for the use of the individual(s) or entity to whom it is intended even if 
addressed incorrectly. Please delete it from your files if you are not the 
intended recipient. Thank you for your compliance. Copyright 2010 CIGNA
==

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Maglinger, Paul]

>From McCrappy - 

McAfee has received confirmation that some customers have received large 
volumes of spam containing a link to malware, a mass-mailing worm identified as 
VBMania. The symptom reported thus far is that the spam volume is overwhelming 
the email infrastructure. 
Static URLs in the email link to a .SCR file. McAfee recommends that customers 
filter for the URL on gateway and email servers, and block the creation of .SCR 
files on endpoint systems.
McAfee Trusted Source is actively protecting against this threat. Customers 
with McAfee Trusted Source Email Reputation will have the emails blocked. 
Customers with McAfee Trusted Source Web Reputation will have the URL blocked 
from click-through. McAfee Artemis provides protection as well.



-Original Message-
From: Don Kuhlman [mailto:drkuhl...@yahoo.com] 
Sent: Thursday, September 09, 2010 3:08 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

Yep it hit here - put a filter on the inbox to delete anything with that 
subject 
while the mail / security team are working it.



- Original Message 
From: Charles A Ransom 
To: MS-Exchange Admin Issues 
Sent: Thu, September 9, 2010 2:44:10 PM
Subject: Re: Possible Email Virus

Just caught some - thanks!

>>> "Kleciak, Clint D      A7IT"  9/9/2010 3:37 PM >>>
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".




---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist


  


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Campbell, Rob]

Using Forefront, and message tracking logs don't find anything with that 
subject line all day.

From: Doug Rooney [mailto:d...@sonomatilemakers.com]
Sent: Thursday, September 09, 2010 4:10 PM
To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus


I guess I am happy with what I pay Message Labs, we have had zero come in.



Thank You
[Description: file:///S:/Meadow%20Stebbins/Individuals/images/DRooney_01.jpg]

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Thursday, September 09, 2010 2:05 PM
To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus



>From McCrappy -



McAfee has received confirmation that some customers have received large 
volumes of spam containing a link to malware, a mass-mailing worm identified as 
VBMania. The symptom reported thus far is that the spam volume is overwhelming 
the email infrastructure.

Static URLs in the email link to a .SCR file. McAfee recommends that customers 
filter for the URL on gateway and email servers, and block the creation of .SCR 
files on endpoint systems.

McAfee Trusted Source is actively protecting against this threat. Customers 
with McAfee Trusted Source Email Reputation will have the emails blocked. 
Customers with McAfee Trusted Source Web Reputation will have the URL blocked 
from click-through. McAfee Artemis provides protection as well.







-Original Message-

From: Don Kuhlman [mailto:drkuhl...@yahoo.com]

Sent: Thursday, September 09, 2010 3:08 PM

To: MS-Exchange Admin Issues

Subject: Re: Possible Email Virus



Yep it hit here - put a filter on the inbox to delete anything with that 
subject while the mail / security team are working it.







- Original Message 

From: Charles A Ransom 

To: MS-Exchange Admin Issues 

Sent: Thu, September 9, 2010 2:44:10 PM

Subject: Re: Possible Email Virus



Just caught some - thanks!



>>> "Kleciak, Clint D  A7IT" 
>>> mailto:clint.klec...@cigna.com>> 9/9/2010 3:37 PM 
>>> >>>

Reports of an email virus hitting some companies today. It has a link to a .scr

file that looks like a PDF link. When users click it, it begins sending emails

using the GAL or contacts. Not sure of the origin at this point but wanted to

send a heads up. The email subject is "Here you have".









---

To manage subscriptions click here:

http://lyris.sunbelt-software.com/read/my_forums/

or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>

with the body: unsubscribe exchangelist











---

To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/

or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>

with the body: unsubscribe exchangelist





---

To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/

or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>

with the body: unsubscribe exchangelist



---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist
**
Note: 
The information contained in this message may be privileged and confidential 
and 
protected from disclosure.  If the reader of this message is not the intended  
recipient, or an employee or agent responsible for delivering this message to  
the intended recipient, you are hereby notified that any dissemination,   
distribution or copying of this communication is strictly prohibited. If you  
have received this communication in error, please notify us immediately by  
replying to the message and deleting it from your computer. 
**

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist<>

Re: Possible Email Virus

[Tom Kern]

For those on ex2k7 or ex2k10-



Exchange 2010



*New-TransportRule* *-Name* 'Here you have' *-Comments* '' *-Priority* '0' *
-Enabled* $true *-SubjectContainsWords* 'here you have' *-DeleteMessage*
$true



Exchange 2007



$action = *Get-TransportRuleAction* DeleteMessage

$condition = *Get-TransportRulePredicate* SubjectContains

$condition.Words = @("Here you have")

*New-TransportRule* *-name* "Here you have" -Conditions @($condition)
-Actions @($action) *-Priority* 0





On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
clint.klec...@cigna.com> wrote:

>  Reports of an email virus hitting some companies today. It has a link to
> a .scr file that looks like a PDF link. When users click it, it begins
> sending emails using the GAL or contacts. Not sure of the origin at this
> point but wanted to send a heads up. The email subject is “Here you have”.
>
>
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
>
> --
> CONFIDENTIALITY NOTICE: If you have received this email in error, please
> immediately notify the sender by e-mail at the address shown. This email
> transmission may contain confidential information. This information is
> intended only for the use of the individual(s) or entity to whom it is
> intended even if addressed incorrectly. Please delete it from your files if
> you are not the intended recipient. Thank you for your compliance. Copyright
> 2010 CIGNA
>
> ==
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[messagel...@gmail.com]

Is there a E2k3 version of this rule?



On Sep 9, 2010, at 2:57 PM, Tom Kern  wrote:

> For those on ex2k7 or ex2k10-
>  
>  
> Exchange 2010
>  
> New-TransportRule -Name 'Here you have' -Comments '' -Priority '0' -Enabled 
> $true -SubjectContainsWords 'here you have' -DeleteMessage $true
>  
> Exchange 2007
>  
> $action = Get-TransportRuleAction DeleteMessage
> $condition = Get-TransportRulePredicate SubjectContains
> $condition.Words = @("Here you have")
> New-TransportRule -name "Here you have" -Conditions @($condition) -Actions 
> @($action) -Priority 0
>  
> 
> 
>  
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
>  wrote:
> Reports of an email virus hitting some companies today. It has a link to a 
> .scr file that looks like a PDF link. When users click it, it begins sending 
> emails using the GAL or contacts. Not sure of the origin at this point but 
> wanted to send a heads up. The email subject is “Here you have”.
>  
>  
>  
>  
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
> 
> --
> CONFIDENTIALITY NOTICE: If you have received this email in error, please 
> immediately notify the sender by e-mail at the address shown. This email 
> transmission may contain confidential information. This information is 
> intended only for the use of the individual(s) or entity to whom it is 
> intended even if addressed incorrectly. Please delete it from your files if 
> you are not the intended recipient. Thank you for your compliance. Copyright 
> 2010 CIGNA
> ==
> 
> 
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Michael B. Smith]

Exchange 2003 is “after the fact”.

See

http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-visal-b.aspx

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: messagel...@gmail.com [mailto:messagel...@gmail.com]
Sent: Thursday, September 09, 2010 6:05 PM
To: MS-Exchange Admin Issues
Cc: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

Is there a E2k3 version of this rule?


On Sep 9, 2010, at 2:57 PM, Tom Kern 
mailto:tpk...@gmail.com>> wrote:
For those on ex2k7 or ex2k10-


Exchange 2010

New-TransportRule -Name 'Here you have' -Comments '' -Priority '0' -Enabled 
$true -SubjectContainsWords 'here you have' -DeleteMessage $true

Exchange 2007

$action = Get-TransportRuleAction DeleteMessage
$condition = Get-TransportRulePredicate SubjectContains
$condition.Words = @("Here you have")
New-TransportRule -name "Here you have" -Conditions @($condition) -Actions 
@($action) -Priority 0




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is “Here you have”.





---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

--
CONFIDENTIALITY NOTICE: If you have received this email in error, please 
immediately notify the sender by e-mail at the address shown. This email 
transmission may contain confidential information. This information is intended 
only for the use of the individual(s) or entity to whom it is intended even if 
addressed incorrectly. Please delete it from your files if you are not the 
intended recipient. Thank you for your compliance. Copyright 2010 CIGNA
==


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Don Ely]

That's what I did for our company...

On Thu, Sep 9, 2010 at 2:57 PM, Tom Kern  wrote:

> For those on ex2k7 or ex2k10-
>
>
>
> Exchange 2010
>
>
>
> *New-TransportRule* *-Name* 'Here you have' *-Comments* '' *-Priority* '0'
> *-Enabled* $true *-SubjectContainsWords* 'here you have' *-DeleteMessage*
> $true
>
>
>
> Exchange 2007
>
>
>
> $action = *Get-TransportRuleAction* DeleteMessage
>
> $condition = *Get-TransportRulePredicate* SubjectContains
>
> $condition.Words = @("Here you have")
>
> *New-TransportRule* *-name* "Here you have" -Conditions @($condition)
> -Actions @($action) *-Priority* 0
>
>
>
>
>
>  On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
>>  Reports of an email virus hitting some companies today. It has a link to
>> a .scr file that looks like a PDF link. When users click it, it begins
>> sending emails using the GAL or contacts. Not sure of the origin at this
>> point but wanted to send a heads up. The email subject is “Here you have”.
>>
>>
>>
>>
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe exchangelist
>>
>> --
>>
>>
>> CONFIDENTIALITY NOTICE: If you have received this email in error, please
>> immediately notify the sender by e-mail at the address shown. This email
>> transmission may contain confidential information. This information is
>> intended only for the use of the individual(s) or entity to whom it is
>> intended even if addressed incorrectly. Please delete it from your files if
>> you are not the intended recipient. Thank you for your compliance. Copyright
>> 2010 CIGNA
>>
>> ==
>>
>>
> ---
>
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[John Hornbuckle]

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".




NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Don Andrews]

Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, September 10, 2010 2:53 AM
To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist



NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Don Ely]

One thing we noticed is that if a user was not running with admin rights,
the virus couldn't run...

On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews wrote:

>  Appears that we had less than 100 copies come in and our AS caught and
> dropped every one of them >:-)
>
>
>  --
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, September 10, 2010 2:53 AM
>
> *To:* MS-Exchange Admin Issues
> *Subject:* RE: Possible Email Virus
>
>
>
> Mitigated, as best as I can tell, by having users run without elevated
> permissions.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
> Reports of an email virus hitting some companies today. It has a link to a
> .scr file that looks like a PDF link. When users click it, it begins sending
> emails using the GAL or contacts. Not sure of the origin at this point but
> wanted to send a heads up. The email subject is “Here you have”.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Brown, Larry]

That wasn't our experience.  Our users do NOT have local admin rights...but the 
virus ran anyway.

Of course...this may depend on OS.  We are still running XP.

Within 10 minutes of the appearance on our network we had the website 
blocked...and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh...

Larry

From: Don Ely [mailto:don@gmail.com]
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...
On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us<mailto:john.hornbuc...@taylor.k12.fl.us>]
Sent: Friday, September 10, 2010 2:53 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us/>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Don Ely]

Ah, with Windows 7 and no admin rights nothing happened.  And believe me,
our users tried their hardest to execute it...

On Fri, Sep 10, 2010 at 9:23 AM, Brown, Larry  wrote:

>  That wasn’t our experience.  Our users do NOT have local admin rights…but
> the virus ran anyway.
>
>
>
> Of course…this may depend on OS.  We are still running XP.
>
>
>
> Within 10 minutes of the appearance on our network we had the website
> blocked…and then started getting calls to the Help Desk complaining about
> the link being blocked.  Sheesh…
>
>
>
> *Larry*
>
>
>
> *From:* Don Ely [mailto:don@gmail.com]
> *Sent:* Friday, September 10, 2010 12:17 PM
>
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> One thing we noticed is that if a user was not running with admin rights,
> the virus couldn't run...
>
> On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
> wrote:
>
> Appears that we had less than 100 copies come in and our AS caught and
> dropped every one of them >:-)
>
>
>  --
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, September 10, 2010 2:53 AM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* RE: Possible Email Virus
>
>
>
> Mitigated, as best as I can tell, by having users run without elevated
> permissions.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
> Reports of an email virus hitting some companies today. It has a link to a
> .scr file that looks like a PDF link. When users click it, it begins sending
> emails using the GAL or contacts. Not sure of the origin at this point but
> wanted to send a heads up. The email subject is “Here you have”.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[bzalewski]

What web site did you block? 
- Original Message - 
From: "Larry Brown"  
To: "MS-Exchange Admin Issues"  
Sent: Friday, September 10, 2010 11:23:06 AM 
Subject: RE: Possible Email Virus 




That wasn’t our experience.  Our users do NOT have local admin rights…but the 
virus ran anyway.  



Of course…this may depend on OS.  We are still running XP. 



Within 10 minutes of the appearance on our network we had the website 
blocked…and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh… 



Larry 




From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 12:17 PM 
To: MS-Exchange Admin Issues 
Subject: Re: Possible Email Virus 



One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...  


On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews < don.andr...@safeway.com > wrote: 



Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-) 






From: John Hornbuckle [mailto: john.hornbuc...@taylor.k12.fl.us ] 
Sent: Friday, September 10, 2010 2:53 AM 



To: MS-Exchange Admin Issues 


Subject: RE: Possible Email Virus 



Mitigated, as best as I can tell, by having users run without elevated 
permissions. 









John Hornbuckle 

MIS Department 

Taylor County School District 

www.taylor.k12.fl.us 





  


On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT < clint.klec...@cigna.com 
> wrote: 



Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is “Here you have”. 




--- 
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/ 
or send an email to listmana...@lyris.sunbeltsoftware.com 
with the body: unsubscribe exchangelist 



--- 
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/ 
or send an email to listmana...@lyris.sunbeltsoftware.com 
with the body: unsubscribe exchangelist 

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure. 



--- 
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/ 
or send an email to listmana...@lyris.sunbeltsoftware.com 
with the body: unsubscribe exchangelist 

--- 
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/ 
or send an email to listmana...@lyris.sunbeltsoftware.com 
with the body: unsubscribe exchangelist
---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Roger Wright]

In our case the link was:

http:// members dot multimania dot co dot uk


Roger Wright
___

When it's GOOD there ain't nothin' like it, and when it's BAD there ain't
nothin' like it!




On Fri, Sep 10, 2010 at 12:27 PM,  wrote:

> What web site did you block?
>
> - Original Message -
> From: "Larry Brown" 
> To: "MS-Exchange Admin Issues" 
> Sent: Friday, September 10, 2010 11:23:06 AM
> Subject: RE: Possible Email Virus
>
>  That wasn’t our experience.  Our users do NOT have local admin rights…but
> the virus ran anyway.
>
>
>
> Of course…this may depend on OS.  We are still running XP.
>
>
>
> Within 10 minutes of the appearance on our network we had the website
> blocked…and then started getting calls to the Help Desk complaining about
> the link being blocked.  Sheesh…
>
>
>
> *Larry*
>
>
>
> *From:* Don Ely [mailto:don@gmail.com]
> *Sent:* Friday, September 10, 2010 12:17 PM
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> One thing we noticed is that if a user was not running with admin rights,
> the virus couldn't run...
>
> On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
> wrote:
>
> Appears that we had less than 100 copies come in and our AS caught and
> dropped every one of them >:-)
>
>
>  ------
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, September 10, 2010 2:53 AM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* RE: Possible Email Virus
>
>
>
> Mitigated, as best as I can tell, by having users run without elevated
> permissions.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
> Reports of an email virus hitting some companies today. It has a link to a
> .scr file that looks like a PDF link. When users click it, it begins sending
> emails using the GAL or contacts. Not sure of the origin at this point but
> wanted to send a heads up. The email subject is “Here you have”.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Don Andrews]

Haw - first time I experienced that was when the I Love You virus came out.


From: Brown, Larry [mailto:lc.br...@dplinc.com]
Sent: Friday, September 10, 2010 9:23 AM
To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

That wasn't our experience.  Our users do NOT have local admin rights...but the 
virus ran anyway.

Of course...this may depend on OS.  We are still running XP.

Within 10 minutes of the appearance on our network we had the website 
blocked...and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh...

Larry

From: Don Ely [mailto:don@gmail.com]
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...
On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us<mailto:john.hornbuc...@taylor.k12.fl.us>]
Sent: Friday, September 10, 2010 2:53 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us/>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Don Ely]

I still remember that day very well...  Lot's of queue cleaning that day...

On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews wrote:

>  Haw – first time I experienced that was when the I Love You virus came
> out.
>
>
>  --
>
> *From:* Brown, Larry [mailto:lc.br...@dplinc.com]
> *Sent:* Friday, September 10, 2010 9:23 AM
>
> *To:* MS-Exchange Admin Issues
> *Subject:* RE: Possible Email Virus
>
>
>
> That wasn’t our experience.  Our users do NOT have local admin rights…but
> the virus ran anyway.
>
>
>
> Of course…this may depend on OS.  We are still running XP.
>
>
>
> Within 10 minutes of the appearance on our network we had the website
> blocked…and then started getting calls to the Help Desk complaining about
> the link being blocked.  Sheesh…
>
>
>
> *Larry*
>
>
>
> *From:* Don Ely [mailto:don@gmail.com]
> *Sent:* Friday, September 10, 2010 12:17 PM
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> One thing we noticed is that if a user was not running with admin rights,
> the virus couldn't run...
>
> On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
> wrote:
>
> Appears that we had less than 100 copies come in and our AS caught and
> dropped every one of them >:-)
>
>
>  --
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, September 10, 2010 2:53 AM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* RE: Possible Email Virus
>
>
>
> Mitigated, as best as I can tell, by having users run without elevated
> permissions.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
> Reports of an email virus hitting some companies today. It has a link to a
> .scr file that looks like a PDF link. When users click it, it begins sending
> emails using the GAL or contacts. Not sure of the origin at this point but
> wanted to send a heads up. The email subject is “Here you have”.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Brown, Larry]

I honestly don't know...although I heard them saying it was a web site in the 
UK...was handled by our Web Sense admins.


Larry

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Friday, September 10, 2010 1:13 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

In our case the link was:

http:// members dot multimania dot co dot uk


Roger Wright
___

When it's GOOD there ain't nothin' like it, and when it's BAD there ain't 
nothin' like it!



On Fri, Sep 10, 2010 at 12:27 PM, 
mailto:bzalew...@comcast.net>> wrote:
What web site did you block?

- Original Message -
From: "Larry Brown" mailto:lc.br...@dplinc.com>>
To: "MS-Exchange Admin Issues" 
mailto:exchangelist@lyris.sunbelt-software.com>>
Sent: Friday, September 10, 2010 11:23:06 AM
Subject: RE: Possible Email Virus
That wasn't our experience.  Our users do NOT have local admin rights...but the 
virus ran anyway.

Of course...this may depend on OS.  We are still running XP.

Within 10 minutes of the appearance on our network we had the website 
blocked...and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh...

Larry

From: Don Ely [mailto:don@gmail.com<mailto:don@gmail.com>]
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...
On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us<mailto:john.hornbuc...@taylor.k12.fl.us>]
Sent: Friday, September 10, 2010 2:53 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us/>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Maglinger, Paul]

I remember that day too.  Got it mostly cleaned up and a @#%!$ user
opened it up a second time!  Grrr...  Learned a lot from that little
lesson.

 

From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 12:57 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

 

I still remember that day very well...  Lot's of queue cleaning that
day...

On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
wrote:

Haw - first time I experienced that was when the I Love You virus came
out.

 



From: Brown, Larry [mailto:lc.br...@dplinc.com] 
Sent: Friday, September 10, 2010 9:23 AM 


To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

 

That wasn't our experience.  Our users do NOT have local admin
rights...but the virus ran anyway.  

 

Of course...this may depend on OS.  We are still running XP.

 

Within 10 minutes of the appearance on our network we had the website
blocked...and then started getting calls to the Help Desk complaining
about the link being blocked.  Sheesh...

 

Larry

 

From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

 

One thing we noticed is that if a user was not running with admin
rights, the virus couldn't run...  

On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
wrote:

Appears that we had less than 100 copies come in and our AS caught and
dropped every one of them >:-) 

 



From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, September 10, 2010 2:53 AM 


To: MS-Exchange Admin Issues

Subject: RE: Possible Email Virus

 

Mitigated, as best as I can tell, by having users run without elevated
permissions.

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us <http://www.taylor.k12.fl.us/> 

 



 

On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT
 wrote:

Reports of an email virus hitting some companies today. It has a link to
a .scr file that looks like a PDF link. When users click it, it begins
sending emails using the GAL or contacts. Not sure of the origin at this
point but wanted to send a heads up. The email subject is "Here you
have".

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Don Ely]

We exmerged the email out of the mailboxes to prevent that...

On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul wrote:

>  I remember that day too.  Got it mostly cleaned up and a @#%!$ user
> opened it up a second time!  Grrr…  Learned a lot from that little lesson.
>
>
>
> *From:* Don Ely [mailto:don@gmail.com]
> *Sent:* Friday, September 10, 2010 12:57 PM
>
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> I still remember that day very well...  Lot's of queue cleaning that day...
>
> On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
> wrote:
>
> Haw – first time I experienced that was when the I Love You virus came out.
>
>
>  --
>
> *From:* Brown, Larry [mailto:lc.br...@dplinc.com]
> *Sent:* Friday, September 10, 2010 9:23 AM
>
>
> *To:* MS-Exchange Admin Issues
> *Subject:* RE: Possible Email Virus
>
>
>
> That wasn’t our experience.  Our users do NOT have local admin rights…but
> the virus ran anyway.
>
>
>
> Of course…this may depend on OS.  We are still running XP.
>
>
>
> Within 10 minutes of the appearance on our network we had the website
> blocked…and then started getting calls to the Help Desk complaining about
> the link being blocked.  Sheesh…
>
>
>
> *Larry*
>
>
>
> *From:* Don Ely [mailto:don@gmail.com]
> *Sent:* Friday, September 10, 2010 12:17 PM
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> One thing we noticed is that if a user was not running with admin rights,
> the virus couldn't run...
>
> On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
> wrote:
>
> Appears that we had less than 100 copies come in and our AS caught and
> dropped every one of them >:-)
>
>
>  --
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, September 10, 2010 2:53 AM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* RE: Possible Email Virus
>
>
>
> Mitigated, as best as I can tell, by having users run without elevated
> permissions.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
> Reports of an email virus hitting some companies today. It has a link to a
> .scr file that looks like a PDF link. When users click it, it begins sending
> emails using the GAL or contacts. Not sure of the origin at this point but
> wanted to send a heads up. The email subject is “Here you have”.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Sean Martin]

Is this the same worm?

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B

If so, the article mentions the following sites:


http:// www dot sharedocuments dot com / library /
PDF_Document21.025542010.pdf

http:// www dot sharedmovies dot com / library / SEX21.025542010.wmv

- Sean
On Fri, Sep 10, 2010 at 10:00 AM, Brown, Larry  wrote:

>  I honestly don’t know…although I heard them saying it was a web site in
> the UK…was handled by our Web Sense admins.
>
>
>
>
>
> *Larry*
>
>
>
> *From:* Roger Wright [mailto:rhw...@gmail.com]
> *Sent:* Friday, September 10, 2010 1:13 PM
>
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> In our case the link was:
>
>
>
> http:// members dot multimania dot co dot uk
>
>
>
>
>
> Roger Wright
> ___
>
> When it's GOOD there ain't nothin' like it, and when it's BAD there ain't
> nothin' like it!
>
>
>
>  On Fri, Sep 10, 2010 at 12:27 PM,  wrote:
>
> What web site did you block?
>
>
> - Original Message -
> From: "Larry Brown" 
>  To: "MS-Exchange Admin Issues" 
> Sent: Friday, September 10, 2010 11:23:06 AM
> Subject: RE: Possible Email Virus
>
>   That wasn’t our experience.  Our users do NOT have local admin
> rights…but the virus ran anyway.
>
>
>
> Of course…this may depend on OS.  We are still running XP.
>
>
>
> Within 10 minutes of the appearance on our network we had the website
> blocked…and then started getting calls to the Help Desk complaining about
> the link being blocked.  Sheesh…
>
>
>
> *Larry*
>
>
>
> *From:* Don Ely [mailto:don@gmail.com]
> *Sent:* Friday, September 10, 2010 12:17 PM
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Possible Email Virus
>
>
>
> One thing we noticed is that if a user was not running with admin rights,
> the virus couldn't run...
>
> On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
> wrote:
>
> Appears that we had less than 100 copies come in and our AS caught and
> dropped every one of them >:-)
>
>
>  --
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, September 10, 2010 2:53 AM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* RE: Possible Email Virus
>
>
>
> Mitigated, as best as I can tell, by having users run without elevated
> permissions.
>
>
>
>
>
>
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
> clint.klec...@cigna.com> wrote:
>
> Reports of an email virus hitting some companies today. It has a link to a
> .scr file that looks like a PDF link. When users click it, it begins sending
> emails using the GAL or contacts. Not sure of the origin at this point but
> wanted to send a heads up. The email subject is “Here you have”.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
>
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Maglinger, Paul]

Somehow he still had it in Outlook.  I don't remember if it was in a
personal folder or what now.  I do remember asking him, "Why the *heck*
do you think the CEO would be sending you an email that said "I love
you"?!?"

 

From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 1:09 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

 

We exmerged the email out of the mailboxes to prevent that...

On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul 
wrote:

I remember that day too.  Got it mostly cleaned up and a @#%!$ user
opened it up a second time!  Grrr...  Learned a lot from that little
lesson.

 

From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 12:57 PM 


To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

 

I still remember that day very well...  Lot's of queue cleaning that
day...

On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
wrote:

Haw - first time I experienced that was when the I Love You virus came
out.

 



From: Brown, Larry [mailto:lc.br...@dplinc.com] 
Sent: Friday, September 10, 2010 9:23 AM 


To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

 

That wasn't our experience.  Our users do NOT have local admin
rights...but the virus ran anyway.  

 

Of course...this may depend on OS.  We are still running XP.

 

Within 10 minutes of the appearance on our network we had the website
blocked...and then started getting calls to the Help Desk complaining
about the link being blocked.  Sheesh...

 

Larry

 

From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

 

One thing we noticed is that if a user was not running with admin
rights, the virus couldn't run...  

On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
wrote:

Appears that we had less than 100 copies come in and our AS caught and
dropped every one of them >:-) 

 



From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, September 10, 2010 2:53 AM 


To: MS-Exchange Admin Issues

Subject: RE: Possible Email Virus

 

Mitigated, as best as I can tell, by having users run without elevated
permissions.

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us <http://www.taylor.k12.fl.us/> 

 



 

On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT
 wrote:

Reports of an email virus hitting some companies today. It has a link to
a .scr file that looks like a PDF link. When users click it, it begins
sending emails using the GAL or contacts. Not sure of the origin at this
point but wanted to send a heads up. The email subject is "Here you
have".

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written
communications to or from this entity are public records that will be
disclosed to the public and the media upon request. E-mail
communications may be subject to public disclosure.

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Chinnery, Paul]

I remember that,  too.  I was at Walt Disney World with my son.   Luckily 
someone else was on hand to clean up the mess.
After that, it became kind of a "what's going to happen while Paul's on 
vacation?"  (Surprisingly, a primary server did crash while I was gone. Luckily 
it was one that was supported by DG.)


From: Don Ely [mailto:don@gmail.com]
Sent: Friday, September 10, 2010 1:57 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

I still remember that day very well...  Lot's of queue cleaning that day...
On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Haw - first time I experienced that was when the I Love You virus came out.


From: Brown, Larry [mailto:lc.br...@dplinc.com<mailto:lc.br...@dplinc.com>]
Sent: Friday, September 10, 2010 9:23 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

That wasn't our experience.  Our users do NOT have local admin rights...but the 
virus ran anyway.

Of course...this may depend on OS.  We are still running XP.

Within 10 minutes of the appearance on our network we had the website 
blocked...and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh...

Larry

From: Don Ely [mailto:don@gmail.com<mailto:don@gmail.com>]
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...
On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us<mailto:john.hornbuc...@taylor.k12.fl.us>]
Sent: Friday, September 10, 2010 2:53 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us/>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Campbell, Rob]

Same here.  We had it stopped at the boundary, but weren't running anything on 
the workstations.  Then some user brought in an infected diskette "to print off 
a resume for his Mom".

That was a 40 hour day.

From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, September 10, 2010 1:07 PM
To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

I remember that day too.  Got it mostly cleaned up and a @#%!$ user opened it 
up a second time!  Grrr...  Learned a lot from that little lesson.

From: Don Ely [mailto:don@gmail.com]
Sent: Friday, September 10, 2010 12:57 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

I still remember that day very well...  Lot's of queue cleaning that day...
On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Haw - first time I experienced that was when the I Love You virus came out.


From: Brown, Larry [mailto:lc.br...@dplinc.com<mailto:lc.br...@dplinc.com>]
Sent: Friday, September 10, 2010 9:23 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

That wasn't our experience.  Our users do NOT have local admin rights...but the 
virus ran anyway.

Of course...this may depend on OS.  We are still running XP.

Within 10 minutes of the appearance on our network we had the website 
blocked...and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh...

Larry

From: Don Ely [mailto:don@gmail.com<mailto:don@gmail.com>]
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...
On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us<mailto:john.hornbuc...@taylor.k12.fl.us>]
Sent: Friday, September 10, 2010 2:53 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us/>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist
**
Note: 
The information contained in this message may be privileged and confidential 
and 
pro

Re: Possible Email Virus

[Kat Aylward]

Little story...

I was new at a Silicon Valley startup... I'd been there maybe 5 months
as the Exchange Admin and had managed to stay under the radar for most
people.  I also had knee surgery about 6 weeks prior.  That Friday
morning, I was at home (about 8:30-9:00am) and my MOM called me to say
"honey, I just heard about this virus..." as my work cellphone was
ringing.  "Gotta go, mom..." and I picked up a frantic call from my
boss.  He says all hell has broken out and I tell him to shut down the
exchange servers... so he pushes the power button on all 3!!  ACK!!!
After I swallow the vicious comment I was about to make, I headed into
the office with a parka, gloves, warm socks and long pants (remember
this was May in California and it's normally warm if you dont have to
live in the datacenter).  After 36 hours of restoring a full standard
16 gb database and catnaps under conference room tables, I finally got
to go home having fully restored, upgraded and repaired the crashed
DB.  Mailboxes were cleaned out and users were "educated" with my
LART!

Fast forward to the following Friday... my Jr. Admin all of the sudden
freaks out and says "It's happening again!" which puts me into full
out "BIATCH mode".  I hobble to one end of the building, shouting "If
you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO
NOT OPEN IT and then hobbled to the other end, repeating this
"bellowed refrain" upstairs and down   After I got back to my desk
and got my breath back, I headed to the datacenter on our floor.  My
boss had shut things down properly this time, and his boss and he were
standing there waiting for me... with my boss's Army Ranger parka in
hand because I had taken all my warm stuff home after the last
weekend.  I composed myself as best as I could (see prior BIATCH mode
statement) and I told them I needed to talk to the company at the
meeting that was starting in 10 minutes downstairs.  They got me to
promise I wasn't going to kill anyone and checked me for my LART, then
gave permission for me to leave the DC

I headed down to the Company-wide meeting in the cafeteria, hobbled
over to the President and said "I need 5 minutes of this meeting".  He
looked at me and said... "of course" and stepped clear.   As I am
heading to the front of the room, I am seeing all of these
20-somethings looking at me like I have horns, and they are trying to
figure out who I am, Ranger parka and all.  I am someone of a slightly
older generation, shall we say, and I as I was headed up, I kept
trying to think of a way not to look like a ranting and raving
Lunatic.  As I am composing myself, I see UserX and User Y skulk
across the back of the room, trying to stay out of my line of
sight.  I took a breath and thought about how I would talk to my
young adult son (then about 20 himself).  So here is what I said:

Hello, you might not know me but my name is Kat and I manage the email
system here.  (you could hear the silent intake of whooshed breath at
that)

I continued:

Practicing Safe Email is like practicing Safe Sex:
1. Always know who you are doing it with...
2. Always use protection...
3. and if you don't think you should be doing it, you probably shouldn't!!!

And with that I proceeded to hobble back out to the DC, watching their
slackened jaws hit the floor in shock and disbelief at what I had just
said... but they were still talking about it 7 months later when at
the Company Holiday party I was asked where my Ranger Parka was

Still one of my crowning glories in corporate history there!!

On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul  wrote:
> I remember that day too.  Got it mostly cleaned up and a @#%!$ user opened
> it up a second time!  Grrr…  Learned a lot from that little lesson.
>
>
>
> From: Don Ely [mailto:don@gmail.com]
> Sent: Friday, September 10, 2010 12:57 PM
>
> To: MS-Exchange Admin Issues
> Subject: Re: Possible Email Virus
>
>
>
> I still remember that day very well...  Lot's of queue cleaning that day...
>
> On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
> wrote:
>
> Haw – first time I experienced that was when the I Love You virus came out.
>
>
>
> ____
>
> From: Brown, Larry [mailto:lc.br...@dplinc.com]
> Sent: Friday, September 10, 2010 9:23 AM
>
> To: MS-Exchange Admin Issues
> Subject: RE: Possible Email Virus
>
>
>
> That wasn’t our experience.  Our users do NOT have local admin rights…but
> the virus ran anyway.
>
>
>
> Of course…this may depend on OS.  We are still running XP.
>
>
>
> Within 10 minutes of the appearance on our network we had the website
> blocked…and then started getting calls to the Help Desk complaining about
> the link being blocked.  Sheesh…
>

Re: Possible Email Virus

[Sean Martin]

Good story!

You probably could've just sent a very stern e-mail company wide with the
Subject: "I love you".they all would've probably read it.

- Sean

On Fri, Sep 10, 2010 at 10:39 AM, Kat Aylward  wrote:

> Little story...
>
> I was new at a Silicon Valley startup... I'd been there maybe 5 months
> as the Exchange Admin and had managed to stay under the radar for most
> people.  I also had knee surgery about 6 weeks prior.  That Friday
> morning, I was at home (about 8:30-9:00am) and my MOM called me to say
> "honey, I just heard about this virus..." as my work cellphone was
> ringing.  "Gotta go, mom..." and I picked up a frantic call from my
> boss.  He says all hell has broken out and I tell him to shut down the
> exchange servers... so he pushes the power button on all 3!!  ACK!!!
> After I swallow the vicious comment I was about to make, I headed into
> the office with a parka, gloves, warm socks and long pants (remember
> this was May in California and it's normally warm if you dont have to
> live in the datacenter).  After 36 hours of restoring a full standard
> 16 gb database and catnaps under conference room tables, I finally got
> to go home having fully restored, upgraded and repaired the crashed
> DB.  Mailboxes were cleaned out and users were "educated" with my
> LART!
>
> Fast forward to the following Friday... my Jr. Admin all of the sudden
> freaks out and says "It's happening again!" which puts me into full
> out "BIATCH mode".  I hobble to one end of the building, shouting "If
> you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO
> NOT OPEN IT and then hobbled to the other end, repeating this
> "bellowed refrain" upstairs and down   After I got back to my desk
> and got my breath back, I headed to the datacenter on our floor.  My
> boss had shut things down properly this time, and his boss and he were
> standing there waiting for me... with my boss's Army Ranger parka in
> hand because I had taken all my warm stuff home after the last
> weekend.  I composed myself as best as I could (see prior BIATCH mode
> statement) and I told them I needed to talk to the company at the
> meeting that was starting in 10 minutes downstairs.  They got me to
> promise I wasn't going to kill anyone and checked me for my LART, then
> gave permission for me to leave the DC
>
> I headed down to the Company-wide meeting in the cafeteria, hobbled
> over to the President and said "I need 5 minutes of this meeting".  He
> looked at me and said... "of course" and stepped clear.   As I am
> heading to the front of the room, I am seeing all of these
> 20-somethings looking at me like I have horns, and they are trying to
> figure out who I am, Ranger parka and all.  I am someone of a slightly
> older generation, shall we say, and I as I was headed up, I kept
> trying to think of a way not to look like a ranting and raving
> Lunatic.  As I am composing myself, I see UserX and User Y skulk
> across the back of the room, trying to stay out of my line of
> sight.  I took a breath and thought about how I would talk to my
> young adult son (then about 20 himself).  So here is what I said:
>
> Hello, you might not know me but my name is Kat and I manage the email
> system here.  (you could hear the silent intake of whooshed breath at
> that)
>
> I continued:
>
> Practicing Safe Email is like practicing Safe Sex:
> 1. Always know who you are doing it with...
> 2. Always use protection...
> 3. and if you don't think you should be doing it, you probably shouldn't!!!
>
> And with that I proceeded to hobble back out to the DC, watching their
> slackened jaws hit the floor in shock and disbelief at what I had just
> said... but they were still talking about it 7 months later when at
> the Company Holiday party I was asked where my Ranger Parka was
>
> Still one of my crowning glories in corporate history there!!
>
> On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul 
> wrote:
>  > I remember that day too.  Got it mostly cleaned up and a @#%!$ user
> opened
> > it up a second time!  Grrr…  Learned a lot from that little lesson.
> >
> >
> >
> > From: Don Ely [mailto:don@gmail.com]
> > Sent: Friday, September 10, 2010 12:57 PM
> >
> > To: MS-Exchange Admin Issues
> > Subject: Re: Possible Email Virus
> >
> >
> >
> > I still remember that day very well...  Lot's of queue cleaning that
> day...
> >
> > On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
> > wrote:
> >
> > Haw – first time I experienced that was when the I

RE: Possible Email Virus

[Don Andrews]

We were not yet on Exchange and were evaluating or had just implemented the 
gateway AV/AS/filtering system that we use today.  The vendor made a point of 
calling to ensure we were aware of the problem and had implemented a filter to 
block those in advance of the AV vendor's signature updates.


From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Friday, September 10, 2010 11:48 AM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

Good story!

You probably could've just sent a very stern e-mail company wide with the 
Subject: "I love you".they all would've probably read it.

- Sean
On Fri, Sep 10, 2010 at 10:39 AM, Kat Aylward 
mailto:messagel...@gmail.com>> wrote:
Little story...

I was new at a Silicon Valley startup... I'd been there maybe 5 months
as the Exchange Admin and had managed to stay under the radar for most
people.  I also had knee surgery about 6 weeks prior.  That Friday
morning, I was at home (about 8:30-9:00am) and my MOM called me to say
"honey, I just heard about this virus..." as my work cellphone was
ringing.  "Gotta go, mom..." and I picked up a frantic call from my
boss.  He says all hell has broken out and I tell him to shut down the
exchange servers... so he pushes the power button on all 3!!  ACK!!!
After I swallow the vicious comment I was about to make, I headed into
the office with a parka, gloves, warm socks and long pants (remember
this was May in California and it's normally warm if you dont have to
live in the datacenter).  After 36 hours of restoring a full standard
16 gb database and catnaps under conference room tables, I finally got
to go home having fully restored, upgraded and repaired the crashed
DB.  Mailboxes were cleaned out and users were "educated" with my
LART!

Fast forward to the following Friday... my Jr. Admin all of the sudden
freaks out and says "It's happening again!" which puts me into full
out "BIATCH mode".  I hobble to one end of the building, shouting "If
you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO
NOT OPEN IT and then hobbled to the other end, repeating this
"bellowed refrain" upstairs and down   After I got back to my desk
and got my breath back, I headed to the datacenter on our floor.  My
boss had shut things down properly this time, and his boss and he were
standing there waiting for me... with my boss's Army Ranger parka in
hand because I had taken all my warm stuff home after the last
weekend.  I composed myself as best as I could (see prior BIATCH mode
statement) and I told them I needed to talk to the company at the
meeting that was starting in 10 minutes downstairs.  They got me to
promise I wasn't going to kill anyone and checked me for my LART, then
gave permission for me to leave the DC

I headed down to the Company-wide meeting in the cafeteria, hobbled
over to the President and said "I need 5 minutes of this meeting".  He
looked at me and said... "of course" and stepped clear.   As I am
heading to the front of the room, I am seeing all of these
20-somethings looking at me like I have horns, and they are trying to
figure out who I am, Ranger parka and all.  I am someone of a slightly
older generation, shall we say, and I as I was headed up, I kept
trying to think of a way not to look like a ranting and raving
Lunatic.  As I am composing myself, I see UserX and User Y skulk
across the back of the room, trying to stay out of my line of
sight.  I took a breath and thought about how I would talk to my
young adult son (then about 20 himself).  So here is what I said:

Hello, you might not know me but my name is Kat and I manage the email
system here.  (you could hear the silent intake of whooshed breath at
that)

I continued:

Practicing Safe Email is like practicing Safe Sex:
1. Always know who you are doing it with...
2. Always use protection...
3. and if you don't think you should be doing it, you probably shouldn't!!!

And with that I proceeded to hobble back out to the DC, watching their
slackened jaws hit the floor in shock and disbelief at what I had just
said... but they were still talking about it 7 months later when at
the Company Holiday party I was asked where my Ranger Parka was

Still one of my crowning glories in corporate history there!!

On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul 
mailto:pmaglin...@scvl.com>> wrote:
> I remember that day too.  Got it mostly cleaned up and a @#%!$ user opened
> it up a second time!  Grrr...  Learned a lot from that little lesson.
>
>
>
> From: Don Ely [mailto:don@gmail.com<mailto:don@gmail.com>]
> Sent: Friday, September 10, 2010 12:57 PM
>
> To: MS-Exchange Admin Issues
> Subject: Re: Possible Email Virus
>
>
>
> I still remember that day very well...  Lot&

RE: Possible Email Virus

[Alex Robinson]

OUTSTANDING!

-Alex

-Original Message-
From: Kat Aylward [mailto:messagel...@gmail.com] 
Sent: Friday, September 10, 2010 1:40 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

Little story...

I was new at a Silicon Valley startup... I'd been there maybe 5 months
as the Exchange Admin and had managed to stay under the radar for most
people.  I also had knee surgery about 6 weeks prior.  That Friday
morning, I was at home (about 8:30-9:00am) and my MOM called me to say
"honey, I just heard about this virus..." as my work cellphone was
ringing.  "Gotta go, mom..." and I picked up a frantic call from my
boss.  He says all hell has broken out and I tell him to shut down the
exchange servers... so he pushes the power button on all 3!!  ACK!!!
After I swallow the vicious comment I was about to make, I headed into
the office with a parka, gloves, warm socks and long pants (remember
this was May in California and it's normally warm if you dont have to
live in the datacenter).  After 36 hours of restoring a full standard
16 gb database and catnaps under conference room tables, I finally got
to go home having fully restored, upgraded and repaired the crashed
DB.  Mailboxes were cleaned out and users were "educated" with my
LART!

Fast forward to the following Friday... my Jr. Admin all of the sudden
freaks out and says "It's happening again!" which puts me into full
out "BIATCH mode".  I hobble to one end of the building, shouting "If
you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO
NOT OPEN IT and then hobbled to the other end, repeating this
"bellowed refrain" upstairs and down   After I got back to my desk
and got my breath back, I headed to the datacenter on our floor.  My
boss had shut things down properly this time, and his boss and he were
standing there waiting for me... with my boss's Army Ranger parka in
hand because I had taken all my warm stuff home after the last
weekend.  I composed myself as best as I could (see prior BIATCH mode
statement) and I told them I needed to talk to the company at the
meeting that was starting in 10 minutes downstairs.  They got me to
promise I wasn't going to kill anyone and checked me for my LART, then
gave permission for me to leave the DC

I headed down to the Company-wide meeting in the cafeteria, hobbled
over to the President and said "I need 5 minutes of this meeting".  He
looked at me and said... "of course" and stepped clear.   As I am
heading to the front of the room, I am seeing all of these
20-somethings looking at me like I have horns, and they are trying to
figure out who I am, Ranger parka and all.  I am someone of a slightly
older generation, shall we say, and I as I was headed up, I kept
trying to think of a way not to look like a ranting and raving
Lunatic.  As I am composing myself, I see UserX and User Y skulk
across the back of the room, trying to stay out of my line of
sight.  I took a breath and thought about how I would talk to my
young adult son (then about 20 himself).  So here is what I said:

Hello, you might not know me but my name is Kat and I manage the email
system here.  (you could hear the silent intake of whooshed breath at
that)

I continued:

Practicing Safe Email is like practicing Safe Sex:
1. Always know who you are doing it with...
2. Always use protection...
3. and if you don't think you should be doing it, you probably shouldn't!!!

And with that I proceeded to hobble back out to the DC, watching their
slackened jaws hit the floor in shock and disbelief at what I had just
said... but they were still talking about it 7 months later when at
the Company Holiday party I was asked where my Ranger Parka was

Still one of my crowning glories in corporate history there!!

On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul  wrote:
> I remember that day too.  Got it mostly cleaned up and a @#%!$ user opened
> it up a second time!  Grrr.  Learned a lot from that little lesson.
>
>
>
> From: Don Ely [mailto:don@gmail.com]
> Sent: Friday, September 10, 2010 12:57 PM
>
> To: MS-Exchange Admin Issues
> Subject: Re: Possible Email Virus
>
>
>
> I still remember that day very well...  Lot's of queue cleaning that day...
>
> On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
> wrote:
>
> Haw - first time I experienced that was when the I Love You virus came out.
>
>
>
> ____
>
> From: Brown, Larry [mailto:lc.br...@dplinc.com]
> Sent: Friday, September 10, 2010 9:23 AM
>
> To: MS-Exchange Admin Issues
> Subject: RE: Possible Email Virus
>
>
>
> That wasn't our experience.  Our users do NOT have local admin rights.but
> the virus ran anyway.
>
>
>
> Of course.this may depend on OS.  We are still running XP.
>
&

RE: Possible Email Virus

[PRamatowski]

If anyone needs a copy

[cid:image001.png@01CB50FF.298E1110]



From: Don Ely [mailto:don@gmail.com]
Sent: Friday, September 10, 2010 2:09 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

We exmerged the email out of the mailboxes to prevent that...
On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul 
mailto:pmaglin...@scvl.com>> wrote:
I remember that day too.  Got it mostly cleaned up and a @#%!$ user opened it 
up a second time!  Grrr...  Learned a lot from that little lesson.

From: Don Ely [mailto:don@gmail.com<mailto:don@gmail.com>]
Sent: Friday, September 10, 2010 12:57 PM

To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

I still remember that day very well...  Lot's of queue cleaning that day...
On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Haw - first time I experienced that was when the I Love You virus came out.


From: Brown, Larry [mailto:lc.br...@dplinc.com<mailto:lc.br...@dplinc.com>]
Sent: Friday, September 10, 2010 9:23 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

That wasn't our experience.  Our users do NOT have local admin rights...but the 
virus ran anyway.

Of course...this may depend on OS.  We are still running XP.

Within 10 minutes of the appearance on our network we had the website 
blocked...and then started getting calls to the Help Desk complaining about the 
link being blocked.  Sheesh...

Larry

From: Don Ely [mailto:don@gmail.com<mailto:don@gmail.com>]
Sent: Friday, September 10, 2010 12:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

One thing we noticed is that if a user was not running with admin rights, the 
virus couldn't run...
On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
mailto:don.andr...@safeway.com>> wrote:
Appears that we had less than 100 copies come in and our AS caught and dropped 
every one of them >:-)


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us<mailto:john.hornbuc...@taylor.k12.fl.us>]
Sent: Friday, September 10, 2010 2:53 AM

To: MS-Exchange Admin Issues
Subject: RE: Possible Email Virus

Mitigated, as best as I can tell, by having users run without elevated 
permissions.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us/>




On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT 
mailto:clint.klec...@cigna.com>> wrote:
Reports of an email virus hitting some companies today. It has a link to a .scr 
file that looks like a PDF link. When users click it, it begins sending emails 
using the GAL or contacts. Not sure of the origin at this point but wanted to 
send a heads up. The email subject is "Here you have".


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe exchangelist


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailt

Re: Possible Email Virus

[Richard Stovall]

>From the article:

Note: The link does not really point to a PDF document or Windows media
movie file. The link directs users to download a copy of the worm from a
user account on the domain "members.multimania.co.uk" as "*
PDF_Document21_025542010_pdf.scr*".

On Fri, Sep 10, 2010 at 2:10 PM, Sean Martin  wrote:

> Is this the same worm?
>
>
> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B
>
> If so, the article mentions the following sites:
>
>
> http:// www dot sharedocuments dot com / library /
> PDF_Document21.025542010.pdf
>
> http:// www dot sharedmovies dot com / library / SEX21.025542010.wmv
>
> - Sean
> On Fri, Sep 10, 2010 at 10:00 AM, Brown, Larry wrote:
>
>>  I honestly don’t know…although I heard them saying it was a web site in
>> the UK…was handled by our Web Sense admins.
>>
>>
>>
>>
>>
>> *Larry*
>>
>>
>>
>> *From:* Roger Wright [mailto:rhw...@gmail.com]
>> *Sent:* Friday, September 10, 2010 1:13 PM
>>
>> *To:* MS-Exchange Admin Issues
>> *Subject:* Re: Possible Email Virus
>>
>>
>>
>> In our case the link was:
>>
>>
>>
>> http:// members dot multimania dot co dot uk
>>
>>
>>
>>
>>
>> Roger Wright
>> ___
>>
>> When it's GOOD there ain't nothin' like it, and when it's BAD there ain't
>> nothin' like it!
>>
>>
>>
>>  On Fri, Sep 10, 2010 at 12:27 PM,  wrote:
>>
>> What web site did you block?
>>
>>
>> - Original Message -
>> From: "Larry Brown" 
>>  To: "MS-Exchange Admin Issues" 
>> Sent: Friday, September 10, 2010 11:23:06 AM
>> Subject: RE: Possible Email Virus
>>
>>   That wasn’t our experience.  Our users do NOT have local admin
>> rights…but the virus ran anyway.
>>
>>
>>
>> Of course…this may depend on OS.  We are still running XP.
>>
>>
>>
>> Within 10 minutes of the appearance on our network we had the website
>> blocked…and then started getting calls to the Help Desk complaining about
>> the link being blocked.  Sheesh…
>>
>>
>>
>> *Larry*
>>
>>
>>
>> *From:* Don Ely [mailto:don@gmail.com]
>> *Sent:* Friday, September 10, 2010 12:17 PM
>> *To:* MS-Exchange Admin Issues
>> *Subject:* Re: Possible Email Virus
>>
>>
>>
>> One thing we noticed is that if a user was not running with admin rights,
>> the virus couldn't run...
>>
>> On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews 
>> wrote:
>>
>> Appears that we had less than 100 copies come in and our AS caught and
>> dropped every one of them >:-)
>>
>>
>>  --
>>
>> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
>> *Sent:* Friday, September 10, 2010 2:53 AM
>>
>>
>> *To:* MS-Exchange Admin Issues
>>
>> *Subject:* RE: Possible Email Virus
>>
>>
>>
>> Mitigated, as best as I can tell, by having users run without elevated
>> permissions.
>>
>>
>>
>>
>>
>>
>>
>> John Hornbuckle
>>
>> MIS Department
>>
>> Taylor County School District
>>
>> www.taylor.k12.fl.us
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT <
>> clint.klec...@cigna.com> wrote:
>>
>> Reports of an email virus hitting some companies today. It has a link to a
>> .scr file that looks like a PDF link. When users click it, it begins sending
>> emails using the GAL or contacts. Not sure of the origin at this point but
>> wanted to send a heads up. The email subject is “Here you have”.
>>
>>
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe exchangelist
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe exchangelist
>>
>> NOTICE: Florida has a broad public records law. Most written communications 
>> to or from this entity are public records that will be disclosed to the 
>> public and the media upon request. E-mail communications may be subject to 
>> public disclosure.
>

RE: Possible Email Virus

[Erik Goldoff]

Yep, May 4, 2000 … when I was still ‘ham boy’   We had monitored the
list and were headed to the server room to shut down the smtp gateway when
the president of the company was so thrilled that someone loved him he
clicked the link.  That sucker was fast.  We took the server offline for a
few hours to clean the queues but otherwise no damage.

Good times  J 

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Don Ely [mailto:don@gmail.com] 
Sent: Friday, September 10, 2010 1:57 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

 

I still remember that day very well...  Lot's of queue cleaning that day...

On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews 
wrote:

Haw – first time I experienced that was when the I Love You virus came out.

 


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

RE: Possible Email Virus

[Erik Goldoff]

Practicing Safe Email is like practicing Safe Sex:
1. Always know who you are doing it with...
2. Always use protection...
3. and if you don't think you should be doing it, you probably shouldn't!!!


Cute ... I may have to borrow this 

Erik Goldoff
IT  Consultant
Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '



-Original Message-
From: Kat Aylward [mailto:messagel...@gmail.com] 
Sent: Friday, September 10, 2010 2:40 PM
To: MS-Exchange Admin Issues
Subject: Re: Possible Email Virus

Little story...


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist

Re: Possible Email Virus

[Kat Aylward]

hehehe - I have told that story (in it's entirety because I just cant
start 1/2 way in) to probably 20-30 different groups over the last 10
years, and every one of them has had that same reaction!!  You are
welcome, just attribute properly ("some woman in BIATCH-mode told me
this once")!!  :-)

On Fri, Sep 10, 2010 at 4:06 PM, Erik Goldoff  wrote:
> Practicing Safe Email is like practicing Safe Sex:
> 1. Always know who you are doing it with...
> 2. Always use protection...
> 3. and if you don't think you should be doing it, you probably shouldn't!!!
>
>
> Cute ... I may have to borrow this 
>
> Erik Goldoff
> IT  Consultant
> Systems, Networks, & Security
>
> '  Security is an ongoing process, not a one time event ! '
>
>
>
> -Original Message-
> From: Kat Aylward [mailto:messagel...@gmail.com]
> Sent: Friday, September 10, 2010 2:40 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Possible Email Virus
>
> Little story...
>
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe exchangelist
>



-- 
Kat Aylward

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist