RE: Possible Email Virus
Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.comwrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.usmailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
Ah, with Windows 7 and no admin rights nothing happened. And believe me, our users tried their hardest to execute it... On Fri, Sep 10, 2010 at 9:23 AM, Brown, Larry lc.br...@dplinc.com wrote: That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… *Larry* *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:17 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
What web site did you block? - Original Message - From: Larry Brown lc.br...@dplinc.com To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Friday, September 10, 2010 11:23:06 AM Subject: RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto: john.hornbuc...@taylor.k12.fl.us ] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
In our case the link was: http:// members dot multimania dot co dot uk Roger Wright ___ When it's GOOD there ain't nothin' like it, and when it's BAD there ain't nothin' like it! On Fri, Sep 10, 2010 at 12:27 PM, bzalew...@comcast.net wrote: What web site did you block? - Original Message - From: Larry Brown lc.br...@dplinc.com To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Friday, September 10, 2010 11:23:06 AM Subject: RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… *Larry* *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:17 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.usmailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.comwrote: Haw – first time I experienced that was when the I Love You virus came out. -- *From:* Brown, Larry [mailto:lc.br...@dplinc.com] *Sent:* Friday, September 10, 2010 9:23 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… *Larry* *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:17 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
I honestly don't know...although I heard them saying it was a web site in the UK...was handled by our Web Sense admins. Larry From: Roger Wright [mailto:rhw...@gmail.com] Sent: Friday, September 10, 2010 1:13 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus In our case the link was: http:// members dot multimania dot co dot uk Roger Wright ___ When it's GOOD there ain't nothin' like it, and when it's BAD there ain't nothin' like it! On Fri, Sep 10, 2010 at 12:27 PM, bzalew...@comcast.netmailto:bzalew...@comcast.net wrote: What web site did you block? - Original Message - From: Larry Brown lc.br...@dplinc.commailto:lc.br...@dplinc.com To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.commailto:exchangelist@lyris.sunbelt-software.com Sent: Friday, September 10, 2010 11:23:06 AM Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.commailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.usmailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr... Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us http://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
We exmerged the email out of the mailboxes to prevent that... On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.comwrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr… Learned a lot from that little lesson. *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:57 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw – first time I experienced that was when the I Love You virus came out. -- *From:* Brown, Larry [mailto:lc.br...@dplinc.com] *Sent:* Friday, September 10, 2010 9:23 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… *Larry* *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:17 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
Is this the same worm? http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B If so, the article mentions the following sites: http:// www dot sharedocuments dot com / library / PDF_Document21.025542010.pdf http:// www dot sharedmovies dot com / library / SEX21.025542010.wmv - Sean On Fri, Sep 10, 2010 at 10:00 AM, Brown, Larry lc.br...@dplinc.com wrote: I honestly don’t know…although I heard them saying it was a web site in the UK…was handled by our Web Sense admins. *Larry* *From:* Roger Wright [mailto:rhw...@gmail.com] *Sent:* Friday, September 10, 2010 1:13 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus In our case the link was: http:// members dot multimania dot co dot uk Roger Wright ___ When it's GOOD there ain't nothin' like it, and when it's BAD there ain't nothin' like it! On Fri, Sep 10, 2010 at 12:27 PM, bzalew...@comcast.net wrote: What web site did you block? - Original Message - From: Larry Brown lc.br...@dplinc.com To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Friday, September 10, 2010 11:23:06 AM Subject: RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… *Larry* *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:17 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Somehow he still had it in Outlook. I don't remember if it was in a personal folder or what now. I do remember asking him, Why the *heck* do you think the CEO would be sending you an email that said I love you?!? From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 1:09 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus We exmerged the email out of the mailboxes to prevent that... On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.com wrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr... Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us http://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
I remember that, too. I was at Walt Disney World with my son. Luckily someone else was on hand to clean up the mess. After that, it became kind of a what's going to happen while Paul's on vacation? (Surprisingly, a primary server did crash while I was gone. Luckily it was one that was supported by DG.) From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 1:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.commailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.commailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.usmailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Same here. We had it stopped at the boundary, but weren't running anything on the workstations. Then some user brought in an infected diskette to print off a resume for his Mom. That was a 40 hour day. From: Maglinger, Paul [mailto:pmaglin...@scvl.com] Sent: Friday, September 10, 2010 1:07 PM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr... Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.commailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.commailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.usmailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist ** Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient
Re: Possible Email Virus
Little story... I was new at a Silicon Valley startup... I'd been there maybe 5 months as the Exchange Admin and had managed to stay under the radar for most people. I also had knee surgery about 6 weeks prior. That Friday morning, I was at home (about 8:30-9:00am) and my MOM called me to say honey, I just heard about this virus... as my work cellphone was ringing. Gotta go, mom... and I picked up a frantic call from my boss. He says all hell has broken out and I tell him to shut down the exchange servers... so he pushes the power button on all 3!! ACK!!! After I swallow the vicious comment I was about to make, I headed into the office with a parka, gloves, warm socks and long pants (remember this was May in California and it's normally warm if you dont have to live in the datacenter). After 36 hours of restoring a full standard 16 gb database and catnaps under conference room tables, I finally got to go home having fully restored, upgraded and repaired the crashed DB. Mailboxes were cleaned out and users were educated with my LART! Fast forward to the following Friday... my Jr. Admin all of the sudden freaks out and says It's happening again! which puts me into full out BIATCH mode. I hobble to one end of the building, shouting If you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO NOT OPEN IT and then hobbled to the other end, repeating this bellowed refrain upstairs and down After I got back to my desk and got my breath back, I headed to the datacenter on our floor. My boss had shut things down properly this time, and his boss and he were standing there waiting for me... with my boss's Army Ranger parka in hand because I had taken all my warm stuff home after the last weekend. I composed myself as best as I could (see prior BIATCH mode statement) and I told them I needed to talk to the company at the meeting that was starting in 10 minutes downstairs. They got me to promise I wasn't going to kill anyone and checked me for my LART, then gave permission for me to leave the DC I headed down to the Company-wide meeting in the cafeteria, hobbled over to the President and said I need 5 minutes of this meeting. He looked at me and said... of course and stepped clear. As I am heading to the front of the room, I am seeing all of these 20-somethings looking at me like I have horns, and they are trying to figure out who I am, Ranger parka and all. I am someone of a slightly older generation, shall we say, and I as I was headed up, I kept trying to think of a way not to look like a ranting and raving Lunatic. As I am composing myself, I see UserX and User Y skulk across the back of the room, trying to stay out of my line of sight. I took a breath and thought about how I would talk to my young adult son (then about 20 himself). So here is what I said: Hello, you might not know me but my name is Kat and I manage the email system here. (you could hear the silent intake of whooshed breath at that) I continued: Practicing Safe Email is like practicing Safe Sex: 1. Always know who you are doing it with... 2. Always use protection... 3. and if you don't think you should be doing it, you probably shouldn't!!! And with that I proceeded to hobble back out to the DC, watching their slackened jaws hit the floor in shock and disbelief at what I had just said... but they were still talking about it 7 months later when at the Company Holiday party I was asked where my Ranger Parka was Still one of my crowning glories in corporate history there!! On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.com wrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr… Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw – first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep
Re: Possible Email Virus
Good story! You probably could've just sent a very stern e-mail company wide with the Subject: I love you.they all would've probably read it. - Sean On Fri, Sep 10, 2010 at 10:39 AM, Kat Aylward messagel...@gmail.com wrote: Little story... I was new at a Silicon Valley startup... I'd been there maybe 5 months as the Exchange Admin and had managed to stay under the radar for most people. I also had knee surgery about 6 weeks prior. That Friday morning, I was at home (about 8:30-9:00am) and my MOM called me to say honey, I just heard about this virus... as my work cellphone was ringing. Gotta go, mom... and I picked up a frantic call from my boss. He says all hell has broken out and I tell him to shut down the exchange servers... so he pushes the power button on all 3!! ACK!!! After I swallow the vicious comment I was about to make, I headed into the office with a parka, gloves, warm socks and long pants (remember this was May in California and it's normally warm if you dont have to live in the datacenter). After 36 hours of restoring a full standard 16 gb database and catnaps under conference room tables, I finally got to go home having fully restored, upgraded and repaired the crashed DB. Mailboxes were cleaned out and users were educated with my LART! Fast forward to the following Friday... my Jr. Admin all of the sudden freaks out and says It's happening again! which puts me into full out BIATCH mode. I hobble to one end of the building, shouting If you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO NOT OPEN IT and then hobbled to the other end, repeating this bellowed refrain upstairs and down After I got back to my desk and got my breath back, I headed to the datacenter on our floor. My boss had shut things down properly this time, and his boss and he were standing there waiting for me... with my boss's Army Ranger parka in hand because I had taken all my warm stuff home after the last weekend. I composed myself as best as I could (see prior BIATCH mode statement) and I told them I needed to talk to the company at the meeting that was starting in 10 minutes downstairs. They got me to promise I wasn't going to kill anyone and checked me for my LART, then gave permission for me to leave the DC I headed down to the Company-wide meeting in the cafeteria, hobbled over to the President and said I need 5 minutes of this meeting. He looked at me and said... of course and stepped clear. As I am heading to the front of the room, I am seeing all of these 20-somethings looking at me like I have horns, and they are trying to figure out who I am, Ranger parka and all. I am someone of a slightly older generation, shall we say, and I as I was headed up, I kept trying to think of a way not to look like a ranting and raving Lunatic. As I am composing myself, I see UserX and User Y skulk across the back of the room, trying to stay out of my line of sight. I took a breath and thought about how I would talk to my young adult son (then about 20 himself). So here is what I said: Hello, you might not know me but my name is Kat and I manage the email system here. (you could hear the silent intake of whooshed breath at that) I continued: Practicing Safe Email is like practicing Safe Sex: 1. Always know who you are doing it with... 2. Always use protection... 3. and if you don't think you should be doing it, you probably shouldn't!!! And with that I proceeded to hobble back out to the DC, watching their slackened jaws hit the floor in shock and disbelief at what I had just said... but they were still talking about it 7 months later when at the Company Holiday party I was asked where my Ranger Parka was Still one of my crowning glories in corporate history there!! On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.com wrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr… Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw – first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help
RE: Possible Email Virus
We were not yet on Exchange and were evaluating or had just implemented the gateway AV/AS/filtering system that we use today. The vendor made a point of calling to ensure we were aware of the problem and had implemented a filter to block those in advance of the AV vendor's signature updates. From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Friday, September 10, 2010 11:48 AM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Good story! You probably could've just sent a very stern e-mail company wide with the Subject: I love you.they all would've probably read it. - Sean On Fri, Sep 10, 2010 at 10:39 AM, Kat Aylward messagel...@gmail.commailto:messagel...@gmail.com wrote: Little story... I was new at a Silicon Valley startup... I'd been there maybe 5 months as the Exchange Admin and had managed to stay under the radar for most people. I also had knee surgery about 6 weeks prior. That Friday morning, I was at home (about 8:30-9:00am) and my MOM called me to say honey, I just heard about this virus... as my work cellphone was ringing. Gotta go, mom... and I picked up a frantic call from my boss. He says all hell has broken out and I tell him to shut down the exchange servers... so he pushes the power button on all 3!! ACK!!! After I swallow the vicious comment I was about to make, I headed into the office with a parka, gloves, warm socks and long pants (remember this was May in California and it's normally warm if you dont have to live in the datacenter). After 36 hours of restoring a full standard 16 gb database and catnaps under conference room tables, I finally got to go home having fully restored, upgraded and repaired the crashed DB. Mailboxes were cleaned out and users were educated with my LART! Fast forward to the following Friday... my Jr. Admin all of the sudden freaks out and says It's happening again! which puts me into full out BIATCH mode. I hobble to one end of the building, shouting If you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO NOT OPEN IT and then hobbled to the other end, repeating this bellowed refrain upstairs and down After I got back to my desk and got my breath back, I headed to the datacenter on our floor. My boss had shut things down properly this time, and his boss and he were standing there waiting for me... with my boss's Army Ranger parka in hand because I had taken all my warm stuff home after the last weekend. I composed myself as best as I could (see prior BIATCH mode statement) and I told them I needed to talk to the company at the meeting that was starting in 10 minutes downstairs. They got me to promise I wasn't going to kill anyone and checked me for my LART, then gave permission for me to leave the DC I headed down to the Company-wide meeting in the cafeteria, hobbled over to the President and said I need 5 minutes of this meeting. He looked at me and said... of course and stepped clear. As I am heading to the front of the room, I am seeing all of these 20-somethings looking at me like I have horns, and they are trying to figure out who I am, Ranger parka and all. I am someone of a slightly older generation, shall we say, and I as I was headed up, I kept trying to think of a way not to look like a ranting and raving Lunatic. As I am composing myself, I see UserX and User Y skulk across the back of the room, trying to stay out of my line of sight. I took a breath and thought about how I would talk to my young adult son (then about 20 himself). So here is what I said: Hello, you might not know me but my name is Kat and I manage the email system here. (you could hear the silent intake of whooshed breath at that) I continued: Practicing Safe Email is like practicing Safe Sex: 1. Always know who you are doing it with... 2. Always use protection... 3. and if you don't think you should be doing it, you probably shouldn't!!! And with that I proceeded to hobble back out to the DC, watching their slackened jaws hit the floor in shock and disbelief at what I had just said... but they were still talking about it 7 months later when at the Company Holiday party I was asked where my Ranger Parka was Still one of my crowning glories in corporate history there!! On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.commailto:pmaglin...@scvl.com wrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr... Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.commailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus
RE: Possible Email Virus
OUTSTANDING! -Alex -Original Message- From: Kat Aylward [mailto:messagel...@gmail.com] Sent: Friday, September 10, 2010 1:40 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Little story... I was new at a Silicon Valley startup... I'd been there maybe 5 months as the Exchange Admin and had managed to stay under the radar for most people. I also had knee surgery about 6 weeks prior. That Friday morning, I was at home (about 8:30-9:00am) and my MOM called me to say honey, I just heard about this virus... as my work cellphone was ringing. Gotta go, mom... and I picked up a frantic call from my boss. He says all hell has broken out and I tell him to shut down the exchange servers... so he pushes the power button on all 3!! ACK!!! After I swallow the vicious comment I was about to make, I headed into the office with a parka, gloves, warm socks and long pants (remember this was May in California and it's normally warm if you dont have to live in the datacenter). After 36 hours of restoring a full standard 16 gb database and catnaps under conference room tables, I finally got to go home having fully restored, upgraded and repaired the crashed DB. Mailboxes were cleaned out and users were educated with my LART! Fast forward to the following Friday... my Jr. Admin all of the sudden freaks out and says It's happening again! which puts me into full out BIATCH mode. I hobble to one end of the building, shouting If you receive an email from UserX and UserY, DO NOT OPEN IT, I repeat DO NOT OPEN IT and then hobbled to the other end, repeating this bellowed refrain upstairs and down After I got back to my desk and got my breath back, I headed to the datacenter on our floor. My boss had shut things down properly this time, and his boss and he were standing there waiting for me... with my boss's Army Ranger parka in hand because I had taken all my warm stuff home after the last weekend. I composed myself as best as I could (see prior BIATCH mode statement) and I told them I needed to talk to the company at the meeting that was starting in 10 minutes downstairs. They got me to promise I wasn't going to kill anyone and checked me for my LART, then gave permission for me to leave the DC I headed down to the Company-wide meeting in the cafeteria, hobbled over to the President and said I need 5 minutes of this meeting. He looked at me and said... of course and stepped clear. As I am heading to the front of the room, I am seeing all of these 20-somethings looking at me like I have horns, and they are trying to figure out who I am, Ranger parka and all. I am someone of a slightly older generation, shall we say, and I as I was headed up, I kept trying to think of a way not to look like a ranting and raving Lunatic. As I am composing myself, I see UserX and User Y skulk across the back of the room, trying to stay out of my line of sight. I took a breath and thought about how I would talk to my young adult son (then about 20 himself). So here is what I said: Hello, you might not know me but my name is Kat and I manage the email system here. (you could hear the silent intake of whooshed breath at that) I continued: Practicing Safe Email is like practicing Safe Sex: 1. Always know who you are doing it with... 2. Always use protection... 3. and if you don't think you should be doing it, you probably shouldn't!!! And with that I proceeded to hobble back out to the DC, watching their slackened jaws hit the floor in shock and disbelief at what I had just said... but they were still talking about it 7 months later when at the Company Holiday party I was asked where my Ranger Parka was Still one of my crowning glories in corporate history there!! On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.com wrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr. Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights.but the virus ran anyway. Of course.this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked.and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh. Larry From: Don Ely [mailto:don@gmail.com] Sent: Friday, September
RE: Possible Email Virus
If anyone needs a copy [cid:image001.png@01CB50FF.298E1110] From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 2:09 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus We exmerged the email out of the mailboxes to prevent that... On Fri, Sep 10, 2010 at 11:07 AM, Maglinger, Paul pmaglin...@scvl.commailto:pmaglin...@scvl.com wrote: I remember that day too. Got it mostly cleaned up and a @#%!$ user opened it up a second time! Grrr... Learned a lot from that little lesson. From: Don Ely [mailto:don@gmail.commailto:don@gmail.com] Sent: Friday, September 10, 2010 12:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Haw - first time I experienced that was when the I Love You virus came out. From: Brown, Larry [mailto:lc.br...@dplinc.commailto:lc.br...@dplinc.com] Sent: Friday, September 10, 2010 9:23 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus That wasn't our experience. Our users do NOT have local admin rights...but the virus ran anyway. Of course...this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked...and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh... Larry From: Don Ely [mailto:don@gmail.commailto:don@gmail.com] Sent: Friday, September 10, 2010 12:17 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.commailto:don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.usmailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, September 10, 2010 2:53 AM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.ushttp://www.taylor.k12.fl.us/ On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
From the article: Note: The link does not really point to a PDF document or Windows media movie file. The link directs users to download a copy of the worm from a user account on the domain members.multimania.co.uk as * PDF_Document21_025542010_pdf.scr*. On Fri, Sep 10, 2010 at 2:10 PM, Sean Martin seanmarti...@gmail.com wrote: Is this the same worm? http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B If so, the article mentions the following sites: http:// www dot sharedocuments dot com / library / PDF_Document21.025542010.pdf http:// www dot sharedmovies dot com / library / SEX21.025542010.wmv - Sean On Fri, Sep 10, 2010 at 10:00 AM, Brown, Larry lc.br...@dplinc.comwrote: I honestly don’t know…although I heard them saying it was a web site in the UK…was handled by our Web Sense admins. *Larry* *From:* Roger Wright [mailto:rhw...@gmail.com] *Sent:* Friday, September 10, 2010 1:13 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus In our case the link was: http:// members dot multimania dot co dot uk Roger Wright ___ When it's GOOD there ain't nothin' like it, and when it's BAD there ain't nothin' like it! On Fri, Sep 10, 2010 at 12:27 PM, bzalew...@comcast.net wrote: What web site did you block? - Original Message - From: Larry Brown lc.br...@dplinc.com To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Friday, September 10, 2010 11:23:06 AM Subject: RE: Possible Email Virus That wasn’t our experience. Our users do NOT have local admin rights…but the virus ran anyway. Of course…this may depend on OS. We are still running XP. Within 10 minutes of the appearance on our network we had the website blocked…and then started getting calls to the Help Desk complaining about the link being blocked. Sheesh… *Larry* *From:* Don Ely [mailto:don@gmail.com] *Sent:* Friday, September 10, 2010 12:17 PM *To:* MS-Exchange Admin Issues *Subject:* Re: Possible Email Virus One thing we noticed is that if a user was not running with admin rights, the virus couldn't run... On Fri, Sep 10, 2010 at 8:41 AM, Don Andrews don.andr...@safeway.com wrote: Appears that we had less than 100 copies come in and our AS caught and dropped every one of them :-) -- *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] *Sent:* Friday, September 10, 2010 2:53 AM *To:* MS-Exchange Admin Issues *Subject:* RE: Possible Email Virus Mitigated, as best as I can tell, by having users run without elevated permissions. John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage
RE: Possible Email Virus
Yep, May 4, 2000 … when I was still ‘ham boy’ grin We had monitored the list and were headed to the server room to shut down the smtp gateway when the president of the company was so thrilled that someone loved him he clicked the link. That sucker was fast. We took the server offline for a few hours to clean the queues but otherwise no damage. Good times J Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Don Ely [mailto:don@gmail.com] Sent: Friday, September 10, 2010 1:57 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus I still remember that day very well... Lot's of queue cleaning that day... On Fri, Sep 10, 2010 at 10:55 AM, Don Andrews don.andr...@safeway.com wrote: Haw – first time I experienced that was when the I Love You virus came out. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Practicing Safe Email is like practicing Safe Sex: 1. Always know who you are doing it with... 2. Always use protection... 3. and if you don't think you should be doing it, you probably shouldn't!!! Cute ... I may have to borrow this g Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' -Original Message- From: Kat Aylward [mailto:messagel...@gmail.com] Sent: Friday, September 10, 2010 2:40 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Little story... --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
hehehe - I have told that story (in it's entirety because I just cant start 1/2 way in) to probably 20-30 different groups over the last 10 years, and every one of them has had that same reaction!! You are welcome, just attribute properly (some woman in BIATCH-mode told me this once)!! :-) On Fri, Sep 10, 2010 at 4:06 PM, Erik Goldoff egold...@gmail.com wrote: Practicing Safe Email is like practicing Safe Sex: 1. Always know who you are doing it with... 2. Always use protection... 3. and if you don't think you should be doing it, you probably shouldn't!!! Cute ... I may have to borrow this g Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' -Original Message- From: Kat Aylward [mailto:messagel...@gmail.com] Sent: Friday, September 10, 2010 2:40 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Little story... --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist -- Kat Aylward --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
Just caught some - thanks! Kleciak, Clint D A7IT clint.klec...@cigna.com 9/9/2010 3:37 PM Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
Yep it hit here - put a filter on the inbox to delete anything with that subject while the mail / security team are working it. - Original Message From: Charles A Ransom rans...@gao.gov To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Thu, September 9, 2010 2:44:10 PM Subject: Re: Possible Email Virus Just caught some - thanks! Kleciak, Clint D A7IT clint.klec...@cigna.com 9/9/2010 3:37 PM Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Thank you. CFee From: Kleciak, Clint D A7IT [mailto:clint.klec...@cigna.com] Sent: Thursday, September 09, 2010 3:38 PM To: MS-Exchange Admin Issues Subject: Possible Email Virus Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist -- CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright 2010 CIGNA == --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
From McCrappy - McAfee has received confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure. Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems. McAfee Trusted Source is actively protecting against this threat. Customers with McAfee Trusted Source Email Reputation will have the emails blocked. Customers with McAfee Trusted Source Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well. -Original Message- From: Don Kuhlman [mailto:drkuhl...@yahoo.com] Sent: Thursday, September 09, 2010 3:08 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Yep it hit here - put a filter on the inbox to delete anything with that subject while the mail / security team are working it. - Original Message From: Charles A Ransom rans...@gao.gov To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Thu, September 9, 2010 2:44:10 PM Subject: Re: Possible Email Virus Just caught some - thanks! Kleciak, Clint D A7IT clint.klec...@cigna.com 9/9/2010 3:37 PM Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Using Forefront, and message tracking logs don't find anything with that subject line all day. From: Doug Rooney [mailto:d...@sonomatilemakers.com] Sent: Thursday, September 09, 2010 4:10 PM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus I guess I am happy with what I pay Message Labs, we have had zero come in. Thank You [Description: file:///S:/Meadow%20Stebbins/Individuals/images/DRooney_01.jpg] -Original Message- From: Maglinger, Paul [mailto:pmaglin...@scvl.com] Sent: Thursday, September 09, 2010 2:05 PM To: MS-Exchange Admin Issues Subject: RE: Possible Email Virus From McCrappy - McAfee has received confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure. Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems. McAfee Trusted Source is actively protecting against this threat. Customers with McAfee Trusted Source Email Reputation will have the emails blocked. Customers with McAfee Trusted Source Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well. -Original Message- From: Don Kuhlman [mailto:drkuhl...@yahoo.com] Sent: Thursday, September 09, 2010 3:08 PM To: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Yep it hit here - put a filter on the inbox to delete anything with that subject while the mail / security team are working it. - Original Message From: Charles A Ransom rans...@gao.gov To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Thu, September 9, 2010 2:44:10 PM Subject: Re: Possible Email Virus Just caught some - thanks! Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com 9/9/2010 3:37 PM Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is Here you have. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist ** Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. ** --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelistinline: image001.jpg
Re: Possible Email Virus
For those on ex2k7 or ex2k10- Exchange 2010 *New-TransportRule* *-Name* 'Here you have' *-Comments* '' *-Priority* '0' * -Enabled* $true *-SubjectContainsWords* 'here you have' *-DeleteMessage* $true Exchange 2007 $action = *Get-TransportRuleAction* DeleteMessage $condition = *Get-TransportRulePredicate* SubjectContains $condition.Words = @(Here you have) *New-TransportRule* *-name* Here you have -Conditions @($condition) -Actions @($action) *-Priority* 0 On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist -- CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright 2010 CIGNA == --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
Is there a E2k3 version of this rule? On Sep 9, 2010, at 2:57 PM, Tom Kern tpk...@gmail.com wrote: For those on ex2k7 or ex2k10- Exchange 2010 New-TransportRule -Name 'Here you have' -Comments '' -Priority '0' -Enabled $true -SubjectContainsWords 'here you have' -DeleteMessage $true Exchange 2007 $action = Get-TransportRuleAction DeleteMessage $condition = Get-TransportRulePredicate SubjectContains $condition.Words = @(Here you have) New-TransportRule -name Here you have -Conditions @($condition) -Actions @($action) -Priority 0 On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist -- CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright 2010 CIGNA == --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Possible Email Virus
Exchange 2003 is “after the fact”. See http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-visal-b.aspx Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: messagel...@gmail.com [mailto:messagel...@gmail.com] Sent: Thursday, September 09, 2010 6:05 PM To: MS-Exchange Admin Issues Cc: MS-Exchange Admin Issues Subject: Re: Possible Email Virus Is there a E2k3 version of this rule? On Sep 9, 2010, at 2:57 PM, Tom Kern tpk...@gmail.commailto:tpk...@gmail.com wrote: For those on ex2k7 or ex2k10- Exchange 2010 New-TransportRule -Name 'Here you have' -Comments '' -Priority '0' -Enabled $true -SubjectContainsWords 'here you have' -DeleteMessage $true Exchange 2007 $action = Get-TransportRuleAction DeleteMessage $condition = Get-TransportRulePredicate SubjectContains $condition.Words = @(Here you have) New-TransportRule -name Here you have -Conditions @($condition) -Actions @($action) -Priority 0 On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.commailto:clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist -- CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright 2010 CIGNA == --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
Re: Possible Email Virus
That's what I did for our company... On Thu, Sep 9, 2010 at 2:57 PM, Tom Kern tpk...@gmail.com wrote: For those on ex2k7 or ex2k10- Exchange 2010 *New-TransportRule* *-Name* 'Here you have' *-Comments* '' *-Priority* '0' *-Enabled* $true *-SubjectContainsWords* 'here you have' *-DeleteMessage* $true Exchange 2007 $action = *Get-TransportRuleAction* DeleteMessage $condition = *Get-TransportRulePredicate* SubjectContains $condition.Words = @(Here you have) *New-TransportRule* *-name* Here you have -Conditions @($condition) -Actions @($action) *-Priority* 0 On Thu, Sep 9, 2010 at 3:37 PM, Kleciak, Clint D A7IT clint.klec...@cigna.com wrote: Reports of an email virus hitting some companies today. It has a link to a .scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. Not sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”. --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist -- CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright 2010 CIGNA == --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist