New Worm Activity - W32.Novarg.A@mm
Symantec and other anti-virus vendors are reporting a new mass-mailing
worm called W32.Novarg.A@mm. Initial reports indicate the worm spreads
through .exe, .pif, .scr, and .zip attachments. Preliminary reports
indicate the worm listens on TCP port 3127. More information will be
posted when it becomes available.

Since about 2 p.m. my pacbell account is getting some zip files [besides
the normal SWENs that it gets regularly]. I think they are Novarg. All
about 33 KB in size.

--
http://www.sbslinks.com/really.htm

Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Gary

Gary
Mon Jan 26 17:20:15 CST 2004

This one does a nasty little trick: I just got it as an attachment called
BODY.ZIP. If you double-click on it, what shows in the .zip window is a file
that is apparently called BODY.HTM, but that's only what shows in the
default WinZip window. Then I noticed that WinZip thought it was a Screen
Saver. An HTM screen saver? I extended the filename boundary in the WinZip
window, and the filename is actually BODY.HTM
scr. There's so much space between the HTM and the extension that the
default WinZip window didn't show the .SCR.

GaryK

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eAqCC5F5DHA.2740@TK2MSFTNGP09.phx.gbl...
> New Worm Activity - W32.Novarg.A@mm
> Symantec and other anti-virus vendors are reporting a new mass-mailing
> worm called W32.Novarg.A@mm. Initial reports indicate the worm spreads
> through .exe, .pif, .scr, and .zip attachments. Preliminary reports
> indicate the worm listens on TCP port 3127. More information will be
> posted when it becomes available.
>
> Since about 2 p.m. my pacbell account is getting some zip files [besides
> the normal SWENs that it gets regularly] I think they are Novarg. all
> about 33 KB in size.
>
> --
>
>
> --
> http://www.sbslinks.com/really.htm
>



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Les

Les
Mon Jan 26 17:34:48 CST 2004

I don't block .zip; an hour ago the test.zip was getting through (one did).
Since then Trend A/V (scanmail) has started catching them.

Trend auto updates hourly, thank you. And scans .zips.

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !



"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eAqCC5F5DHA.2740@TK2MSFTNGP09.phx.gbl...
> New Worm Activity - W32.Novarg.A@mm
> Symantec and other anti-virus vendors are reporting a new mass-mailing
> worm called W32.Novarg.A@mm. Initial reports indicate the worm spreads
> through .exe, .pif, .scr, and .zip attachments. Preliminary reports
> indicate the worm listens on TCP port 3127. More information will be
> posted when it becomes available.
>
> Since about 2 p.m. my pacbell account is getting some zip files [besides
> the normal SWENs that it gets regularly] I think they are Novarg. all
> about 33 KB in size.
>
> --
>
>
> --
> http://www.sbslinks.com/really.htm
>



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by jann

jann
Mon Jan 26 18:16:09 CST 2004

Er, just to clarify for other users as I was caught out by this a couple of
years ago...

... I had to adjust Trend ScanMail to update hourly - the default was
something like 24 hours (whereby I was caught out...)



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Les

Les
Mon Jan 26 18:41:00 CST 2004

Good point, Jann.

The default now is still something like weekly (could be daily, but I don't
think so), which is clearly not frequent enough.

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !



"jann" <jann@dial.pipex.com> wrote in message
news:OTF6iqG5DHA.2560@TK2MSFTNGP09.phx.gbl...
> Er, just to clarify for other users as I was caught out by this a couple of
> years ago...
>
> ... I had to adjust Trend ScanMail to update hourly - the default was
> something like 24 hours (whereby I was caught out...)
>
>



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Andrew

Andrew
Mon Jan 26 21:08:56 CST 2004

I don't block ZIPs, but Symantec Mail Security will scan within a
ZIP, so if a ZIP contains an SCR or other blocked attachment then the whole
ZIP is blocked.

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eAqCC5F5DHA.2740@TK2MSFTNGP09.phx.gbl...
> New Worm Activity - W32.Novarg.A@mm
> Symantec and other anti-virus vendors are reporting a new mass-mailing
> worm called W32.Novarg.A@mm. Initial reports indicate the worm spreads
> through .exe, .pif, .scr, and .zip attachments. Preliminary reports
> indicate the worm listens on TCP port 3127. More information will be
> posted when it becomes available.
>
> Since about 2 p.m. my pacbell account is getting some zip files [besides
> the normal SWENs that it gets regularly] I think they are Novarg. all
> about 33 KB in size.
>
> --
>
>
> --
> http://www.sbslinks.com/really.htm
>
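
Gary's WinZip observation (the real extension pushed out of view by a long run of spaces) and Andrew's description of blocking a whole ZIP when any member is a blocked type can both be checked by reading member names straight from the archive. This is an added example, not part of any post in the thread; the function names, the padding threshold and the nesting limits are assumptions, and the extension list is the set of types posters in this thread say they block.

```python
import io
import re
import zipfile

# Extensions the posters in this thread say they block; adjust to local policy.
BLOCKED = {".exe", ".pif", ".scr", ".com", ".bat", ".js", ".vbs", ".reg", ".shs"}
PADDING_RUN = 4                      # assumed: this many spaces in a row is padding
MAX_DEPTH = 3                        # assumed limit on ZIP-inside-ZIP nesting
MAX_NESTED_BYTES = 5 * 1024 * 1024   # assumed cap before unpacking a nested ZIP


def real_extension(name):
    """Final extension as Windows would resolve it, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(" .\t")       # Windows drops trailing spaces and dots
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def has_padding(name):
    """True when a long whitespace run is followed by more text."""
    return re.search(r"\s{%d,}\S" % PADDING_RUN, name) is not None


def inspect_zip(data, depth=0):
    """Return [(member_path, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = real_extension(info.filename)
            if ext in BLOCKED:
                reasons.append("blocked extension " + ext)
            if has_padding(info.filename):
                reasons.append("whitespace-padded name")
            if ext == ".zip":
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    reasons.append("nested archive not inspected")
                else:
                    try:
                        inner = inspect_zip(archive.read(info), depth + 1)
                        findings += [(info.filename + "/" + n, r) for n, r in inner]
                    except (zipfile.BadZipFile, RuntimeError):
                        # RuntimeError covers password-protected members
                        reasons.append("nested archive unreadable")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def should_block(data):
    """Block the whole attachment if any member is flagged; fail closed."""
    try:
        return bool(inspect_zip(data))
    except zipfile.BadZipFile:
        return True


def build_sample(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking the naming trick described in the thread.
    padded = "BODY.HTM" + " " * 60 + ".scr"
    sample = build_sample({padded: b"placeholder", "readme.txt": b"placeholder"})
    for member, why in inspect_zip(sample):
        print(repr(member), "->", ", ".join(why))
    print("block attachment:", should_block(sample))
```

Only member names are examined, so this complements rather than replaces signature scanning of the contents.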



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files by Susan

Susan
Mon Jan 26 21:19:17 CST 2004

But keep in mind that this stuff comes out sooooooooo quickly that if
your DAT file is not up to date no scanner in the world is going to help you.

This is why we have our A/V set to get an update every hour on the hour.

Trend only got this updated signature file THIS AFTERNOON. Thus if you
got this email, this morning, you were not protected.

Conversely, if you only update once a week you may NOT be protected now.

I'll yell for emphasis....

YOU MAY NOT BE PROTECTED UNLESS YOUR A/V SIGNATURE FILE HAS BEEN UPDATED
TO CATCH THIS. Don't assume that you are protected. Go to the vendor's
web site and check what dat file signature protects for this.

YOU MUST BE ON Trend's 743 to get this scanned.

Andrew M. Saucci, Jr. wrote:
> I don't block ZIP's but Symantec Mail Security will scan within a
> ZIP, so if a ZIP contains an SCR or other blocked attachment then the whole
> ZIP is blocked.

--
http://www.sbslinks.com/really.htm


Re: <<<Just a warning.....Block those Zip, exe, pif and scr files by Susan

Susan
Mon Jan 26 21:49:40 CST 2004

This afternoon, antivirus software vendors started tracking a dangerous
new worm, dubbed MyDoom. Early indications are that MyDoom is spreading
rapidly and clogging up business networks and the Internet. For example,
McAfee has rated the virus as "High-Outbreak" for both corporate and
consumer users. Symantec rates MyDoom "4," its second highest rating.

The volume of traffic could be much larger than last year's soBig
outbreak, which would make this virus worthy of the name soMuchBigger.
The sophistication of the virus is a reminder that hackers and virus
writers should be treated as criminals and not noble antisocialists.
Like Blaster, which delivered a delay mechanism for attacking
Microsoft's Windows Update on a certain date, MyDoom has a target: SCO.

MyDoom outbreak may turn out to be one of the more sophisticated viruses
in recent memory. The virus appears to use multiple avenues of attack
(e-mail for certain and possible file-sharing or remote-access programs)
harnesses the multitude of infected computers to attack a single host
(SCO) and protects the binaries with encryption (to thwart quick
antivirus response and damage assessment).

Delivery is via e-mail, typically as a message returned for some error.
It's almost habit for more experienced users to open such a mail and its
attachment to see which important message got bounced back. The tactic
clearly targets the kind of sophisticated user that normally wouldn't
open such an e-mail attachment.

Apparently all Windows versions from 95 on are susceptible to MyDoom, but
not Linux, Mac OS or Unix. People that use Outlook 2000 SP2 or later are
safest, as long as the default settings--these block the kind of
attachments carrying MyDoom--haven't been changed. The greater danger
would be businesses running older versions of Outlook or consumer PCs
using e-mail, say, Outlook Express. Microsoft plans to add attachment
blocking to Outlook Express, but that update is months away.

Published warnings from antivirus vendors suggest a dangerous worm
potentially capable of spreading through file sharing or allowing remote
access through a port opened in infected systems. I would strongly
encourage system administrators seeking to eradicate an infection to
shut down all unneeded network services and to search for open ports on
compromised systems. Network administrators should start by checking
port 3127.

I strongly encourage network administrators to quarantine computers and
networks immediately. As a general practice, files with the extensions
.bat, .exe, .htm, .pif, .scr or .vbs should be blocked at the e-mail
client or server.

Antivirus companies are still investigating MyDoom, but what they have
found so far indicates the worm will be a tough clean-up. MyDoom changes
Windows Registry settings and dumps files in the KaZaA download
directory on computers with the peer-to-peer software installed.

http://www.microsoftmonitor.com/archives/002217.html


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> New Worm Activity - W32.Novarg.A@mm
> Symantec and other anti-virus vendors are reporting a new mass-mailing
> worm called W32.Novarg.A@mm. Initial reports indicate the worm spreads
> through .exe, .pif, .scr, and .zip attachments. Preliminary reports
> indicate the worm listens on TCP port 3127. More information will be
> posted when it becomes available.
>
> Since about 2 p.m. my pacbell account is getting some zip files [besides
> the normal SWENs that it gets regularly] I think they are Novarg. all
> about 33 KB in size.
>

--
http://www.sbslinks.com/really.htm


Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Rick

Rick
Mon Jan 26 23:40:06 CST 2004

I use Symantec and it started catching this the moment it started coming in
without the newest definitions. Since I already block these types of
attachments, it was detecting the attachments before even knowing if it was
a virus or not and did what my rule is set to do, Delete it. I updated my
virus defs anyways but because of the blocking policies already in place, I
have not been affected in a big way....other than my admin mailbox with
hundreds of notifications that it deleted the email.

Rick in the Midwest
P.S. thanks for the article, this virus is interesting indeed.

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eZ7lgRI5DHA.1292@TK2MSFTNGP11.phx.gbl...
> But keep in mind that this stuff comes out sooooooooo quickly that if
> your DAT file is not up to date no scanner in the world is going to help you.
>
> This is why we have our A/V set to get an update every hour on the hour.
>
> Trend only got this updated signature file THIS AFTERNOON. Thus if you
> got this email, this morning, you were not protected.
>
> Conversely, if you only update once a week you may NOT be protected now.
>
> I'll yell for emphasis....
>
> YOU MAY NOT BE PROTECTED UNLESS YOUR A/V SIGNATURE FILE HAS BEEN UPDATED
> TO CATCH THIS. Don't assume that you are protected. Go to the vendor's
> web site and check what dat file signature protects for this.
>
> YOU MUST BE ON Trend's 743 to get this scanned.



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by CZ

CZ
Tue Jan 27 00:30:48 CST 2004

>> Since I already block these type of attachments

Rick:

Are you using an ISA Content Gp to block the zip attachment?

TIA



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Rick

Rick
Tue Jan 27 06:58:51 CST 2004

Not that I am aware of. I wasn't aware that Content Groups actually block
those attachments, I thought it merely knew how to deal with MIME for such
said attachments.

Rick itM

"CZ" <CZ@no99spam.com> wrote in message
news:%23Nmti8J5DHA.2572@TK2MSFTNGP09.phx.gbl...
> >> Since I already block these type of attachments
>
> Rick:
>
> Are you using an ISA Content Gp to block the zip attachment?
>
> TIA
>
>



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by David

David
Tue Jan 27 08:07:56 CST 2004

Hi all,

Our Officescan updated itself as noted below [UK time] - set to update each
hour:
739-741 @ 18:23 26 Jan
741-743 @ 23:22 26 Jan
743-745 @ 07:22 27 Jan

Just to confirm that it's up there and available.

Cheers,



David


"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eZ7lgRI5DHA.1292@TK2MSFTNGP11.phx.gbl...
> But keep in mind that this stuff comes out sooooooooo quickly that if
> your DAT file is not up to date no scanner in the world is going to help you.
>
> This is why we have our A/V set to get an update every hour on the hour.
>
> Trend only got this updated signature file THIS AFTERNOON. Thus if you
> got this email, this morning, you were not protected.
>
> Conversely, if you only update once a week you may NOT be protected now.
>
> I'll yell for emphasis....
>
> YOU MAY NOT BE PROTECTED UNLESS YOUR A/V SIGNATURE FILE HAS BEEN UPDATED
> TO CATCH THIS. Don't assume that you are protected. Go to the vendor's
> web site and check what dat file signature protects for this.
>
> YOU MUST BE ON Trend's 743 to get this scanned.



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Dave

Dave
Tue Jan 27 10:37:16 CST 2004

That's pretty much what happened with me, but the message came from a
trusted source and appeared to be a legitimate document. That's why I've
been spending this morning virus-scanning and cleaning my workstation, which
is hopefully what you're doing too - I don't know what point in the process
installs this virus, but I got it pretty much as you describe.


"Gary Karasik" <gkarasik2fea.net> wrote in message
news:ukOS2LG5DHA.2760@TK2MSFTNGP09.phx.gbl...
> This one does a nasty little trick: I just got it as an attachment called
> BODY.ZIP. If you double-click on it, what shows in the .zip window is a file
> that is apparently called BODY.HTM, but that's only what shows in the
> default WinZip window. Then I noticed that WinZip thought it was a Screen
> Saver. An HTM screen saver? I extended the filename boundary in the WinZip
> window, and the filename is actually BODY.HTM
> scr. There's so much space between the HTM and the extension that the
> default WinZip window didn't show the .SCR.
>
> GaryK



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Gary

Gary
Tue Jan 27 11:48:01 CST 2004

Yes. This machine has Norton Antivirus installed standalone, and I found the
Norton instructions to be inaccurate. Norton wouldn't delete SHIGAPI.DLL
automatically, so I had to delete it manually via the Recovery Console; also
the virus broke AutoProtect so once I got rid of it, I had to
remove/reinstall the whole program, always a scary procedure with any
Symantec product.

All's well now. Hope you're back up.

GaryK

"Dave Nickason" <gwdibble@NOSPAM.frontiernet.net> wrote in message
news:eUODJPP5DHA.2392@TK2MSFTNGP10.phx.gbl...
> That's pretty much what happened with me, but the message came from a
> trusted source and appeared to be a legitimate document. That's why I've
> been spending this morning virus-scanning and cleaning my workstation, which
> is hopefully what you're doing too - I don't know what point in the process
> installs this virus, but I got it pretty much as you describe.



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Dave

Dave
Tue Jan 27 15:05:05 CST 2004

The scary thing with me is that CA must have updated virus definitions twice
yesterday - I was on what I thought was the current version when I got the
virus, and I actually scanned the attachment before infecting myself with
it. Then I found that there was another update, and that one found it
immediately. I had gotten suspicious because the taskmon.exe process was
using 100% CPU, so I did a Trend online scan followed by a CA online scan
(both caught it). The second CA signature update supposedly cured it, but a
full local scan caught several remnants this morning - in system restore
files and the recycle bin.


"Gary Karasik" <gkarasik2fea.net> wrote in message
news:u87f32P5DHA.1816@TK2MSFTNGP12.phx.gbl...
> Yes. This machine has Norton Antivirus installed standalone, and I found the
> Norton instructions to be inaccurate. Norton wouldn't delete SHIGAPI.DLL
> automatically, so I had to delete it manually via the Recovery Console; also
> the virus broke AutoProtect so once I got rid of it, I had to
> remove/reinstall the whole program, always a scary procedure with any
> Symantec product.
>
> All's well now. Hope you're back up.
>
> GaryK



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Andrew

Andrew
Tue Jan 27 18:39:38 CST 2004

I would never update that quickly. Too much danger of downloading a
half-baked update. I simply cannot risk having all my servers (maybe
workstations too) crash all at once. I feel safe enough updating once a day
(let everyone else be the beta testers) and blocking EXE, COM, BAT, PIF,
SCR, JS, VBS, REG, and SHS files. I'd rather chance a virus getting in
through an unusual avenue (those file attachments probably account for the
lion's share of threats these days) than chance downloading a bad update
onto all the servers all at once. I know that's a value judgment but it
seems most sensible for my situation, and I have downloaded bad updates that
affected the operation of the server. As long as the virus, worm, or trojan
is contained in one of the blocked attachment types, I don't have to worry
about updates at all. And with SBS 2003, if SBS doesn't catch it, my
Symantec Mail Security setup will, because it blocks the same attachments,
so I'm doubly protected. In fact, what has been happening with me is that
SBS 2003 grabs it on account of the extension and then SAV CE actually scans
it from the Blocked Attachments folder and quarantines it. Anyway, you can't
count on A/V vendors to update fast enough. If you're really paranoid, you
use ISA to block all known webmail sites so that they don't bypass the mail
scanners.

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eZ7lgRI5DHA.1292@TK2MSFTNGP11.phx.gbl...
> But keep in mind that this stuff comes out sooooooooo quickly that if
> your DAT file is not up to date no scanner in the world is going to help you.
>
> This is why we have our A/V set to get an update every hour on the hour.
>
> Trend only got this updated signature file THIS AFTERNOON. Thus if you
> got this email, this morning, you were not protected.
>
> Conversely, if you only update once a week you may NOT be protected now.
>
> I'll yell for emphasis....
>
> YOU MAY NOT BE PROTECTED UNLESS YOUR A/V SIGNATURE FILE HAS BEEN UPDATED
> TO CATCH THIS. Don't assume that you are protected. Go to the vendor's
> web site and check what dat file signature protects for this.
>
> YOU MUST BE ON Trend's 743 to get this scanned.



Re: <<<Just a warning.....Block those Zip, exe, pif and scr files >>> by Les

Les
Tue Jan 27 22:14:21 CST 2004

Honestly, in about 5 years of using Trend A/V products, I think I have seen
1, 2 at most, updates that caused any kind of problem. I have no experience
with other A/V products, other than from posts it appears that not all are
as reliable as Trend.

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !



"Andrew M. Saucci, Jr." <spam-only@2000computer.com> wrote in message
news:eZTg5cT5DHA.2540@TK2MSFTNGP11.phx.gbl...
> I would never update that quickly. Too much danger of downloading a
> half-baked update. I simply cannot risk having all my servers (maybe
> workstations too) crash all at once. I feel safe enough updating once a day
> (let everyone else be the beta testers) and blocking EXE, COM, BAT, PIF,
> SCR, JS, VBS, REG, and SHS files. I'd rather chance a virus getting in
> through an unusual avenue (those file attachments probably account for the
> lion's share of threats these days) than chance downloading a bad update
> onto all the servers all at once. I know that's a value judgment but it
> seems most sensible for my situation, and I have downloaded bad updates that
> affected the operation of the server. As long as the virus, worm, or trojan
> is contained in one of the blocked attachment types, I don't have to worry
> about updates at all. And with SBS 2003, if SBS doesn't catch it, my
> Symantec Mail Security setup will, because it blocks the same attachments,
> so I'm doubly protected. In fact, what has been happening with me is that
> SBS 2003 grabs it on account of the extension and then SAV CE actually scans
> it from the Blocked Attachments folder and quarantines it. Anyway, you can't
> count on A/V vendors to update fast enough. If you're really paranoid, you
> use ISA to block all known webmail sites so that they don't bypass the mail
> scanners.