[Dshield] Swen Vs. ISA, Outlook & Norton

Guy Barnum GuyBarnum at Armscole.com
Tue Sep 23 19:42:37 GMT 2003

Has anyone seen where Norton's exchange real time protection (corporate edition 7.6) actually triggers the Swen worm carried in the email message it is attempting to clean?

Or could the time it takes ISA server 2000 to restart after changing filtering rules have left my system open for infection that isn't yet being picked up by Norton's latest virus definitions?

Background: Originally I had ISA server 2000 set to forward all incoming emails with 'bad' attachments (.exe .com .bat ...) to an admin account.  Swen traffic increased too high so I changed the ISA rule to delete these.  There was a message from ISA server stating 'after restarting it would be some time before the new changes took effect'.  It's a couple of days later and the incoming emails with bad attachments are not being deleted.

At the same time I changed the ISA rules I updated the Norton virus definitions.  Previous to the ISA and Norton definition changes I could preview the Swen email with no virus warning, select the attachment and save it to disk for scanning without any outgoing email being triggered and no Norton warning messages.  Also at no time has the infected attachment been manually run.

Now when I just preview the Swen-loaded email Norton launches a warning that it has detected a virus (without me opening the attachment), failed to clean it but quarantined the culprit, my system immediately attempts to send an email to: "Security Support" <eskiisvp_kqrftflf at newsletters_ms.net> which is blocked by Exchange Server 2000 due to it being infected, as if the worm was triggered or run regardless of Norton's apparent interception and I still didn't open or even click on the attachment!!

Here is the Norton warning:
Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Worm.Automat.AHB
File:  q879253.exe
Location:  Mail System

So I'm stumped trying to figure out what changed with either ISA, Norton or the worm (since I didn't change any settings in Outlook) that is now triggering the attached infected .exe file which attempts to send some part of its email payload, from just previewing the email, all done while dodging Norton's scan and ISA's filter.

Is it a 'Super Swen' or am I missing something obvious?  I've started and stopped this post at least 20 times during my fire fighter routine so if it's all messed up or too long plz forgive me.  I would be happy to post any detailed information I should have included, just yell.

