[Dshield] Is Mytob that bad?!?

Tom dshield at oitc.com
Sun Jun 5 19:10:10 GMT 2005


Symantec says:

Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or 
.zip file extension.

Now why would anyone any more accept naked .bat, .cmd, .exe, .pif, 
.scr files as attachments or even those files in a zip?

We routinely block all those and more either standalone or 
encapsulated in a zip or a rar. Therefore, we never see nor have to 
deal with outbreaks like these and yet blocking as we do, we have 
never had any issues that would cause us to even consider shutting 
down mail.

Although I find UPS' position of shutting down mail as an IT 
department in over-reactive mode, it does point out that solely 
relying on running AV systems on your incoming mail is bound to be 
problematic as the virus can always get to you before a detection 
fingerprint can be built and then distributed and then finally 
deployed.  Plugging the vectors (e.g. .pif, .scr, etc.) is much safer.


>Here below is a message my company has received from a UPS employee,
>asking us to fax all orders, until further notice. Assuming a lot of
>UPS business relies on the exchange of information, potentially using
>attachments, the measure they took implies a level of threat from
>Mytob much higher than what the regular anti-virus lists seem to
>associate with this ... is anybody facing a similar issue?!?
>===== UPS message ========================
>Subject: Attachments Are now being Blocked due to new Virus
>       Please inform Users
>       Importance: High
>       Stakeholders,
>       Due to multiple Mytob virus variants being released one after the
>       UPS INET and Data Security have placed a block on all email
>       as of 6/2 4:00pm EST.
>       This will stop the new variants from spreading. 5 variants in the
>       48 hours have been released. Now at Mytob DB, extended version
>       rev. 22 or greater are required to detect this threat.
>       We will let you know when the attachments are allowed again.
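Added example (not code from the list or from Tom's mail servers) of the extension-based attachment policy Tom describes above: reject the Symantec-listed executable types whether they arrive bare or inside a zip, including zips nested in zips, and treat an archive that cannot be opened as a rejection. The blocklist, the three-level nesting limit, and the sample message are my own constructions; .rar is not opened because the standard library has no reader for it.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
# Never accepted, alone or inside a zip (the Symantec list quoted above); .rar is not opened here.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
ARCHIVE_EXTENSIONS = {".zip"}

def _ext(name):
    name = (name or "").strip().lower()
    return name[name.rfind("."):] if "." in name else ""

def blocked_names_in_zip(data, depth=0, max_depth=3):
    # Member names with blocked extensions, descending into nested zips.
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = _ext(info.filename)
                if ext in BLOCKED_EXTENSIONS:
                    hits.append(info.filename)
                elif ext in ARCHIVE_EXTENSIONS and depth < max_depth:
                    hits.extend(blocked_names_in_zip(zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        hits.append("<unreadable archive>")  # cannot inspect it, so reject it
    return hits

def blocked_attachments(raw_message):
    # Attachment names in a raw RFC 822 message that violate the policy.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
        elif ext in ARCHIVE_EXTENSIONS:
            hits.extend(f"{name}:{m}" for m in blocked_names_in_zip(part.get_payload(decode=True) or b""))
    return hits

def build_sample():
    # Constructed sample message: a zip hiding a .scr, beside a harmless .txt attachment.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"constructed sample, not a real file")
    msg = EmailMessage()
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="order.zip")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()
```

Running `blocked_attachments(build_sample())` reports `order.zip:invoice.scr`; a mail gateway would bounce or quarantine on any non-empty result.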