[Dshield] Is Mytob that bad?!?
dshield at oitc.com
Sun Jun 5 19:10:10 GMT 2005
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or
.zip file extension.

Now why would anyone any more accept naked .bat, .cmd, .exe, .pif,
.scr files as attachments or even those files in a zip?

We routinely block all those and more either standalone or
encapsulated in a zip or a rar. Therefore, we never see nor have to
deal with outbreaks like these and yet blocking as we do, we have
never had any issues that would cause us to even consider shutting

Although I find UPS' position of shutting down mail as an IT
department in over-reactive mode, it does point out that solely
relying on running AV systems on your incoming mail is bound to be
problematic as the virus can always get to you before a detection
fingerprint can be built and then distributed and then finally
deployed. Plugging the vectors (e.g. .pif, .scr, etc.) is much safer.

>Here below is a message my company has received from a UPS employee,
>asking us to fax all orders, until further notice. Assuming a lot of
>UPS business relies on exchange of information, potentially using
>attachments, the measure they took implies a level of threat from
>Mytob much higher than what the regular anti-virus lists seem to
>associate with this ... is anybody facing a similar issue?!?
>===== UPS message ========================
>Subject: Attachments Are now being Blocked due to new Virus
> Please inform Users
> Importance: High
> Due to multiple Mytob virus variants being released one after the
> UPS INET and Data Security have placed a block on all email
> as of 6/2 4:00pm EST.
> This will stop the new variants from spreading. 5 variants in the
> 48 hours have been released. Now at Mytob DB, extended version
> rev. 22 or greater are required to detect this threat.
> We will let you know when the attachments are allowed again.
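
The extension blocking described in the post above, applied both to bare attachments and to files inside a zip, as an added example (not code from the post or from DShield). It covers only the five executable extensions the post names and zip archives; rar needs a third-party parser, and `MAX_DEPTH` and the function names are assumptions.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy

BLOCKED = {".bat", ".cmd", ".exe", ".pif", ".scr"}  # extensions named in the post
MAX_DEPTH = 2  # assumed limit on nested archives

def ext(name):
    # Windows ignores trailing dots and spaces, so strip them before testing.
    return os.path.splitext(name.rstrip(". ").lower())[1]

def scan_zip(data, depth=0):
    """Return reasons to reject a zip, judged by member names only."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable zip"]
    hits = []
    for info in zf.infolist():
        if ext(info.filename) in BLOCKED:
            hits.append(f"contains {info.filename}")
        elif ext(info.filename) == ".zip":
            if info.flag_bits & 0x1 or depth >= MAX_DEPTH:  # encrypted or too deep
                hits.append(f"unscannable nested zip {info.filename}")
            else:
                hits += scan_zip(zf.read(info), depth + 1)
    return hits

def scan_message(raw):
    """Return (attachment name, reason) pairs that should block the mail."""
    found = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        body = b"" if part.is_multipart() else part.get_payload(decode=True) or b""
        if ext(name) in BLOCKED:
            found.append((name, "blocked extension"))
        elif ext(name) == ".zip" or body[:4] == b"PK\x03\x04":
            # Sniff the zip magic too, so a renamed archive is still opened.
            found += [(name, reason) for reason in scan_zip(body)]
    return found

if __name__ == "__main__":
    import sys
    # Reads one raw RFC 5322 message on stdin and prints each reason to block it.
    for name, reason in scan_message(sys.stdin.buffer.read()):
        print(f"BLOCK {name}: {reason}")
```

The decision rests on file names and archive structure alone, so it does not depend on an AV signature existing yet for a new variant.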