[Dshield] Is Mytob that bad?!?

David Vincent support at sleepdeprived.ca
Sun Jun 5 22:30:43 GMT 2005


hehe, funny story.

i run my own mail server and have for years. it started out as an 
exercise in setting up smtp, but now hosts my main accounts.  over the 
years i've added layers of protection and one of them is blocking a long 
list of attachment types.

my home machine got infected with this virus becuse my wife opened up an 
email with the attachment, not one that went through my mailserver, but 
from her hotmail account.  they declared the file as virus free (mcafee 
engine) and allowed her to download it.  it passed our anti-virus 
(symantec engine) and allowed her to execute the .scr inside.

after she double-clicked it and went "huh, no picture" i asked what she 
was doing.

the next three emails i read were on this list and told me about the 
symantec definition update.  i applied it and nailed the virus.

thanks list for your awesome help, just when i needed it.

it's *always* the vectors you don't handle which will get you.  :)  
tongue firmly in cheek.

since hotmail seems to have finally removed support for account access 
through outlook and outlook express, we'll be dumping those account real 
soon.

cheers.

-d



Tom wrote:

> Stef,
>
> Symantec says:
>
> Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or 
> .zip file extension.
>
> Now why would anyone any more accept naked .bat, .cmd, .exe, .pif, 
> .scr files as attachments or even those files in a zip?
>
> We routinely block all those and more either standalone or 
> encapsulated in a zip or a rar. Therefore, we never see nor have to 
> deal with outbreaks like these and yet blocking as we do, we have 
> never had any issues that would cause us to even consider shutting 
> down mail.
>
> Although I find UPS' position of shutting down mail as an IT 
> department in over-reactive mode, it does point out that solely 
> relying on running AV systems on your incoming mail is bound to be 
> problematic as the virus can always get to you before a detection 
> fingerprint can be built and then distributed and then finally 
> deployed.  Plugging the vectors (eg .pif, .scr, etc.) is much safer.
>
> Tom
>
>
>
>> Here below is a message my company has received from an UPS employee,
>> asking us to fax all orders, until further notice. Assuming a lot of
>> UPS business rely in exchange of information, potentially using
>> attachments, the measure they took implies a level of threat from
>> Mytob much higher than what the regular anti-virus lists seem to
>> associate with this ... is anybody facing a similar issue?!?
>>
>> TIA,
>> Stef
>>
>> ===== UPS message ========================
>>
>> Subject: Attachments Are now being Blocked due to new Virus
>> Variants:
>>       Please inform Users
>>       Importance: High
>>
>>       Stakeholders,
>>
>>       Due to multiple Mytob virus variants being released one after the
>> other
>>       UPS INET and Data Security have placed a block on all email
>> attachments
>>       as of 6/2 4:00pm EST.
>>
>>       This will stop the new variants from spreading. 5 variants in the
>> past
>>       48 hours have been released. Now at Mytob DB, extended version
>> 6/2/2005
>>       rev. 22 or greater are required to detect this threat.
>>
>>       We will let you know when the attachments are allowed again.
>>
>> -------------- Sponsor Message ------------------------------------
>> Join us at SANSFIRE 2005 in Atlanta!
>> The Internet Storm Center Conference.
>> Details: http://www.sans.org/sansfire2005
>>
>> _______________________________________________
>> send all posts to list at lists.dshield.org
>> To change your subscription options (or unsubscribe), see: 
>> http://www.dshield.org/mailman/listinfo/list
>
>
>
> -------------- Sponsor Message ------------------------------------
> Join us at SANSFIRE 2005 in Atlanta!
> The Internet Storm Center Conference.
> Details: http://www.sans.org/sansfire2005
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
>
>





More information about the list mailing list