[unisog] FWD: [SECURITY] bugbear variant

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Fri Jun 6 14:03:01 GMT 2003

We use Norton Antivirus for client protection, and clients get mail into 
the network from other sources than official uconn.edu mailservers. 
Hotmail and Yahoo being the most common.  Our mail servers (like most of 
yours) do not accept most common "bad" attachment types, and they use 
Sophos which detected this fairly early.

However, to sit back and say "our mailservers are safe, we will not have a 
problem with this" is not accurate.  There are other ways to get mail into 
our networks besides our central mail servers, unless you block HTTP/S or 
all possible webmail sources.  Our desktop clients do not use push 
definition updates - they must pull them down at set intervals (hopefully 
once per day).  If they get this virus through Hotmail before their client 
has pulled down the new defs, they get infected and start to resend the 
virus across the LAN, its own SMTP engine, etc.  If the recipients of that 
mail happen to be @uconn.edu our mail gateway will stop the virus.  If 
they send to the @yahoo.com address of another professor, who executes the 
attachment and does not have current defs pulled down, the virus will 
spread.  Not to mention the people who for whatever reason do not have 
antivirus installed.

Sorry to be so long winded, but yes - I do think you missed something. 
Protecting the mail gateway is a large part of this battle, but not the 
entire battle.


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu

Joseph Brennan <brennan at columbia.edu>
06/06/2003 09:28 AM
Please respond to Postmaster

        To:     unisog at sans.org
        Subject:        Re: [unisog] FWD: [SECURITY] bugbear variant

> We got hit with this today before Norton Antivirus came out with the
> definitions.

Or forget the vendors' marketing and just routinely delete email
attachments with names ending .scr, .pif, and .exe.  That's all
it takes to stop this one *and the next one*.  Or am I missing

Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group

More information about the unisog mailing list