[unisog] FWD: [SECURITY] bugbear variant

Arnold, Jamie harnold at binghamton.edu
Fri Jun 6 17:52:28 GMT 2003

In an Exchange environment, one of the nice things is that even if the user
adds multiple outside IMS connections, all that mail ends up in the
Exchange database and has to cross the IMC to get there.  It all gets
scanned no matter where it comes from.

-----Original Message-----
From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu] 
Sent: Friday, June 06, 2003 10:03 AM
To: unisog at sans.org

We use Norton Antivirus for client protection, and clients get mail into the
network from other sources than official uconn.edu mailservers. 
Hotmail and Yahoo being the most common.  Our mail servers (like most of
yours) do not accept most common "bad" attachment types, and they use Sophos
which detected this fairly early.

However, to sit back and say "our mailservers are safe, we will not have a
problem with this" is not accurate.  There are other ways to get mail into
our networks besides our central mail servers, unless you block HTTP/S or
all possible webmail sources.  Our desktop clients do not use push
definition updates - they must pull them down at set intervals (hopefully
once per day).  If they get this virus through Hotmail before their client
has pulled down the new defs, they get infected and start to resend the
virus across the LAN, its own SMTP engine, etc.  If the recipients of that
mail happen to be @uconn.edu our mail gateway will stop the virus.  If they
send to the @yahoo.com address of another professor, who executes the
attachment and does not have current defs pulled down, the virus will
spread.  Not to mention the people who for whatever reason do not have
antivirus installed.

Sorry to be so long-winded, but yes, I do think you missed something.
Protecting the mail gateway is a large part of this battle, but not the
entire battle.


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu

Joseph Brennan <brennan at columbia.edu>
06/06/2003 09:28 AM
Please respond to Postmaster

        To:     unisog at sans.org
        Subject:        Re: [unisog] FWD: [SECURITY] bugbear variant

> We got hit with this today before Norton Antivirus came out with the 
> definitions.

Or forget the vendors' marketing and just routinely delete email attachments
with names ending .scr, .pif, and .exe.  That's all it takes to stop this
one *and the next one*.  Or am I missing something?

Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group
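One way to apply the attachment-name rule suggested above, as an added Python example that is not code from the list thread or from any university's mail filter; the blocked-suffix list, the MIME parsing approach and the sample message are constructed here:

```python
"""Flag MIME attachments whose filename ends in .scr, .pif or .exe."""
import email
from email import policy
from email.message import EmailMessage

# Suffixes named in the reply; extend as needed (assumed list).
BLOCKED_SUFFIXES = (".scr", ".pif", ".exe")


def is_blocked_name(filename):
    """Case-insensitive suffix check; trailing whitespace is ignored so
    'photo.jpg.scr ' or 'SETUP.EXE' are still caught."""
    if not filename:
        return False
    return filename.strip().lower().endswith(BLOCKED_SUFFIXES)


def blocked_attachments(raw_message):
    """Parse a raw RFC 2822 message and return the filenames that match.
    get_filename() looks at both Content-Disposition and Content-Type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_blocked_name(name):
            found.append(name)
    return found


def build_sample():
    """Constructed sample: one disguised .scr attachment, one harmless file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample message"
    msg.set_content("see attached")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename="Photo.JPG.scr")
    msg.add_attachment(b"plain notes", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

A gateway would drop or quarantine the message when the returned list is non-empty; the check is by name only, so it complements rather than replaces content scanning.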
