[unisog] New virus - not caught by central servers (fwd)

Frank Bulk bulkf at dordt.edu
Tue Jul 27 00:04:56 GMT 2004


Has anyone considered a policy such that if a virus alert is medium or
higher, to shut down email flow (or, at least let it queue up at the
edge) until the virus definitions for the campus' email antivirus
solution has been updated?
 
Regards,
 
Frank

>>> brennan at columbia.edu Monday, July 26, 2004 4:15:39 pm >>>
Yes, something started happening this morning.

Stopped by rejecting mail with executables and zip files.

Stopped by rejecting mail with envelope sender set to
<postmaster at yourdomain> and <mailer-daemon at yourdomain>. E.g. we
reject mail claiming to be from < postmaster at columbia.edu > and
< mailer-daemon at columbia.edu >. This has caught several Mydoom
variants and some other fakery -- worth doing.

The one thing we are seeing here is bounces of mail from
non-columbia.edu hosts that were willing to relay mail e.g.
from postmaster at columbia.edu to an address here; we reject
the mail from postmaster but then postmaster gets the bounce.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York




--On Monday, July 26, 2004 12:40 PM -0500 Brian Haskell 
< haskell at tc.umn.edu > wrote:

> From the U Minnesota computer gurus:
>
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:22:31 -0500 (CDT)
> Subject: New virus - not caught by central servers
>
>
> Hey all,
>
> There's a new virus out, which isn't yet caught by the central servers.
> Please don't open any attachments you're not expecting! More details
> below.
>
> ---------- Forwarded message ----------
> Date: Mon, 26 Jul 2004 11:14:21 -0500
> From: Brian Eckman < eckman at umn.edu >
> Reply-To: "umn-antivirus: Forum for exchanging information about fighting
> computer viruses" < UMN-ANTIVIRUS at LISTS.UMN.EDU >
> To: UMN-ANTIVIRUS at LISTS.UMN.EDU 
> Subject: [Fwd: Counterpane Internet Security; Virus Alert; MyDoom.M;
> CIS20040726-1]
>
> We are starting to see this on campus. AFAIK, the central servers cannot
> detect this as virus signatures don't seem to have been released yet....
>
>
> Brian
>
> COUNTERPANE REFERENCE CIS20040726-1
>
>
> TITLE MyDoom.M
>
>
> DATE DISCOVERED July 13, 2004
>
>
> VULNERABILITY/EVENT SUMMARY
>
> Counterpane has received information pertaining to a Windows-based
> variant of the MyDoom worm, known as MyDoom.M, that spreads via email
> using SMTP. The variant harvests recipient email addresses from the
> infected system and also fakes the sender address using the same
> harvested list. This worm is being called 'MyDoom.o' by McAfee.
>
>
> THREAT CLASSIFICATION
>
> Virus/Worm
>
>
> ANALYSIS
>
> The MyDoom variant is currently being sent through the mail systems
> utilizing the following Subject lines:
>
> The original message was included as attachment
> The/Your m/Message could not be delivered
> hello
> hi error
> status
> test
> report
> delivery failed
> Message could not be delivered
> Mail System Error - Returned Mail
> Delivery reports about your e-mail
> Returned mail: see transcript for details
> Returned mail: Data format error
>
> The variant also contains an attachment that comes in the form of a
> .zip, .com, .scr, .exe, .pif, or .bat file. The filename is
> delivered as a variation of the destination domain. (i.e. an
> attachment being sent to help at yourdomain.org could appear as
> help at yourdomain.zip , yourdomain.exe or some other variation of this
> naming scheme)
>
> Review the links provided below for updated information as additional
> details become available.
>
>
> POSSIBLE MITIGATION
>
> Ensure that all systems are deploying updated virus protection
> software.
>
>
> REFERENCE INFORMATION/VENDOR/CVE/BUGTRAQ
>
> http://vil.nai.com/vil/content/v_127033.htm 
> http://www.f-secure.com/v-descs/mydoom_m.shtml 
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
>
>
> COUNTERPANE RESPONSE
>
> Counterpane is continuing to monitor this situation. Counterpane has
> seen minimal impact across the customer base at the time of
> publication. For customers using Counterpane's Firewall/IDS Device
> Management, or Active Response, configurations have been verified or
> updated based on business guidelines that are in place.
>
> Counterpane Internet Security is happy to answer any questions you
> may have regarding this report, and we thank you for your continued
> support.
>
> Counterpane Customer Service: 1-888-710-8171
>
>
> LEGAL NOTICES
>
> Copyright (c) 2004 Counterpane Internet Security
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of Counterpane. If you wish to reprint the whole or
> any part of this alert in any medium other than electronically,
> please email customerservice at counterpane.com for permission.
>
> Disclaimer: The information contained within this Security Alert is
> provided for informational purposes and without warranty. Counterpane
> recommends consulting your security policy when responding to this or
> any security-related event. Counterpane also recommends testing any
> vendor-recommended countermeasures prior to their deployment in a
> production environment. The information in the advisory is believed
> to be accurate at the time of publishing based on currently available
> information. Use of the information constitutes acceptance for use in
> an AS IS condition. There are no warranties with regard to this
> information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
>
>
>
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
>
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org 
> http://www.dshield.org/mailman/listinfo/unisog 
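As an added example (not code from anyone in this thread), here are Joseph Brennan's two rejection rules from above, the envelope-sender check for a site's own postmaster/mailer-daemon and the block on executable/zip attachments, written as a Python filter using the attachment extensions the Counterpane alert lists. The domain example.edu, the function names and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string

LOCAL_DOMAIN = "example.edu"   # assumption: the campus domain being protected
FORGED_LOCALPARTS = {"postmaster", "mailer-daemon"}
# Attachment types named in the Counterpane alert above
BLOCKED_EXTENSIONS = (".zip", ".com", ".scr", ".exe", ".pif", ".bat")

def reject_envelope_sender(mail_from):
    """Brennan's rule: reject MAIL FROM that claims to be our own postmaster or
    mailer-daemon. The null reverse-path <> that real bounces use is left alone,
    so legitimate delivery status notifications still get through."""
    addr = mail_from.strip().strip("<>").lower()
    if not addr:
        return False
    local, _, domain = addr.rpartition("@")
    return domain == LOCAL_DOMAIN and local in FORGED_LOCALPARTS

def blocked_attachments(raw_message):
    """Return the attachment filenames whose extension is on the blocked list."""
    hits = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

def should_reject(mail_from, raw_message):
    """Apply both rules at SMTP time; return the reject reason, or None to accept.
    A 5xx reject here creates no local bounce; the backscatter Brennan describes
    comes from third-party relays that accepted the forged sender first."""
    if reject_envelope_sender(mail_from):
        return "forged local postmaster/mailer-daemon sender"
    hits = blocked_attachments(raw_message)
    if hits:
        return "blocked attachment type: " + ", ".join(hits)
    return None

# Constructed sample resembling the worm's bounce-style mail (not a real capture)
SAMPLE_RAW = """\
From: postmaster@example.edu
To: help@example.edu
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as attachment
--b1
Content-Type: application/octet-stream; name="example.zip"
Content-Disposition: attachment; filename="example.zip"

AAAA
--b1--
"""
CLEAN_RAW = "From: alice@other.org\nTo: help@example.edu\nSubject: hello\n\nJust checking in.\n"
```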


