[unisog] Auto AV Notification ( was Re: New virus)

Bill Martin bmartin at luc.edu
Thu Nov 24 04:34:59 GMT 2005


As a result of these little buggers, and their spoofing of the sender, we receive thousands of notifications that mail to xxx failed to deliver... or the mail you sent contains a virus.. etc...

Is there really any point in this?  Think about it, replying to these is usually pointless.  The people that these bounce back to usually did not send the initial e-mail... sending notifications creates more work for everyone and their SMTP gateways and mail systems, etc...

So, I simply would like to ask if auto notifications are really needed?  If not, please, PLEASE shut the blasted things off.... the solution is creating almost as much of a problem as the problem itself IMHO . . .
-bill-

-Bill Martin-
Sr. Systems Analyst
Loyola University Chicago
bmartin at luc.edu
>>> pgoverts at sjfc.edu 11/23/05 7:50 AM >>>
Symantec reported to us mid-morning yesterday that it was a variant of
the W32.Mytob virus.  They provided updated definitions that now capture
the virus.

Paul

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

"Ask yourself - Where are you going?  Who is going with you?"  -- "Col."
Gordon Shay
-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Russell Fulton
Sent: Tuesday, November 22, 2005 3:05 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] New virus

both sober and mytob have launched a number of new versions over the
last few days.  Our executable filters have been quite busy...

Russell

Goverts IV, Paul wrote:
> I was wondering if anyone had seen anything like this today....
> 
>  
> 
> We have been seeing a new virus going around this morning that is coming
> in via an email appearing to be from "webmaster" "register" and "admin"
> @(WhateverDomainIsBeingTargeted).  It tells users to click on the
> attachment which is an .scr file disguised as an .htm file (inside a zip
> file).  When the attachment is run, the virus disables Symantec
> Antivirus, Task Manager, and Ethereal.  It then runs a program
> (C:\Windows\system32\Win32IMAPSVR.EXE) which opens a connection to
> 208.57.228.66:27999 apparently to wait for instructions.  Our GFI
> antivirus on our mail servers didn't start filtering this out until
> about 8:30am this morning, and the latest definitions from Symantec
> (11/21/05 rev 6) do not detect this yet. Anyone else seeing this?
> 
>  
> 
> Paul
> 
>  
> 
> Paul Goverts IV
> Computer Services
> St. John Fisher College
> Rochester, NY 14618
> "Ask yourself - Where are you going?  Who is going with you?"  --
> "Col." Gordon Shay
> 
>  
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog