Unofficial empeg BBS

#175687 - 19/08/2003 21:18 Re: Viral Hell [Re: tman]
Daria
carpal tunnel

Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
He wants to read his mail really fast, of course.

#175688 - 19/08/2003 21:23 Re: Viral Hell [Re: mlord]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Apparently the virus uses a spammer trick to send out hundreds of emails at once, making things spread faster.

#175689 - 20/08/2003 06:27 Re: Viral Hell [Re: pgrzelak]
lopan
old hand

Registered: 28/01/2002
Posts: 970
Loc: Manassas VA
Trust me. We installed the patch. We are behind a firewall. Unfortunately, it only takes a few clueless individuals (and in a huge corporation, there are plenty) to get infected badly enough to bring down a rather large and complex network.

I hear ya, we've been spending the last 3 days fixing up a group of 20 people's computers... you know the kind of user that swears they need admin rights on their machine, make a big office stink so you're forced to give it to them, only to find 3 months later that they like to disable virus scan because they claim it makes their computers run slow.... so each and every one of the stupid bastards had "lovegate", "lovesan" and some new variant called "Nachi".... So their office products simply didn't work, which was probably a good thing, being that this made it hard for some of the other viruses to send out mail and stuff....
_________________________
Brett 60Gb MK2a with Led's

#175690 - 20/08/2003 11:17 Re: Viral Hell [Re: lopan]
BleachLPB
enthusiast

Registered: 01/11/2001
Posts: 354
Loc: Maryland
Good to see other people are having as much fun as I am with this one. The last week has been miserable.

I thought our firewall finally died. I logged onto our router (which was working OK) and the prompts displayed slowly - very odd. I sniffed the network and logged about 17000 pings in less than 3 seconds. And we can't have more than 70 hosts on the network. Had to patch each one. Probably some boob plugged in their infected laptop - which I sent multiple messages out advising against last week.

I tried writing a script that applies the fixes then removes the worm - but apparently vbscript isn't case sensitive when telling a computer to terminate the svchost.exe process. The worm's svchost appears as SVCHOST.EXE while the legit svchost.exe is all lower case.

As a side effect - because the firewall was swamped - email slowed to about nothing yesterday - possibly preventing the spread of the new sobig worm. Either way, sobig's payloads (.scr, .pif, etc.) are blocked and tossed in the bit bucket at the firewall.

Then - while patching workstations - a transformer blew up outside our office - all the server UPSes screamed but the power never did go out. I was crossing my fingers that it would go out.

It has been an interesting week!
_________________________
BleachLPB ------------- NewFace MK2a
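
The "17000 pings in less than 3 seconds" seen on the wire above is the kind of signal a small rate check on a sniffer log picks up. Added example, not the poster's script: it parses constructed sniffer-style lines (assumed format "<seconds> <src> > <dst> ICMP echo request") and flags any source that sends more than a threshold of echo requests inside a one-second window, reporting how many distinct hosts it probed.

```python
import re
from collections import defaultdict

# One sniffer-style line per packet: "<seconds> <src> > <dst> ICMP echo request"
LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+) ICMP echo request$"
)

def parse_icmp_echo(lines):
    """Yield (timestamp, src, dst) for ICMP echo request lines; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group("t")), m.group("src"), m.group("dst")

def find_ping_sweeps(lines, window=1.0, max_requests=50):
    """Flag sources sending more than max_requests echo requests inside any
    `window`-second span. Returns {src: (peak count, distinct destinations)}."""
    times_by_src = defaultdict(list)
    dsts_by_src = defaultdict(set)
    for t, src, dst in parse_icmp_echo(lines):
        times_by_src[src].append(t)
        dsts_by_src[src].add(dst)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[src] = (peak, len(dsts_by_src[src]))
    return flagged

def build_sample_log():
    """Constructed sample traffic (not a real capture): 10.0.0.17 sweeps 200
    addresses in 0.4 s, 10.0.0.5 pings its gateway three times, plus one TCP line."""
    lines = [f"{i * 0.002:.3f} 10.0.0.17 > 10.0.1.{i + 1} ICMP echo request"
             for i in range(200)]
    lines += [f"{t:.3f} 10.0.0.5 > 10.0.0.1 ICMP echo request" for t in (0.5, 1.5, 2.5)]
    lines.append("0.700 10.0.0.5 > 10.0.0.1 TCP 80")
    return lines

if __name__ == "__main__":
    for src, (peak, n_dst) in find_ping_sweeps(build_sample_log()).items():
        print(f"{src}: {peak} echo requests in 1 s to {n_dst} hosts")
```

The distinct-destination count is what separates a sweep from a single host hammering one target; on a 70-host segment a source that touches hundreds of addresses in under a second is worth a look regardless of the packet rate.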

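On the SVCHOST.EXE versus svchost.exe problem above: a name match that ignores case selects both the worm's process and the real service host, so the cleanup script has to compare the exact name, and ideally the image directory too. Added example, not the poster's VBScript: it runs both checks over a constructed process listing (pid, image name, full path) and assumes the genuine svchost.exe lives in the Windows system32 directory.

```python
import ntpath

LEGIT_NAME = "svchost.exe"
# Assumption: the genuine service host image lives in the Windows system directory.
LEGIT_DIR = r"C:\WINDOWS\system32"

# Constructed process listing (pid, image name, full path); the second entry mimics
# the upper-case SVCHOST.EXE the poster saw, at a made-up path.
SAMPLE_PROCESSES = [
    (820, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1204, "SVCHOST.EXE", r"C:\WINDOWS\somewhere-else\SVCHOST.EXE"),
    (1512, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

def pids_matching_ignoring_case(processes, name=LEGIT_NAME):
    """What a case-insensitive name match selects: the real and the fake one alike."""
    return [pid for pid, n, _ in processes if n.lower() == name.lower()]

def suspect_svchost(processes):
    """Return pids that look like svchost but fail an exact-case name check or
    do not run from the system directory, leaving the genuine process alone."""
    hits = []
    for pid, name, path in processes:
        if name.lower() != LEGIT_NAME:
            continue                                   # not an svchost lookalike
        wrong_case = name != LEGIT_NAME                # exact, case-sensitive compare
        wrong_dir = ntpath.dirname(path).lower() != LEGIT_DIR.lower()
        if wrong_case or wrong_dir:
            hits.append(pid)
    return hits

if __name__ == "__main__":
    print("case-insensitive match:", pids_matching_ignoring_case(SAMPLE_PROCESSES))
    print("suspect only:", suspect_svchost(SAMPLE_PROCESSES))
```

The directory check is the more robust of the two: a copy that happens to use the correct lowercase name but runs from anywhere other than system32 is still flagged.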
#175691 - 20/08/2003 18:51 Re: Viral Hell [Re: BleachLPB]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
It's days like this that make people understand that admins are worth the money. I mean, given that if we do our jobs correctly, things don't go wrong, it's nice when the world is going crazy except for your little island and you can point this out to your boss.

Does that make sense?

#175692 - 20/08/2003 19:04 Re: Viral Hell [Re: lectric]
BleachLPB
enthusiast

Registered: 01/11/2001
Posts: 354
Loc: Maryland
Try telling that to MY boss.
_________________________
BleachLPB ------------- NewFace MK2a

#175693 - 21/08/2003 06:14 Re: Viral Hell [Re: BleachLPB]
ashmoore
addict

Registered: 24/08/1999
Posts: 564
Loc: TX
We are evaluating ZoneAlarm Integrity right now.
Centrally managed "endpoint" (AKA user/computer) firewall. Just like regular ZoneAlarm at home, just centrally managed with enforced policies, AV definition checking, web based jakarta/tomcat management interface etc etc.
Very cool product.
We also use Symantec AntiVirus Corporate edition to centrally manage the desktop AV and set policies etc.
It's things like that which save our asses every day, even more so now.

Actually, my vote for the best value security product is Guinevere.
It's an email AV gateway and costs <500 bucks, that really has saved our ass since Sunday evening when sobig hit. It only works on Groupwise, but at least to date there are ZERO viruses written for Groupwise.
_________________________
========================== the chewtoy for the dog of Life

#175694 - 21/08/2003 06:35 Re: Viral Hell [Re: ashmoore]
jmwking
old hand

Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
I (mostly) love Groupwise.

But do you have trouble with users who access Groupwise with Outlook? I constantly have to beat them up...

Also, if you're using Web Access, I think viruses bypass Guinevere, and can knock around in the POs.

-jk

#175695 - 21/08/2003 13:42 Re: Viral Hell [Re: pca]
MinerTwoFour
journeyman

Registered: 10/02/2003
Posts: 78
Loc: St. Louis, MO
I happened to get a few messages returned from AOL that claimed that I was sending them out. The text file that was attached had the actual infected username at the top, then my address in the from: line. That was a quick way to pinpoint it.

The first actual virus e-mail I got came from someone in Lebanon. mts@lebanon-online.com.lb, or something like that. Don't know of anyone there, or anyone who would.

And this has probably been brought up before, but the infected might not have you in their address book. The address that has been receiving all these virii and fake messages is my work address. No one has it in their contact list but my sister, who wasn't infected, so it apparently came off of a forwarded message that she had sent to the infected user with my address in it. Tricky.

#175696 - 21/08/2003 13:45 Re: Viral Hell [Re: MinerTwoFour]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Yeah, this latest batch of viruses scans your hard disk for anything remotely resembling an email address. So things like pages in your IE cache or document files could be fodder. Ick.
_________________________
Tony Fabris

#175697 - 21/08/2003 17:25 Re: Viral Hell [Re: jmwking]
ashmoore
addict

Registered: 24/08/1999
Posts: 564
Loc: TX
Yeah, the problem is that webaccess in Groupwise is pretty darn good as well.
I will stop worrying when we get Integrity rolled out; you can stop people accessing your network if they don't meet base criteria such as virus defs etc. Way cool.
_________________________
========================== the chewtoy for the dog of Life

#175699 - 25/08/2003 07:31 Stoopid CNN comments. [Re: tfabris]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
So CNN were discussing Sobig this morning. Apparently their regular geek chose this week to go on vacation, so they had a stand-in 'expert' talking with the anchor. Although at first she appeared to know what she was talking about, I soon suspected that she was little more than a pretty face with a good ability to act a role.

This was confirmed by her answer to the anchor's last question, "How do you avoid being hit?":
"Only open email with "From:" addresses that you know. If you didn't open email from strangers then Sobig wouldn't have affected you." (paraphrased).

Aaargh. I can accept that comments such as these may come from small local outfits with few resources, but from CNN? No wonder half the population remains clueless about email virii.

Let's review:
1) Most virii send copies of themselves to contacts in your address book. Many of whom are likely to be friends and family who know you.
2) In Sobig's case, it apparently used one of the contacts' email addresses to spoof the 'From' header. Although that means that many copies of the virii would appear to come from strangers, some copies will also appear to come from mutual friends, so her statement is still wrong.

_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.
