
[FQuest Notice] Email Virus Alert


Deb
01-27-2004, 11:38 AM
The worm within the following news article appears to be coming in strong at this time.

http://story.news.yahoo.com/news?tmpl=story&cid=581&e=3&u=/nm/20040127/tc_nm/tech_internet_worm_dc

Please be sure to have your virus protection software up-to-date and be extra discriminatory concerning which file attachments you open.

Also be aware that due to the mass amounts of these emails making their way into the FutureQuest Network we will need to be actively working with the mail queues to ensure the proper delivery of valid emails. Doing this may or may not require us to block certain accounts that are sending or receiving large quantities of this worm.

This may also be a good time, for those who do not normally receive email attachments, to:

a) Visit the domain's CNC (http://www.Example.com/CNC/)

b) Click on Email Manager from the top menu

c) Click on Built-in Filters from within the Global Filters list

d) Click on the Executable Attachment Filter option and follow the instructions from there. Deleting may be the best option for you and us for the short term future, redirecting to an address of your choice is the safest option for you to not lose email, and bouncing may or may not assist with this particular problem.

e) Back at the Built-in Filters main screen select the Attachment Extension Filter option and fill out the form to do the same for .zip attachments (the majority of these worms, though not all, do appear to be coming in as .zip files)

Again, we are suggesting that the best defense would be enabling the following filters:

Executable attachments
Attachment Extensions (for .zip)

We are also suggesting that you simply delete any email caught by the above filters and turn off any autoresponders on accounts that may be affected. NOTING, however, that these are suggestions and if enabled valid mail may be caught up in the situation.

Thanks

Deb
- All that is necessary for the triumph of evil is for enough good men to do nothing. - Edmund Burke

Benj
01-27-2004, 12:27 PM
Is there a way to know if we are infected, other than anti virus scanning ?

Cordially,
Benj

Deb
01-27-2004, 12:34 PM
You really would need up-to-date virus software and a full scan to be sure... These things are never pretty ~#

Monty
01-27-2004, 12:46 PM
Be sure not to put the period before zip when you do this.

http://2coolfishing.com/screenshot.jpg

Jarrod
01-27-2004, 12:47 PM
Anti-virus software with up-to-date definitions is definitely the best idea. But if you want to know more about the virus, navigate to the removal instructions (http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html) and it explains the Windows registry keys that indicate an infection.

GregJ
01-27-2004, 01:17 PM
I received a few that had the cmd extension on them. This is a valid NT executable extension and should be added to the executables filter. For now, I have put it in my attachments filter.

-g
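The two built-in filters from Deb's steps, with GregJ's .cmd addition, as an added stand-alone model (not FutureQuest's CNC code): it reads a MIME message, stores extensions the way Monty's note requires (no leading dot, case-insensitive), checks every trailing extension of a filename, and returns delete, redirect or bounce. The executable extension list, the addresses and the sample message are constructed assumptions.

```python
from __future__ import annotations

import email
from dataclasses import dataclass, field
from email import policy as email_policy
from email.message import EmailMessage

# Extensions treated as executable. Stored without the leading dot and in
# lower case; .cmd is GregJ's addition. This set is an assumption for the
# example, not the CNC's actual built-in list.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "cmd"}

ACTIONS = {"delete", "redirect", "bounce"}


def normalise_ext(ext: str) -> str:
    """'.ZIP', 'zip ' and 'Zip' all become 'zip' (Monty's "no period" point)."""
    return ext.strip().lstrip(".").lower()


def candidate_exts(filename: str) -> set[str]:
    """Every trailing extension of a filename: 'readme.txt.cmd' gives
    {'txt.cmd', 'cmd'}, so a blocked final extension is never hidden by a
    harmless-looking one in front of it."""
    parts = filename.lower().split(".")
    return {".".join(parts[i:]) for i in range(1, len(parts))}


@dataclass
class FilterConfig:
    """One domain's settings for the two filters in the thread."""
    executable_action: str | None = None       # None = filter switched off
    extension_action: str | None = None
    blocked_extensions: set[str] = field(default_factory=set)
    redirect_to: str | None = None             # used when an action is 'redirect'

    def __post_init__(self) -> None:
        for action in (self.executable_action, self.extension_action):
            if action is not None and action not in ACTIONS:
                raise ValueError(f"unknown action {action!r}")
        self.blocked_extensions = {normalise_ext(e) for e in self.blocked_extensions}


@dataclass(frozen=True)
class Verdict:
    action: str                 # 'deliver' or one of ACTIONS
    reason: str
    filename: str | None = None
    target: str | None = None   # redirect address when action == 'redirect'


def attachment_names(raw: bytes) -> list[str]:
    """Filenames of every part that carries one, nested multiparts included."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def check_message(raw: bytes, cfg: FilterConfig) -> Verdict:
    """Executable filter first, then the extension filter; the first matching
    attachment decides. A message with no match is delivered normally."""
    for name in attachment_names(raw):
        exts = candidate_exts(name)
        if cfg.executable_action and exts & EXECUTABLE_EXTENSIONS:
            return _verdict(cfg.executable_action, "executable attachment", name, cfg)
        if cfg.extension_action and exts & cfg.blocked_extensions:
            return _verdict(cfg.extension_action, "blocked attachment extension", name, cfg)
    return Verdict("deliver", "no filter matched")


def _verdict(action: str, reason: str, name: str, cfg: FilterConfig) -> Verdict:
    target = cfg.redirect_to if action == "redirect" else None
    return Verdict(action, reason, name, target)


def build_sample(filename: str) -> bytes:
    """Constructed test message with one small binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"    # constructed addresses
    msg["To"] = "owner@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("constructed body text")
    msg.add_attachment(b"\x00\x01\x02", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    cfg = FilterConfig(executable_action="delete", extension_action="redirect",
                       blocked_extensions={".ZIP"}, redirect_to="hold@example.invalid")
    for name in ("document.zip", "readme.txt.cmd", "notes.txt"):
        print(name, check_message(build_sample(name), cfg))
```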

GregJ
01-27-2004, 01:19 PM
Why doesn't FQ offer virus filtering at the mail server level? We could enable it in the CNC just like we do for executables, attachments, and such.

-g

Monty
01-27-2004, 01:24 PM
Thanks for the heads up, Greg. Just adding those 2 file types has really shut the valve down on this.

GregJ
01-27-2004, 01:32 PM
Wow! What a load-full.

I had 500 which got through and I filtered vigorously even before this. I already had the executable attachments filter on, but I was bouncing. So I changed to blackhole for the time being until the flood is over.

Closed down the rest by adding zip and cmd. It's back down to reasonable for the moment, but I don't like blocking zip files. That's what I've told all of my clients to send me stuff as so it would be able to get through the filters.

I really feel we should have a system level option for filtering viruses - It would make an already outstanding mail offering even better. Those that don't want it, wouldn't have to enable it.

-g
<edit rest is not spelled reset />

Monty
01-27-2004, 01:41 PM
load-full that's a polite way of putting it ;)

I have this mental picture of Terra standing in a room full of flying superballs with a baseball bat right now trying to get this thing shut down. I sure wouldn't want to be "dev/null" right at the moment, lol.

Deb
01-27-2004, 01:44 PM
Originally posted by Monty:
I have this mental picture of Terra standing in a room full of flying superballs with a baseball bat right now trying to get this thing shut down. I sure wouldn't want to be "dev/null" right at the moment, lol.
That would be Bruce right now, not Terra ;)

There is a big thought process between blocking this bad boy vs allowing the good boys to receive their valid emails -- not an easy decision...not easy at all...

Deb
- Excellence is best described as doing the right things right - selecting the most important things to be done and then accomplishing them 100% correctly.

cybercrone
01-27-2004, 02:08 PM
I set up the CNC filters to bounce executables and zip attachments but also used the message option to include a message explaining why the e-mail has been bounced, and asking legitimate senders to send an email without the attachment explaining that they need to send the file, which will enable me to make some other arrangement with them. Bounced e-mails to bogus virus-mailing addresses will simply result in a delivery failure message -- an annoyance to delete them as they come in, but the up side is that legitimate senders WILL receive the message and at the very least you'll know that you have a legitimate file you need to get. Disabling the filter long enough to get the file is a temporary risk, but hey, it's better than whatever. Maybe someone has an idea of another way to deal with this?

Randall
01-27-2004, 02:47 PM
Anyone who exchanges files with AOL users may want to think twice before filtering out zip files on a long-term basis. If they send you more than one attachment in a single message, AOL automatically zips them into one file.

But the real reason I came to the forums just now is to warn users of AVG Anti-Virus Free Edition: The update server free.grisoft.cz seems to be down, so your virus definitions may be out of date (mine were). Download the latest update (http://www.grisoft.com/us/us_updt6.php?lng=fe) from their web site, place the file in c:\program files\grisoft\avg6\update, and then run AVG.

If AVG shows a Virus Database release date of 1/27/04, you're protected against Novarg/MyDoom.

Randall

Jeff
01-27-2004, 02:54 PM
Originally posted by GregJ:
Why doesn't FQ offer virus filtering at the mail server level? We could enable it in the CNC just like we do for executables, attachments, and such.

-g
http://www.clamav.net/ for example is a free option that seems to be filtering out this virus' zip files while allowing legitimate zip files to be unaffected. Not sure if there is an easy way to send mail through it using qmail though.

cindik
01-27-2004, 03:02 PM
Some good in-depth info on the Trend Micro site: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

JoeLeBlanc
01-27-2004, 03:05 PM
Wow, I do understand. I did a test and it was taking at least 15 minutes just to get an email through the servers that was sent from one user of the domain to the other.

Unbelievable

Randall
01-27-2004, 03:11 PM
It performs a denial of service (DoS) attack against the software business site www.sco.com. A Linux geek created this virus? ~#

Randall

Lauran
01-27-2004, 03:32 PM
I don't post very often :o but wanted to write a heartfelt thank you to EVERYONE on the FQ team, for looking after all of the screaming details of running a world class host.

I'd noticed all of the infected emails coming in (thank goodness for Norton) and was working on filters when I received the email from FQ letting us know what was going on.

To put it simply ... you guys rock.

Lauran

***************************
When the night is dark,
And the dogs go 'bark';
When the clouds are black,
And the ducks go 'quack';
When the sky is blue,
And the cows go 'moo';
Think of lovely Queenie,
She'll be thinking of you.

JRepici
01-27-2004, 03:57 PM
I understand about the backdoor to SCO and agree it's sad, but who knows for sure who actually kicked this pig or why.

OK, my question is:

Does this virus spoof return addresses with addresses found on the infected machine ala "Sobig"?

-John

Randall
01-27-2004, 04:03 PM
Yep. It spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users on infected machines.

Randall

LightGuide
01-27-2004, 04:25 PM
Originally posted by Lauran:
...a heartfelt thank you to EVERYONE on the FQ team,
for looking after all of the screaming details of
running a world class host.

You got *that* right.

&likewise[1000];

etLux

Mandi
01-27-2004, 04:33 PM
Yeah, thank G-d for FutureQuest.

It's not a pretty scene elsewhere on the net today.

One host is claiming that the tied up webservers giving dingbatty responses all day (and some yesterday) are the result of their overwhelmed email servers. Ummm, okayyy . . . tiny little pipeline, there?

Terra
01-27-2004, 04:45 PM
:QTdive: :QTwhip: :QThelp:

--
Terra
-- :QTwork: --
FutureQuest

Bruce
01-27-2004, 05:03 PM
Originally posted by GregJ:
I really feel we should have a system level option for filtering viruses - It would make an already outstanding mail offering even better. Those that don't want it, wouldn't have to enable it.
When we first looked at offering server-side virus scanning, we had two choices: unreliable or expensive. Neither was considered a worthwhile option, especially compared to the effectiveness of the no-exe filter.

Due to the ever-changing nature of viruses, doing scanning on known viruses can only start to catch them after they have started to propagate. For example, the latest signature file for the referenced free virus scanner, ClamAV, does not appear to have any reference to MiMail.R, MyDoom, or Novarg, the primary aliases for this virus.

In addition, all of the virus scanning options need to open up all compressed files to examine their content as well. This means building up another scanning infrastructure, like the SpamAssassin scanners, to do virus scanning.

It's worth noting that it appears that ISPs such as Yahoo and BellSouth don't offer anti-virus scanning probably for many of the same reasons.

Randall
01-27-2004, 05:36 PM
Originally posted by Bruce:
It's worth noting that it appears that ISPs such as Yahoo and BellSouth don't offer anti-virus scanning probably for many of the same reasons.
Yahoo is doing some sort of virus scanning now -- in the past week I've seen a couple messages that they've sanitized (or tried to, since it appears to have broken down yesterday).

How hard would it be to create a system that can do fingerprint-matching on demand during an outbreak like this one? In other words, instead of scanning for every virus known to man, it just looks for the virus du jour. We send you samples of the virus, you feed it into the hopper and now it blackholes incoming messages containing the files in question.

Randall

cybercrone
01-27-2004, 05:36 PM
I have worked with one huge corporation that had a very expensive virus-scanning system, and prolly for the reason Bruce has explained (locking the barn after the horse is gone), it didn't work that well.

The filters that FQ offers, and which I never bothered to look at until today :o , seem to work very well, since I haven't rec'd a single virus-bearing message since activating them. I feel that this system gives me much more control than one that someone else manages. I get to word a bounce message any way I like, and ackshully choose which extensions I'll accept and which I won't, and from my own point of view, anyway, I think FQ chose an excellent way to go with this.

Jeff
01-27-2004, 05:39 PM
Originally posted by Bruce:
Due to the ever-changing nature of viruses, doing scanning on known viruses can only start to catch them after they have started to propagate. For example, the latest signature file for the referenced free virus scanner, ClamAV, does not appear to have any reference to MiMail.R, MyDoom, or Novarg, the primary aliases for this virus.
Starting last night, it has caught every one so far and discarded the virus' zip file while letting uninfected zip files through just fine.

I'm sure it would add a bunch of overhead though, and probably add some seconds to email delivery, or minutes on a day like today :(

The original e-mail attachment "document.zip"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Tue Jan 27 16:35:19 2004 the virus scanner said:
document.zip contains Worm.SCO.A

Bob
01-27-2004, 05:41 PM
Originally posted by Randall:
Yahoo is doing some sort of virus scanning now -- in the past week I've seen a couple messages that they've sanitized (or tried to, since it appears to have broken down yesterday).
Just to be clear Bruce obtained the information regarding Yahoo and BellSouth from me as I have active email accounts on both and in my Email Managers for both services I was unable to locate any indication of anti-virus solutions.

About 1.5 years ago, IIRC, BellSouth announced both anti-spam and anti-virus solutions were coming... They delayed the roll out for "Technical" reasons and about 1 month after they were supposed to be available they did roll out their Mail Guard system for anti-spam purposes however I never heard another word regarding anti-virus email solutions from them.

-Bob

- Bruce takes enough heat, doesn't need mine too :P -

JRepici
01-27-2004, 05:54 PM
Randall,

re: "Yep"

thanks.

-djr

Terra
01-27-2004, 06:01 PM
Originally posted by Randall:
How hard would it be to create a system that can do fingerprint-matching on demand during an outbreak like this one?
We looked at the raw content of the email, and are finding that the Base64 attachment itself is not constant...

The 'exe' attachment has a somewhat stable signature..,

The 'zip' attachment however, has a changing signature...

Also the Subject, Body, and Attachment names change as well...

There is no centralized quick solution to this, other than site owners looking to use the powerful filtering system we already have in place...

--
Terra
--The magic bullet keeps disappearing--
FutureQuest
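Randall's on-demand fingerprint idea, combined with Bruce's point that compressed files have to be opened and Terra's observation that the raw Base64 is not constant, as an added example (not code from FutureQuest, ClamAV or any scanner): attachments are decoded before hashing, and zip members are hashed individually, so a repacked archive with a different timestamp still matches a submitted sample. Every byte of data below is constructed; nothing is drawn from the actual worm.

```python
from __future__ import annotations

import email
import hashlib
import io
import zipfile
from email import policy as email_policy
from email.message import EmailMessage


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def content_fingerprints(data: bytes) -> set[str]:
    """Fingerprints for one *decoded* attachment: the bytes as delivered and,
    when they form a zip archive, each member's decompressed bytes. Hashing
    inside the archive is what lets a match survive repacking."""
    fps = {sha256(data)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    fps.add(sha256(zf.read(info)))
    return fps


def message_fingerprints(raw: bytes) -> set[str]:
    """Decode every attachment first: the Base64 text in the raw mail changes
    whenever the file changes, so the comparison key is the decoded bytes."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    fps: set[str] = set()
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            fps |= content_fingerprints(payload)
    return fps


def matches_samples(raw: bytes, sample_fps: set[str]) -> bool:
    """True when any fingerprint of the message is in the submitted-sample set;
    a mail system would blackhole such a message instead of delivering it."""
    return bool(message_fingerprints(raw) & sample_fps)


# ---- constructed test data (no real worm bytes anywhere in this file) ----

def make_zip(member: str, data: bytes, date_time: tuple, comment: bytes = b"") -> bytes:
    """Build a one-member zip in memory with a chosen timestamp and comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member, date_time=date_time)
        zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
        zf.comment = comment
    return buf.getvalue()


def make_message(attachment_name: str, attachment: bytes) -> bytes:
    """Constructed message carrying one attachment, Base64-encoded on the wire."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"     # constructed addresses
    msg["To"] = "owner@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("constructed body")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename=attachment_name)
    return bytes(msg)


STAND_IN_PAYLOAD = b"constructed stand-in for an attachment payload, not code"
# Same member, repacked with a different timestamp and archive comment: the
# container bytes differ while the member bytes do not.
ZIP_A = make_zip("document.bin", STAND_IN_PAYLOAD, (2004, 1, 27, 16, 35, 19))
ZIP_B = make_zip("document.bin", STAND_IN_PAYLOAD, (2004, 1, 27, 18, 0, 0), b"v2")
SAMPLE_FPS = content_fingerprints(ZIP_A)   # what an admin "feeds into the hopper"


if __name__ == "__main__":
    print("container hashes equal:", sha256(ZIP_A) == sha256(ZIP_B))
    print("repacked copy matches:",
          matches_samples(make_message("document.zip", ZIP_B), SAMPLE_FPS))
    legit = make_zip("photo.txt", b"harmless constructed content", (2004, 1, 27, 9, 0, 0))
    print("legitimate zip matches:",
          matches_samples(make_message("photos.zip", legit), SAMPLE_FPS))
```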

kitchin
01-27-2004, 06:18 PM
bouncesaying "Sorry, today I am rejecting all messages between 32,000 and 36,000 bytes. Please send either a shorter or a longer message."

Sorry, just kidding, and I don't know a quick (shell) test for that anyway.
;)

Thanks FQ for dealing with the flood.
:police:

cybercrone
01-27-2004, 06:23 PM
Originally posted by Terra:
There is no centralized quick solution to this, other than site owners looking to use the powerful filtering system we already have in place...

...Yes! Before I activated this system I spent half my morning closing Norton virus alert windows and erasing files. Now I wouldn't even know there was a virus attack.

frankc
01-27-2004, 06:33 PM
Originally posted by Deb:
The worm within the following news article appears to be coming in strong at this time.
Click here (http://securityresponse.symantec.com/avcenter/FxNovarg.exe) to run Symantec's Novarg detection/removal tool. Click Save if you wish to save it and run it, or just click Open to run it immediately.

Randall
01-27-2004, 06:52 PM
Originally posted by Terra:
The 'zip' attachment however, has a changing signature...
<idle speculation>
I wonder if the virus is creating the zip files on the fly, using a zip program found on the victim's system? Maybe that would affect the signature -- different datestamps, versions of the program, etc.
</idle speculation>

All virus spammers must die. :*

Randall

JRepici
01-27-2004, 07:17 PM
So, you can sue McDonald's for making their coffee hot, but you can't sue MS for writing OS's that might bear at least some of the blame for these little gifts that cost businesses billions.

Why is that?

GregJ
01-27-2004, 08:07 PM
Originally posted by Bruce:
When we first looked at offering server-side virus scanning, we had two choices: unreliable or expensive. Neither was considered a worthwhile option, especially compared to the effectiveness of the no-exe filter.
I've been looking into this since Bruce posted and here is what I found.
1) ClamAV is up-to-date. I just found and checked the data.zip that I let through just for the purpose at
http://www.gietl.com/test-clamav/ and it responded with File is valid, and was successfully uploaded. clamav scans the file ...
Clamav-Output:/tmp/phpAXSlrN: Worm.SCO.A FOUND
And found something: Worm.SCO.A

Since clamav already recognizes the content you submitted there is no reason to resubmit it.

2) it's free.

I note that Jeff responded to this while I was off researching also.


Originally posted by Bruce:
Due to the ever-changing nature of viruses, doing scanning on known viruses can only start to catch them after they have started to propagate. For example, the latest signature file for the referenced free virus scanner, ClamAV, does not appear to have any reference to MiMail.R, MyDoom, or Novarg, the primary aliases for this virus.
That is true of all of the virus check softwares, but they react quickly and even the free ClamAV was in place as of yesterday.

Originally posted by Bruce:
In addition, all of the virus scanning options need to open up all compressed files to examine their content as well. This means building up another scanning infrastructure, like the SpamAssassin scanners, to do virus scanning.

It's worth noting that it appears that ISPs such as Yahoo and BellSouth don't offer anti-virus scanning probably for many of the same reasons.

The reason major ISPs are doing it now is because enough people are Complaining (Had a different word in mind). The ones who aren't tend to be the big, fat, and slow-to-respond ISPs that don't need to worry about it and the too tiny to have the resources. I don't want to be stuck in either of those crowds and I feel certain that FutureQuest doesn't want it either. I understand that it is another scan and I know that it sucks horsepower. But it is a feature that more and more people are going to expect and demand and they will go elsewhere to get it. I'd even be willing to pay a small premium to have my mail filtered for viruses.

I want to be able to offer to my clients the comforting 'yes, we have a virus checker in place'. I know that a virus checker isn't perfect, but simply saying 'you have to bone up on the old filters' just doesn't seem good enough to me when major ISPs are touting on the telly that they have anti-virus and anti-spam features.

-g

Terra
01-27-2004, 08:23 PM
Originally posted by GregJ:
it's free.
Yes - the software may be, but the new servers, labor, support, etc costs will skyrocket rather quickly...

It is not easy to swallow when you are building systems to manage domains at the scale we are... The whole 'one-size-fits-all' dilemma rears its ugly head...

Originally posted by GregJ:
I'd even be willing to pay a small premium to have my mail filtered for viruses.
You belong to a very exclusive club, I can assure you... :P


We are still investigating Anti-Virus solutions, however I do not want decisions to be made driven by 'knee-jerk' reactions...

We have taken a lot of (enraged/bitter/etc) heat in the EMS today, with a pile of finger pointing (at us) for allowing such things to happen... Solutions forged from such (intense) 'pressure' usually do not turn out very well... GregJ, that is not to say that is how you are presenting your recommendation... I am mostly bringing forth the behind-scenes EMS activity to the forefront, and to let you know the drumbeat is nearing the point of deafening...

--
Terra
--it is infinitely easy to give - but nigh impossible to take away in the case of it not working well--
FutureQuest

dank
01-27-2004, 08:45 PM
Originally posted by frankc:
Click here to run Symantec's Novarg detection/removal tool. Click Save if you wish to save it and run it, or just click Open to run it immediately
Don't run it if you've got work open... It'll automatically close all browser windows (IE, at least) and takes long enough to run that I just decided to go take a nap. :\

Didn't detect anything on my computer, though, which is what I expected.

Dan

GregJ
01-27-2004, 08:49 PM
Terra & all of the FQ team,

Please don't think that I'm demanding something be done and I apologize if that's the way my message seemed. I rather think that Monty's picture with the superballs is fairly accurate. I'm sure it is painful there at this time.

Regarding the "2) It's free": that was only in response to the cost of the software. Much like Linux is free. I do recognize that anything that you have to support comes with all of the attendant overhead costs - the smallest part of which is the cost of the software.

I think a lot of the folks here at FQ belong to that same small club you said I belonged to. FQ offers excellent service and facilities for a reasonable price. Not the cheapest price maybe, but all told, a reasonable one. I've seen often on the forums where that has been borne out by the folks here. Your service and features compared to price has bought you a high degree of loyalty in a very fickle market. FQ has a LOT to be proud of - even in the midst of trials of this day.

I am very glad to hear that you are investigating anti-virus solutions and know that you will come up with something that will do the job in the most cost-effective manner. It will help me sell turn-key office solutions (something I'm just now trying to get off the ground) in my local community. I already tell them about how the mail features and system reliability are so much better than what they currently experience and adding the security of an anti-virus to the mix will help a lot.

-g
Dedication - when 'two aspirin and call me in the morning' won't cut it

Chipmunk
01-27-2004, 09:25 PM
Originally posted by cybercrone:
legitimate senders WILL receive the message and at the very least you'll know that you have a legitimate file you need to get. Disabling the filter long enough to get the file is a temporary risk, but hey, it's better than whatever. Maybe someone has an idea of another way to deal with this?
Cybercrone, a simpler and safer approach is to always block zips, and just ask your colleagues to rename their file attachments to a benign extension, then when you receive them rename them.


On the issue of what FQ should do:
One of the best engineering practices is to use the simplest possible solution that actually solves the problem. Personally, I strongly believe FQ has already done this. Reliance on virus scanning leads to a false sense of security which is more dangerous than the current crop of viruses. If we train users to believe that an executable file that passes a virus scan is safe, then we're training them to distribute smart viruses that have delayed activation times.

FQ has given us the tools to block attachments. Let's use our own common sense (uh-oh - I'm using that problematic phrase again!) to teach our own dependent users safe practices such as never sending file attachments without thinking.

[yes, that was a rant, but not one directed at anyone here... more at the media promulgated myths]

P.S. Thanks Deb & Monty for the clear instructions on how to use the excellent, 100% effective tool that FQ already provides.

Randall
01-27-2004, 10:26 PM
Originally posted by dank:
takes long enough to run that I just decided to go take a nap. :\
Sounds like a good idea on any day.

Originally posted by GregJ:
I think a lot of the folks here at FQ belong to that same small club you said I belonged to.
Add my name to that list. My other host wants $15 a month for their new spam/virus filtering service -- a little high if you ask me, but I'm sure FQ could do it better and cheaper.

Until now I thought the exe filter was enough, because no one was zipping up viruses. Hadn't seen one of the little beasts in months. I dunno -- maybe it is enough, if you don't work with AOL users.

Originally posted by Chipmunk:
just ask your colleagues to rename their file attachments to a benign extension
I need to clarify what I said earlier: AOL's software zips multiple attachments automatically. You don't have a choice, and you can't change the file extension after the fact. (I don't know anyone who zips attachments by choice, because every other email program in the @#$% world knows how to handle multiple attachments.) All you can do is ask them to send everything separately.

It generally helps to ask them nicely -- and not to treat them like children, which is the way these discussions tend to run. :\

Originally posted by Chipmunk:
Reliance on virus scanning leads to a false sense of security which is more dangerous than the current crop of viruses.
We should take the brakes off people's cars and teach everyone to drive 10 mph, because brakes create a false sense of security on icy highways. No one will buy those newfangled anti-lock brakes anyway. ;)

Teach your "dependent" users, but don't take away the tools that could save them in a crisis. We all have bad days, "stupid" days, and days we should never have got out of bed. And if the anti-virus tools aren't perfect, that doesn't mean they can't be improved.

Anyway, AVG's update server is back in operation now.

Randall

Deb
01-27-2004, 11:18 PM
Thanks to all of you for your cool, calm & collected support and assists with working through this (which is by no means over...). It is greatly appreciated!!

There are a number of ideas and concepts to be worked through but in the meantime (and even if/when...) keep everything on those local systems up to date :)

I also want to publicly give a big thanks to the team that was on today...Especially Bruce, Bob and Sheila...they really put forth an enormous amount of effort and continued to smile through it all... I, as one who was able to observe on the backside, was rather impressed!

Originally posted by Randall:
We should take the brakes off people's cars and teach everyone to drive 10 mph, because brakes create a false sense of security on icy highways. No one will buy those newfangled anti-lock brakes anyway. ;)
Or just http://www.picolio.com/Albums/album54/16_G.gif

Randall
01-27-2004, 11:37 PM
That's the answer -- TurtleNet! :D

Let's hope the whole FQ crew gets some well deserved rest when this dies down -- we don't want a repeat of last summer, when it seemed like there was a new plague every week. :\

Randall

Bruce
01-27-2004, 11:59 PM
Originally posted by Randall:
We should take the brakes off people's cars and teach everyone to drive 10 mph, because brakes create a false sense of security on icy highways. No one will buy those newfangled anti-lock brakes anyway.
Actually, speaking of anti-lock brakes, they do produce a false sense of security. According to every report I've seen, people with ABS tend to drive significantly faster in conditions where the ABS can't help them, to the point of putting themselves at more risk than they would have without ABS. In that sense, ABS is a very good analogy for virus scanning: there is no doubt that it does help, at least in some situations, but it can't be blindly trusted the way it is.

Randall
01-28-2004, 12:09 AM
Originally posted by Bruce:
In that sense, ABS is a very good analogy for virus scanning: there is no doubt that it does help, at least in some situations, but it can't be blindly trusted the way it is.
It's about time I got one of these car analogies right. Sort of. ;)

Randall

Chipmunk
01-28-2004, 12:23 AM
Originally posted by Randall:
I need to clarify what I said earlier: AOL's software zips multiple attachments automatically.
Randall, yes I should have specifically addressed that excellent point, though as I've :) previously hinted, the thought of any attachment from an AOL user strikes fear into my heart. As you say, asking nicely helps, but I'm sure you'll agree there's a certain type of user who is strongly resistant to change. I do believe that most users can be trained. They're not stupid - it's just that this stuff is complicated and the poor users are deluged with media lies of "user friendly"... and it ain't. I've had good success with even raw novices, but it takes a huge usually one-on-one effort, and requires frequent reminders (hmmmm... sort of like Freedom).

The best analogy I can think of is AIDS. Education is the only socially viable solution, yet the media harps "treatment" as the "cure". Treatment is necessary, and all we can do for the infected, but does nothing to stop the spread of that horrendous disease.


Originally posted by Randall:
We should take the brakes off people's cars and teach everyone to drive 10 mph, because brakes create a false sense of security on icy highways. No one will buy those newfangled anti-lock brakes anyway.

Excellent analogy, one with which the governor of North Carolina :) agrees (http://story.news.yahoo.com/news?tmpl=story&cid=578&e=4&u=/nm/20040127/ts_nm/weather_usa_dc):
"Due to icy roads across the state, North Carolina Gov. Mike Easley urged residents to stay home and not to drive unless it was absolutely necessary. Eight motorists have been killed in weather-related accidents, he said."

More seriously, I'm not against virus scanning software. I am against the view that it is a highly reliable means of preventing viruses. We've all seen those nonsense "guaranteed virus free" lies embedded by some popular email virus scanning systems. Geeks understand that's impossible, but novices don't. Yeah, it's a lot more effort to educate users, but it is possible, and the only way we'll stop the onslaught of viruses. Deep down in my heart, I'm an :) optimist... but a :) paranoid one.

My virus nightmare is that a smart one is already out there... and has been there a long time. 9/11 and Nimda taught us that terrorists are smart, well-equipped, and patient. In a couple of hours, any good programmer can write a patient trojan that is undetectable by the majority of anti-virus software (yes, I know this empirically). Folks, scanning that cutesy greeting card your friend sent you can not prove it's virus-free. Choosing not to run it, and never forwarding such things, keeps you and your friends safe.

Chipmunk
01-28-2004, 12:27 AM
Originally posted by Bruce:
Actually, speaking of anti-lock brakes, they do produce a false sense of security. According to every report I've seen, people with ABS tend to drive significantly faster in conditions where the ABS can't help them, to the point of putting themselves at more risk than they would have without ABS.
LOL! Thanks Bruce! I was afraid of :) pointing out that it's been my experience that some of the worst (but also some of the best) drivers on the road drive Volvos. Of course, that's if one :) removes all the SUVs and mini-vans.

Randall
01-28-2004, 05:27 AM
Chipmunk, I've been meaning to ask you, why do you always put smilies in the middle of sentences? I've been waiting for someone to ask that question. A few days ago Songdog was wondering (http://www.aota.net/forums/showthread.php?postid=104719) who uses the most smilies per post, and I think Chipmunk has earned the title of Smiley King. :sillylol:

Chip, what weirds me out is the way you can go through several (sometimes contradictory) smilies in the course of a single sentence. I have this mental image of you pausing every few words to pop a quick :) and then carrying on with a straight face until the next :) or :( bursts out. Gives your posts an interesting rhythm, but also makes me think that you're seriously brain-addled. :P ...must exterminate all SUVs, especially those driven in snow by people who think four wheel drive is their shield against spin outs. I saw an SUV rolled over on its side this morning -- and that was just a dusting of snow, as opposed to the rampaging horde of white DHMO particles falling on us right now. Tomorrow should be interesting, but my regularly scheduled employment for Wednesday has been moved to Friday this week (purely coincidental), so I won't be there to see it.

Originally posted by Chipmunk:
I've had good success with even raw novices, but it takes a huge usually one-on-one effort, and requires frequent reminders
I'm teaching the rawest of raw novices right now. We're just working on reading email at the moment -- attachments will have to wait for the Advanced Course. I'm finding reserves of patience I never knew I had. %) It helps that I never think of her as "stupid," even in private.

Originally posted by Chipmunk:
In a couple of hours, any good programmer can write a patient trojan that is undetectable by the majority of anti-virus software (yes, I know this empirically). Folks, scanning that cutesy greeting card your friend sent you can not prove it's virus-free.
And the comparatively benign viruses (please don't hit me, Terra!) we've been experiencing are teaching people to be more careful. My clients are learning -- I've watched it happening. The media you speak so poorly of ;) have made everyone gun shy by screaming every time a new virus breaks loose. Sometimes the fear mongers do serve a useful purpose.

Some people learn more slowly, and others not at all. We need things like virus scanners to help fill the gaps until they catch up. It would just be so much more efficient if this could be done at the network level instead of relying on 100 million people to keep Norton and McAfee up to date. That's what's so unreliable about virus protection -- the programs can fail to update for weeks before anyone notices that there's a problem, subscriptions lapse, and people who thought they were protected get nailed by the Next Big Thug. It's as if the ABS system on your car just stops working for no apparent reason.

I hate computers.

Randall

Terra
01-28-2004, 07:28 AM
Oh darn, the sky really has fallen... :P

--
Terra
--"My God, it's full of stars"--
FutureQuest

Tom
01-28-2004, 09:54 PM
Update: New Mydoom worm discovered :@

There's a second flavor of this worm just discovered that's meaner than the first. The second one (MyDoom.b) modifies your host file to block you from getting your antivirus updates, plus some other nasty things. It also directs the DOS attack against Microsoft. Time will tell if it becomes a threat. ComputerWorld has a decent article on it:

http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89494,00.html

RickJ
01-29-2004, 12:19 PM
Not to be a spoilsport or killjoy, but can we please stay on topic? I'm very interested in this virus alert and how it may affect my clients; thus, I look to the FQ "Server News" forum for good info on it.

Thanks.

Deb
01-29-2004, 12:28 PM
Agreed... Though it was an ugly split... I've tried to clean up the thread a bit by moving the misbehaved folks over to the back corner on your right...

http://aota.net/forums/showthread.php?s=&threadid=16357

8}

dan
01-29-2004, 12:43 PM
Buy a Mac and you won't have all these virus problems. :P

MichaelC
01-29-2004, 03:54 PM
Originally posted by dan:
Buy a Mac and you won't have all these virus problems. :P
Unfortunately, however, we Mac people still have to deal with being slammed with the e-mail messages, which if you think about it, is the worst part of the virus. :mad:

Just another way that the rest of us have to cope with the negative byproducts of the Windows world...

MC

hobbes
01-29-2004, 05:30 PM
Just say no to email.

If it's important enough they'll get a hold of you :D

-- Does not apply to people conducting business online, unless they really don't care --

Mandi
01-30-2004, 07:03 AM
And Mac people are getting their email from the same overwhelmed servers as Windows people, so in that sense they do have to worry. It's bogging down all the same.

f2sys
01-30-2004, 03:16 PM
Hi, so what's the consensus so far about the best way to filter all these messages? I added "zip cmd" to my Built-In Filters for Attachments but at this point most of the messages contain weird attachments that don't neatly fit into any category: "document," "zgupl," "text" and others. Or do we just keep putting up with it?

RickJ
01-30-2004, 05:12 PM
I added the following text phrases into the EFM banned text filter.

- has been sent as a binary attachment
- mail transaction failed
- message cannot be represented in 7-bit ascii
- message contains unicode characters

These are some of the text lines in the virus-laden message. Between the default executable attachment filter, the addition of "cmd" and "zip" as attachment extensions, and EFM, I haven't gotten a single virus message for the past several days. My biggest problem now is all the erroneous bounce-back messages that various ISPs are sending my way.

For the type of email I get, I can live with the non-delivery of any message (virus-based or not) with these text lines. Your mileage may vary.

Tom
01-31-2004, 09:10 AM
I did pretty much the same thing, Rick, and also blocked doc.zip, message.zip, readme.zip and text.zip.

The DOS on sco.com supposedly begins tomorrow (2/1), and then on February 12th, they say the worm will stop spreading on its own. Maybe then I can remove the extra blocking measures and we can move on.

f2sys
01-31-2004, 09:38 AM
OK, pardon my stupidity but what is "the EFM banned text filter?" I was afraid to ask, but I haven't found out what it is yet...

Joe
01-31-2004, 10:42 AM
f2sys, for more information on EFM take a look at this thread:

http://www.aota.net/forums/showthread.php?s=&threadid=16177

f2sys
01-31-2004, 03:23 PM
Thanks. It seems like the spam traffic has started to wane lately...

Jeff
01-31-2004, 03:45 PM
Originally posted by frankc:
Click here (http://securityresponse.symantec.com/avcenter/FxNovarg.exe) to run Symantec's Novarg detection/removal tool. Click Save if you wish to save it and run it, or just click Open to run it immediately.
Has anyone found this tool to not catch the worm? I'm curious because I'm looking at a computer that was turned off by the ISP for supposedly having the mydoom virus, but the Symantec checker found nothing and now that the ISP has reconnected I'm not seeing any unusual traffic.

Chipmunk
02-01-2004, 12:04 AM
Been thinking about the ".zip" issue some more. As Randall pointed out, there are cases where the users do not have control over sending of zips, plus for the rest of us, it's an annoying nuisance to do the rename kludge that I mentioned above.

I have a suggestion for a better solution:

The file contents of a Zip are stored in a non-encrypted header, which takes very little processing to extract and examine for "naughty" file extensions. The file attachment would still need to be unencoded, but the two operations would be much simpler (i.e. cheaper) than doing a dubious virus scan.

Anyone see any flaws in that approach?

FQ's got lots on their plates, so if they (Arthur & Bruce ?) don't have the time to add that now, perhaps it could be added to EFM. Sheila, how complicated would it be to add file attachment decoding to EFM? If it's easy and it's easy to access the raw actual file (i.e. post unencoding), then it would be straightforward to add something that examines the file directory within a zip, and filters accordingly. By straightforward, I mean I'd be willing to try my hand at some :) real Python coding, with suitable hand-holding from you.


Hey, Randall, I thought of :) another car analogy! Virus scanning software is to Good Practices, as airbags are to seatbelts. Too many drivers and passengers think that airbags are magic bullets that will protect them from all harm, and get sloppy in their use of seatbelts. I say this as someone whose life was saved by a seatbelt, but who received extra hit points from the air bag. No, I'm not bashing airbags (though my face did) - use every tool you have. Off-topic responses directed to the death-to-bad-SUV-drivers thread.

Randall
02-01-2004, 12:27 AM
Originally posted by Chipmunk:
The file contents of a Zip are stored in a non-encrypted header, which takes very little processing to extract and examine for "naughty" file extensions.
D'oh! I was going to suggest something like that (didn't know you could extract the file names without decoding the entire contents of the zip). But then I swerved to avoid running over a chipmunk and forgot all about it. :P

Originally posted by Chipmunk:
Hey, Randall, I thought of :) another car analogy! Virus scanning software is to Good Practices, as airbags are to seatbelts.
I'd say that it's more like ... as seatbelts and airbags are to not driving like a @#$% maniac. But we still need protection from the maniacs. :rolleyes:

Randall

Chipmunk
02-01-2004, 01:03 AM
Originally posted by Randall:
But then I swerved to avoid running over a chipmunk and forgot all about it.
That gives you a Chipmunk Geek Point (see question #92 on the official test)! Ya get another one if you :) share your score (q #105).

Back on topic:
As I recall, the file contents directory is usually at the beginning of the file, so a software checker could just unencode part of a potentially huge zip.

I agree completely with your "maniac" addition, however :) several posters felt that educating most computer users would be unlikely.

sheila
02-01-2004, 01:33 AM
Originally posted by Chipmunk:
... perhaps it could be added to EFM. Sheila, how complicated would it be to add file attachment decoding to EFM? If it's easy and it's easy to access the raw actual file (i.e. post unencoding), then it would be straightforward to add something that examines the file directory within a zip, and filters accordingly. By straightforward, I mean I'd be willing to try my hand at some :) real Python coding, with suitable hand-holding from you.
I need to correct something incorrect that has been recently posted. EFM does not decode all message contents. Specifically, it does NOT decode binary attachments. And I feel it would be a very bad idea to include that in EFM. It already is a heavy-duty enough filter and that would be too much stuff to add to it. Every binary attachment...every .gif, .jpg etc file received to an account decoded? No. Sorry. Too server-intensive. I cannot support that for EFM.

EFM only decodes text and HTML parts at this time.

Chipmunk
02-01-2004, 01:55 AM
Sheila - sorry for the bad wording on my part! Is that the second time this month that I've caused an FQ heart attack?

My thought is that only the very first part of an attachment needs to be decoded. I had the (mistaken) notion you were considering adding some decoding to EFM, but since that's not so, then perhaps a standalone solution would be best.

I'm seriously thinking of setting up a Linux dev machine, and playing with Kylix, so if the zip thing isn't practical for FQ to do any time soon, I'd be interested in having a go at it. My company has some formal requests for a port of one of our Windows products, so it would be good for me to :) experiment with something small, plus then I wouldn't feel guilty asking lame Linux newbie questions here.

sheila
02-01-2004, 01:58 AM
I do think a standalone solution would be best.

I guess there was a misunderstanding somewhere, because I have not considered adding decoding for binary attachments. What I was going to do was not scan the raw, encoded binary parts (as is currently being done) for the "banned words" filters.

;)

Chipmunk
03-10-2004, 06:58 PM
Last night I took a quick pass at writing just the zip code for the filter suggested above.

The bad news is that I was wrong about all the file contents being just at the very beginning of the file. In fact, each file has a separate header at the beginning of its data, so, for example, a one meg zip containing a dozen files would have headers in a dozen places throughout the one meg file (i.e. the whole thing would have to be read in).

The good news is that I ran my little command line wrapper against about 30 actual zipped viruses, and all but one of them contained just one file.

What I'm thinking is that I'll set it up to, by default, just check the first filename, which only requires looking at the zip's first 30 bytes for the header, plus the length of the filename.

I still need to write the email message handling stuff, including unencoding, plus the system level stuff (I'm thinking an EFM style rejection log is a Good Thing), but most of that is pretty straightforward. The biggest time sink will be :) setting up a Linux machine, but that's Character Building.

Chipmunk
03-10-2004, 08:12 PM
Dang, forgot to mention that the :) main reason for the post above is that I wanted to do a sanity check on the one-virus-per-zip theory! Has anyone noticed many exceptions to this?

[ Yeah, I know it would be easy for the viral vermin to write something that bundles a few random files ahead of the virus - my aim is to stop the most common cases, using the least (while effective) effort. ]
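The zip-name check sketched in Chipmunk's two posts above, as an added Python example (not code from the thread, from FutureQuest or from EFM): it reads the 30-byte local header plus filename to get the first member name, and for comparison lists every member from the central directory at the end of the archive, which names all members without touching the compressed data. The banned-extension list, the function names and the sample archives are assumptions constructed for the example.

```python
import io
import struct
import zipfile

# ZIP local file header (30 bytes): signature, version, flags, method, time,
# date, crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50
# Assumed list of attachment extensions the mail filter should reject.
BANNED = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}

def first_member_name(data):
    """Read only the first local header plus its filename (the cheap check)."""
    if len(data) < LOCAL_HEADER.size:
        return None
    fields = LOCAL_HEADER.unpack_from(data, 0)
    if fields[0] != LOCAL_SIG:
        return None
    name_len = fields[9]
    return data[LOCAL_HEADER.size:LOCAL_HEADER.size + name_len].decode("cp437")

def all_member_names(data):
    """Every member name from the central directory at the end of the archive;
    zipfile reads that directory without decompressing any member data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def is_banned(name):
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in BANNED

def should_reject(data, first_only=True):
    """Filter verdict: first_only mirrors the 30-byte shortcut, False checks all."""
    names = [first_member_name(data)] if first_only else all_member_names(data)
    return any(n is not None and is_banned(n) for n in names)

def make_zip(members):
    """Build a constructed test archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a single-member zip like the ones seen in the thread,
# and a decoy-first zip that the first-name shortcut lets through.
SINGLE = make_zip([("document.scr", b"placeholder, not a program")])
DECOY = make_zip([("readme.txt", b"hello"), ("photo.exe", b"placeholder")])
```

The central directory, not the per-file local headers, is the cheapest place to see every member name, since it sits at the tail of the archive. The two samples show the first-name shortcut rejecting the single-member archive while only the full listing catches the decoy-first one.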