| Tuesday, February 07, 2012
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
Lee Drake, Posts: 238
05/20/2002 1:37 PM

I just received the following Email from ntbugtraq.com who suggests creating
the following rule to catch and quarantine all viruses of this sort. I
suggest that users of Outlook 2000 follow these instructions:
(Note material Copyright Russ Cooper and www.NTBUGTRAQ.COM - please refer to
their site for additional information)
ICSA Labs has recently assessed the distribution of the STS Worm, also
called AnnaKournikova because it purports to be a jpeg of her (its type is
jpg.vbs).
This worm is a mass mailer, appears to have originated in Europe over the
weekend, and is now picking up sites in North America.
So far we're unaware of any AV products that can detect it. The worm uses
encryption to fool AV products into letting it pass, so the only sure fire
way of preventing it is to filter on .VBS file types as attachments.
The worm has the following information;
Subject: Here you have, ;o)
Text: Hi:
Check This!
Attachment: AnnaKournikova.jpg.vbs
With Outlook 2000, you can establish a rule which will likely prevent this
from getting to your users' eyes. I'm not familiar myself as to how to push
a new rule out to all of your users, so maybe an email explaining how they
can do this themselves would help mitigate this (and other such) worm(s);
1. Create a new rule
2. Choose "Check messages when they arrive", click Next
3. Choose "with <specific words> in the message header" and place ".jpg.vbs"
in the <specific words>
4. Choose "which has an attachment" to minimize false positives, click Next
5. Choose "move it to a <specified> folder", and create a Public Folder
which you can store all such messages in (or choose "permanently delete" if
you simply don't want to even know they ever arrived). If you establish a
Public Folder, set its permissions appropriately (possibly denying read
rights to your users).
6. Choose "Stop processing more rules", click Finish
This rule will be a server-side rule, preventing your users from seeing the
message at all, and allowing them to be processed whether the client is
connected and running or not. If it's not a server-side rule it's because the
folder you specified is local and not on their server.
Searching for .jpg.vbs in the message "body" isn't going to work since the
only place the file name exists is in the MIME header. This means that this
type of rule filtering is only available with Outlook 2000 (since it's the
first version that can scan the header during rules processing).
More if it warrants it.
Lee Drake, Moderator
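
The header-versus-body point from the quoted advisory, as an added example that is not part of the original post or the NTBugtraq email: Python's standard `email` module run over a constructed message, flagging attachments by the file name in the MIME part headers. The addresses, boundary, placeholder payload and function names are assumptions made for illustration.

```python
import email
from email import policy

# Constructed sample shaped like the message described in the post.
# The attachment payload is a harmless placeholder, not worm code.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi:
Check This!

--b1
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: 7bit

placeholder
--b1--
"""

BLOCKED_EXT = (".vbs",)  # the file type the post says to filter on

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def body_text(msg):
    """Text the recipient reads; the attachment name never appears here."""
    return "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.is_attachment())

def flagged_attachments(msg):
    """Attachment names taken from the MIME part headers that end in a blocked type."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        # Windows ignores trailing dots and spaces, so strip them before comparing.
        if name and name.lower().rstrip(". ").endswith(BLOCKED_EXT):
            hits.append(name)
    return hits

def should_quarantine(raw):
    return bool(flagged_attachments(parse(raw)))
```

Matching on the final extension rather than the literal string `.jpg.vbs` also covers other decoy extensions placed in front of `.vbs`.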