Re: FYI: Are you still looking for an excuse to block executable attachments?
From: Aaron J. Smith (ASmith_at_WINDOWPRODUCTS.COM)
Date: 01/27/04
- Previous message: http-equiv_at_excite.com: "GOOROO CROSSING: File Spoofing Internet Explorer 6"
- Maybe in reply to: Russ: "FYI: Are you still looking for an excuse to block executable attachments?"
- Next in thread: Boring, Andrew: "Re: FYI: Are you still looking for an excuse to block executable attachments?"
Date: Tue, 27 Jan 2004 12:52:28 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ,
While this isn't a Virus list, I have some information here that may be
of significant use to some of your readers. Specifically, I have direct
experience of one of my clients receiving several thousand copies of the
W32.Novarg.A@mm (MyDoom) worm. Not odd in itself, except this client is
a school.
"Large scale e-mailing: Sends to email addresses found in a specified
set of files. It ignores email addresses that end in .edu." is quoted
from Symantec's write-up. This is blatantly incorrect in at least one
instance.
Note: The school's domain address is a secondary domain. In other words,
I receive e-mail at account@xyz.123.edu. Worm traffic has been addressed
to a great number of xyz.123.edu addresses, all caught and stripped at
the gateway.
Please forward this where it can do some good in the a/v community, and
to your list if you feel it will dissuade anyone of a false sense of
security.
HTH, and see you in July,
- AJS
Aaron J. Smith
Manager, Info Tech
Window Products, Inc.
-----
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
-----