Re: Win32.Sircam.Worm Alert.....
From: Pete Sherwood (petersherwood@home.com)
Date: 07/27/01
- Previous message: Craig Sprout: "Re: Sircam"
- In reply to: Meritt James: "Re: Win32.Sircam.Worm Alert....."
- Next in thread: Anthony Carnemolla: "Re: Win32.Sircam.Worm Alert....."
- Next in thread: thin-line@ftb.com: "RE: Win32.Sircam.Worm Alert....."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <016d01c116dd$d96bf900$0d01a8c0@sherwood>
From: "Pete Sherwood" <petersherwood@home.com>
To: "Meritt James" <meritt_james@bah.com>
Subject: Re: Win32.Sircam.Worm Alert.....
Date: Fri, 27 Jul 2001 16:51:02 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
There are a few joke programs and hoaxes that have the double extensions.
I can't remember the names as they tend to get crowded out by the [can I
say this?] legitimate malware.
Pete Sherwood
613-260-0612 (home/office)
613-591-8900 ext. 525 (voice-mail)
PGP and Thawte digital keys available @
http://members.home.net/petersherwood/
- ----- Original Message -----
From: "Meritt James" <meritt_james@bah.com>
To: "Juanita Fernando" <jsscn@optushome.com.au>
Cc: "Kyle Plate" <kyle@CLASSIFIEDTECHNOLOGIES.COM>;
<vuln-dev@securityfocus.com>; <SECURITY-BASICS@securityfocus.com>
Sent: Friday, July 27, 2001 12:15 PM
Subject: Re: Win32.Sircam.Worm Alert.....
> Quite a few add the extension as a way of "hiding" what is going on, not
> just Sircam. If you get an attachment with THREE groupings, assume it
> is a 'bad thing' and act appropriately. Has anyone seen a three-group
> attachment and it been ok?
>
> V/R
>
> Jim
>
> Juanita Fernando wrote:
> >
> > Hi,
> >
> > We were caught by surprise by the virus.. it affected 200 workstations
> > before we "caught" it. Vet is on top of it now. As a matter of
> > interest, the way we identified suspect file attachments was that those
> > affected seem to have two file extensions - eg. "word.doc.bat". This
> > signature enabled us to get users involved in its control prior to the
> > VET patch installation which deletes it from the server and affected
> > workstations.
> >
> > Cheers
> >
> > Juanita
> > ----- Original Message -----
> > From: "Kyle Plate" <kyle@CLASSIFIEDTECHNOLOGIES.COM>
> > To: <vuln-dev@securityfocus.com>; <SECURITY-BASICS@securityfocus.com>
> > Sent: Thursday, July 26, 2001 8:04 AM
> > Subject: RE: Win32.Sircam.Worm Alert.....
> >
> > > FYI:
> > >
> > > Using Symantec's NAV for Exchange (Virus def: 7/18/01 12:00am) has
> > > been successful for us in detecting and moving to quarantine all
> > > Sircam infected messages that have been sent to our server.
> > >
> > > -----Original Message-----
> > > From: Jeremy Rodriguez [mailto:jrodriguez@intellinet-tech.com]
> > > Sent: Wednesday, July 25, 2001 9:19 AM
> > > To: Tom Geldner; 'Johnson, Greg'; vuln-dev@securityfocus.com;
> > > SECURITY-BASICS@securityfocus.com
> > > Subject: RE: Win32.Sircam.Worm Alert.....
> > >
> > > Yesterday the worm infected 3 of our systems. Just to test I downloaded it,
> > > saved it to a specific folder and scanned it with Norton's (using the
> > > latest defs) and to my surprise it did not pick it up.
> > > The fix Symantec has:
> > > http://www.sarc.com/avcenter/FixSirc.com
> > >
> > > Did find the worm and repair it.
> > >
> > >
>
> --
> James W. Meritt, CISSP, CISA
> Booz, Allen & Hamilton
> phone: (410) 684-6566
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBO2HUGbomytMtxLfsEQI27wCgh9SFwPSJfySOe6xLByK8epwC9vsAoN4/
DDzsGLuUQacEn/aWE+TTB1Eq
=MPQg
-----END PGP SIGNATURE-----
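
The double-extension signature discussed in this thread ("word.doc.bat"), written as a mail-gateway check. This is an added example, not code from any poster in the thread; the executable-extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import os
from email.message import EmailMessage

# Assumed list of extensions Windows will execute; tune it for your gateway.
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".lnk", ".pif", ".scr", ".vbs"}


def is_double_extension(filename):
    """True when an executable extension follows another extension."""
    # Drop any path, then the trailing dots/spaces that Windows ignores.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    stem, last = os.path.splitext(name)
    _, inner = os.path.splitext(stem)
    # "setup.exe" has no inner extension and "backup.tar.gz" does not end in
    # an executable one, so neither matches; "word.doc.bat" does.
    return last in EXECUTABLE_EXTS and inner != ""


def suspicious_attachments(msg):
    """Return the attachment filenames in an EmailMessage that match."""
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname and is_double_extension(fname):
            hits.append(fname)
    return hits


def build_sample():
    """Constructed sample message; attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Sample body text.")
    for fname in ("word.doc.bat", "backup.tar.gz", "notes.v2.doc", "Budget.XLS.PIF"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

Names with three groupings that end in a non-executable extension, such as "backup.tar.gz" or "notes.v2.doc", are not flagged, which keeps the rule usable on ordinary mail.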