Clever Email Virii
Discussion
Just wondering if anyone else is getting these?
My main client has about 400 PC's and even though we have a good AV and a firewall which is embedded in our DSL router, we are still getting mails addressed from "Microsoft Net Client" and "Microsoft Support" and similar, etc.
If these are selected by a PC numpty from the view pane (and most at this place are!) they automatically run a pop up with 'Install?' Yes / No. Once they run the install it basically lunches the PC. We have AVG A/V and it stops the virus from spreading and sticks it in the virus vault, but the damage is still done if the bozo presses the YES button. Doh!
My main questions are: How does the mail get delivered to us if the recipient's name is not on the list? And how can I stop this from happening, other than adding to the incoming mail server's blocklist every mail with a dodgy (Microsoft) title on it? I have added over 30 key words to the blocklist today and they ALL have Microsoft in there.
Today I removed over 6,800 fake malicious emails from the server, which was running a little slow.
To make matters worse, most of the 'dying' machines are running 95 and 98 (yes, I know) the few new boxes running XP have not been affected after a virus has been caught and killed. The AV company says the problem is because Win 95 and 98 are not supported by MS so the security vulnerabilities are much worse - sounds about right, but I recently spent an hour last month getting my butt toasted, explaining why XP was still better than 95/98 in light of the Blaster Worm!
Any pointers greatly received - other than move the whole platform over to Linux (I am a Unix Sys Admin!)
Incidentally their subsystem is all AS400 and uses software emulation called Bosonova (hence Win 95), so if anyone here knows their stuff, I have plenty of work coming up.
Simon
You could just block all emails with Microsoft anywhere in them. The legit Microsoft mails are usually just "propaganda" anyway...
Also, if you are using an email filter system, do not have it send an NDR to the offending system. These return mails can tie up your outbound mail queues and slow your system down because they (the offending servers) are usually invalid...
If your client is using a Windows 2000 server based LAN - I highly recommend Symantec's Antivirus for networks. It allows you to control all AV clients from one console.
ErnestM
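Two points in the thread lend themselves to a worked illustration: Simon's question of how a mail reaches a mailbox whose name is not in the recipient list (the SMTP envelope recipient, RCPT TO, is what routes the mail; the To: header is free text and need not match it), and ErnestM's advice to block on "Microsoft" in the headers without sending an NDR, since the sender address is forged and a bounce only goes to an uninvolved or unreachable server. The script below is an added example written for this page, not code from the thread or from any product mentioned in it; the sample message, the mailbox name and the blocklist terms are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample (not a real capture): the From: display name and Subject
# imitate a vendor, and the To: header names nobody, yet the envelope
# recipient (RCPT TO) is still a local mailbox, so the mail gets delivered.
SAMPLE_RAW = b"""From: "Microsoft Net Client" <client@example.invalid>
To: undisclosed-recipients:;
Subject: Microsoft Security Update
Content-Type: text/plain

Install this update.
"""

# Constructed clean message that does name its envelope recipient in To:.
CLEAN_RAW = b"""From: "Colleague" <colleague@example.invalid>
To: simon@example.invalid
Subject: Lunch?
Content-Type: text/plain

Pub at one?
"""

# Hypothetical keyword blocklist of the kind the thread describes; terms are
# matched case-insensitively against From: and Subject: only.
BLOCKLIST_TERMS = ("microsoft", "net client", "ms support")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern header-parsing policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def header_mentions_envelope_rcpt(msg: EmailMessage, envelope_rcpt: str) -> bool:
    """True if the envelope recipient appears in To: or Cc:.

    Delivery never depends on this: the MTA delivers to RCPT TO regardless of
    what the headers say, which is why a mail can arrive with your name absent
    from the list. The check only tells you the headers are inconsistent.
    """
    addrs = []
    for field in ("to", "cc"):
        header = msg.get(field)
        if header is not None:
            addrs.extend(a.addr_spec.lower() for a in header.addresses)
    return envelope_rcpt.lower() in addrs


def classify(msg: EmailMessage, envelope_rcpt: str) -> dict:
    """Decide what to do with one message.

    Returns a dict with the action, the reasons, and send_ndr, which is always
    False: the From: address on these mails is forged, so a bounce would go to
    a third party or an unreachable host and only clog the outbound queue.
    """
    subject = str(msg.get("subject", "")).lower()
    sender = str(msg.get("from", "")).lower()
    hits = [t for t in BLOCKLIST_TERMS if t in subject or t in sender]
    if hits:
        return {"action": "quarantine", "reasons": hits, "send_ndr": False}
    if not header_mentions_envelope_rcpt(msg, envelope_rcpt):
        return {"action": "flag", "reasons": ["envelope recipient not in To/Cc"],
                "send_ndr": False}
    return {"action": "deliver", "reasons": [], "send_ndr": False}


if __name__ == "__main__":
    for raw in (SAMPLE_RAW, CLEAN_RAW):
        msg = parse_message(raw)
        print(msg["subject"], "->", classify(msg, "simon@example.invalid"))
```

In a real deployment the envelope recipient comes from the MTA (a milter or content filter is handed RCPT TO separately from the message body), which is why the function takes it as a parameter rather than reading it from the headers; a quarantine that keeps the original in a folder for review is preferable to a hard drop, as it lets a false positive on a legitimate vendor mail be recovered.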
I agree, unless you are a Microsoft partner you are not going to get anything of use from MS. If you are a partner and are getting this spam, then create a new mailbox, change your MS profile to only send email to this mailbox (which is new and therefore won't be on any lists), then ban the word Microsoft from everyone else's email.
Works for me.
D.
Have a look at this stuff here.. for more detail.
>> Edited by davidd on Thursday 2nd October 08:19
Thanks for your help guys, I have patched the system now and am having a result at last. I had another phone call early this morning telling me another 6 boxes have gone down.
The new patches are available from Microsoft here.
These clever ba$tards really do my head in, writing malicious code like that. If they put their skills to a productive use like writing anti-virus software we would all have better platforms with fewer bugs. All my under-contract work is taking up all my time and preventing me from earning any real money.

Simon said:
"Any pointers greatly received - other than move the whole platform over to Linux (I am a Unix Sys Admin!) "
Why not introduce a Linux based firewall?
So rather than move the whole lot (all workstations) to Linux you just introduce one Linux box to thwart the evil doers.
Check out www.smoothwall.org for one possible solution.
The beauty of Linux is you can use a low-spec machine for this task!
The solution is very effective due to Linux's built in security capabilities.
>> Edited by RobertUK on Thursday 2nd October 13:51
But a Smoothwall or pretty much any other firewall will not prevent a virus. (However, if you do want a firewall installing, I'm your man.) What you need is fully updated AV software and maybe some e-mail filtering software, which it sounds like you have. Do you have any IDS in place to see what else you have running around on the network?
www.get-tuf.com