God I bet virus writers hate people like me...

narzy

Keepin' my virus lists updated and all that rot, and Windows updated. I am a security hound, oh ya, and did I mention not opening unknown attachments?


Date: 4/29/2002, Time: 16:32:18, Tim Thorpe on NARZY
The email attachment install.exe is infected with the W32.Klez.gen@mm virus.
The file was quarantined.
 

SoulAssassin

At work Symantec actually gives us priority access and notifies us before public release anytime new defs are released...I usually throw them on a zip disk before I leave for the day. :)
 

RaySun2Be

It's a never ending battle. :|

Some of the IT staff don't take security quite as seriously as I do. They call me paranoid. :Q

All I say is just because you're paranoid doesn't mean they are not out to get you! :p

I like the Symantec corporate version with managed clients, where I don't have to rely on users to update their virus defs, and I can trigger a virus sweep across the entire network at will! Muahahahaha! :D

The only truly secure network is a network no one can access. hehe.

 

networkman

Always remember: Just because you're paranoid, it doesn't mean that there aren't people out there trying to get you. :Q

;)

 

ViRGE

I prefer the ViRGE method myself: Macs. They can't bite ya if they aren't even for the right OS. :p
 

mechBgon

I've set up all our work systems to check for fresh virus definitions hourly, and delete without notice if they detect anything. About the only option we don't enable is scanning network drives.

It's worth noting that our PCs take a pretty noticeable performance hit as a result... I guess there's no such thing as a free lunch. It's really bad on our Pentium 133s with 64MB of RAM and ancient 1GB hard drives. :( On the bright side, they're slated for replacement in July, and I get to spec the new systems from scratch. :D
 

Smoke

I think one of my team mates, QB, got the same virus this evening. He called me and I wasn't sure what to tell him and I had to go see my grandson play in a big "T-Ball Game". ;)

It sounded like it came in an e-mail message with an attachment. He didn't click on the attachment; the virus activated when he opened his Outlook Express and the message was at the top of the list in the IN BOX. He is running Norton and it caught it immediately.

But here's the problem, after Norton quarantined it and then deleted it ... the email remains in his IN BOX. Whenever he reopens OE, the virus again is triggered and Norton catches it. He is in a loop.

Knock on wood; I've never had one like that. What is he supposed to do? I told him to go to the Norton site and see if he could find out anything about it. He is not answering his phone so I don't know what his current status is.
 

Eltano1

Even on our PIII 1 GHz the performance goes south when "scan network drives" is on. I wonder why.

Eltano
 

SoulAssassin



<< Even on our PIII 1 GHz the performance goes south when "scan network drives" is on. I wonder why.

Eltano
>>



It doesn't appear that a puddle of sarcasm has dripped all over the floor so I have to ask...are you serious?

You guys should be scheduling scans during off hours and running real time protection 24x7.
 

mechBgon

Smokeball, perhaps you can advise him to set his antivirus software to "delete on sight" rather than "quarantine." Another possible solution would be to uninstall Outlook Express completely (use Add/Remove Programs in Control Panel and hit the Windows Setup tab, if it's Win98). Then it could be reinstalled with a quick visit to Windows Update.

Perhaps he could simply delete the message store which contains the Inbox emails... does anyone know what type of file he should look for? It doesn't appear to be a .pst file, since I just installed Outlook Express and it doesn't create a .pst like Outlook does.

With our McAfee antivirus, some extra options are also added to Outlook's "Tools" menu, including being able to set up preferences for a manually-triggered scan of the Inbox. Perhaps Norton has something like that too. It's going to be a bit frustrating trying to help him over the phone, I suppose... good luck!

edit: for the record, our work systems do a daily scan of everything on the hard drive, including the Recycle Bin where Klez may try to set up base, and the reason the network drives aren't included is that the server does a daily scan at 3AM and also checks all files upon read/write/rename/etc, as do all of the client machines. :D I'd rather be safe than sorry, since we work with very sensitive information (among other things, my co-workers counsel sexual-abuse and rape victims) and Klez has that scary ability to randomly email documents. :Q
 

Smoke

Thanks for the tips, mechBgon. I just read to him what you wrote.

He has been trying all sorts of things during the last couple of hours. He thinks he has succeeded by opening OE and telling it (OE) he wants to work OFFLINE? For some reason unknown to me he was able to then delete the file and it went straight to his DELETED folder ... it didn't activate. :Q

Sort of funny at this point, instead of just closing OE where the items in the DELETED folder get removed permanently, he opened the DELETED folder in order to DELETE the message and BAM he got it again. LMAO :D

So he went through the routine again but the next time he just shut down OE. When he reopened OE the message was gone. :)

He is running a full virus scan right now to be sure it has gone.

I told him I didn't want any e-mails from him for a while. /He He/ I'm sorta cruel ... aren't I? LOL. :)
 

mechBgon

LOL at the Delete bin surprise. :D Good to hear he's getting somewhere, that must be a relief! :)
 

ishmael2k

One thing I have found with OE is to set it to have no preview pane. That way you can right click on a message and delete it without opening it in any way.

Seems to work well for me.

Rob
 

Lithium381



<< I guess there's no such thing as a free lunch. >>



I got a free lunch once! My friend worked there and hooked me up :D

Man, I haven't scanned for virii in years... heh... I open almost anything from anywhere... I guess I'm just asking for it...
 

IsOs

Once a computer is infected with this particular worm, it immediately sends emails to ALL of the addresses in your address book. I received 2 emails containing this virus. The email generates a random message and a fictitious sender's name. I traced both emails coming from my boss' computer. I emailed my boss but it's too late. Their virus definition was 1 month old and this worm deactivated Norton AntiVirus. Good thing it didn't erase the hard drive and I was able to clean it out.

There are a good number of invalid email addresses in that address book so the computer received a good number of undeliverable messages containing the virus.

Someone has too much free time on his hands. :disgust:
 

zeruty

I agree with turning the preview pane off...
although I don't do it myself :p
 

IndyJaws



<< I like the Symantec corporate version with managed clients, where I don't have to rely on users to update their virus defs, and I can trigger a virus sweep across the entire network at will! Muahahahaha! :D >>



Agreed! :)

We rarely have any virus problems using Norton corporate. And no system hit either! :)




<< I agree with turning the preview pane off...although I don't do it myself :p >>



Same here (on both accounts :eek: )
 

Smoke

Thank you for that link very much, osage. :)

I'll save that for myself and forward it to QB. :D
 

Evadman

Man, all of you are annoying virus writers like me. Stop spreading the info around. And make sure never to say anything about installing the OS on a drive besides C:. That would kill 1/2 the virii out there.
 

zodder



<< like the Symantec corporate version with managed clients, where I don't have to rely on users to update their virus defs, and I can trigger a virus sweep across the entire network at will! Muahahahaha! >>

I agree 100%, too. Norton Corporate has been great so far. The only thing I didn't like about it is that I had to make registry entries to block all .EXE, .SCR, .BAT, etc. attachments. Hopefully they will incorporate an easier way to do that in the next version.
 

narzy



<< Man, all of you are annoying virus writers like me. Stop spreading the info around. And make sure never to say anything about installing the OS on a drive besides C:. That would kill 1/2 the virii out there. >>

Hehe ya, forgot to mention that. (My Windows drive is drive F, and is a slave, so if they got smart and wrote it to infect the master drive they're still screwed ;).)
 

narzy



<< It's not just the Virus Writers Narzy. ;) >>

you smell funny :p j/k