Re: Poss Trend breach?


From: Kevin Weilbacher [SBS-MVP] (kweilbacMVP_at_gte.net)
Date: 07/27/04


Date: Mon, 26 Jul 2004 21:04:15 -0400

Jann, the "email" you received that was signed "The (companyname).com
support team" is a standard canned virus/spam/hoax response that I see quite
often at different sites. I just had a user (non SBS) send me the same
form email asking me if he was infected.

Personally, I ignore them.

-- 
Kevin Weilbacher [SBS-MVP]
"The days pass by so quickly now, the nights are seldom long"
"jann" <jann@dial.pipex.com> wrote in message
news:e%231bZ12cEHA.2384@TK2MSFTNGP09.phx.gbl...
> Sorry, don't wish to scaremonger (especially as situation has not been fully
> diagnosed) but I am led to believe that a virus has indeed gotten past the
> hourly AV updates on our SBS2000 (ScanMail 6.2, OSCE 5.58, ServProt 5.5)
>
> (See full details on original symptoms at end of this post)
>
> I've just received 2 emails genuinely sent by a user from the SBS2000 box
> that have been diagnosed by my local Norton 2004 as being infected:
> "Norton AntiVirus removed the attachment: lxt.zip.
> The W32.Mydoom.M@mm threat was detected in the attachment."
>
> These emails were in fact forwarded suspicious items, that had been received
> by the user and had odd text in them, e.g. : (I've anonymised using
> 'companyname.com' but it contained the correct domain name)
>
> "
>
> -----Original Message-----
>
> From: Bounced mail [mailto:noreply@(companyname).com]
>
> Sent: 26 July 2004 16:10
>
> To: Sam Wilson
>
> Subject: Delivery reports about your e-mail
>
> Dear user swilson@(companyname).com,
>
>  administration of (companyname).com would like to
>
> inform you
>
> Your account has been used to send a huge amount of spam during this
>
> week.
>
> Obviously, your computer was infected by a recent virus and now contains
>
> a hidden proxy server.
>
> Please follow the instructions in order to keep your computer safe.
>
> Best regards,
>
> The (companyname).com support team.
>
> "
>
> So, at first sight it would seem that either the original email addressed to
> Swilson was infected (and then Trend allowed this to be forwarded to me) or
> else the original was not infected but a virus was attached by our system on
> its way out.
>
> Either way, the email I received externally has a virus attached (according
> to Norton) despite the AV system being fully patched and with hourly AV
> pattern updates. NB - the earlier 'infected' was syscleaned 2 days ago, and
> reported as healthy.
>
> I have to say that I have had problems with Trend support in the past couple
> of weeks. Namely, the previous 'detected' virus that I mentioned earlier -
> TROJ_AGENT.CL - remains undefined in their web database, and the other
> virus - BKDR_URLBOT.A - which was similarly detected, but undefined,
> finally ended up being fully defined/documented some time after.
>
> However, it looks like the AV definition of BKDR_URLBOT.A itself was only
> belatedly improved to allow for quarantine - by this I mean that - although
> the V was 'detected' it was not able to be 'quarantined' initially. It was
> only later last week - c Saturday - that Trend OSCE was actually able to
> 'quarantine'. This, perhaps unfairly, leads me to wonder if the AV detection
> for this virus was not 100% in the early stages.
>
> All very confusing, and alarming. If I have jumped to conclusions, please
> let me know. Trend support has been underwhelming in the UK.
>
> ----------------------------------------------------------------------------
>
> [previous posting re AV messages:]
>
> Virus alert! (can't find any info at Trend or on Google)
>
> User claims he visited a website a fortnight ago, and got this message:
>
> Trend picked up on infection on a client: TROJ_AGENT.CL
>
> Infected file: nslite.dll Compressed: nslite[1].cab
>
> Located in: C:\Documents and Settings\(user name)\Local Settings\Temporary
> Internet Files\Content.IE5\8LEJKLYN\
>
> Msg: Virus successfully detected, cannot perform the Clean action
> (Quarantine)
>
>
>
> - Nothing happened, then today (13 days later)
>
> Virus name: BKDR_URLBOT.A
>
> Infected file: rvnwkgdi.dll
>
> in C:\WINDOWS\System32\
>
> Virus successfully detected, cannot perform the Clean action (Virus
> successfully detected, cannot perform the Quarantine action)
>
> (800 of these messages and climbing)
>
>
>
> Trend OfficeScan on the server has detected that the client has these
> viruses, but when you click on the virus name the Trend site encyclopaedia
> has no info on these viruses - neither TROJ_AGENT.CL nor BKDR_URLBOT.A -
> (despite being hyperlinked!)
>
> Any ideas??
>
> Thanks
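The "Delivery reports about your e-mail" message quoted above is the lure Kevin describes: a fake bounce that claims to come from the recipient's own domain, tells the user their machine is sending spam and hides a "proxy server", and carries a .zip attachment (lxt.zip, flagged by Norton as W32.Mydoom.M@mm). As an added example, not code from either poster or from Trend, here is a small mail-gateway check in Python that parses a raw message, looks for the lure phrasing quoted in the thread, and combines it with the attachment extension and the spoofed own-domain sender to reach a verdict. The `own_domain` parameter, the `build_sample` helper and the sample messages are constructed for the example.

```python
"""Flag the 'bounced mail / hidden proxy' lure quoted in the thread.

Example code added to this thread, not from either poster or from Trend.
The sample messages built by build_sample() are constructed; the lure
phrases come from the message quoted in Jann's post.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Phrases taken from the lure body quoted in the thread. \s+ tolerates the
# line wrapping seen in the forwarded copy.
LURE_PATTERNS = [
    re.compile(r"used\s+to\s+send\s+a\s+huge\s+amount\s+of\s+spam", re.I),
    re.compile(r"now\s+contains\s+a\s+hidden\s+proxy\s+server", re.I),
    re.compile(r"follow\s+the\s+instructions\s+in\s+order\s+to\s+keep\s+your\s+computer\s+safe", re.I),
]

# Attachment types that a 'delivery report' has no business carrying.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".bat", ".cmd")

# Constructed copy of the lure text (anonymised domain, as in the thread).
LURE_BODY = """Dear user swilson@companyname.com,

administration of companyname.com would like to inform you

Your account has been used to send a huge amount of spam during this week.
Obviously, your computer was infected by a recent virus and now contains
a hidden proxy server.

Please follow the instructions in order to keep your computer safe.

Best regards,
The companyname.com support team.
"""


def analyse(raw_message: str, own_domain: str) -> dict:
    """Return a verdict and the evidence behind it for one raw RFC 822 message.

    own_domain (hypothetical parameter) is the organisation's own mail domain;
    the lure spoofs it as the sender so the bounce looks internal.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = str(msg["From"] or "").lower()

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(body)]

    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]
    risky = [f for f in attachments if f.lower().endswith(RISKY_EXTENSIONS)]

    # An external 'bounce' that claims to be from our own domain is itself a signal.
    spoofed_self = own_domain.lower() in sender

    if lure_hits and risky:
        verdict = "quarantine"      # lure text plus executable-ish attachment
    elif lure_hits or risky:
        verdict = "review"          # one indicator: hold for a human
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "lure_hits": lure_hits,
        "attachments": attachments,
        "risky_attachments": risky,
        "spoofed_own_domain": spoofed_self,
    }


def build_sample(with_lure: bool, with_zip: bool) -> str:
    """Construct a test message in the shape of the one quoted in the thread."""
    m = EmailMessage()
    m["From"] = "Bounced mail <noreply@companyname.com>"
    m["To"] = "swilson@companyname.com"
    m["Subject"] = "Delivery reports about your e-mail"
    text = LURE_BODY if with_lure else "Hi Sam, the minutes are attached as agreed.\n"
    m.set_content(text)
    if with_zip:
        # Placeholder bytes, not a real archive: only the filename matters here.
        m.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                         subtype="zip", filename="lxt.zip")
    return m.as_string()


if __name__ == "__main__":
    for lure, zipped in ((True, True), (True, False), (False, False)):
        result = analyse(build_sample(lure, zipped), "companyname.com")
        print(f"lure={lure} zip={zipped} -> {result['verdict']} "
              f"(hits={len(result['lure_hits'])}, risky={result['risky_attachments']})")
```

The point of the two-stage verdict is that neither signal alone is conclusive: a legitimate internal bounce can mention spam, and a legitimate colleague can send a .zip, but a message that does both while pretending to be the organisation's own support team is the lure quoted above and should never reach the user, whatever the desktop scanner later says about the attachment.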
