[windows2000] Re: VIRUS WARNING

  • From: "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Mon, 19 May 2003 09:57:36 -0400

Ah, that explains it... I run Exchange 5.5.

For the next few months at least...

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


-----Original Message-----
From: Chris McEvoy [mailto:chris@xxxxxxxxxxxxxxxxx]
Sent: Monday, May 19, 2003 9:54 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: VIRUS WARNING



The M drive is an Exchange 2000 virtual drive that, if backed up or
AV-scanned, can corrupt your Information Store!

> -----Original Message-----
> From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
> Sent: Monday 19 May 2003 14:55
> To: 'windows2000@xxxxxxxxxxxxx'
> Subject: [windows2000] Re: VIRUS WARNING
>
> Huh?
>
> Not sure what you are talking about... but I am running Exchange 5.5...
>
> Care to enlighten me?
>
> Glenn Sullivan, MCSE+I  MCDBA
> David Clark Company Inc.
>
>
> -----Original Message-----
> From: Dennis Appelboom [mailto:dennis.appelboom@xxxxxxxxxx]
> Sent: Monday, May 19, 2003 9:52 AM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Re: VIRUS WARNING
>
> Not to forget the M share...... If you're running AV or a backup of that
> (virtual) drive, you're likely to get in trouble..
> We have Exchange running with Groupshield for Exchange.... Never had
> problems....
>
> Dennis Appelboom
> www.marviQ.com
>
>
> -----Original Message-----
> From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
> Sent: maandag 19 mei 2003 15:45
> To: 'windows2000@xxxxxxxxxxxxx'
> Subject: [windows2000] Re: VIRUS WARNING
>
> I am, but have the exchsvr directories excluded.  Actually, I have found
> that you need to exclude the *data directories and their subfolders, and
> that's all.
>
> The only time that the file level AV even rears its head is when the mail
> AV quarantines a virus or blocks an attached file.  The file it quarantines
> to is scanned by the file level AV.
>
> Makes it easy to find blocked non-virus files... look for a file block
> without a corresponding file-level log entry.  Then proceed carefully...
>
> Glenn Sullivan, MCSE+I  MCDBA
> David Clark Company Inc.
>
>
> -----Original Message-----
> From: Chris McEvoy [mailto:chris@xxxxxxxxxxxxxxxxx]
> Sent: Monday, May 19, 2003 9:39 AM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Re: VIRUS WARNING
>
> I hope you're not running file AV scanning on an Exchange server!
>
> > -----Original Message-----
> > From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
> > Sent: Monday 19 May 2003 14:40
> > To: 'windows2000@xxxxxxxxxxxxx'
> > Subject: [windows2000] Re: VIRUS WARNING
> >
> > I suppose that some people don't control their mail servers, but for
> > those of you that do, why would anyone allow .exe or .pif files through?
> > I've been blocking a whole list of attachments for a couple years (the
> > Martin list...) and, while I do run file-level AV on the mail server,
> > they are all caught by the attachment blocking...
> >
> > Glenn Sullivan, MCSE+I  MCDBA
> > David Clark Company Inc.
> >
> >
> > -----Original Message-----
> > From: Chris McEvoy [mailto:chris@xxxxxxxxxxxxxxxxx]
> > Sent: Monday, May 19, 2003 9:33 AM
> > To: windows2000@xxxxxxxxxxxxx
> > Subject: [windows2000] Re: VIRUS WARNING
> >
> > Thanks Jim.  Do you know if the latest Norton definitions can catch
> > this one?
> >
> > > -----Original Message-----
> > > From: Jim Kenzig [mailto:jimkenz@xxxxxxxxxxxxxx]
> > > Sent: Monday 19 May 2003 14:24
> > > To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx; brainstem@xxxxxxxxxxxxx
> > > Subject: [windows2000] VIRUS WARNING
> > >
> > > If you receive an email from Support@xxxxxxxxxxxxx that has an
> > > attachment DO NOT OPEN IT! This is a virus. Delete it immediately.
> > > My McAfee I updated yesterday is not catching this one. Watch out!
> > > Regards, Jim Kenzig
> > >
> > > VIRUS WARNING The Central Command(r) Emergency Virus Response
> > > Team(tm) (EVRT(tm)) has received virus infection reports for the
> > > new Internet Worm/Palyh.A
> > > <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>.
> > > Due to increased customer inquiries and infection reports the EVRT
> > > is issuing a VIRUS ALERT.
> > > You are receiving this news letter because you are a subscriber to
> > > the Central Command Virus News mailing list.
> > >
> > > [ EVRT(tm) Virus Warning issued for Worm/Palyh.A
> > > <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043> ]
> > >
> > > Name: Worm/Palyh.A
> > > <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>
> > > Alias: Win32.Palyh-A
> > > Type: Internet Worm
> > > Discovered: May 18, 2003
> > > Size: 52.955KB
> > > Platform: Microsoft Windows 9x/ME/NT/2000/XP
> > >
> > > Description:
> > >
> > > Worm/Palyh.A
> > > <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>
> > > is an Internet worm that spreads through e-mail by using addresses
> > > it collects in the files with the following extensions, .dbx, .eml,
> > > .htm, .html, .txt, and .wab.
> > > The worm may arrive via email in the following format:
> > >
> > > From: support@xxxxxxxxxxxxx
> > > Subject: (it will contain one of the following)
> > >
> > > - Your Password
> > > - Screensaver
> > > - Re: Movie
> > > - Your details
> > > - Approved (Ref: 38446-263)
> > > - Re: Approved (Ref: 3394-65467)
> > > - Cool screensaver
> > > - Re: My details
> > > - Re: My application
> > > - Re: Movie
> > >
> > > Attachment: (it will contain one of the following)
> > >
> > > - movie28.pif
> > > - application.pif
> > > - ref-394755.pif
> > > - approved.pif
> > > - doc_details.pif
> > > - your_details.pif
> > > - screen_temp.pif
> > > - screen_doc.pif
> > > - password.pif
> > >
> > > If executed, the worm copies itself in the \windows\ directory
> > > under the filename "mscon32.exe".
> > >
> > > So that it gets run each time a user restarts their computer, the
> > > following registry key gets added:
> > >
> > > - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > > "System Tray"="C:\\WINDOWS\\MSCON32.EXE"
> > >
==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
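
Added example, not part of the original thread: a minimal Python sketch of the gateway attachment blocking discussed above, deciding on the extension Windows would actually act on. The blocklist holds only the two extensions named in the thread; the function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Only the two extensions named in the thread; the longer list mentioned
# there is not shown on the page.
BLOCKED_EXTENSIONS = {".exe", ".pif"}


def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Drop any path component a sender may have put in the name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "x.pif. " is still a .pif.
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(msg):
    """List attachment names in msg whose final extension is blocked."""
    hits = []
    for part in msg.walk():  # walk() also descends into nested messages
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample():
    """Constructed message shaped like the advisory's description."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = "Your details"
    msg.set_content("Constructed body text.")
    for name in ("your_details.pif", "notes.txt", "Movie28.PIF.", "report.pif.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    # Re-parse the wire form, as a gateway would see it.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("BLOCK", name)
```

The check is on the file name alone, so it catches the advisory's attachments even when the scanner's definitions do not yet cover the worm.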
