Most javascript viruses/malscripts that I have seen have been in the IE cache directories. This is typically in C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\ -Shawn ----- Shawn R. Quillman Robert Bosch Corporation RBNA/CIT1.1 38000 Hills Tech Drive Farmington Hills, MI 48331 (248) 553-1164 (P) (248) 848-2855 (F) shawn.quillman@xxxxxxxxxxxx -----Original Message----- From: Accioly, Daniel [mailto:daniel.accioly@xxxxxxxxxxxxx] Sent: Tuesday, September 02, 2003 9:30 AM To: [ISAserver.org Discussion List] Subject: [isalist] FortNight Infection http://www.ISAserver.org Hi gurus, Although this is not a virus list, I'd like to ask your help dealing with a specific infection that is happening within a customer network. He has mainly 98 stations using outlook express (for licensing issues he was forced to downgrade from 2k). He has almost 200 computers. He is using Exchange 5.5 as POP server for e-mail in a DMZ protected by a linux ipchains firewall (argh!). A virus called JS.Fortnight has entered the internal network. I suspect this happened because a user opened a message with the virus. The customer is using SAV Corporate Edition 7.6 and has the virus signatures up to date. What happens is that I can detect the virus sometimes on the computers using the SAV client, and I can see it is sending himself over the outlook express as a javascript. But the problem is that I can't locate the source of infection on the computers! I keep running full scans and most of the time the SAV does not detect anything! I have tried house call from Trend too, and nothing was detected... I have manually looked for the registry keys and files it usually uses, but can't find them! As it is a windows 98 I can't look for specific processes. Since this virus does not replicate over the network using OS vulnerabilities (so symantec and trend says), where the hell might it be on the computer!?!?!? Any ideas? Thanks and sorry for this offtopic question. Daniel ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')