RE: FortNight Infection

  • From: "Quillman Shawn (RBNA/CIT1.1) *" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Sep 2003 09:38:01 -0500

Here's a link to Trend's description of it with more info.  Might need to
rebuild the Outlook Express profile or look at the signature settings for
users who are infected.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_FORTNIGHT

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) * 
Sent: Tuesday, September 02, 2003 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FortNight Infection

Most JavaScript viruses/malscripts that I have seen have been in the IE
cache directories.  This is typically in C:\Documents and
Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: Accioly, Daniel [mailto:daniel.accioly@xxxxxxxxxxxxx]
Sent: Tuesday, September 02, 2003 9:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FortNight Infection

Hi gurus,

Although this is not a virus list, I'd like to ask your help dealing with a
specific infection that is happening within a customer network.

He has mainly 98 stations using Outlook Express (for licensing issues he was
forced to downgrade from 2k). He has almost 200 computers. He is using
Exchange 5.5 as POP server for e-mail in a DMZ protected by a Linux ipchains
firewall (argh!).

A virus called JS.Fortnight has entered the internal network. I suspect this
happened because a user opened a message with the virus. The customer is
using SAV Corporate Edition 7.6 and has the virus signatures up to date.

What happens is that I can detect the virus sometimes on the computers using
the SAV client, and I can see it is sending itself over Outlook Express
as a JavaScript. But the problem is that I can't locate the source of
infection on the computers! I keep running full scans and most of the time
SAV does not detect anything! I have tried HouseCall from Trend too,
and nothing was detected...

I have manually looked for the registry keys and files it usually uses, but
can't find them! As it is Windows 98, I can't look for specific processes.

Since this virus does not replicate over the network using OS
vulnerabilities (so Symantec and Trend say), where the hell might it be on
the computer!?!?!? Any ideas?

Thanks and sorry for this offtopic question.

Daniel
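
The two places suggested in the replies above (the IE cache tree and the HTML file behind an Outlook Express signature) can be triaged across many machines by hashing every script-bearing file and looking for hashes that recur on several hosts. This is an added example, not part of the original thread. The extension list, the markup pattern and the host names are assumptions, and it is meant to run on an analysis workstation against copies of each machine's profile folders.

```python
import hashlib
import os
import re

# Assumed markers: markup that lets an HTML cache entry or signature file run or load script.
ACTIVE = re.compile(rb"<\s*(script|iframe|object|applet)\b|javascript:", re.I)
HTML_EXTS = {".htm", ".html"}
SCRIPT_EXTS = {".js", ".hta"}  # always inventoried, whatever they contain

def inventory(root):
    """Return {sha256: relative_path} for script-bearing files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in HTML_EXTS | SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable cache entry
            if ext in SCRIPT_EXTS or ACTIVE.search(data):
                found[hashlib.sha256(data).hexdigest()] = os.path.relpath(path, root)
    return found

def common_across_hosts(inventories, min_hosts=2):
    """Return {sha256: [(host, path), ...]} for files present on min_hosts or more machines."""
    seen = {}
    for host, inv in inventories.items():
        for digest, rel in inv.items():
            seen.setdefault(digest, []).append((host, rel))
    return {d: hits for d, hits in seen.items() if len(hits) >= min_hosts}

if __name__ == "__main__":
    import tempfile
    # Constructed sample: two hosts holding the same script-bearing signature file.
    sig = b'<html><body><iframe src="http://example.invalid/"></iframe></body></html>'
    invs = {}
    for host in ("pc01", "pc02"):
        root = tempfile.mkdtemp()
        with open(os.path.join(root, "sig.htm"), "wb") as fh:
            fh.write(sig)
        invs[host] = inventory(root)
    print(common_across_hosts(invs))
```

Cached copies of a popular site will also repeat across hosts, so the shared hashes are a shortlist for manual review, not a verdict.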

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
