[windows2000] Re: VIRUS WARNING

  • From: "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Mon, 19 May 2003 09:39:33 -0400

I suppose that some people don't control their mail servers, but for those
of you that do, why would anyone allow .exe or .pif files through?

I've been blocking a whole list of attachments for a couple years (the
Martin list...) and, while I do run file-level AV on the mail server, they
are all caught by the attachment blocking...

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


-----Original Message-----
From: Chris McEvoy [mailto:chris@xxxxxxxxxxxxxxxxx]
Sent: Monday, May 19, 2003 9:33 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: VIRUS WARNING



Thanks Jim.  Do you know if the latest Norton definitions can catch this
one?

> -----Original Message-----
> From: Jim Kenzig [mailto:jimkenz@xxxxxxxxxxxxxx]
> Sent: Monday 19 May 2003 14:24
> To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx;
> brainstem@xxxxxxxxxxxxx
> Subject: [windows2000] VIRUS WARNING
>
> If you receive an email from Support@xxxxxxxxxxxxx that has
> an attachment DO NOT OPEN IT! This is a virus. Delete it
> immediately.  My McAfee I updated yesterday is not catching
> this one. Watch out! Regards, Jim Kenzig
>
> VIRUS WARNING The Central Command(r) Emergency Virus Response
> Team(tm) (EVRT(tm)) has received virus infection reports for the
> new Internet Worm/Palyh.A
> <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>.
> Due to increased customer inquiries
> and infection reports the EVRT is issuing a VIRUS ALERT.
>
> You are receiving this newsletter because you are a
> subscriber to the Central Command Virus News mailing list.
>
> [ EVRT(tm) Virus Warning issued for Worm/Palyh.A
> <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043> ]
>
> Name: Worm/Palyh.A
> <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>
> Alias: Win32.Palyh-A
> Type: Internet Worm
> Discovered: May 18, 2003
> Size: 52.955KB
> Platform: Microsoft Windows 9x/ME/NT/2000/XP
>
> Description:
>
> Worm/Palyh.A
> <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>
> is an Internet worm that spreads through e-mail by using addresses it
> collects in the files with the following extensions, .dbx, .eml, .htm,
> .html, .txt, and .wab.

The worm may arrive via email in the following format:

From: support@xxxxxxxxxxxxx
Subject: (it will contain one of the following)

- Your Password
- Screensaver
- Re: Movie
- Your details
- Approved (Ref: 38446-263)
- Re: Approved (Ref: 3394-65467)
- Cool screensaver
- Re: My details
- Re: My application
- Re: Movie

Attachment: (it will contain one of the following)

- movie28.pif
- application.pif
- ref-394755.pif
- approved.pif
- doc_details.pif
- your_details.pif
- screen_temp.pif
- screen_doc.pif
- password.pif

If executed, the worm copies itself in the \windows\ directory under the
filename "mscon32.exe".

So that it gets run each time a user restarts their computer the
following registry key gets added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray"="C:\\WINDOWS\\MSCON32.EXE"


==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
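
The attachment blocking discussed in the thread above, as an added example that is not part of the original messages or any mail server's own configuration: a Python filter that walks a message's MIME parts and reports attachments whose final extension is on a blocklist. The function names, the two-entry blocklist (only the extensions named in the thread) and the sample addresses are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: only the two extensions named in the thread; a real policy is longer.
BLOCKED_EXTENSIONS = {".exe", ".pif"}


def final_extension(filename):
    """Lower-cased last extension, as Windows would resolve it."""
    # Windows drops trailing dots and spaces, so "a.pif. " still opens as .pif.
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""


def blocked_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Return the attachment filenames in a raw message that match the blocklist."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        if name and final_extension(name) in blocked:
            hits.append(name)
    return hits


def sample_message(filenames):
    """Build a constructed test message carrying one dummy attachment per filename."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your details"
    msg.set_content("constructed body text")
    for name in filenames:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = sample_message(["movie28.pif", "notes.txt", "approved.txt.pif", "screen_doc.PIF."])
    print(blocked_attachments(raw))
```

Matching on the final extension after case folding and trailing-dot stripping is what keeps double extensions and names like "screen_doc.PIF." from slipping past a naive suffix comparison.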
