Server side filtering.

When a new outbreak of virus’ comes through, I really wish that either I didn’t have a catch all address or that relaying mail servers had antivirus technologies in them. I had 27 emails from myself notifying me that my account was closed and that I would need to contact myself to ensure my account would still be active. The ones that I’ve been getting are varients of the Mytob strain. If it wasn’t illegal it would be tempting to use the backdoor that these virus’s create to open a session to the sending computer, create a file on the desktop that says “OY – YOU HAVE A VIRUS – GET SOME ANTI-VIRUS SOFTWARE – NOW!!!!!”, open it and then shut down the backdoor.
The PIL’s are still getting loads of the latest sober virus’s – I’ve tracked it down to a business in columbus using Road Runner but that could be anyone. The weird thing is that they’ve not had an email from this person in their normal email so I can’t track down who this would be.

New sober virus

Yesterday a new sober varient was discovered and last night the PIL had 4 copies of it in their inbox. Fortunately I had made sure the virus definitions were up to date as part of my reporting to symantec about the update problem (Fat lot of good the reporting did – their response was to just manually update as they didn’t have many pc’s that have been affected with this problem)
I can’t believe that people are STILL opening attachments with “their passwords” in them when they’ve not requested any passwords to be sent to them.

symantec updates

2 of our clients have managed to get corrupt symantec antivirus definitions which means the services stop. As the services are stopped I am unable to update them with the console and I’ve disabled liveupdate. Unfortunately the websites are unavailable (and so was msn search) (even though they are using the akamai network to protect against ddos). In the end I used the ftp service at to download the definitions onto the local pc.
Having said all that I spent about an hour trying various things to fix the client but in the end gave up. I’ve now uninstalled the software and moved across to our new corporate mcafee software instead. I’m not saying this is any better (I doubt it) but we’ll see….
As I write this msn search and symantec are now available again.

Port reporter

One of our users, for the second time in two weeks reported that they had a virus on their pc and Norton had picked it up. The scary thing is that it had got on and infected the pc, despite Norton installed and running on the machine. I think the problem was/is due to the fact that the Symantec Firewall/VPN software is pants and can be configured by the user – therefore if they are not careful it can be left in a wide-open state…and thats what I think happened, although after the last infection I made sure it was in restricted mode (but it wasn’t this morning). If I’d known about the Port Reporter from MS I could have worked out (easily) what ports the virus was supposedly running on. I guess I could have used netstat but not first thing before coffee.

Bloodhounds in my email!

Norton’s went nuts overnight deciding that I had several Bloodhound Exploit 6 occurances in my incoming mail and has quarantined them. Annoyingly its in the log file (which is a .txt file) so I can’t see who sent it to me as its blocked access to the logs. (which incidentally is why you should always exclude the exchange server directory from antivirus scanning!).
Update I got into the logs….
Update 2This one has been written up on codefish

Virus update.

Apparently, according to Symantec, the virus we discovered on the network yesterday is W32.Randex.gen which is a name given to a family of virus’s – which has been around since December 2003, so why on earth did Symantec not pick it up? VERY scary.Update The AV Update that we downloaded at about 10pm last night detected this file and deleted it but I’m still unsure as to why its been available since December. I was going to try doing a heuristic scan on it to see if the av would pick it up but can’t as the new defs have got to the file. I think if I get asked to renew Symantec AV next year I may well be testing different software as this is the third virus get past the detection routines in as many weeks – and we are paying a lot of money for this so called protection.

msclock.exe virus

Just a heads up that there’s likely to be a new virus as msclock.exe in the windows\system32 directory that gets added to hklm\software\microsoft\windows\run and runservice It seems to replicate using common shared folders with weak passwords. msclock.exe looks like internet explorer if you look at the icons and has a description of internet explorer. Not much else is known at the moment. Nav with avdefs of today do not pick it up, neither does panda a/v software.
With msclock.exe running you will not be able to launch regedit or taskmgr. rename these files and then run them…..more details to follow….argh i hate consulting sometimes.


The latest in the round of virus’s is Polybot. At the time of writing (2pm on the 19th), Symantec have two patches – the Virus Definitions updated March 19th (which don’t actually exist if you try to download them, and the Virus Definitions dated March 24th. They can work out how to name a virus and how it spreads (via RPC vulnerabilitys that should have been patched) but no fix yet…..Thankfully we’ve not had any come through via email yet.