New Virus Doing the Rounds

#1 Neil Micklethwaite (Thread Starter), 05 January 2001, 05:19 PM

I know it's the wrong place but we had a new virus hit us at work today.

It came as an attachment and was called

SEXOWAN.JPG.VBS

and also

GELOAN.GIF.VBS

However it can come across with any name as it renames itself.

About 60 people (myself included) made the mistake of opening the file instead of saving to disk.

The virus then proceeded to

1. Modify the registry (Needed admin privileges so in NT this did not work) although it would in Windows 98, 2000 and Me. It attempted to add startup programs in the startup menu and default pages to IE.

2. Propagate itself to every .vbs file on every Network drive attached to my machine.

3. E-mail itself out to people in our Global Address list.

One good point was that any machine with anti virus software spotted it and set off alerts. Some quick thinking by our security people stopped it before it took hold.

I have now changed my file associations for vbs (Visual Basic Script) files and Java Script files and changed the default option from Open to Edit.

So basically our Exchange server was out of action for most of the day.

The blurb in the virus appears to point to somebody in Colombia and refers to a notorious website for hackers.

This is a warning, please heed it!!

#2 sickboy, 05 January 2001, 06:11 PM

DOH!

Don't open a vbscript file!

I thought the latest patches for Outlook Express (prolly not relevant at work) and Exchange stopped this?

I'm surprised it worked under Win2k. Have you got file/logon security enabled?

#3 ChrisB (Moderator), 05 January 2001, 08:42 PM

Oops.

1st rule of e-mail security. Don't open strange attachments.

2nd rule - see rule 1.

If you aren't running a virus scanner or some form of basic attachment filtering on your Exchange Server, then (IMO) you are asking for trouble.

We use NAI GroupShield 4.5 SP1 on Exchange Server and block all VBS, WSH and other script type attachments (regardless of whether they are a virus or not), along with a few other file types. If the file is actually valid, it can be retrieved from the Q'Tine folder quickly and easily.

If you are really paranoid, look at MimeSweeper or GFI Mail Essentials.

Chris.
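
The filename-based attachment blocking described in post #3, as an added example that is not part of the thread and is not how GroupShield itself works. The block list beyond VBS and WSH, the decoy list and all function names are assumptions; the sample message is constructed from the attachment names given in post #1.

```python
import email
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed block list: the thread names VBS and WSH; the other entries are
# further Windows script-host types added here for illustration.
BLOCKED = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf"}
# Harmless-looking types placed in front of the real extension.
DECOY = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc"}


def classify(filename):
    """Return (verdict, reason) for one attachment filename."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    # Only the last extension decides what Windows runs on double-click.
    if not suffixes or suffixes[-1] not in BLOCKED:
        return ("deliver", "extension not on block list")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY:
        return ("quarantine", "script hidden behind decoy " + suffixes[-2])
    return ("quarantine", "script attachment " + suffixes[-1])


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message; return {filename: (verdict, reason)}."""
    msg = email.message_from_bytes(raw_bytes)
    results = {}
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 parameters
        if filename:
            results[filename] = classify(filename)
    return results


def build_sample():
    """Constructed test message using the attachment names from post #1."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("SEXOWAN.JPG.VBS", "GELOAN.GIF.VBS", "holiday.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, reason) in scan_message(build_sample()).items():
        print(f"{name!r}: {verdict} ({reason})")
```

Because the worm renames itself, the check keys on the final extension rather than on the two names seen in the thread.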

#4 Dream Weaver, 05 January 2001, 11:32 PM

Another rule: Why would you try and open a file that had both JPG and VBS extensions, or any attachment with vbs extension for that matter????

This is obviously a mutation of the LOVEBUG virus (for which I have the full source code somehow - got it at work and managed to save it as a .txt file)

Thanks for the info anyway Neil

#5 boomer, 05 January 2001, 11:57 PM

Dream Weaver,

The problem is that people with the "Hide File Extensions for known file types" setting could _inadvertently_ click on a bad file.

Even worse is the fact that Windows hides a few dangerous file types by default!! Thus you should NEVER (double)click on a file in an e-mail.

mb

#6 Neil Micklethwaite (Thread Starter), 06 January 2001, 01:47 PM

Thanks for the advice guys.

I was actually trying to select 'Save' file but missed.

Now set all defaults to edit file instead of open for VB Script and Java Script.

Our virus detection software on the Exchange server picked it up and we avoided (to some extent) a really serious problem.

We are on 95 and NT.

The post was just a warning to you all, to avoid any further embarrassments.