mydoom

Terry D

Received about six mails today with attachments presumably containing
'mydoom'. My Outlook Express is set not to open suspicious attachments and
all were picked up by AVG anyway. Please take precautions - set Outlook
Express not to open attachments and make sure that your anti-virus software
is up to date. This worm is a serious threat - it will access your address
book and spread itself.

Terry D.
 
Damjan

Received about six mails today with attachments presumably containing
'mydoom'. My Outlook Express is set not to open suspicious attachments and
all were picked up by AVG anyway. Please take precautions - set Outlook
Express not to open attachments and make sure that your anti-virus software
is up to date. This worm is a serious threat - it will access your address
book and spread itself.

A nice solution, too, is for example the ZoneAlarm firewall, which has email
protection and puts attachments in quarantine before they can execute
themselves.

Greets
D
 
Duane Arnold

A nice solution, too, is for example the ZoneAlarm firewall, which has email
protection and puts attachments in quarantine before they can execute
themselves.

Greets
D

Better yet, take OE or Outlook out of their automatic Send/Recv emails
at start-up or on a timed basis mode. Set them up to use the Send/Recv
button at your command to send or recv emails.

Use something like Mailwasher to review emails at the ISP's email server
and delete any ones that are not wanted at the email server.

Then pull the emails into the INBOX that are good. The infected emails
never reach the machine that way.

This also sets a mode that all emails are held at the Outbox and the
Send/Recv button must be used to send them. This could alert someone that
the machine could be infected by something trying to send emails out, since
there would be a build up of unknown emails in the OUTBOX.

Duane :)
 
Heather

Duane Arnold said:
Better yet, take OE or Outlook out of their automatic Send/Recv emails
at start-up or on a timed basis mode. Set them up to use the Send/Recv
button at your command to send or recv emails.

Use something like Mailwasher to review emails at the ISP's email server
and delete any ones that are not wanted at the email server.

Then pull the emails into the INBOX that are good. The infected emails
never reach the machine that way.

This also sets a mode that all emails are held at the Outbox and the
Send/Recv button must be used to send them. This could alert someone that
the machine could be infected by something trying to send emails out, since
there would be a build up of unknown emails in the OUTBOX.

All very good points, Duane......I use Mailwasher and often put it on to
auto download and take that utility off OE. Particularly lately as the
spam is horrendous!! Mostly from Asia and Brazil.

One more safe hex thing to add to your post.......make a Message Rule to
divert any mail with an attachment to its own folder.....then you can
drop the preview pane and check it. I don't use my antivirus for that
sort of stuff.

Cheers......Heather
 
Bart Bailey

In Message-ID:<[email protected]> posted on
Use something like Mailwasher to review emails at the ISP's email server
and delete any ones that are not wanted at the email server.

Simple filter ruleset for Mailwasher Pro to catch all harmful email and
most spam too and mark for deletion:
In Notepad copy this:
---begin---
[enabled],Attachment,Filtered,0,OR,Delete,EntireHeader,contains,multipart,EntireHeader,contains,base64,Body,contains,multipart,Body,contains,base64
[enabled],HTML,Filtered,0,OR,Delete,EntireHeader,contains,html,Body,contains,html
[enabled],HTTP,Filtered,0,OR,Delete,Body,contains,http,Body,contains,www,Body,contains,@,Body,contains,ç
---end---
If it wraps, unwrap it so that the word [enabled] precedes each of the
three lines, then save as "Filters.txt" and copy it into your Mailwasher
Pro program folder. (replace the existing one)
You will want to look to see if any friends (that sent HTML etc) have
gotten caught and put them in the whitelist before you process your
mail.
 
Duane Arnold

All very good points, Duane......I use Mailwasher and often put it on to
auto download and take that utility off OE. Particularly lately as the
spam is horrendous!! Mostly from Asia and Brazil.

I always run MW in auto load mode, and the only way I can get to Outlook
is through MW. MW is in the Start-up folder and all Outlook and OE short-
cuts are removed from the machines. This method has worked well for me.

One more safe hex thing to add to your post.......make a Message Rule to
divert any mail with an attachment to its own folder.....then you can
drop the preview pane and check it. I don't use my antivirus for that
sort of stuff.

I got that preview pane tip from you when I read one of your post(s) a
few months back. It made sense to me and the preview pane is always
disbaled on my machines. <g>

Duane :)
 
me

Duane said:
I always run MW in auto load mode, and the only way I can get to Outlook
is through MW. MW is in the Start-up folder and all Outlook and OE short-
cuts are removed from the machines. This method has worked well for me.

I got that preview pane tip from you when I read one of your post(s) a
few months back. It made sense to me and the preview pane is always
disbaled on my machines. <g>

Duane :)

Shouldn't that be disballed? ;-)

J
 
FromTheRafters

Duane Arnold said:
This also sets a mode that all emails are held at the Outbox and the
Send/Recv button must be used to send them. This could alert someone that
the machine could be infected by something trying to send emails out, since
there would be a build up of unknown emails in the OUTBOX.

For those rare occasions where the malware uses OE to send.
 
Duane Arnold

In Message-ID:<[email protected]> posted on
Use something like Mailwasher to review emails at the ISP's email
server and delete any ones that are not wanted at the email server.

Simple filter ruleset for Mailwasher Pro to catch all harmful email
and most spam too and mark for deletion:
In Notepad copy this:
---begin---
[enabled],Attachment,Filtered,0,OR,Delete,EntireHeader,contains,multipart,EntireHeader,contains,base64,Body,contains,multipart,Body,contains,base64
[enabled],HTML,Filtered,0,OR,Delete,EntireHeader,contains,html,Body,contains,html
[enabled],HTTP,Filtered,0,OR,Delete,Body,contains,http,Body,contains,www,Body,contains,@,Body,contains,ç
---end---
If it wraps, unwrap it so that the word [enabled] precedes each of the
three lines, then save as "Filters.txt" and copy it into your
Mailwasher Pro program folder. (replace the existing one)
You will want to look to see if any friends (that sent HTML etc) have
gotten caught and put them in the whitelist before you process your
mail.

I have yet to pay the man the $20 so I wonder if this will work on that
version.

Duane :)
 
Duane Arnold

FromTheRafters said:
For those rare occasions where the malware uses OE to send.

I don't know how rare it is to use OE or Outlook to send emails. I also know
it can be done with SMTP, which I have downloaded VB code from CodeHound.com
and used.

Duane :)
 
Sugien

Terry D said:
Received about six mails today with attachments presumably containing
'mydoom'. My Outlook Express is set not to open suspicious attachments and
all were picked up by AVG anyway. Please take precautions - set Outlook
Express not to open attachments and make sure that your anti-virus software
is up to date. This worm is a serious threat - it will access your address
book and spread itself.


It is only a threat to those that *still* have not learned to never
open attachments
--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
live web cam http://www.dino-soft.org/cam
live web cam fixed and active 12 hours a day minimum
 
Jan Il

Damjan said:
Better yet, take OE or Outlook out of their automatic Send/Recv emails
at start-up or on a timed basis mode. Set them up to use the Send/Recv
button at your command to send or recv emails.

Use something like Mailwasher to review emails at the ISP's email server
and delete any ones that are not wanted at the email server.

Then pull the emails into the INBOX that are good. The infected emails
never reach the machine that way.

This also sets a mode that all emails are held at the Outbox and the
Send/Recv button must be used to send them. This could alert someone that
the machine could be infected by something trying to send emails out, since
there would be a build up of unknown emails in the OUTBOX.

In addition to the above with OE, I have cable, and can also access my
account with Webmail. So I access my e-mails there first, delete all the
ones that I don't want, then go to OE and download the ones I left on
server. That way, none of the garbage is ever loaded to my machine. Perhaps
others have, or can get, Webmail, or some other type of access to check
their e-mails before down loading. At least that way there is less to deal
with.

Jan :)
 
steve

Received about six mails today with attachments presumably containing
'mydoom'.

I noticed that my Agent filters had caught 617 this morning. No
viruses ever get through my filters because I only accept plain text
messages less than 20KB that are sent directly to me.


Steve
 
Conor

Received about six mails today with attachments presumably containing
'mydoom'. My Outlook Express is set not to open suspicious attachments and
all were picked up by AVG anyway. Please take precautions - set Outlook
Express not to open attachments and make sure that your anti-virus software
is up to date. This worm is a serious threat - it will access your address
book and spread itself.

Also untick "Hide extensions for known types" too and you'll see the
double extension.


--
Conor

"The vast majority of Iraqis want to live in a peaceful, free world.
And we will find these people and we will bring them to justice."
- George Bush
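
Conor's tip about double extensions can also be checked mechanically when mail arrives. The following is an added example, not part of the original posts: it parses a raw message and flags attachment names whose final extension is executable, noting an inner extension or space padding in front of it. The extension list, function names and sample message are assumptions made for the illustration.

```python
import os
import re
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs on double-click; a short list chosen for this example.
RISKY = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com", ".vbs"}
# A short inner "extension" such as .txt or .doc sitting in front of the real one.
INNER = re.compile(r"\.[a-z0-9]{2,4}")


def classify_attachment(filename):
    """Return the reasons a filename looks like a disguised executable."""
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    if last not in RISKY:
        return []
    reasons = ["executable extension"]
    core = stem.rstrip()
    if INNER.fullmatch(os.path.splitext(core)[1]):
        reasons.append("double extension")
    if core != stem:  # spaces push the real extension out of view
        reasons.append("whitespace padding")
    return reasons


def scan_message(raw):
    """Map each flagged attachment filename in a raw message to its reasons."""
    flagged = {}
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if filename and classify_attachment(filename):
            flagged[filename] = classify_attachment(filename)
    return flagged


def build_sample():
    """Constructed test message: one disguised attachment, one harmless one."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.net", "hi"
    msg.set_content("See attached.")
    for name in ("document.txt.scr", "notes.txt"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```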
 
Gabriele Neukam

On that special day, Duane Arnold, ([email protected]) said...
This could alert someone that
the machine could be infected by something trying to send emails out, since
there would be a build up of unknown emails in the OUTBOX.

The problem is that many recent worms don't use OE for sending mails,
but have their own "mailing engine" (a few Telnet commands) "on board",
so that they may use an already existing connection (watching the
winsock activities), and add their own traffic to the one created by the
user, without the latter noticing it at all (a few more blinkenlights on
the "connection" icon don't tell much).

Only a netstat -a done at the right moment, or a net activity logger
might show several additional open ports which aren't only waiting but
connected.


Gabriele Neukam

(e-mail address removed)
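
One way to read netstat output for what Gabriele describes, as an added example that is not part of the original posts: it lists the remote hosts the machine is connected to on port 25 other than the ISP's own mail server. It assumes the numeric `netstat -an` output layout on Windows; the sample output, addresses and function names are constructed.

```python
# Constructed sample of `netstat -an` output (documentation address ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1030      198.51.100.20:110      ESTABLISHED
  TCP    192.168.1.10:1041      198.51.100.20:25       ESTABLISHED
  TCP    192.168.1.10:1045      203.0.113.5:25         ESTABLISHED
  TCP    192.168.1.10:1046      203.0.113.77:25        SYN_SENT
  TCP    192.168.1.10:1047      192.0.2.14:25          ESTABLISHED
  TCP    192.168.1.10:1050      192.0.2.80:80          ESTABLISHED
  UDP    0.0.0.0:1026           *:*
"""


def parse_connections(text):
    """Return one dict per TCP row; header, blank and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, remote, state = fields
        rhost, _, rport = remote.rpartition(":")
        if rport.isdigit():
            conns.append({"local": local, "rhost": rhost,
                          "rport": int(rport), "state": state})
    return conns


def unexpected_smtp(text, isp_servers):
    """Remote hosts on port 25 that are connected (not merely listening)
    and are not one of the mail servers the user's client is configured for."""
    active = {"ESTABLISHED", "SYN_SENT"}
    hosts = {c["rhost"] for c in parse_connections(text)
             if c["state"] in active and c["rport"] == 25
             and c["rhost"] not in isp_servers}
    return sorted(hosts)


if __name__ == "__main__":
    # 198.51.100.20 stands in for the ISP's POP3/SMTP server.
    for host in unexpected_smtp(SAMPLE, {"198.51.100.20"}):
        print("unexpected SMTP connection to", host)
```

A mail client normally talks to one SMTP server, so several different port 25 peers at once is the pattern to look for.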
 
BoB

I noticed that my Agent filters had caught 617 this morning. No
viruses ever get through my filters because I only accept plain text
messages less than 20KB that are sent directly to me.

Same here. I have one spam filter following my 'pre-approved'
address filter:

Content-Type: text/html & Content-Transfer-Encoding: base64
| text/html | multipart/alternative | multipart/mixed

I developed it when I was getting 200 spam/day under my old email
address. Since I no longer show an email address on my NG postings,
I get <half dozen/day for my new, now one-year old, email address.
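
The accept-only policy steve and BoB describe, as an added example that is not part of their posts: plain text only, under 20KB, addressed directly to the recipient, with HTML and multipart mail rejected by content type. The function names, addresses and sample messages are constructed for the illustration.

```python
from email import message_from_bytes
from email.utils import getaddresses

MAX_BYTES = 20 * 1024  # "less than 20KB"


def verdict(raw, my_address):
    """Apply the plain-text / size / direct-recipient policy to one raw message."""
    if len(raw) >= MAX_BYTES:
        return "reject: 20KB or larger"
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype != "text/plain":  # covers text/html, multipart/alternative, multipart/mixed
        return "reject: " + ctype
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(fields)}
    if my_address.lower() not in recipients:
        return "reject: not addressed directly"
    return "accept"


def make(headers, body):
    """Build a constructed raw message from header lines and a body."""
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


ME = "me@example.net"  # hypothetical recipient address
FROM = "From: a@example.org"
PLAIN = make([FROM, "To: " + ME, "Content-Type: text/plain"], "Lunch on Friday?")
BULK = make([FROM, "To: list@example.com", "Content-Type: text/plain"], "Hello")
HTML = make([FROM, "To: " + ME, "Content-Type: text/html"], "<html><body>Hi</body></html>")
BIG = make([FROM, "To: " + ME, "Content-Type: text/plain"], "x" * 21000)
MIXED = make(
    [FROM, "To: " + ME, 'Content-Type: multipart/mixed; boundary="b"'],
    "--b\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    '--b\r\nContent-Type: application/octet-stream; name="document.txt.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nY29uc3RydWN0ZWQ=\r\n--b--\r\n",
)

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("bulk", BULK), ("html", HTML),
                       ("big", BIG), ("mixed", MIXED)]:
        print(label, "->", verdict(raw, ME))
```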
 
Duane Arnold

On that special day, Duane Arnold, ([email protected]) said...


The problem is that many recent worms don't use OE for sending mails,
but have their own "mailing engine" (a few Telnet commands) "on
board", so that they may use an already existing connection (watching
the winsock activities), and add their own traffic to the one created
by the user, without the latter noticing it at all (a few more
blinkenlights on the "connection" icon don't tell much).

Only a netstat -a done at the right moment, or a net activity logger
might show several additional open ports which aren't only waiting but
connected.


Gabriele Neukam

(e-mail address removed)

If one suspects something like that, then I would suggest using Ethereal
packet sniffer and also on XP there is a packet sniffer as well. Of
course Netstat is ok but I prefer to use Active Ports that allows one to
view inbound and outbound connections.

Duane :)
 
Gabriele Neukam

On that special day, Duane Arnold, ([email protected]) said...
If one suspects something like that, then I would suggest using Ethereal
packet sniffer and also on XP there is a packet sniffer as well. Of
course Netstat is ok but I prefer to use Active Ports that allows one to
view inbound and outbound connections.

Of course these tools you mentioned are ranked lightyears above the
basic stuff that Windows provides; what I described was only an ad hoc
solution to get any preliminary info as fast as possible. To be sure
about what's actually going on, the Sysinternals tools are definitely the
better choice.


Gabriele Neukam

(e-mail address removed)
 
