Security Basics mailing list archives

RE: Analyzing Suspicious Attachment


From: "Brett Kennedy" <Brett.Kennedy () caseware com>
Date: Thu, 17 Jan 2008 13:16:52 -0500


You'd be at risk now of the same things you're always at risk of -
viruses, rootkits and so on. You're just maybe more likely now to have
one of these issues. But, assuming you have good software to check for
these already, you should be able to just run them. They may have
options to run on demand, which you could do now, as opposed to waiting
for them to run on a scheduled basis, if that's how they're configured.
There's also the possibility that sensitive information has already been
transferred to the internet, which you should be able to check with your
logs, or that data has been modified or deleted. Hopefully you can check
that against backups.
Brett


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Albert R. Campa
Sent: January 17, 2008 12:54 PM
To: Al Cooper
Cc: security-basics () securityfocus com
Subject: Re: Analyzing Suspicious Attachment

As far as network, check your IDS and other logs for anything weird or
a spike in events from these 3 systems.

Saludos

Albert

On Jan 17, 2008 11:18 AM, Al Cooper <cooper () hmcnetworks com> wrote:
We had a user open a suspicious attachment.  The attachment did not open so
she sent it to two of her colleagues.  One of her colleagues was also unable to
open the file, but the third person did successfully open the file.  The
attachment did not match the original email and IT was eventually called, a
few hours later.  The three computers have been removed from the network.

I have the attachment.  It is a zip file.  Inside the zip file is one .scr
file.  The antivirus (Symantec) did not catch anything when the file was
opened.  The email is an HTML email and there are pictures that can be
downloaded.

Outside of the obvious policy and training issues, what is the best way to
determine what if any damage has been done to the network?  What tools do I
need to analyze the attachment to see what it is and how it works?

Thanks for your help,
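
A first static-triage step for an attachment like the one described above (a zip wrapping a single .scr), shown here as an added example that is not code from any of the posters. It inspects the archive in memory without extracting or running anything, reports each member's size, SHA-256 and file-type magic, and flags executable or double extensions; the sample archive and its "MZ"-prefixed stub are constructed for the demonstration and are not the real attachment.

```python
# Static triage of a zip attachment: nothing is extracted to disk or executed.
# Each member is read into memory and described by name, size, SHA-256 and
# leading-bytes type, so the hash can be checked against AV / threat-intel
# sources and a disguised executable is visible even when AV stays silent.
import hashlib
import io
import zipfile

# Extensions Windows executes directly; a ".scr" screen saver is an ordinary
# PE executable under another name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)

def identify_magic(data: bytes) -> str:
    """Classify a member by its first bytes rather than by its extension."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"

def triage_zip(blob: bytes) -> list:
    """Describe every member of an in-memory zip; returns one dict per member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": name, "size": info.file_size, "sha256": None,
                                 "type": "skipped", "suspicious": True,
                                 "reasons": ["declared size exceeds limit"]})
                continue
            data = zf.read(info)  # in memory only; never written out
            kind = identify_magic(data)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if kind == "pe-executable" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header behind a non-executable extension")
            if name.count(".") > 1:
                reasons.append("double extension")
            findings.append({"name": name, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest(),
                             "type": kind, "suspicious": bool(reasons), "reasons": reasons})
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample: a harmless stub that only begins with the 'MZ' signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg.scr", b"MZ" + b"\x00" * 62 + b"constructed-stub")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample_attachment()):
        print(finding)
```

Running the triage on a real sample should happen on an isolated analysis host, and the reported SHA-256 is what to submit to the AV vendor or look up before anything is executed in a sandbox.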






