Security Incidents mailing list archives

RE: Novarg - Stopping .Zip Files


From: "Bruce Martins" <BMartins () extend COM>
Date: Fri, 30 Jan 2004 10:31:18 -0500

To be fair, McAfee actually had an EXTRA.DAT file out almost immediately
which did detect the Mydoom virus, which they did indicate on their
Mydoom Virus Information page. I know this much as I d/l it and installed
it on all of our machines and servers.

-----Original Message-----
From: Tom Milliner [mailto:tom.milliner () verizon net] 
Sent: Wednesday, January 28, 2004 11:14 PM
To: beleguese () yahoo com; incidents () securityfocus com; milliner () gdar org;
Ivan Coric
Subject: Re: Novarg - Stopping .Zip Files

We don't have an email gateway.  With only 30 employees,  it seemed to
make sense to have our ISP provide POP3 email service.  The ISP provides
spam and virus filtering.  For example,  if the ISP provides the service
for $60 a month (possibly bundled with web hosting and/or a T1
connection), the cost is $720 a year with little admin time involved.
That compares favorably to the cost of hardware/software and
administering an email server.

We are looking at IDS/IPS solutions anyway, and I am hoping there are
possibilities which could be affordable and easily administered (we
already run Windows 2003 in a single active directory domain with SQL
and IIS; there are four single person remote offices, and a PC classroom
with 21 PC's).  I would like an IDS/IPS solution which can be either
remotely managed/updated or easily administered by me...for instance,
the Microsoft solution, ISA Server,  can do a lot,  but I would need
more time than I have available right now to master its possibilities.

Sentinel and Netscreen are the two IDS/IPS solutions which I know about
now.  I don't know if they could have been set to drop POP3 .zip file
attachments for the 24 hours between the beginning of MyDoom and
McAfee's virus updates.

Tom Milliner, CPA, MCSE, CNE
2404 Summer Place Dr.
Irving, TX  75062
(972) 255-6308
tom.milliner () verizon net



----- Original Message -----
From: "Ivan Coric" <ivan.coric () workcoverqld com au>
To: <milliner () gdar org>; <incidents () securityfocus com>;
<beleguese () yahoo com>
Sent: Wednesday, January 28, 2004 5:24 PM
Subject: RE: Novarg - Stopping .Zip Files


Tom,
Do you have an email gateway? If so, why don't you block .zip, .pif, .scr,
etc. there?

Kind Regards
Ivan


Ivan Coric, CISSP
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au
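The gateway rule Ivan suggests (and the temporary .zip hold Tom wished he had during the signature gap) can be expressed as a small MIME filter. This is an added example, not code from anyone in the thread; message names and addresses are constructed, and the extension list assumes the types named above plus a few common executable types. It also sniffs the ZIP magic bytes, because an extension check alone misses an archive that arrives under a renamed filename.

```python
"""Hold inbound mail carrying blocked attachment types (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions proposed in the thread for a gateway block, compared
# case-insensitively; .exe/.bat/.cmd are an assumed addition.
BLOCKED_EXTENSIONS = {".zip", ".pif", ".scr", ".exe", ".bat", ".cmd"}
ZIP_MAGIC = b"PK\x03\x04"  # local-file header that opens a ZIP archive


def blocked_attachments(raw_message: bytes) -> List[str]:
    """Return the reasons a message should be held; empty means deliver."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        # Filename may sit in Content-Disposition or in Content-Type's name=.
        name = part.get_filename() or part.get_param("name") or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext} ({name})")
            continue
        # Extension looked harmless: check the decoded bytes for a ZIP header.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ZIP_MAGIC):
            reasons.append(f"ZIP content in part named {name!r}")
    return reasons


def build_message(attachment_name: str, data: bytes) -> bytes:
    """Construct a sample message with one attachment (test input only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "user@example.com"          # constructed address
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_zip = ZIP_MAGIC + b"\x00" * 20  # constructed ZIP-like bytes
    for name in ("invoice.ZIP", "notes.txt"):
        print(name, blocked_attachments(build_message(name, fake_zip)))
```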

"Tom Milliner" <milliner () gdar org> 01/29/04 02:53am >>>

Could someone tell me if there is an IPS solution
which could be quickly programmed to stop .zip
files?  I wish we could have stopped .zip files long
enough for our anti-virus program to get its updates.

Tom Milliner, CPA, MCSE
Director of Information Services
Greater Dallas Assc of Realtors
8201 N. Stemmons Frwy
Dallas,  TX  75247
www.gdar.org
mail to: milliner () gdar org
(214) 540-2741


-----Original Message-----
From: sloppy seconds [mailto:beleguese () yahoo com]
Sent: Tuesday, January 27, 2004 10:32 PM
To: incidents () securityfocus com
Subject: Novarg

To all,

Yes as many of you have noticed Novarg is spreading
fast. I work for a large international corporation and
we have seen extensive infiltration. However, this
worm has not proved to be as "damaging" as some may
claim. The scary part is that our investment in AV
solutions (Trend, Symantec, et al...) has not
protected us. We are now reconsidering our stance on
allowing .ZIP files in Email.

We engineered our own cleaning utility hours before
our AV vendors even had signatures. Infecting lab
clients and using diff tools...etc

From a network perspective we are watching for the
supposed DOS against SCO.

We have had the outbreak under control just a few
hours after its inception.

Anyone care to contribute their experience?

Thanks,
Beleguese

