Security Incidents mailing list archives

RE: Novarg


From: "Wayne S. Ackley" <wackley () ideorlando org>
Date: Wed, 28 Jan 2004 13:01:59 -0500

Greetings,

We've seen the same symptoms on our outlying networks.
Since yesterday, once we made some minor changes to our
Postfix/Amavis/CLAMAV server, (i.e. updated sigs, etc.) we've seen
Amavis/CLAMAV catch every occurrence without a hitch.

We allow certain attachments via SMTP, and with our Amavis/CLAMAV setup we
can scan them easily.

-Wayne

**************************************************
Wayne S. Ackley
IT Manager - Senior Network Engineer
IDEORLANDO Facility
3045 Technology Parkway
Orlando, Florida 32826
321-235-7524
321-235-1484
text pager: page_wayne () ideorlando org
Pager phone: 1-800-946-4646 pin#1431304
**************************************************


-----Original Message-----
From: sloppy seconds [mailto:beleguese () yahoo com]
Sent: Tuesday, January 27, 2004 11:32 PM
To: incidents () securityfocus com
Subject: Novarg


To all,

Yes, as many of you have noticed, Novarg is spreading
fast. I work for a large international corporation and
we have seen extensive infiltration. However, this
worm has not proved to be as "damaging" as some may
claim. The scary part is that our investment in AV
solutions (Trend, Symantec, et al...) has not
protected us. We are now reconsidering our stance on
allowing .ZIP files in Email.

We engineered our own cleaning utility hours before
our AV vendors even had signatures. Infecting lab
clients and using diff tools...etc

From a network perspective we are watching for the
supposed DOS against SCO.

We have had the outbreak under control just a few
hours after its inception.

Anyone care to contribute their experience?

Thanks,
Beleguese

