Security Incidents mailing list archives

RE: Backdoor-CGT


From: "Security Guy" <securityguy () dslextreme com>
Date: Fri, 16 Jul 2004 08:34:43 -0700

We've done all that you list below, as much as possible, but I work in a
large enterprise environment with thousands of users - someone will (and
has) clicked on the embedded url.  Despite numerous warnings and threats of
dire consequences, it's just the statistics of human nature.  If it was up
to me, only a very, very few users would even have internet access; but I
just work here!

- SG 

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
Sent: Thursday, July 15, 2004 5:52 PM
To: incidents () securityfocus com
Subject: Re: Backdoor-CGT

securityguy () dslextreme com wrote:

McAfee, and several news outlets, are reporting the spread of this 
trojan horse.  Info at
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126681

One of the entries at McAfee is that blocking genmexe.biz prevents 
downloading the trojan.  Has anyone seen an ip address for this url?

I believe that site has been taken down, but the same Trojan has been seen
on other sites.

Why not patch your clients and/or simply block all .EXEs from the web with a
proper content-filtering gateway running in transparent proxy mode?

At least that will give you surer coverage of what to worry about next
rather than having to continually wonder if a new bit of spam with a new
location for that download got through...

And why aren't you asking about the several dozen other similar exploits
being actively spammed and pushed through popups and IM and, and, and...
?????  Are you really sure you have kept on top of all those sites and their
IP addresses and where they moved since yesterday?

Blacklisting is no solution to these kinds of things -- find something
smarter to waste your time on...


Regards,

Nick FitzGerald
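As an added illustration of the content-filtering point made in this thread (this is not code from the list or from any product it mentions; the host names, the sample responses and the blacklist entry are constructed), the following compares a hostname blacklist with a gateway rule that blocks Windows executables by extension, declared MIME type and the PE "MZ" signature in the body, whatever host served them:

```python
"""Content-based blocking of Windows executables at a filtering proxy.

Illustration added for this thread, not code from the mailing list or from
any gateway product. Hostnames, responses and the blacklist are constructed.
"""
from dataclasses import dataclass

# Extensions and MIME types commonly used for Windows executables.
EXE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
EXE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}

# The hostname blacklist approach asked about in the thread (constructed entry).
BLACKLIST = {"genmexe.biz"}


@dataclass
class Response:
    """Minimal view of an HTTP response as a gateway would see it (constructed)."""
    host: str
    path: str
    content_type: str
    body: bytes


def is_pe_image(body: bytes) -> bool:
    """True if the payload starts with the DOS/PE 'MZ' signature."""
    return body[:2] == b"MZ"


def blacklist_verdict(resp: Response) -> str:
    """Reference decision: block only when the serving host is on the list."""
    return "block" if resp.host.lower() in BLACKLIST else "allow"


def content_verdict(resp: Response) -> tuple:
    """Gateway decision from extension, declared type and magic bytes.

    Returns (verdict, reason). The order matters only for the reason string;
    any one indicator is enough to block.
    """
    path = resp.path.lower().split("?", 1)[0]
    mime = resp.content_type.split(";", 1)[0].strip().lower()
    if path.endswith(EXE_EXTENSIONS):
        return "block", "executable extension"
    if mime in EXE_MIME_TYPES:
        return "block", "executable MIME type"
    if is_pe_image(resp.body):
        return "block", "PE signature in body"
    return "allow", "no executable indicators"


# Constructed sample responses: the listed host, the same file moved to a new
# host, the same payload disguised as an image, and an ordinary HTML page.
SAMPLES = [
    Response("genmexe.biz", "/load.exe", "application/x-msdownload", b"MZ\x90\x00"),
    Response("mirror.example", "/load.exe", "application/octet-stream", b"MZ\x90\x00"),
    Response("mirror.example", "/photo.jpg", "image/jpeg", b"MZ\x90\x00"),
    Response("www.example", "/index.html", "text/html; charset=utf-8", b"<html>"),
]


def compare(samples):
    """Return (url, blacklist verdict, content verdict) for each sample."""
    return [
        (r.host + r.path, blacklist_verdict(r), content_verdict(r)[0])
        for r in samples
    ]


if __name__ == "__main__":
    for url, by_list, by_content in compare(SAMPLES):
        print(f"{url:<28} blacklist={by_list:<6} content-filter={by_content}")
```

Run as a script it prints one line per sample; only the first is stopped by the blacklist, while the first three are stopped by the content rules, which is the "surer coverage" argument in the reply. A real gateway would do the same checks on the decoded response body after any transfer encoding and inside common archive wrappers, which this sketch leaves out.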
