Snort mailing list archives

Answer to proxy question and logging


From: SecurityGauntlet <securitygauntlet () snet net>
Date: Fri, 21 Sep 2001 04:56:29 -0400

This is in response to Thomas Nilsen's posting to the snort-users group.


This Worm sets up an SMTP server utilizing the MIME exploit in IE and connecting to Outlook Express on the desktop, even if Outlook Express is not configured. The proxy will ONLY log the port for which you have the proxy set, such as 8080. This exploit is taken advantage of when a person goes to an infected site. If you load up Norton AV with the latest defs and then go to one of these sites (URL provided on request), Norton will activate upon browsing to these sites and give you an "Access denied" error message when the site tries to send a JavaScript to your machine. This script sets up the Worm and the exploit.

Good luck all. This is a VERY VERY VERY nasty Worm. In most cases one needs to burn down and rebuild ANY infected machines, especially IIS servers. There is just no real way to clean ALL the junk effectively. This is a recommendation from TruSecure, which runs a World Class Research lab for this stuff.

Wayne T Work
Manager of Information Systems Security
Cybergnostic.net, Inc
(O) 203.331.4417
(C) 203.217.5004
wwork () cybergnostic com
