I use snort IDS (snort.org) and have written rules to block it.. Also.. it is simple to put the body of the message in postfix mail filtering rules.. block it at the mail server leval. Any questions on how I have done this can be directed to epicat_private EPiC hack3r.com ----- Original Message ----- From: "Stan Lee (OBU-MY)" <Stan_Leeat_private> To: "Dom De Vitto" <domat_private> Cc: <vuln-devat_private>; <SECURITY-BASICSat_private> Sent: Thursday, July 26, 2001 10:08 PM Subject: RE: Sircam > Hi all, > > do you guys think that scanning and cleaning is what you need you do for > this virus??? What if i suggest to STOP the coming of this virus at all???? > > You should use a solution that sit on the internet gateway, right after the > firewall, to STOP all troj_sircam.A at the gateway.. > > for more detail please visit Trend Micro's site at : www.antivirus.com > > Stan > > -----Original Message----- > From: Dom De Vitto [mailto:domat_private] > Sent: Friday, July 27, 2001 2:44 AM > Cc: vuln-devat_private; SECURITY-BASICSat_private > Subject: RE: Sircam > > > Can I suggest that everyone vaguely interested go to the Symantec site > and look up the details - it's a complex thing SirCam, and does a lot > in a lot of ways. > > e.g. Scans the Temporary Internet Files for any files containing email > addresses.... > > Dom > -----Original Message----- > From: Kimberly Anne McKinnis [mailto:elfat_private] > Sent: 25 July 2001 21:15 > To: Tom Geldner > Cc: 'Johnson, Greg'; vuln-devat_private; > SECURITY-BASICSat_private > Subject: Re:Sircam > > > >From what I've read, it looks for any email addresses on the system, not > just in address books. So if webmaster@ was posted on a webpage somewhere, > that may be the cause. > > This subject line is causing some peoples mail servers to reject the mail. > Somehow I doubt the real virus is actually going to send with that subject. > > Tom Geldner wrote: > > > >-----Original Message----- > > >From: Johnson, Greg [mailto:JohnsonGat_private] > > > > >Don't let the e-mail tip-off fool you. > > > > > >In our University environment we find this and related worms > > >spread primarily via unprotected writeable Windows shares. It > > >also gets in when a user without up-to-date anti-virus > > >software accesses an e-mail server other than our own which > > >has an anti-virus filter. Bim-ba-boom! > > > > Some of our corporate accounts have been pounded on by a particular user > > on verizon.net. None of those e-mail addresses are from someone's > > address book. They are all things like info@, webmaster@, postmaster@ > > etc. so in our case, someone seems to be trying to propogate it > > deliberately. > > > > Tom > > -- > kimmie mckinnis > http://www.starjewel.org > icq:186072/aol:starbreiz > > > >
This archive was generated by hypermail 2b30 : Sat Jul 28 2001 - 11:46:17 PDT