Security Basics mailing list archives

RE: Analyzing Suspicious Attachment

From: "Richard Golodner" <rgolodner () infratection com>
Date: Thu, 17 Jan 2008 19:42:49 -0500

Why do you allow .zip onto your network anyway? Danger Will Robinson. Hope
things this group has suggested have helped you sort it out Al.

      most sincerely, Richard 
      

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Timmothy Lester
Sent: Thursday, January 17, 2008 1:22 PM
To: Al Cooper; security-basics () securityfocus com
Subject: RE: Analyzing Suspicious Attachment

Silly!  Send out a company newsletter stating never to open attachments
from an unidentified source (if you can't walk over and smack them,
don't open the file).  Try the following tools to see if you may have
been compromised: Hijack This, Sbybot Search & Destroy/File_Anayzer
(don't forget about the tools under the advanced view), Sysinternals
"Process Explorer", ADS Spy, Rootkit Revealer.  Sniff your network for
strange traffic.  What are you using to open ZIP files???

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Al Cooper
Sent: Thursday, January 17, 2008 12:18 PM
To: security-basics () securityfocus com
Subject: Analyzing Suspicious Attachment

We had a user open a suspicious attachment.  The attachment did not open
so
she sent it to two of her colleges.  One of her colleges was also unable
to
open the file, but the third person did successfully open the file.  The
attachment did not match the original email and IT was eventually
called, a
few hours later.  The three computer have been removed from the network.


I have the attachment.  It is a zip file.  Inside the zip file is one
.scr
file.  The antivirus (Symantec) did not catch anything when the file was
opened.  The email is an HTML email and there are pictures that can be
downloaded.

Outside of the obvious policy and training issues, what is the best way
to
determine what if any damage has been done to the network?  What tools
do I
need to analysis the attachment to see what it is and how it works?

Thanks for your help,




-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Current thread:

Re: Remote desktop access policy, (continued)
- - - Re: Remote desktop access policy Kurt Buff (Jan 19)
    - Re: Remote desktop access policy WALI (Jan 21)
    - Re: Remote desktop access policy Kurt Buff (Jan 21)
    - Re: Remote desktop access policy Gleb Paharenko (Jan 18)
    - Re: Remote desktop access policy Kurt Buff (Jan 19)
- Re: Analyzing Suspicious Attachment Geoffrey Gowey (Jan 17)
- Re: Analyzing Suspicious Attachment Ali, Saqib (Jan 17)
  - Re: Analyzing Suspicious Attachment brian . bevers (Jan 17)
- RE: Analyzing Suspicious Attachment Nick Vaernhoej (Jan 17)
- RE: Analyzing Suspicious Attachment Timmothy Lester (Jan 17)
  - RE: Analyzing Suspicious Attachment Richard Golodner (Jan 18)
    - Re: Analyzing Suspicious Attachment Josh Haft (Jan 18)
    - RE: Analyzing Suspicious Attachment Petter Bruland (Jan 18)
    - Re: Analyzing Suspicious Attachment Lee Hinman (Jan 18)
    - Re: Analyzing Suspicious Attachment Ansgar -59cobalt- Wiechers (Jan 18)
- Re: Analyzing Suspicious Attachment Dante Signal31 (Jan 18)
- Re: Analyzing Suspicious Attachment zenmasterbob123 (Jan 17)