Security Incidents mailing list archives
RE: Novarg
From: "Duston Sickler" <dustons () charter net>
Date: Wed, 28 Jan 2004 20:51:18 -0600
We have our Symantec Gateway server configured to scan all incoming attachments. It automatically strips all executables and any "encrypted containers" (password-protected zips). This and NAV Corp (managed) have kept our organization free from worms for three years running now.

Duston Sickler
CompTIA A+ Certified
"Cedo Nilli"

-----Original Message-----
From: Jeremy Strachan [mailto:Jeremy.Strachan () ClemengerCommunications co nz]
Sent: Wednesday, January 28, 2004 2:31 PM
To: 'sloppy seconds'
Cc: 'incidents () securityfocus com'
Subject: RE: Novarg

For what it's worth - we use NAV for Exchange, and one of the options is to block certain attachment types; in this case we block .exe attachments. NAV looks inside .ZIP files, sees the .exe inside, and blocks (or deletes) the entire attachment.

That means we aren't dependent on a virus signature being released to block this worm (or new variants).

Jeremy
National IT Manager
Clemenger Communications Ltd
Microsoft MCSE, Novell CNE, Compaq ASE

-----Original Message-----
From: sloppy seconds [mailto:beleguese () yahoo com]
Sent: Wednesday, 28 January 2004 5:32 p.m.
To: incidents () securityfocus com
Subject: Novarg

To all,

Yes, as many of you have noticed, Novarg is spreading fast. I work for a large international corporation and we have seen extensive infiltration. However, this worm has not proved to be as "damaging" as some may claim. The scary part is that our investment in AV solutions (Trend, Symantec, et al...) has not protected us. We are now reconsidering our stance on allowing .ZIP files in Email.

We engineered our own cleaning utility hours before our AV vendors even had signatures. Infecting lab clients and using diff tools...etc

From a network perspective we are watching for the supposed DOS against SCO.

We have had the outbreak under control just a few hours after its inception. Anyone care to contribute their experience?

Thanks,
Beleguese
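The attachment policy the two replies above describe (look inside ZIP files, block any that contain an executable, and refuse password-protected archives), sketched as an added example that is not part of the original messages or of any Symantec product. The extension list, the depth and size limits, and the names `inspect_attachment` and `make_zip` are assumptions.

```python
import io
import zipfile

# Assumed blocklist for illustration; the thread itself only names .exe.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MAX_DEPTH = 3            # assumed cap on nested archives
MAX_MEMBER = 10_000_000  # assumed cap on bytes unpacked per member

def inspect_attachment(name, data, depth=0):
    """Return ('block' | 'allow', reason) for one attachment."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    if name.lower().rstrip(". ").endswith(BLOCKED_EXT):
        return "block", f"executable: {name}"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "allow", "not an archive"
    if depth >= MAX_DEPTH:
        return "block", f"archive nested too deep: {name}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flags marks an encrypted
                # member, i.e. content the gateway cannot scan.
                if info.flag_bits & 0x1:
                    return "block", f"encrypted container: {name}"
                # Oversized members are judged by name only.
                inner = zf.read(info) if info.file_size <= MAX_MEMBER else b""
                verdict, reason = inspect_attachment(info.filename, inner, depth + 1)
                if verdict == "block":
                    return verdict, f"{reason} (inside {name})"
    except Exception as exc:  # fail closed on anything unparseable
        return "block", f"unreadable archive {name}: {exc}"
    return "allow", "no blocked content"

def make_zip(members, encrypted=False):
    """Build a constructed sample ZIP in memory from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flags field in the last central-directory header
        # to imitate a password-protected member (no real encryption applied).
        pos = raw.rfind(b"PK\x01\x02")
        raw[pos + 8] |= 0x01
    return bytes(raw)
```

Because the decision rests on member names and the encryption flag rather than on content, it does not depend on a signature existing, which is the property Jeremy's reply points out.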