#51908 - 2000-10-23 07:46 PM It hit the fan.... The fan was oscillating....
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3164
Loc: Houston TX
***totally un-kix related rant, sorry about the off topic post***

By "it", I mean the type of "it" with a "sh" in front of it.

Why yes, we were hit by the veryfunny.vbs thing this morning.

A set of circumstances, that only the great administrator in the sky could bring about, was the cause of my new ulcer.

1. Somehow an attachment got past our Exchange server at 12:03am (central time), I am still looking into that.

2. We have virus scan on all the computers (500+) to handle this very thing.

3. On 6 of those computers (all win9x) they were in the middle of upgrading. McAfee was not running when they ran the virus...

2000+, and climbing, virus/email later, the email server is still playing catch-up and I won't hook it back up for at least another 3 hours.

On the 6 users... I never installed WSH/VBS, they did it on their own.

I want their heads on a pike!

As a side note we normally get about 5-10 incoming virus hits a week. Email server is set to scan all attachments. I am suspecting a Yahoo type mail account was the security hole.


Bryce

Top
#51909 - 2000-10-23 10:45 PM Re: It hit the fan.... The fan was oscillating....
kholm Offline
Korg Regular
*****

Registered: 2000-06-19
Posts: 714
Loc: Randers, Denmark
Bryce!

I read your scripts as a virus warning.

I have no help for you, but when you get the time please reply to this:

I am using Norton-antivirus, so I might get some alerts you don't receive and vice versa.
I have never heard of "veryfunny.vbs" and I am very sure that Norton (Symantec) has given it another name.

We were hit by the LoveLetter virus some time ago. After that I disabled WSH/VBS on all workstations via the logon-script.
But if you don't do that at every logon, then if your users update IExplorer they can include WSH/VBS in the update without knowing what it is used for, so don't behead your users.

I suppose that your workstations are using Outlook (not Express); if that is the case, have you installed the latest security-update? I just installed that. (And hope that my net is now totally secured.)

After disabling WSH/VBS scripting I thought that the net was secured and found out that it was NOT.
I have just installed the security-patch for Outlook, but if you have also done that, this could imply a new security-hole.

Erik

[This message has been edited by kholm (edited 23 October 2000).]

Top
#51910 - 2000-10-23 11:27 PM Re: It hit the fan.... The fan was oscillating....
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3164
Loc: Houston TX
Erik:

Yes, I am implementing the kix removal of wsh/vbs by using the logon script (I should have done this long ago!!). We were hit by veryfunny.vbs; it is just a LoveLetter variant.

I am also going to be reevaluating the latest security update for outlook. And will try to implement it before the end of the week....

I still haven't been able to find out how the attachment got through, but it looks like my virus scanner failed (McAfee GroupShield). The initial user received the attachment at 6:45am. Several other people also received the same email, but the server caught and cleaned those, but not hers.

At 9:11am she ran the attachment, her local virusscan was disabled waiting on a reboot to bring it up to the latest version.

At 9:12 the second user ran the attachment, and then the next user..... until a total of 7 people had run the virus, resulting in a complete and total overload for the server based virusscan to catch them all.

I was out of the building and I wasn't informed until almost an hour after the initial infection. That is when one of my help desk techs shut down both mail servers, while scrambling to get in touch with me (at this time I was on my way back upstairs to my office).

It took me another 20 min to get up to speed and get the servers running on a separate network, also hooked myself up to this separate network. Started a Scan On Demand at 10:02am and at 4:12pm it just finished.

For those who are interested...

Total number of infected emails was..... 4095!!
Total downtime 6.5 hours,

...... yea.


Bryce

Top
#51911 - 2000-10-24 08:27 AM Re: It hit the fan.... The fan was oscillating....
Anonymous
Unregistered


Hya Bryce..,

Hope you did get some sleep yesterday.

All the 600+ users in our domains are code-developers and they need VBS-**IT..!!

During the 'LoveLetter'-rage I had a script which (with 1 click) would remotely (forcefully) shut down a system, delete its network configuration from its registry and remove it from the domain..

Fortunately I had to use this only twice..!!
We used McAfee VScan 4.0.3a with customized dat-files and a central VirusAlert recipient system.

I wish you luck and good speed with recovering from this **IT

------------------
Hope to be of service..,

Fabian.

-----------------Paranoia is reality on a finer scale-----------------

Top
#51912 - 2000-10-24 03:05 PM Re: It hit the fan.... The fan was oscillating....
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3164
Loc: Houston TX
We are already back up and running, the 7 infected computers have been cleaned and no more mr. nice administrator

What caused this to happen was the fact that I was not forcing the win9x computers to reboot after a McAfee update. Well, as of this morning they will have no choice but to reboot.

I also am making the default action for vbs files to be opened in notepad.exe.

Bryce

Top
#51913 - 2000-10-25 01:44 AM Re: It hit the fan.... The fan was oscillating....
kholm Offline
Korg Regular
*****

Registered: 2000-06-19
Posts: 714
Loc: Randers, Denmark
Preventing virus-attacks via Outlook-mail

Security patch for Outlook 2000/98
_________________________________________________________________________________________________

Bryce

I had just initiated the rollout of the patch last Friday (10/20/2000), that was why I was curious if you had installed it.

(Now installed on 505 of 540 workstations on the LAN, the rest haven't been logged onto yet, I am still working on the WAN/RAS-script)
____________________________________________________________________________________________________

I haven't had any bad experiences after installing it, quite the opposite, users are now prevented from sending non-valid shortcuts and most traffic of transferring files is moved from the mail-servers to the file-servers.

Security patch for Outlook 2000/98

When installed it is easy to change settings, works via the Outlook form: Outlook security setting.
So once installed you don't have to change the clients each time you make a change in your security policy, takes effect next time the users open Outlook.

It is now possible to remove filetypes from Level 1: Files not possible to send and receive, this wasn't the case in the previous security-patch. So I chose not to install the first patch because I have several users that get program updates via mail (self-extracting zip-files), also we have some workstations that are still not on the WAN, so we have to mail .mdb files to them.

By default the "Unsafe" (Level1) files are:

.ade Microsoft Access project extension
.adp Microsoft Access project
.bas Microsoft Visual Basic class module
.bat Batch file
.chm Compiled HTML Help file
.cmd Microsoft Windows NT Command script
.com Microsoft MS-DOS program
.cpl Control Panel extension
.crt Security certificate
.exe Program
.hlp Help file
.hta HTML program
.inf Setup Information
.ins Internet Naming Service
.isp Internet Communication settings
.js JScript file
.jse Jscript Encoded Script file
.lnk Shortcut
.mdb Microsoft Access program
.mde Microsoft Access MDE database
.msc Microsoft Common Console document
.msi Microsoft Windows Installer package
.msp Microsoft Windows Installer patch
.mst Microsoft Visual Test source files
.pcd Photo CD image, Microsoft Visual compiled script
.pif Shortcut to MS-DOS program
.reg Registration entries
.scr Screen saver
.sct Windows Script Component
.shb Shell Scrap object
.shs Shell Scrap object
.url Internet shortcut
.vb VBScript file
.vbe VBScript Encoded script file
.vbs VBScript file
.wsc Windows Script Component
.wsf Windows Script file
.wsh Windows Script Host Settings file

Look in Information About the Outlook E-mail Security Update

Erik

[This message has been edited by kholm (edited 25 October 2000).]
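
The Level 1 list quoted in the post above can also be applied outside Outlook, for example when triaging attachment names at a gateway or in a mailbox export. The following is an added example, not part of the original post and not Outlook's own logic; the function names and sample filenames are constructed, and treating the self-extracting zip-files as `.exe` is an assumption.

```python
# Added illustration: classify attachment names against the Level 1
# extension list quoted in the post. Names and samples are constructed.

LEVEL1 = frozenset("""
ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk
mdb mde msc msi msp mst pcd pif reg scr sct shb shs url vb vbe vbs wsc
wsf wsh
""".split())


def level1_extension(filename):
    """Return the Level 1 extension that decides how Windows opens the
    file, or None. Only the last extension counts, so 'minutes.txt.vbs'
    is a script even though it looks like a text file."""
    # Windows ignores trailing dots and spaces in file names, so
    # 'x.vbs.' and 'x.vbs ' still resolve to 'x.vbs'.
    name = filename.strip().rstrip(". ").lower()
    # Drop any path component the sender put in the attachment name.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in LEVEL1 else None


def triage(filenames, allowed=frozenset()):
    """Split names into (blocked, passed). 'allowed' models types an
    administrator has removed from Level 1, as the post describes."""
    blocked, passed = [], []
    for f in filenames:
        ext = level1_extension(f)
        if ext is not None and ext not in allowed:
            blocked.append((f, ext))
        else:
            passed.append(f)
    return blocked, passed


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["veryfunny.vbs", "minutes.txt.VBS", "update.exe",
              "stock.mdb", "photo.jpg", "notes.vbs. ", "README"]
    blocked, passed = triage(sample, allowed={"mdb", "exe"})
    for name, ext in blocked:
        print(f"BLOCK {name!r} (.{ext})")
    print("pass:", passed)
```
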

Top
#51914 - 2000-10-25 02:18 AM Re: It hit the fan.... The fan was oscillating....
BoxKite Offline
Da Box
*****

Registered: 2000-05-17
Posts: 282
Loc: Vacaville,CA,USA
BRYCE, Dude, I feel your pain.

Hope this makes you feel better.

code:
; Six passes, one word shown per pass
$a = 6
while $a > 0
  ; Scatter asterisks at random screen positions, cycling through four colours
  $x = 2500
  $y = 0
  while $x >= 0
    $y = $y + 1
    select
      case $y = 1
        color r+/n
      case $y = 2
        color y+/n
      case $y = 3
        color g+/n
      case $y = 4
        color b+/n
      case 1
        ; fifth step: reset the counter, colour unchanged
        $y = 0
    endselect
    $r = rnd(23)
    $c = rnd(75)
    at($r,$c) "*"
    $x = $x - 1
  loop
  ; Show this pass's word in big letters, built from character codes
  big
  select
    case $a = 6
      color b+/n
      $w = chr(89) + chr(79) + chr(85)
      at(10,15) " $w "
    case $a = 5
      color G+/n
      $w = chr(65) + chr(82) + chr(69)
      at(10,15) " $w "
    case $a = 4
      color y+/n
      $w = chr(78) + chr(79) + chr(84)
      at(10,15) " $w "
    case $a = 3
      color b+/n
      $w = chr(76) + chr(79) + chr(83) + chr(73) + chr(78) + chr(71)
      at(10,15) "$w"
    case $a = 2
      color y+/n
      $w = chr(89) + chr(79) + chr(85) + chr(82)
      at(10,15) " $w "
    case $a = 1
      color r+/n
      $w = chr(77) + chr(73) + chr(78) + chr(68)
      at(10,15) " $w "
    case 1
  endselect
  small
  sleep(2)
  $a = $a - 1
  ; Clear the screen between passes
  if $a > 1
    cls
  endif
loop
play "0g6d1000f1200f1300f1400f1500f1600f1700f1800f70d1900f"
exit

------------------
BoxKite
FACTA NON VERBA

[This message has been edited by BoxKite (edited 25 October 2000).]

_________________________
Box
FACTA NON VERBA

Top
#51915 - 2000-10-25 03:47 PM Re: It hit the fan.... The fan was oscillating....
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
I also replaced all wscript.exe and cscript.exe files with a renamed notepad.exe

user: "why does notepad open every time I read this email"
me: " hahahahahahaha"

_________________________
How to ask questions the smart way <-----------> Before you ask

Top