echo: nthelp
to: Glenn Meadows
from: Mike `/m`
date: 2005-12-31 08:51:34
subject: Re: Trojan Blues

From: Mike '/m' 


btw, I'm starting to like the f-secure AV stuff.

http://www.f-secure.com/

 /m


On Fri, 30 Dec 2005 22:54:00 -0600, "Glenn Meadows"
 wrote:

>Well, all indications are that the machine is now sound and secure.
>HijackThis shows no extra open listening ports, I've run 4 Adware/malware
>detection programs against the machine, as well as 3 separate Anti-Virus
>programs, including an online from Trend Micro.
>
>Adware/Malware:
>Ad-Aware
>Spybot Search-Destroy
>eWido
>CounterSpy.
>
>Both CounterSpy and eWido are running with their active detection left on.
>
>Anti-Virus:
>Sophos
>AVG
>Trend
>
>Sophos is left in active detect mode.  You can open the monitor panel, and
>watch it look at each exe/dll file that's loaded, be scanned.  I was
>"playing" with one of the trojan infected files, to zip it to send to one of
>the AV firms, and Sophos caught every time I touched the file, or it was
>accessed, and blocked any action with it.  Had to use a restore with a file
>name change in the restore to destination window to be able to do anything
>with the files.
>
>NONE of the other computers in the office appear to have been affected.
>None of the files on this computer show up on any of the other machines.
>
>I'm actually quite thankful that both our NY office and Nashville offices
>were "closed" this week.  The few people who came in, appear to have avoided
>this problem, save for the salesman here in Nashville.  Thank goodness for
>small favors.  I think that this exploit would have a larger impact on our
>systems if everyone had been working all this week.
>
>I had the production manager in the NY office put a physical notice on
>everyone's monitor today detailing the virus potential problem, and giving
>specific instructions that when they start their computers first thing
>Tuesday, that before they open Outlook, or IE, that they open their AV
>control panel, and do an immediate Live Update (NY uses Symantec Corporate
>edition), but as I discovered today, each local system is globally set to
>pull sig files from the Symantec server, NOT from the local AV server.
>Got to get that re-configured.  I also discovered that the Live
>Update was configured to check for updates once a week.  I've changed that
>to be once a day now.  I'm also going to re-config each computer to pull sig
>files from the local server, but the machines have to be on, so I can Remote
>Desktop to them to re-configure them and verify that the changes have been
>made.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
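Glenn's last paragraph describes the follow-up work: reconfigure each workstation to pull signature files from the local AV server, move LiveUpdate from weekly to daily, and then Remote Desktop to each machine to verify the change took. The script below is an added example, not code from either poster, that does the verification step remotely from one admin workstation. It assumes modern Windows clients that expose the `root\SecurityCenter2` WMI namespace (absent on Windows Server), working WinRM/CIM access, local admin rights, and constructed placeholder host names; the `productState` bit decoding it uses is the commonly documented one, not an officially published Microsoft specification.

```powershell
# Added example (not from the original thread): check real-time protection and
# signature freshness on a list of Windows workstations without RDP-ing to each.
# Assumptions: Windows client OS (root\SecurityCenter2 exists), CIM/WinRM reachable,
# admin rights. Host names are constructed placeholders.

$Hosts = @('NY-WS01', 'NY-WS02', 'NASH-WS01')

function Get-AvStatus {
    param([string]$ComputerName)

    try {
        $products = Get-CimInstance -ComputerName $ComputerName `
            -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop
    } catch {
        # Unreachable or no AV registered: report it rather than silently skipping
        return [pscustomobject]@{
            Computer = $ComputerName; Product = $null
            RealTimeOn = $false; DefsCurrent = $false
            Note = $_.Exception.Message
        }
    }

    foreach ($p in $products) {
        # productState is a packed integer (commonly documented decoding, unofficial):
        #   middle byte 0x10 = product enabled / real-time on, 0x00 or 0x01 = off
        #   low byte    0x00 = signatures current, 0x10 = signatures out of date
        $state       = [int]$p.productState
        $enabledByte = ($state -shr 8) -band 0xFF
        $defsByte    = $state -band 0xFF
        [pscustomobject]@{
            Computer    = $ComputerName
            Product     = $p.displayName
            RealTimeOn  = ($enabledByte -eq 0x10)
            DefsCurrent = ($defsByte -eq 0x00)
            Note        = ''
        }
    }
}

$report = foreach ($h in $Hosts) { Get-AvStatus -ComputerName $h }
$report | Format-Table -AutoSize

# Anything with protection off or stale signatures still needs the reconfiguration
$report | Where-Object { -not $_.RealTimeOn -or -not $_.DefsCurrent } |
    ForEach-Object { Write-Warning "$($_.Computer): $($_.Product) needs attention. $($_.Note)" }
```

Run it daily for a week after the change and any machine that keeps showing stale signatures is one that is still pulling from the wrong update source or was powered off when LiveUpdate ran; unreachable hosts show up with the error text in the Note column instead of disappearing from the list.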

SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.