Subject:
From:
Rosalind Walters <[log in to unmask]>
Reply To:
PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date:
Wed, 19 Jun 2002 22:47:29 +1000
On 14/06/02 David Gillett wrote:
>   One of my coworkers recently got several messages, claiming to be
>bounce messages from our local postmaster@ account, reporting that
>some message she had sent was not deliverable.  Since she does not
>remember recently sending anything to these people, the obvious
>reaction is to try to open "the attached message" to see what this is
>about.
>   Unfortunately, the attachment is really a copy of the Klez.H virus.
>Fortunately, this particular co-worker uses a Mac, and so the virus
>cannot run.  (This particular distribution method, as a forged bounce
>message, does not appear to be a documented behaviour of the virus;
>someone may have modified it, or be hand-crafting these messages as
>attacks.)
>   Now here's where it gets interesting.  I forward the message,
>including attachment, to my work machine, protected by Norton AV
>Corporate v 7.5, with all the latest definitions, and to my home PC,
>running Norton AV 8.07.17C, as included with Norton SystemWorks 2002.
>
>   At home, Norton AV detects the inbound email's infected attachment
>just fine.   At work, though, not a peep.  I save the attachment to a folder,
>and tell NAV to scan the folder.  Nada, zip, zilch.
>   Now here's where it gets really interesting:  From my work PC, I go
>to Trend Micro's web site and run their free Java-based virus scan of
>the folder containing the saved attachment.  Trend finds it just fine
>-- and Norton AV pops up to report that it has just found an infected
>copy of the file, in the TEMP folder!
>   Somehow, the Norton Corporate cannot usually spot the virus, even
>though it is clearly amongst its current definitions.  I've checked
>for defined exclusions, and haven't found any.
>David Gillett

David,

Where I work, we have in the last 2 weeks switched to Norton Corporate
Edition 7.6. Intrigued (and concerned) by the mystery you described, I
mentioned the scenario to the member of staff (Russell Bastock) who is
"overseeing" the roll out of Norton CE. This is his explanation of the mystery:

QUOTE:
It is early days for my (complete) knowledge on NAV CE but here's some
ideas. Klez is notorious for forging addresses. It will grab senders from
anywhere so if the infected user ever had a bounce reply from their mail
server that can be used as the sender. With Klez the person listed as
sender rarely is the sender.

As for NAV CE not picking up the virus:

The latest retail version of NAV prescans attachments *before* they are
passed on to the POP email client (eg Outlook). This POP prescan function
is not included in NAV CE. However, NAV CE will prescan groupware email
such as Exchange based Outlook (not POP outlook) and Notes in a similar
manner. If the person concerned does not use Notes or Exchange, or hasn't
the prescan plug-ins for these installed, then no it will not prescan. It
will only scan the attachment when the user tries to launch it or otherwise
'act upon it' hence the process which occurred in the temp folder. That's
the theory as I understand it but I haven't tested it. The user could try
an EICAR virus to test the process ...
END QUOTE

Hopefully this explains the discrepancy in behaviour between Norton CE and
Norton Retail.

Regards,
Rosalind W.
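
The EICAR check suggested in the quoted explanation, sketched as an added example (not part of the original post and not Symantec tooling): it builds a mail carrying the harmless EICAR test file for a test POP mailbox, and separately probes whether saving that file to disk triggers the real-time scanner. The addresses, file name and function names are assumptions made for illustration.

```python
import contextlib
import os
import tempfile
import time
from email import message_from_bytes, policy
from email.message import EmailMessage

# Standard 68-byte EICAR test string (harmless), split so this file is not flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def build_test_message(sender, recipient, payload=EICAR):
    """Build a mail carrying the test file, for delivery to a test POP mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "AV prescan test (EICAR)"
    msg.set_content("Attachment is the EICAR anti-virus test file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg

def attachment_bytes(raw):
    """Decode the first attachment of a raw message, as a mail client would."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return None

def on_access_probe(directory, payload=EICAR, wait=2.0):
    """Save the payload, wait, read it back; 'blocked' if removed, locked or altered."""
    path = os.path.join(directory, "eicar.com")
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
        time.sleep(wait)  # give a real-time scanner time to react
        with open(path, "rb") as fh:
            return "readable" if fh.read() == payload else "blocked"
    except OSError:  # access denied, or the file was quarantined
        return "blocked"
    finally:
        with contextlib.suppress(OSError):
            os.remove(path)

if __name__ == "__main__":
    raw = build_test_message("tester@example.com", "mailbox@example.com").as_bytes()
    print("attachment round-trips:", attachment_bytes(raw) == EICAR)
    with tempfile.TemporaryDirectory() as d:
        print("on-access scan:", on_access_probe(d))
```

If the message reaches the inbox of a POP client untouched but the probe reports `blocked`, the machine is relying on on-access scanning alone, which matches the behaviour described for NAV CE above.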
