One of my coworkers recently got several messages, claiming to be
bounce messages from our local postmaster@ account, reporting that
some message she had sent was not deliverable. Since she does not
remember recently sending anything to these people, the obvious
reaction is to try to open "the attached message" to see what this is
about.
Unfortunately, the attachment is really a copy of the Klez.H virus.
Fortunately, this particular co-worker uses a Mac, and so the virus
cannot run. (This particular distribution method, as a forged bounce
message, does not appear to be a documented behaviour of the virus;
someone may have modified it, or be hand-crafting these messages as
attacks.)
Now here's where it gets interesting. I forward the message,
including attachment, to my work machine, protected by Norton AV
Corporate v 7.5, with all the latest definitions, and to my home PC,
running Norton AV 8.07.17C, as included with Norton SystemWorks 2002.
At home, Norton AV detects the inbound email's infected attachment
just fine.
At work, though, not a peep. I save the attachment to a folder,
and tell NAV to scan the folder. Nada, zip, zilch.
Now here's where it gets really interesting: From my work PC, I go
to Trend Micro's web site and run their free Java-based virus scan of
the folder containing the saved attachment. Trend finds it just fine
-- and Norton AV pops up to report that it has just found an infected
copy of the file, in the TEMP folder!
Somehow, the Norton Corporate cannot usually spot the virus, even
though it is clearly amongst its current definitions. I've checked
for defined exclusions, and haven't found any.
David Gillett