From: Aragorn29 on 7 Nov 2006 17:16

We have an Exchange 2k3 box running Antigen 9.0 that is finding this:

Microsoft Antigen for Exchange found a file infected with a virus. The file is currently Removed.
File name: "CODE_.gif"
Virus name: "Exceeded Internet Timeout"

I cannot seem to find anything on the net about this virus. I am starting to notice a large amount of internet mail SMTP Connectors with postmaster(a)mydomain.com in our exchange queues and since we do not have an account with that name I am assuming something is spoofing that name.

We have Symantec 10. as the AV. I have scanned all 3 servers we have with Symantec, Microtrend's System Cleaner, SpyBot, and the "free" version of Ad-Aware from Lavasoft and all are clean. I also used Process Explorer to see if we had any rogue processes. We even went so far as to turn off all the workstations over a weekend period to see if there was something we missed when scanning them. We still found the same amount of notifications in Antigen and in the exchange queue.

Does anyone have any experience with this supposed virus?

From: David H. Lipman on 7 Nov 2006 17:36

From: "Aragorn29" <Aragorn29(a)discussions.microsoft.com>

| We have an Exchange 2k3 box running Antigen 9.0 that is finding this:
| Microsoft Antigen for Exchange found a file infected with a virus. The file
| is currently Removed.
| File name: "CODE_.gif"
| Virus name: "Exceeded Internet Timeout"
|
| I cannot seem to find anything on the net about this virus. I am starting
| to notice a large amount of internet mail SMTP Connectors with
| postmaster(a)mydomain.com in our exchange queues and since we do not have an
| account with that name I am assuming something is spoofing that name.
|
| We have Symantec 10. as the AV. I have scanned all 3 servers we have with
| Symantec, Microtrend's System Cleaner, SpyBot, and the "free" version of
| Ad-Aware from Lavasoft and all are clean. I also used Process Explorer to
| see if we had any rogue processes. We even went so far as to turn off all the
| workstations over a weekend period to see if there was something we missed
| when scanning them. We still found the same amount of notifications in
| Antigen and in the exchange queue.
|
| Does anyone have any experience with this supposed virus?

Where does ANYTHING say that this GIF file was a virus?

You stated "Antigen for Exchange found a file infected with a virus". Ok, please provide an extract of the AntiGen log file indicating what was found.

Was this GIF file completely deleted?

If not...

Please submit a sample to Virus Total -- http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan(a)virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

From: Aragorn29 on 7 Nov 2006 18:15

"David H. Lipman" wrote:

> From: "Aragorn29" <Aragorn29(a)discussions.microsoft.com>
>
> | We have an Exchange 2k3 box running Antigen 9.0 that is finding this:
> | Microsoft Antigen for Exchange found a file infected with a virus. The file
> | is currently Removed.
> | File name: "CODE_.gif"
> | Virus name: "Exceeded Internet Timeout"
> |
> | I cannot seem to find anything on the net about this virus. I am starting
> | to notice a large amount of internet mail SMTP Connectors with
> | postmaster(a)mydomain.com in our exchange queues and since we do not have an
> | account with that name I am assuming something is spoofing that name.
> |
> | We have Symantec 10. as the AV. I have scanned all 3 servers we have with
> | Symantec, Microtrend's System Cleaner, SpyBot, and the "free" version of
> | Ad-Aware from Lavasoft and all are clean. I also used Process Explorer to
> | see if we had any rogue processes. We even went so far as to turn off all the
> | workstations over a weekend period to see if there was something we missed
> | when scanning them. We still found the same amount of notifications in
> | Antigen and in the exchange queue.
> |
> | Does anyone have any experience with this supposed virus?
>
> Where does ANYTHING say that this GIF file was a virus?
>
> You stated "Antigen for Exchange found a file infected with a virus". Ok, please provide
> an extract of the AntiGen log file indicating what was found.
>
> Was this GIF file completely deleted?
>
> If not...
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan(a)virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

I just copied the notification directly from Antigen on the above post, they were using the virus verbiage. Here is the latest one from the log files.

Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
Folder: SMTP Messages\Outbound
Message: Delivery Status Notification (Failure)
File: helpful_.gif
Incident: Exceeded Internet Timeout
State: Removed"

From: David H. Lipman on 7 Nov 2006 18:28

From: "Aragorn29" <Aragorn29(a)discussions.microsoft.com>

| I just copied the notification directly from Antigen on the above post,
| they were using the virus verbiage. Here is the latest one from the log
| files.
|
| Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
| Folder: SMTP Messages\Outbound
| Message: Delivery Status Notification (Failure)
| File: helpful_.gif
| Incident: Exceeded Internet Timeout
| State: Removed"

Pretty lousy log!

All that can be gleaned from this is an outbound message with attached file "helpful_.gif" exceeded a timeout and was ultimately removed.

It says "Internet scan found virus:".
What virus?
What is the name of this virus and which AV software detected this?

All you can do is find out who the sender is and find the file "helpful_.gif" and then submit it to Virus Total as prescribed earlier in this thread.

In your original post, you described the file name: "CODE_.gif" not "helpful_.gif". Were there TWO or more incidents?

You mention "We have Symantec 10. as the AV". Is that on the client PC or are you running a Symantec AV version for MS Exchange Server?
If you are NOT, I suggest junking AntiGen for Symantec AV for MS Exchange Server or McAfee Anti Virus for Exchange Server.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

From: Aragorn29 on 7 Nov 2006 19:13

"David H. Lipman" wrote:

> From: "Aragorn29" <Aragorn29(a)discussions.microsoft.com>
>
> | I just copied the notification directly from Antigen on the above post,
> | they were using the virus verbiage. Here is the latest one from the log
> | files.
> |
> | Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
> | Folder: SMTP Messages\Outbound
> | Message: Delivery Status Notification (Failure)
> | File: helpful_.gif
> | Incident: Exceeded Internet Timeout
> | State: Removed"
>
> Pretty lousy log!
>
> All that can be gleaned from this is an outbound message with attached file "helpful_.gif"
> exceeded a timeout and was ultimately removed.
>
> It says "Internet scan found virus:".
> What virus?
> What is the name of this virus and which AV software detected this?
>
> All you can do is find out who the sender is and find the file "helpful_.gif" and then
> submit it to Virus Total as prescribed earlier in this thread.
>
> In your original post, you described the file name: "CODE_.gif" not "helpful_.gif". Were there
> TWO or more incidents?
>
> You mention "We have Symantec 10. as the AV". Is that on the client PC or are you running a
> Symantec AV version for MS Exchange Server?
> If you are NOT, I suggest junking AntiGen for Symantec AV for MS Exchange Server or McAfee
> Anti Virus for Exchange Server.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Yeah, I am not impressed with Antigen logs either. My problem on the sender is the notification I get from Antigen is the sender is postmaster(a)mydomain.com. Here is the exact notification I receive:

Microsoft Antigen for Exchange found a file infected with a virus. The file is currently Removed.
File name: "helpful_.gif"
Virus name: "Exceeded Internet Timeout"
Message subject: "Delivery Status Notification _Failure_"
Sent from: "postmaster(a)mydomain.com"
Folder: "SMTP Messages\Outbound"

I don't have a postmaster account in our environment and all the notifications refer to that account as sender.

As far as file names and more than one incident, yes, it keeps changing names of the gif file. I also am receiving notification of the file being : body of message : instead of a gif file on some notifications.

On the AV question: unfortunately I inherited this office recently and they are not using the Symantec for Exchange version. I believe my predecessor thought that Antigen would be enough for the exchange scan. They have the same version of Symantec on the workstations as they do the server. Not sure I can talk them into upgrading at this time.....
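
Added example, not part of the thread and not written by either poster: a Python parser for incident entries in the layout quoted above, separating entries whose Incident field is a scan condition from entries that name a detection, and counting which folder and message subject the scan conditions occur on. The sample log is constructed around the one quoted entry; treating "Exceeded Internet Timeout" as a scan condition follows the reading given in the thread and is an assumption, and `SCAN_CONDITIONS`, `parse` and `triage` are hypothetical names.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. Record 1 is the entry quoted in the thread; record 2 reuses
# the thread's other file name with an invented timestamp; record 3 is invented.
SAMPLE_LOG = r'''Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
Folder: SMTP Messages\Outbound
Message: Delivery Status Notification (Failure)
File: helpful_.gif
Incident: Exceeded Internet Timeout
State: Removed"
Tue Nov 07 17:02:10 2006 (2596-7028), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Outbound Message: Delivery Status Notification (Failure) File: CODE_.gif Incident: Exceeded Internet Timeout State: Removed"
Tue Nov 07 17:05:41 2006 (2596-7100), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Inbound Message: Invoice File: doc.zip Incident: EXAMPLE.Constructed.Name State: Removed"
'''

# Field labels in the order the quoted entry shows them. \s+ accepts both the
# multi-line and the flattened form; [^"] keeps a match inside one quoted record.
ENTRY = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+-\d+\), '
    r'"(?P<level>[A-Z]+): [^:]+:\s*Folder: (?P<folder>[^"]*?)\s+Message: (?P<message>[^"]*?)'
    r'\s+File: (?P<file>[^"]*?)\s+Incident: (?P<incident>[^"]*?)\s+State: (?P<state>[^"]*)"',
    re.MULTILINE)

# Assumption, following the reading given in the thread: this incident string
# reports a scan timeout, not a detection by name.
SCAN_CONDITIONS = {"Exceeded Internet Timeout"}

def parse(log_text):
    """Return one dict per log record, with the timestamp parsed."""
    records = []
    for m in ENTRY.finditer(log_text):
        rec = {k: v.strip() for k, v in m.groupdict().items()}
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records

def triage(records):
    """Split scan conditions from named detections and count where they occur."""
    conditions = [r for r in records if r["incident"] in SCAN_CONDITIONS]
    named = [r for r in records if r["incident"] not in SCAN_CONDITIONS]
    where = Counter((r["folder"], r["message"]) for r in conditions)
    return {"conditions": conditions, "named": named, "where": where}

if __name__ == "__main__":
    result = triage(parse(SAMPLE_LOG))
    for (folder, message), n in result["where"].most_common():
        print(f"{n} scan-condition incident(s): {folder} / {message}")
```
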