Re: Virus Help

From: Andy Gibson
Date: Thursday, March 4, 2004
Time: 12:28:00 pm

This is only a guess due to the fact that this variation of the virus is
only a day old, and anti-virus companies may not have fully tested its
capabilities, but any workstations in your office that have an ODBC link
to your optigold server may have been used as a gateway for the virus to
get that user information.

---
Andy Gibson
Digital Networks
agibson@digitalnetworks.ca
(613) 802-1585
----- Original Message -----
From: Matt Clark
To: 'Optigold ISP List'
Sent: Thursday, March 04, 2004 3:21 PM
Subject: RE: [Optigold ISP] Virus Help


Thanks for the info.



One employee was infected with MyDoom.F last week and compromised some
files on the server (via network drive). Could this have something to
do with it? We cleared the MyDoom off all computers at that time, but
maybe we were missing something.



I also checked to see if I had an old copy of the database files on my
computer (maybe as a backup). I do not, and I am the only one that
would have anything related to the customer data from Optigold.



Matt



-----Original Message-----
From: isp-list@optigold.com [mailto:isp-list@optigold.com] On Behalf
Of Andy Gibson
Sent: Thursday, March 04, 2004 1:17 PM
To: Optigold ISP List
Subject: Re: [Optigold ISP] Virus Help



Our ISP office had a similar breakout of this virus yesterday and we
were able to shut it down before it got out of control. The first thing
I thought when I got the virus was that the mail server was infected and
was sending this out to all of our customers, but it turns out it was an
employee's machine that was infected and sent out to everyone in the
office. We were able to narrow down the source by viewing the email
headers.



If the virus has somehow found its way to your optigold server then it
may be a database-aware virus and got a user listing from FileMaker or
SQL. Our OptiGold server was not compromised when this virus was
spreading but that's not to say it isn't possible.



OR, an employee, or ex-employee has a current listing of your users on
their computer that was compromised by the virus...



---
Andy Gibson
Digital Networks
agibson@digitalnetworks.ca
(613) 802-1585

----- Original Message -----

From: Matt Clark

To: 'Optigold ISP List'

Sent: Thursday, March 04, 2004 3:04 PM

Subject: RE: [Optigold ISP] Virus Help



Ok, but does this explain that the emails going out are using my
optigold database (login and over ride email) as the email address?
These are not being sent to addresses in anyone's local contact list.



Thanks!



Matt



-----Original Message-----
From: isp-list@optigold.com [mailto:isp-list@optigold.com] On Behalf
Of Andy Gibson
Sent: Thursday, March 04, 2004 1:04 PM
To: Optigold ISP List
Subject: Re: [Optigold ISP] Virus Help



Someone (possibly in your office) is infected with the Beagle.J worm
which replicates itself appearing as though it came from some
Administration department of your ISP. Everyone on the infected
person's address book would likely have gotten a similar email. Read
link below for more info:




http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html







---
Andy Gibson
Digital Networks
agibson@digitalnetworks.ca
(613) 802-1585

----- Original Message -----

From: Matt Clark

To: isp-list@optigold.com

Sent: Thursday, March 04, 2004 2:56 PM

Subject: [Optigold ISP] Virus Help



Team,



I have recently found out that all my accounts on Optigold have
been sent an email (I have listed it at the bottom). It appears that my
billing server has been infected with some sort of virus. Does anyone
else have any idea what virus would go to such great lengths to pretend
to come from my company? Attached on this email is a .txt file that has
the virus. The viruses are going to login/pass@rni.net and to
overrideemail@rni.net.



Any help is appreciated.





***************

Dear user, the management of Rni.net mailing system wants to let
you know that,



Our antivirus software has detected a large ammount of viruses
outgoing

from your email account, you may use our free anti-virus tool
to clean up your computer software.



Pay attention on attached file.



The Management,

The Rni.net team
http://www.rni.net







Matt Clark

RNi

480-344-3144

mattclark@rni.net <-- Please Update In Your Records



