Outlook 2002 (XP)

Robert

Hello:
I have a client who claims that his Outlook opens all attachments just by
looking at the message. His antivirus has stopped Mydoom about 10 times. I
told him not to open any attachments but he said he's not opening them,
Outlook does it by default.
I do not have Outlook on my computer so I can't figure out why. Anybody know
a way to disable this behavior? Or maybe he is really opening them?
Thanks
 
Robert said:
Hello:
I have a client who claims that his Outlook opens all attachments just by
looking at the message. His antivirus has stopped Mydoom about 10 times. I
told him not to open any attachments but he said he's not opening them,
Outlook does it by default.
I do not have Outlook on my computer so I can't figure out why. Anybody know
a way to disable this behavior? Or maybe he is really opening them?
Thanks

I think he is confusing detection with intervention. His AV
is probably detecting the worm way before it has become
a threat, this is to say it is alerting to a possible exposure
and not an actual "it tried to run" scenario.

....like many software firewalls also do, his AV is giving
him a false sense of insecurity. :o)
 
You have a good point, but he's not the only one who uses Outlook XP;
several others do, they are not opening attachments and the antivirus is not
detecting them because they are not 'run'.
 
Robert said:
Hello:
I have a client who claims that his Outlook opens all attachments just by
looking at the message.

Opening what? Read the content? No harm done.

His antivirus has stopped Mydoom about 10 times.

How? What do you mean? Stopped it executing or just found some code and rang the
alarm bells?

I told him not to open any attachments but he said he's not opening them,
Outlook does it by default.

??? If so, then he/she hasn't updated the OS.

I do not have Outlook on my computer so I can't figure out why.

Hmm, what is the worth of your advice then?

a way to disable this behavior? Or maybe he is really opening them?

I think you need some more education yourself.
 
SFB said:
Opening what? Read the content? No harm done.

Outlook executes the attachment by just reading the content.

How? What do you mean? Stopped it executing or just found some code and rang the
alarm bells?

According to Norton the attachments were executed and stopped Mydoom; he said
he didn't execute them.

??? If so, then he/she hasn't updated the OS.

What has updating the OS to do with this? In this case it will be an update
on Outlook.

Hmm, what is the worth of your advice then?

Not much, since I don't know Outlook 2002 and I can't tell why it is opening
attachments by just reading the content.

I think you need some more education yourself.

No question about it, I am just an average Joe, that's why I am looking for
help from somebody who knows, and obviously that is not you.
 
Robert said:
You have a good point, but he's not the only one who uses Outlook XP;
several others do, they are not opening attachments and the antivirus is not
detecting them because they are not 'run'.

MyDoom has vectors other than e-mail IIRC. The fact is
that the newest variant doesn't even use e-mail as one of them.
Maybe the detections are from another vector not related
to Outlook XP.

Sorry that it was not as simple as my first suggestion.
 
Robert said:
Outlook executes the attachment by just reading the content.

That version shouldn't be vulnerable to the autoexecution exploit
(Incorrect MIME type) used by many past worms.

According to Norton the attachments were executed and stopped Mydoom; he said
he didn't execute them.

Where did Norton say the "attachment" file was located?

I haven't heard as yet about any MyDoom variant using the
autoexecuting exploit from within an e-mail, besides, that
version should not have that vulnerability (perhaps another,
but not *that* one).

[snip]
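
A defender-side check for the "incorrect MIME type" mismatch mentioned in the post above, as an added example that is not part of the thread: it walks a message's MIME parts and flags any part whose file name is executable, separating those declared as a passive media type from plainly declared executables. The function name, the extension list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Assumed, non-exhaustive list of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Declared types a mail client would normally render or play, not run.
PASSIVE_MAJOR_TYPES = {"audio", "image", "video", "text"}

# Constructed sample message (payloads are placeholder bytes, not malware).
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

hello
--BOUND
Content-Type: audio/x-wav; name="document.scr"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="body.txt.pif"

AAAA
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

plain text
--BOUND--
"""

def audit_attachments(raw_message):
    """Return (filename, declared_type, finding) for each risky MIME part."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()  # falls back to the Content-Type name= param
        if not name or "." not in name:
            continue
        ext = "." + name.rsplit(".", 1)[1].lower()  # last extension decides
        if ext not in EXECUTABLE_EXTS:
            continue
        declared = part.get_content_type()
        passive = declared.split("/")[0] in PASSIVE_MAJOR_TYPES
        findings.append((name, declared,
                         "mime-mismatch" if passive else "executable-attachment"))
    return findings
```
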
 
FromTheRafters said:
Outlook executes the attachment by just reading the content.

That version shouldn't be vulnerable to the autoexecution exploit
(Incorrect MIME type) used by many past worms.

According to Norton the attachments were executed and stopped Mydoom; he said
he didn't execute them.

Where did Norton say the "attachment" file was located?

I haven't heard as yet about any MyDoom variant using the
autoexecuting exploit from within an e-mail, besides, that
version should not have that vulnerability (perhaps another,
but not *that* one).

[snip]

This is part of the report NAV gave us, there are about 10 of these files:

Filename      Virus Name       Virus Type  Action Taken  Original Location  Status    Current Location
document.scr  W32.Mydoom.A@mm  File        Quarantined   Mail System        Infected  Quarantine
data.zip      W32.Mydoom.A@mm  File        Quarantined   Mail System        Infected  Quarantine
 
Robert said:
This is part of the report NAV gave us, there are about 10 of these files:

Filename      Virus Name       Virus Type  Action Taken  Original Location  Status    Current Location
document.scr  W32.Mydoom.A@mm  File        Quarantined   Mail System        Infected  Quarantine

It is possible that this had attempted to run, but I really
doubt it considering....

data.zip      W32.Mydoom.A@mm  File        Quarantined   Mail System        Infected  Quarantine

....that this one is still zipped - and in quarantine.

This still looks to me like the exposure scenario I mentioned.

If that is unacceptable, I'm sorry I couldn't help.
 
FromTheRafters said:
It is possible that this had attempted to run, but I really
doubt it considering....


...that this one is still zipped - and in quarantine.

This still looks to me like the exposure scenario I mentioned.

If that is unacceptable, I'm sorry I couldn't help.

Looking at the data.zip I think you are right. NAV scanned the incoming mail
and realized the .zip file was infected. My question is, why is nobody else
getting the same results?
I will keep an eye on all of them.
Thanks
 
Robert said:
Looking at the data.zip I think you are right. NAV scanned the incoming mail
and realized the .zip file was infected. My question is, why is nobody else
getting the same results?
I will keep an eye on all of them.
Thanks

Seems to me you are not infected. Run NAV in safe mode and remove the
sucker.
http://tinyurl.com/pfca
 
Robert said:
You have a good point, but he's not the only one who uses Outlook XP;
several others do, they are not opening attachments and the antivirus is not
detecting them because they are not 'run'.

Depends on the AV. Kaspersky AV, for example, was very aggressive in
identifying any malware I received by email. It literally blocked access
to my email box until I disabled the resident scanning and deleted the
offending file.
 