Solved

Possible virus??

Posted on 2004-11-05
Last Modified: 2012-08-13
A lot of people in our company have been receiving a suspicious email lately.  I haven't been able to find any information about this message at all, though.  The message has no from address, the subject is 'NOTICE: mail delivery status', the body is empty and there is an attachment called NAI_Alert.htm.  We have Norton 8.1, mostly Windows 98 machines, everyone uses Outlook 2000 and a Win NT 4 server.  Any ideas on what this is or how to stop the messages from coming?  The first reported time this message was received was about three weeks ago.  Since then more and more people have been receiving it.

Thank you.
Question by:Cuho
11 Comments
 
LVL 7

Assisted Solution

by:Focusyn
Focusyn earned 400 total points
ID: 12506630
NAI alert is a Network Associates AntiVirus Software alert.  A legitimate email of this type would indicate that a message contained a virus and that the virus was removed from the email.  The file NAI_Alert.htm should provide details as to which virus, and when and where it was detected.  If you want to see where the messages are coming from, open one of the emails on a non-critical machine protected with the latest antivirus updates etc, and go into the view options in Outlook.  Choose the "View Internet Header" option, which will display the header information for the email.  That should indicate the originating SMTP server from which the email arrived.  If there is no information in the header, then it likely came from somewhere within your organization.  Check to see if the server has a Network Associates antivirus product on it.  If you get no headers, you'll need to look in your Exchange server logs (try sort by date/time and match up with one of the received messages).  The server logs should again indicate from where and exactly when the message was delivered and to whom.  The difference in the Exchange logs is that if the mail originated from within your organization, it will be able to tell you that, as well as tell you the ip address and DNS info about the originating server even if the sender has masked the headers.

Important to note here, that many recent viruses use delivery status messages to actually spread the viruses as email worms.  They send alerts, undeliverable and failed status messages with attached files named alert.txt etc (file names used by popular email server antivirus products) and when or if you open that file, it is the actual virus payload.  That's why I suggest you open the message on a spare computer with the latest antivirus software.  If it's a legitimate email from somewhere, the htm file should contain info on the virus, and if it's not, then the htm file probably IS a virus, or malicious html code that redirects your computer to a direct download of the virus.  Rather than open the file, you may want to use save as, then "Open With" it with notepad.exe and look at the code to see whether there is an actual message in there or some kind of script or redirect.  That should give you some starting points to get you going.

As far as stopping them, you can create a server filter/rule that auto-deletes all messages containing attachments called NAI_Alert.htm before delivery to user mailboxes.
0
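The two checks described in the answer above (reading the Internet headers for the relay path, and inspecting the .htm attachment as text instead of opening it), as an added example that is not part of the original thread. The sample message, host names and addresses are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (not the message from the thread): no From header, the
# subject and attachment name from the question, and a made-up HTML body.
SAMPLE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.example.org; Fri, 5 Nov 2004 09:00:02 -0500
Received: from unknown (HELO sender.example.com) (198.51.100.7)
 by mx.example.net; Fri, 5 Nov 2004 09:00:00 -0500
Subject: NOTICE: mail delivery status
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: text/html; name="NAI_Alert.htm"
Content-Disposition: attachment; filename="NAI_Alert.htm"

<html><head><meta http-equiv="refresh" content="0;url=http://placeholder.invalid/">
</head><body><script>/* constructed */</script></body></html>
--b1--
"""

# Markup that makes an .htm attachment active rather than a plain notice.
ACTIVE = {
    "script": re.compile(rb"<\s*script\b", re.I),
    "meta-refresh": re.compile(rb"<\s*meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),
    "embedded-frame-or-object": re.compile(rb"<\s*(?:iframe|object|embed)\b", re.I),
}

def triage(raw):
    """Return sender, relay path (oldest hop first) and active markup per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the last one is the oldest.
    hops = [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:  # only parts that carry a file name
            data = part.get_payload(decode=True) or b""  # bytes, never rendered
            findings[name] = sorted(k for k, rx in ACTIVE.items() if rx.search(data))
    return {"from": str(msg.get("From", "")).strip(),
            "origin": hops[0] if hops else None,
            "hops": hops, "attachments": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the Received lines added by relays you control are trustworthy; anything below them is supplied by the sending side and can be forged, so treat the oldest hop as a lead to confirm against the server logs.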
 
LVL 6

Accepted Solution

by:knoxj81
knoxj81 earned 800 total points
ID: 12510460
Cuho,

That is not a legit attachment. Internal or External it's obviously a worm. Check out: http://www.gfi.com/mailsecurity/  if you'd like to prevent future issues with worms and viruses within your network. The idea Focusyn suggested above is okay to prevent that one specific attachment, however what about tomorrow's threats and next week's? Trying to prevent attacks one at a time manually isn't going to work in a large network environment. You need a program that will handle that for you, update for you, and even give you reports to show you status.

Good Luck,

Jorden

**Please advise if you have any questions or concerns.**
0
 
LVL 27

Assisted Solution

by:Asta Cu
Asta Cu earned 800 total points
ID: 12515432
I checked the McAfee site and did not see anything about this NAI_Alert.htm.  Could well be as noted above, spoofed email; and intrusion.
http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=1024x768&rurl=&rqs=
NAI_Alert.htm

For Office 2000, would highly recommend checking for updates and patches here to ensure you've got any protections available from MS .... http://www.officeupdate.com

We use McAfee, and can report such issues; suspect Norton has the same and may be worth a shot as well.
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12517003
No 'From' address and an HTML link?
My guess is that this file contains a link to a remote site to install some sort of trojan. If you have any Exchange like server; there are many tools for you within that server to eliminate or prevent such mailings from appearing.

Cyber
0
 

Author Comment

by:Cuho
ID: 12525096
Thanks everyone.  The messages have stopped, for now.  I didn't get a chance to look into the source code of the htm file.  Because we use Norton, I will assume it is a trojan of some sort.  I'll post more when I know more.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12533076
Listening further when more is needed.
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12535863
astaec, many viruses, especially worms generate random file names. This is important to prevent manual detection. People that just google the filename and/or check a vendor's website are better off going to multiple sites and scanning the file. Don't rely on a filename for detection.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12539584
Good point, knoxj81.  The variants and problems are ghastly and tough to isolate; they become more and more complex all the time and tougher to isolate and kill.   ":0) Asta
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12557001
exactly. =)
0
 

Author Comment

by:Cuho
ID: 12696489
OK, the message has stopped.  I spoke with my ISP and they do have McAfee but said these messages shouldn't get through to us.  I even looked at the source for the message and found nothing interesting at all.  I guess it was nothing.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12716495
Thank you.
0
