Anti-Spyware Forums



Exceeded Internet Timeout Virus?

 
 
Aragorn29
Guest
Posts: n/a

 
      07-11-2006, 10:16 PM
We have an Exchange 2k3 box running Antigen 9.0 that is finding this :
Microsoft Antigen for Exchange found a file infected with a virus. The file
is currently Removed.
File name: "CODE_.gif"
Virus name: "Exceeded Internet Timeout"

I can not seem to find anything on the net about this virus. I am starting
to notice a large amount of internet mail SMTP Connectors with
(E-Mail Removed) in our exchange queues and since we do not have an
account with that name I am assuming something is spoofing that name.

We have Symantec 10. as the AV. I have scanned all 3 servers we have with
Symantec, Microtrend's System Cleaner, SpyBot , and the "free" version of
Ad-Aware from Lavasoft and all are clean. I also used Process Explorer to
see if we had any rogue processes. We even went so far as to turn off all the
workstations over a weekend period to see if there was something we missed
when scanning them. We still found the same amount of notifications in
Antigen and in the exchange queue.

Does anyone have any experience with this supposed virus ?

 
 
 
 
 
David H. Lipman
Guest
Posts: n/a

 
      07-11-2006, 10:36 PM
From: "Aragorn29" <(E-Mail Removed)>

| We have an Exchange 2k3 box running Antigen 9.0 that is finding this :
| Microsoft Antigen for Exchange found a file infected with a virus. The file
| is currently Removed.
| File name: "CODE_.gif"
| Virus name: "Exceeded Internet Timeout"
|
| I can not seem to find anything on the net about this virus. I am starting
| to notice a large amount of internet mail SMTP Connectors with
| (E-Mail Removed) in our exchange queues and since we do not have an
| account with that name I am assuming something is spoofing that name.
|
| We have Symantec 10. as the AV. I have scanned all 3 servers we have with
| Symantec, Microtrend's System Cleaner, SpyBot , and the "free" version of
| Ad-Aware from Lavasoft and all are clean. I also used Process Explorer to
| see if we had any rogue processes. We even went so far as to turn off all the
| workstations over a weekend period to see if there was something we missed
| when scanning them. We still found the same amount of notifications in
| Antigen and in the exchange queue.
|
| Does anyone have any experience with this supposed virus ?

Where does ANYTHING say that this GIF file was a virus ?

You stated "Antigen for Exchange found a file infected with a virus". Ok, please provide
an extract of the AntiGen log file indicating what was found.

Was this GIF file completely deleted ?

If not...


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
(E-Mail Removed)?subject=SCAN

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
 
 
 
Aragorn29
Guest
Posts: n/a

 
      07-11-2006, 11:15 PM


"David H. Lipman" wrote:

> From: "Aragorn29" <(E-Mail Removed)>
>
> | We have an Exchange 2k3 box running Antigen 9.0 that is finding this :
> | Microsoft Antigen for Exchange found a file infected with a virus. The file
> | is currently Removed.
> | File name: "CODE_.gif"
> | Virus name: "Exceeded Internet Timeout"
> |
> | I can not seem to find anything on the net about this virus. I am starting
> | to notice a large amount of internet mail SMTP Connectors with
> | (E-Mail Removed) in our exchange queues and since we do not have an
> | account with that name I am assuming something is spoofing that name.
> |
> | We have Symantec 10. as the AV. I have scanned all 3 servers we have with
> | Symantec, Microtrend's System Cleaner, SpyBot , and the "free" version of
> | Ad-Aware from Lavasoft and all are clean. I also used Process Explorer to
> | see if we had any rogue processes. We even went so far as to turn off all the
> | workstations over a weekend period to see if there was something we missed
> | when scanning them. We still found the same amount of notifications in
> | Antigen and in the exchange queue.
> |
> | Does anyone have any experience with this supposed virus ?
>
> Where does ANYTHING say that this GIF file was a virus ?
>
> You stated "Antigen for Exchange found a file infected with a virus". Ok, please provide
> an extract of the AntiGen log file indicating what was found.
>
> Was this GIF file completely deleted ?
>
> If not...
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> (E-Mail Removed)?subject=SCAN
>
> When you get the report, please post back the exact results.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

I just copied the notification directly from Antigen on the above post,
they were using the virus verbiage. Here is the latest one from the log
files.

Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
Folder: SMTP Messages\Outbound
Message: Delivery Status Notification (Failure)
File: helpful_.gif
Incident: Exceeded Internet Timeout
State: Removed"
 
 
David H. Lipman
Guest
Posts: n/a

 
      07-11-2006, 11:28 PM
From: "Aragorn29" <(E-Mail Removed)>


| I just copied the notification directly from Antigen on the above post,
| they were using the virus verbiage. Here is the latest one from the log
| files.
|
| Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
| Folder: SMTP Messages\Outbound
| Message: Delivery Status Notification (Failure)
| File: helpful_.gif
| Incident: Exceeded Internet Timeout
| State: Removed"

Pretty lousy log !

All that can be gleaned from this is an outbound message with attached file; "helpful_.gif"
exceeded a timeout and was ultimately removed.

It says "Internet scan found virus:".
What virus ?
What is the name of this virus and which AV software detected this ?

All you can do is find out who the sender is and find the file "helpful_.gif" and then
submit it to Virus Total as prescribed earlier in this thread.

In your original post, you described the file name: "CODE_.gif" not "helpful_.gif". Were there
TWO or more incidents ?

You mention "We have Symantec 10. as the AV". Is that on the client PC or are you running a
Symantec AV version for MS Exchange Server ?
If you are NOT, I suggest junking AntiGen for Symantec AV for MS Exchange Server or McAfee
Anti Virus for Exchange Server.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
Aragorn29
Guest
Posts: n/a

 
      08-11-2006, 12:13 AM


"David H. Lipman" wrote:

> From: "Aragorn29" <(E-Mail Removed)>
>
>
> | I just copied the notification directly from Antigen on the above post,
> | they were using the virus verbiage. Here is the latest one from the log
> | files.
> |
> | Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
> | Folder: SMTP Messages\Outbound
> | Message: Delivery Status Notification (Failure)
> | File: helpful_.gif
> | Incident: Exceeded Internet Timeout
> | State: Removed"
>
> Pretty lousy log !
>
> All that can be gleaned from this is an outbound message with attached file; "helpful_.gif"
> exceeded a timeout and was ultimately removed.
>
> It says "Internet scan found virus:".
> What virus ?
> What is the name of this virus and which AV software detected this ?
>
> All you can do is find out who the sender is and find the file "helpful_.gif" and then
> submit it to Virus Total as prescribed earlier in this thread.
>
> In your original post, you described the file name: "CODE_.gif" not "helpful_.gif". Were there
> TWO or more incidents ?
>
> You mention "We have Symantec 10. as the AV". Is that on the client PC or are you running a
> Symantec AV version for MS Exchange Server ?
> If you are NOT, I suggest junking AntiGen for Symantec AV for MS Exchange Server or McAfee
> Anti Virus for Exchange Server.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Yeah, I am not impressed with Antigen logs either. My problem on the
sender is the notification I get from Antigen is the sender is
(E-Mail Removed). Here is the exact notification I receive:
Microsoft Antigen for Exchange found a file infected with a virus. The file
is currently Removed.
File name: "helpful_.gif"
Virus name: "Exceeded Internet Timeout"
Message subject: "Delivery Status Notification _Failure_"
Sent from: "(E-Mail Removed)"
Folder: "SMTP Messages\Outbound"

I don't have a postmaster account in our environment and all the
notifications refer to that account as sender.

As far as file names and more than one incident, yes, it keeps changing
names of the gif file, I also am receiving notification of the file being :
body of message : instead of a gif file on some notifications.

On the AV question. Unfortunately I inherited this office recently and they
are not using the Symantec for Exchange version, I believe my predecessor
thought that Antigen would be enough for the exchange scan. They have the
same version of Symantec on the workstations as they do the server. Not sure
I can talk them into upgrading at this time.....

 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      09-11-2006, 02:26 PM
In news:(E-Mail Removed),
Aragorn29 <(E-Mail Removed)> typed:
> "David H. Lipman" wrote:
>
>> From: "Aragorn29" <(E-Mail Removed)>
>>
>>
>>> I just copied the notification directly from Antigen on the above
>>> post,
>>> they were using the virus verbiage. Here is the latest one from the
>>> log files.
>>>
>>> Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan
>>> found virus: Folder: SMTP Messages\Outbound
>>> Message: Delivery Status Notification (Failure)
>>> File: helpful_.gif
>>> Incident: Exceeded Internet Timeout
>>> State: Removed"

>>
>> Pretty lousy log !
>>
>> All that can be gleaned from this is an outbound message with
>> attached file; "helpful_.gif" exceeded a timeout and was ultimately
>> removed.
>>
>> It says "Internet scan found virus:".
>> What virus ?
>> What is the name of this virus and which AV software detected this ?
>>
>> All you can do is find out who the sender is and find the file
>> "helpful_.gif" and then submit it to Virus Total as prescribed
>> earlier in this thread.
>>
>> In your original post, you described the file name: "CODE_.gif" not
>> "helpful_.gif". Were there TWO or more incidents ?
>>
>> You mention "We have Symantec 10. as the AV". Is that on the client
>> PC or are you running a Symantec AV version for MS Exchange Server ?
>> If you are NOT, I suggest junking AntiGen for Symantec AV for MS
>> Exchange Server or McAfee Anti Virus for Exchange Server.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> http://www.ik-cs.com/got-a-virus.htm
>>
>>
>>

> Yeah, I am not impressed with Antigen logs either. My problem on
> the sender is the notification I get from Antigen is the sender is
> (E-Mail Removed). Here is the exact notification I receive:
> Microsoft Antigen for Exchange found a file infected with a virus.
> The file is currently Removed.
> File name: "helpful_.gif"
> Virus name: "Exceeded Internet Timeout"
> Message subject: "Delivery Status Notification _Failure_"
> Sent from: "(E-Mail Removed)"
> Folder: "SMTP Messages\Outbound"
>
> I don't have a postmaster account in our environment and all the
> notifications refer to that account as sender.
>
> As far as file names and more than one incident, yes, it keeps
> changing names of the gif file, I also am receiving notification of
> the file being : body of message : instead of a gif file on some
> notifications.
>
> On the AV question. Unfortunately I inherited this office recently and
> they are not using the Symantec for Exchange version, I believe my
> predecessor thought that Antigen would be enough for the exchange
> scan. They have the same version of Symantec on the workstations as
> they do the server. Not sure I can talk them into upgrading at this
> time.....



Note that I don't know many Exchange folks who would recommend Symantec
*anything* over Antigen - or TrendMicro's ScanMail (which is what I tend to
use).

Regarding Postmaster - check the properties of the built-in administrator
account & see whether postmaster@ is not defined therein.

I suggest you try posting in m.p.exchange.admin - to cast a wider net here.
A lot of people in there use Antigen.




 
 
David H. Lipman
Guest
Posts: n/a

 
      09-11-2006, 07:52 PM
From: "Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com>


|
| Note that I don't know many Exchange folks who would recommend Symantec
| *anything* over Antigen - or TrendMicro's ScanMail (which is what I tend to
| use).
|
| Regarding Postmaster - check the properties of the built-in administrator
| account & see whether postmaster@ is not defined therein.
|
| I suggest you try posting in m.p.exchange.admin - to cast a wider net here.
| A lot of people in there use Antigen.
|

You'd be surprised at how many US Gov't. Exchange Servers (civilian and Military) use
Symantec.

In fact, the US DoD has a "wide license" providing all Symantec AV products to all the
services (including the Coast Guard).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      10-11-2006, 02:01 PM
In news:(E-Mail Removed),
David H. Lipman <DLipman~nospam~@Verizon.Net> typed:
> From: "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) ahoo.com>
>
>
>>
>> Note that I don't know many Exchange folks who would recommend
>> Symantec *anything* over Antigen - or TrendMicro's ScanMail (which
>> is what I tend to use).
>>
>> Regarding Postmaster - check the properties of the built-in
>> administrator account & see whether postmaster@ is not defined
>> therein.
>>
>> I suggest you try posting in m.p.exchange.admin - to cast a wider
>> net here. A lot of people in there use Antigen.
>>

>
> You'd be surprised at how many US Gov't. Exchange Servers (civilian
> and Military) use Symantec.
>
> In fact, the US DoD has a "wide license" providing all Symantec AV
> products to all the services (including the Coast Guard).


I'm sure they have a very nice relationship with Symantec - although for the
time being I'm not sure the fact that the DoD uses something is all that
much to be proud of!

I still don't know a lot of Exchange experts who like it.



 
 
dnelson830038
Guest
Posts: n/a

 
      11-12-2009, 05:33 PM

Ummm.... Excellent point. The government using SAV does not say much...
in fact... you may as well state that my mom's bakery store uses it. The
fact is, with anti-virus you can never put all of your eggs in one
basket. There are viruses that will get past every scan engine out
there. Antigen is definitely your best bet with Exchange though. Take
that from a 15 year vet who still works for MS, Dave.

And what does this have to do with fixing the problem DAVE! Stop
arguing on this site. Go find a chat room to argue in.

Microsoft has decided to retire a few scan engines that Forefront and
Antigen use causing message scan timeouts. This results in the message
automatically being quarantined. Configure the timeout value for your
scan engines by extending it.


--
dnelson830038
------------------------------------------------------------------------
dnelson830038's Profile: http://forums.techarena.in/members/163026.htm
View this thread: http://forums.techarena.in/security-virus/621403.htm

http://forums.techarena.in
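
To see how many of these notifications are scan time-outs rather than named detections, the Antigen log entries can be grouped by their Incident field. This is an added example, not part of the original thread or any Microsoft tooling; the sample entries are constructed in the layout of the entry quoted earlier in the thread, and the `Constructed.Test.Detection` name, the `SMTP Messages\Inbound` folder and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the entry quoted in the thread; the
# last entry's folder and incident name are made up to stand in for a detection.
SAMPLE_LOG = r'''Tue Nov 07 16:57:55 2006 (2596-7028), "INFORMATION: Internet scan found virus:
Folder: SMTP Messages\Outbound
Message: Delivery Status Notification (Failure)
File: helpful_.gif
Incident: Exceeded Internet Timeout
State: Removed"
Tue Nov 07 17:02:10 2006 (2596-7044), "INFORMATION: Internet scan found virus:
Folder: SMTP Messages\Outbound
Message: Delivery Status Notification (Failure)
File: CODE_.gif
Incident: Exceeded Internet Timeout
State: Removed"
Tue Nov 07 17:05:31 2006 (2596-7050), "INFORMATION: Internet scan found virus:
Folder: SMTP Messages\Inbound
Message: Invoice
File: invoice.zip
Incident: Constructed.Test.Detection
State: Removed"
'''

HEADER = re.compile(r'^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(([\d-]+)\), "(\w+): (.*)$')
# Incident strings that report scanner status, not a malware name (from the thread).
SCAN_STATUS = {"Exceeded Internet Timeout"}

def parse_entries(text):
    """Split the log into one dict per entry: header fields plus Key: Value lines."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
                   "level": m.group(3), "summary": m.group(4).rstrip(":")}
            entries.append(cur)
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            cur[key.strip()] = value.rstrip('"').strip()
    return entries

def triage(entries):
    """Separate scan time-outs from named detections and count each group."""
    timeouts = [e for e in entries if e.get("Incident") in SCAN_STATUS]
    named = [e for e in entries if e.get("Incident") and e["Incident"] not in SCAN_STATUS]
    return {"timeouts": len(timeouts),
            "timeout_sources": Counter((e.get("Folder"), e.get("Message")) for e in timeouts),
            "named": [(e.get("File"), e["Incident"]) for e in named]}

if __name__ == "__main__":
    print(triage(parse_entries(SAMPLE_LOG)))
```
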

 
 
VanguardLH
Guest
Posts: n/a

 
      11-12-2009, 09:52 PM
dnelson830038 wrote:

<snip>
> And what does this have to do with fixing the problem DAVE! Stop
> arguing on this site. Go find a chat room to argue in.

<snip>

You thought Aragorn29, David, and Lanwench were still monitoring this
thread that is _*/over 3 years old/*_ ?

Next time when you go hunting for posts that match your search criteria,
remember to *look at the datestamps* before replying.

> http://forums.techarena.in


A leech site pretending to have forums by using a webnews-for-boobs
interface to spew improperly formatted posts through a gateway to Usenet.
 