[80094] in North American Network Operators' Group
[Fwd: Re: [Full-disclosure] Possible Virus activity]
daemon@ATHENA.MIT.EDU (Austin McKinley)
Sun Apr 24 10:57:59 2005
Date: Sun, 24 Apr 2005 10:57:27 -0400
From: Austin McKinley <aumckinl@cisco.com>
To: nanog@merit.edu
Subject: RE: [Full-disclosure] Possible Virus activity
Date: Sat, 23 Apr 2005 11:19:13 +0200
From: <Martin_Roesler@trendmicro-europe.com>
To: <benjamin@seattlefenix.net>, <jgrotegut@directpointe.com>
Cc: full-disclosure@lists.grok.org.uk
Hello everybody
First of all I have to apologize on behalf of Trend Micro.
I understand that you faced severe problems due to a significant
performance issue on PCs that have loaded the pattern file 2.594.00.
Manual Solution:
To fix this problem, please follow the solution #24263 (Office Scan) and
#24264 (PC-cillin Internet Security Suite)
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=24263
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=24264
Explanation:
On April 22, 2005, starting at 3:33 pm Pacific (10:33 GMT) Trend Micro
posted a pattern file (2.594.00) that had the potential to interact with
certain computing configurations and cause computer performance issues
for some users. This specific pattern file was only available during a
1 hour and 29 minute time window. Trend Micro removed the pattern file
from our Web sites and Active Update servers at 5:02 pm (1:02 GMT), and
immediately took steps to post a new pattern file. Subsequent pattern
file downloads do not cause these issues.
Right now the Trend Micro global support team is working to fully understand
the extent of the problem and provide additional solutions.
Trend Micro has extended support hours especially to help those
customers who had this special intersection of circumstances and were
affected by this issue. Trend Micro is continuing testing in order to
fully understand initial assessments and fix the issue, and endeavor to
provide additional information as it becomes available.
Martin Roesler
Director of Global Technical Support Operations
Trend Micro Deutschland GmbH
Lise-Meitner-Str. 4
85716 Unterschleissheim
E-Mail: Martin_Roesler@trendmicro-europe.com
__________________________________________________
http://www.trendmicro-europe.com
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Benjamin Krueger
Sent: Samstag, 23. April 2005 05:14
To: Jonathan Grotegut
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Possible Virus activity
* Jonathan Grotegut (jgrotegut@directpointe.com) [050422 19:30]:
> One of the things one of our techs has found is it is somehow related
> to Trend Office Scan, one of our techs killed all the services on one of
> the computers he could, he started them up one by one. Once he started
> Trend Officescan service the System process spiked. Possible update
> today on Trend that botched it?
>
> Jonathan Grotegut
http://kb.trendmicro.com/solutions/search/main/search/SolutionDetail.asp?SolutionID=24263&btnSearch=GO
"Windows XP Service Pack 2 machines with critical patches and OfficeScan
Corporate Edition (OSCE) starts to experience high CPU utilization after
updating to Pattern 594"
594 was released today, and then 596 was released immediately
afterwards. It looks like the machines having problems on my network are
running 594 and weren't able to successfully update to 596. Coincidence?
I think not.
Thanks Trend. You've ruined my Friday night. My girlfriend and I thank
you...
--
Benjamin Krueger
"Nakedness is sinful. If God wanted us to go naked, we would have been
born that way."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/