[Esa-l]097M.Tristate.Variant in a -.PPT leaked through

Karl Dunn Karl.Dunn at vmic.com
Wed May 23 11:42:51 PDT 2001


Our Norton scanner running on our internal Exchange server caught and
fixed a virus that John's scanner didn't trigger on.  (His scanner runs on
a SunOS 4.1.3_U1 SPARC IPX box before mail gets to the Exchange server).

- - - - -
Norton AntiVirus found the "O97M.Tristate.Variant" virus in the attachment
"SMTA Presentation.ppt".
The file was Repaired.

Sender of the infected attachment:  FrTurner at aol.com
Recipient of the infected attachment:  Jim Nunns\Inbox
Subject of the message:  Re: SMTA Presentation
- - - - -

John's filter's log:

- - - - -
Defanging active HTML content in "Re: SMTA Presentation" from FrTurner at aol.com to Jim.Nunns at vmic.com msgid=<7f.14be267c.283d558f at aol.com>
Sanitizing MIME attachment headers in "Re: SMTA Presentation" from FrTurner at aol.com to Jim.Nunns at vmic.com msgid=<7f.14be267c.283d558f at aol.c
om>
 Scanning "SMTA Presentation.ppt".
- - - - -

We don't MANGLE_EXTENSIONS the PPT, and it's not in the poison list, but
usually a virus triggers the macro scorer and a warning message gets
attached following the offending attachment.  Why not this time?

See:

http://www.symantec.com/avcenter/venc/data/o97m.tristate.html

Karl Dunn     (KLD13)
VMIC
12090 South Memorial Parkway
Huntsville AL USA 35803
VOICE: (256) 382-8211 or (800) 322-3616
FAX:   (256) 650-5472 or (256) 882-0859



More information about the esd-l mailing list