<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE>P.3f4a7a2d-e5e3-4013-9c45-c6e627ff7f48 {
MARGIN: 0cm 0cm 0pt
}
LI.3f4a7a2d-e5e3-4013-9c45-c6e627ff7f48 {
MARGIN: 0cm 0cm 0pt
}
DIV.3f4a7a2d-e5e3-4013-9c45-c6e627ff7f48 {
MARGIN: 0cm 0cm 0pt
}
TABLE.3f4a7a2d-e5e3-4013-9c45-c6e627ff7f48Table {
MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
page: Section1
}
</STYLE>
<META content="MSHTML 6.00.2900.3660" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=880310100-28062010><FONT face=Arial
color=#0000ff size=2>My immediate thought here is that your user has been
pwned via social engineering, and my first action would be to disconnect
his machine until you can establish exactly what those commands were, and who
was calling. Especially since you are seeing other
issues...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=880310100-28062010><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=880310100-28062010><FONT face=Arial
color=#0000ff size=2>If you can't find a legitimate explanation very quickly then
you should automatically assume the worst and act
accordingly.</FONT> </SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=880310100-28062010><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=880310100-28062010><FONT face=Arial
color=#0000ff size=2>ISPs do occasionally call account
holders following abuse reports, or when it is obvious from the traffic flows
that their machine is infected, but I have never heard of Norton doing
this, and unless this guy is a Norton customer how would they get his
phone number?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=880310100-28062010><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=880310100-28062010> </SPAN></DIV>
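<DIV dir=ltr align=left><FONT face=Arial size=2>The reply above says to pull the machine off the network and then establish what the dictated CMD and registry commands actually did. The script below is an added example of a first-pass host triage for that step; it is not from the thread, from AusNOG, or from any vendor. It only reads state and writes a text report, so it can run before the box is reimaged or handed to forensics. The report path, the 72-hour "since" window (the call was "over the weekend") and the list of drop directories are assumptions; adjust them for the case at hand. Run it from an elevated PowerShell prompt on the isolated machine.</FONT></DIV>

```powershell
# Added example (not from the AusNOG thread): read-only triage of a Windows host
# after a "your PC is infected, type these commands" phone call. Assumptions:
# PowerShell 2.0+ on Vista/7 or later, run elevated, machine already off the LAN.
param(
    [string]$ReportPath = "$env:USERPROFILE\Desktop\triage-$(Get-Date -Format yyyyMMdd-HHmmss).txt",
    [int]$SinceHours = 72   # assumed window: the call happened "over the weekend"
)

$since = (Get-Date).AddHours(-$SinceHours)
$out   = New-Object System.Collections.Generic.List[string]
function Section([string]$title) { $out.Add(""); $out.Add("=== $title ===") }

# 1. Autorun keys: the usual landing spot for "open regedit and add this" persistence.
Section "Run / RunOnce keys (HKLM, HKCU, Wow6432Node)"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { $out.Add("$k  $($p.Name) = $($p.Value)") }
        }
    }
}

# 2. Winlogon Shell/Userinit: a single registry edit here runs code at every logon.
Section "Winlogon Shell / Userinit"
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$out.Add("Shell    = $($wl.Shell)")
$out.Add("Userinit = $($wl.Userinit)")

# 3. Services whose binary lives outside \Windows (sc create is a one-liner for a caller).
Section "Services with binaries outside the Windows directory"
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    ForEach-Object { $out.Add("$($_.Name)  [$($_.StartMode)/$($_.State)]  $($_.PathName)") }

# 4. Scheduled tasks not under \Microsoft\. schtasks repeats its CSV header per folder,
#    so drop the duplicate header lines before parsing.
Section "Non-Microsoft scheduled tasks"
$csv  = schtasks /query /fo CSV /v
$hdr  = $csv[0]
$rows = $csv | Where-Object { $_ -ne $hdr }
(@($hdr) + $rows) | ConvertFrom-Csv |
    Where-Object { $_.TaskName -notlike '\Microsoft\*' } |
    ForEach-Object { $out.Add("$($_.TaskName)  ->  $($_.'Task To Run')") }

# 5. Local accounts and the Administrators group (net user /add is a classic).
Section "Local accounts"
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object { $out.Add("$($_.Name)  disabled=$($_.Disabled)") }
Section "Local Administrators group"
net localgroup administrators | ForEach-Object { $out.Add($_) }

# 6. Programs whose Uninstall entry carries an InstallDate inside the window
#    (remote-support tools installed during the call show up here).
Section "Programs installed since $since"
$sinceStr = $since.ToString('yyyyMMdd')
foreach ($u in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall') {
    if (Test-Path $u) {
        Get-ChildItem $u | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.InstallDate -and $_.InstallDate -ge $sinceStr } |
            ForEach-Object { $out.Add("$($_.DisplayName)  installed $($_.InstallDate)  $($_.InstallLocation)") }
    }
}

# 7. Executable content dropped into user-writable locations inside the window.
Section "Recently created executables/scripts in drop directories"
$dropDirs = @($env:TEMP, $env:APPDATA, $env:ProgramData, "$env:USERPROFILE\Downloads", "$env:windir\Temp")
foreach ($d in $dropDirs) {
    Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $since -and
                       $_.Extension -match '^\.(exe|dll|bat|cmd|vbs|js|scr|reg|ps1)$' } |
        ForEach-Object { $out.Add("$($_.CreationTime)  $($_.FullName)") }
}

# 8. Event log: new service installed (System 7045) and new user created (Security 4720).
Section "Event log: service installs and account creation since $since"
foreach ($f in @(@{LogName='System'; Id=7045; StartTime=$since},
                 @{LogName='Security'; Id=4720; StartTime=$since})) {
    try {
        Get-WinEvent -FilterHashtable $f -ErrorAction Stop |
            ForEach-Object { $out.Add("$($_.TimeCreated)  [$($_.Id)]  $($_.Message -replace '\s+', ' ')") }
    } catch { $out.Add("($($f.LogName) $($f.Id): no matching events or log unavailable)") }
}

# 9. Listening and established sockets (a remote-control tool left running shows here).
Section "netstat -ano (LISTENING / ESTABLISHED)"
netstat -ano | Select-String 'LISTENING|ESTABLISHED' | ForEach-Object { $out.Add($_.Line) }

$out | Out-File -FilePath $ReportPath -Encoding UTF8
Write-Host "Triage report written to $ReportPath"
```

<DIV dir=ltr align=left><FONT face=Arial size=2>Read the report against a known-clean build of the same SOE rather than in isolation: a Run key or service you cannot account for, a local account nobody created, or a listening port the SOE does not normally have is the evidence that decides between "nuisance call" and "incident". Hand the report and the machine to whoever does the rebuild; do not clean and return it to the WAN on the strength of a scan alone.</FONT></DIV>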
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
ausnog-bounces@lists.ausnog.net [mailto:ausnog-bounces@lists.ausnog.net] <B>On
Behalf Of </B>Luke Fuller<BR><B>Sent:</B> Monday, 28 June 2010 9:48
AM<BR><B>To:</B> Ausnog List<BR><B>Subject:</B> [AusNOG] Strange call from
supposed Antivirus vendor.<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial>Hi All,
<DIV><BR></DIV>
<DIV>A quick question some of you may have come across before or have advice
on.</DIV>
<DIV><BR></DIV>
<DIV>One of our users had a strange phone call over the weekend from a company,
supposedly 'Norton', stating that their computer was infected and that they needed to
follow some steps; the caller gave the user several CMD and registry
commands. This was reported to us yesterday.</DIV>
<DIV><BR></DIV>
<DIV>Has anybody else come across such a thing before? The user is connected to
our corporate WAN, and there is a possibility that if it was infected it has spread, as we
are seeing issues pop up on some production servers.</DIV>
<DIV><BR></DIV>
<DIV>Any advice on a standard response? We have already started an in-depth
scan of each server; however, should we also strengthen the IPS scanning for
malware, etc. at network edge points?</DIV>
<DIV><BR></DIV>
<DIV>Very odd, unless companies do contact end users; however, we use ESET throughout
the corporate network. Anybody else with similar experience of a strange
call?</DIV>
<DIV><BR></DIV>
<DIV>Luke.</DIV>
</FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><STRONG><FONT face=Arial size=2>Luke Fuller <FONT
size=1></FONT></FONT></STRONG></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><STRONG><FONT face=Arial size=2>COZmedics Medispas</FONT></STRONG></DIV>
<DIV><FONT face=Arial size=1>Maroochydore - Level 1, 49 The Esplanade<BR>Noosa -
Suite 1.17, Noosa Medical & Professional Centre 90 Goodchap
Street<BR>Ascot - Level 1, 121 Racecourse Road<BR>Kenmore - Suite 9, 2081
Moggill Road</FONT></DIV>
<DIV><FONT face=Arial size=1></FONT> </DIV>
<DIV><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT color=#000000><FONT
face=Arial><FONT size=1><STRONG>Ph:</STRONG> 07 5409
4400</FONT></FONT></FONT></SPAN></DIV>
<DIV><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT color=#000000><FONT
face=Arial><FONT size=1><STRONG>Fax:</STRONG> 07 5409
4444</FONT></FONT></FONT></SPAN></DIV>
<DIV><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT color=#000000><FONT
face=Arial><FONT size=1><STRONG>Bookings:</STRONG> 1300 792
299</FONT></FONT></FONT></SPAN></DIV>
<DIV><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT face=Arial color=#000000
size=1><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT color=#000000><FONT
face=Arial><FONT size=1><STRONG>Web:</STRONG> </FONT></FONT></FONT></SPAN><A
href="http://www.cozmedics.com.au/">www.cozmedics.com.au</A></FONT></SPAN></DIV>
<DIV><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT face=Arial color=#000000
size=1></FONT></SPAN> </DIV>
<DIV> </DIV>
<DIV><FONT face=Arial>
<HR>
</FONT><SPAN style="FONT-SIZE: 12pt; COLOR: navy"><FONT color=#000000><SPAN
style="FONT-SIZE: 9pt; FONT-FAMILY: Arial"><FONT size=1>This email and any files
transmitted with it are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you have received this email
in error, please notify the system manager. This message contains confidential
information and is intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or copy this email.
Please notify the sender immediately by email if you have received this email by
mistake and delete this email from your system. If you are not the intended
recipient, you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.</FONT></SPAN></FONT></SPAN></DIV>
<DIV>
<P class=MsoNormal><SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Arial"><FONT
size=1>WARNING: Computer viruses can be transmitted via email. The recipient
should check this email and any attachments for the presence of viruses. The
organization accepts no liability for any damage caused by any virus transmitted
by this email. Email transmission cannot be guaranteed to be secure or
error-free, as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender, therefore, does not
accept liability for any errors or omissions in the contents of this message
which arise as a result of email transmission.</FONT></SPAN></P>
</DIV></BODY></HTML>