Cannot send to email group after accidental deletion
This happens far too often and is completely understandable. I am sure I would have done it by now if I used our distribution lists. Every few months or so it seems like somebody here in the office goes to edit one of the lists to keep them nice and clean (thank you) but when they go to delete a user from the list they accidentally delete the entire list itself. You can see why below:
I completely understand why they would immediately go to delete group instead of remove member. You see the big X signifying delete and just assume that’s what it will do when you have the user highlighted. I know how to recover the lists when they do delete them. You have to hunt through the Deleted Items and find it. If you sort by date it will sort the list based on the date the group was created, not when you deleted it. Click on the group and drag it over to the left where it says Contacts, or in our case go to Folder List view and click and drag it to the appropriate contacts list under Public Folders.
The next time the person tried to send an email to the group they would get an error that said “unexpected error.” *sigh* So I finally got the bright idea to start typing the group name into the To: field to make the auto-fill entry show up and delete that entry. I then clicked the To: button and added the group that way, sent the email and it worked. For some reason the auto-fill entries break if you delete the group and restore it. There must be some way Outlook is identifying the auto-fill entries, and when you restore the group it gives it another ID number or something.
D-Link Shareport Utility and Windows 7 Pro
I have been using the Shareport utility for a while now but I always had to disable my firewall for it to work properly. It works fine on the Windows 7 Home computer, but not on my Windows 7 Pro desktop. I looked around online and it looks like a common problem, but I did not see anybody post the solution that worked for me. Simply creating a rule in the firewall allowing the utility itself to do whatever it wants did not work. I turned on logging for the Windows firewall and watched what was happening whenever I tried to print something. It was blocking traffic coming from the other computers on the network. So I created a rule to allow UDP traffic from the range of IPs on my network, which is only a handful of machines. That’s the only Shareport-related rule I have in the firewall and it works perfectly fine now. The utility will not print if other computers are connected to the printer with Shareport, which is why I think the traffic is coming from the other machines on the network – they are just answering back saying they are not using the printer.
Go to your start menu and type firewall in the search box, then click on Windows Firewall with Advanced Security.
- Click inbound rules on the left and then new rule on the right
- Custom rule, next
- All programs, next
- You can either leave protocol type to any or change it to UDP, next
- Under “Which local IP addresses does this rule apply to?” choose “These IP addresses:” and click Add. I just put the range of IPs of the computers on my network. Hit OK.
- Then allow the connection, next
- Only selecting private should work fine for a home network.
- Finally, name the rule so you know what it is. I just called it Shareport Utility. Hit finish.
If you want to turn on firewall logging open your command prompt and use either/both of these commands depending on what you want to see:
netsh firewall set logging droppedpackets = enable
netsh firewall set logging connections = enable
By default your log file is %systemroot%\System32\LogFiles\Firewall\pfirewall.log
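Reading the firewall log by hand to find out which machines are being blocked is tedious, so here is a small parser for pfirewall.log that does the same thing the post describes: it picks out dropped inbound packets and groups them by source address, protocol and destination port, separating sources inside your LAN range from everything else. This is an added example, not part of the original post; the log lines, the 192.168.1.0/24 range and port 1100 are constructed samples, not values taken from a real Shareport setup.

```python
"""Summarise dropped inbound packets from a Windows Firewall log (pfirewall.log).

Added example, not from the original post. The log format is the W3C-style
text that Windows Firewall logging writes; the sample lines below are
constructed, not captured from a real machine.
"""
import ipaddress
from collections import Counter

# Constructed sample of a pfirewall.log: header block followed by entries.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-12-20 10:15:32 DROP UDP 192.168.1.20 192.168.1.10 53452 1100 60 - - - - - - - RECEIVE
2012-12-20 10:15:32 DROP UDP 192.168.1.21 192.168.1.10 49201 1100 60 - - - - - - - RECEIVE
2012-12-20 10:15:33 DROP UDP 192.168.1.20 192.168.1.10 53452 1100 60 - - - - - - - RECEIVE
2012-12-20 10:15:40 DROP TCP 203.0.113.7 192.168.1.10 41000 445 52 S 123 0 8192 - - - RECEIVE
2012-12-20 10:15:41 ALLOW UDP 192.168.1.10 192.168.1.1 55000 53 70 - - - - - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # A malformed line is skipped rather than aborting the whole run.
            continue
        yield dict(zip(fields, values))


def dropped_inbound_by_source(text, lan):
    """Count DROP/RECEIVE entries per (src-ip, protocol, dst-port).

    Returns (from_lan, from_outside): two Counters keyed by that tuple,
    split on whether the source address lies inside the given LAN network.
    """
    net = ipaddress.ip_network(lan)
    from_lan, from_outside = Counter(), Counter()
    for entry in parse_firewall_log(text):
        if entry["action"] != "DROP" or entry["path"] != "RECEIVE":
            continue
        key = (entry["src-ip"], entry["protocol"], entry["dst-port"])
        try:
            inside = ipaddress.ip_address(entry["src-ip"]) in net
        except ValueError:
            inside = False
        (from_lan if inside else from_outside)[key] += 1
    return from_lan, from_outside


if __name__ == "__main__":
    # Assumed LAN range; replace with the range of machines on your network.
    lan_hits, wan_hits = dropped_inbound_by_source(SAMPLE_LOG, "192.168.1.0/24")
    print("Dropped inbound from LAN (candidates for a scoped allow rule):")
    for (src, proto, port), n in sorted(lan_hits.items()):
        print(f"  {src:15} {proto:4} -> port {port:5}  x{n}")
    print("Dropped inbound from outside the LAN (leave these blocked):")
    for (src, proto, port), n in sorted(wan_hits.items()):
        print(f"  {src:15} {proto:4} -> port {port:5}  x{n}")
```

Point it at the real file (the default path above) instead of SAMPLE_LOG and the LAN section tells you exactly which hosts, protocol and port the rule needs to cover, so the allow rule can be scoped to just those rather than to any program and any address. Anything showing up in the outside section is traffic the firewall is right to drop.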
I was having another issue printing where it would print all jumbled up with text overlapping itself and the colors being completely wrong. I saw a post that suggested going into the printer properties to disable spooling. For my printer it’s under the advanced tab in the printer properties. I told it to print directly to the printer instead – so far so good.
USAA phishing emails
I am seeing a new phase of USAA spam hitting us. The ones I am seeing hit our servers the most claim to be deposit notifications that, of course, include an attachment they want you to open. The scary thing is that I am seeing more and more phishing emails that look really good. I’m actually kind of impressed by them. I can easily see a lot of people, maybe even some in my office, opening this email and downloading the attachment. Of course for me, the dead giveaway is the fact that there’s an attachment at all – let alone a zip file that includes an exe file. Luckily our spam filter doesn’t let exe files through, even if it doesn’t detect it as a virus.
Being the curious person that I am, I downloaded the attachment to see what was in it. I found an exe file, Deposit_Posted_Details_USAA_122012.exe. I scanned the exe with our corporate version of Malwarebytes and it was detected as Trojan.Zbot.CBCGen. I scanned it with GFI’s Vipre anti-virus, but it was not detected. I then uploaded it to VirusTotal to see what other scanners were detecting it. As of this post, only 3 scanners are seeing it, one of which was added while I was putting this post together – ByteHero, Kaspersky, and McAfee. You can see the report here.
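The spam filter blocking exe files is what saved the day here, and the check worth doing is the one that looks inside the zip at the file contents rather than just the name, since the same executable renamed to .pdf would slip past a name-only rule. The following is an added example, not code from the original post or from any filter product: it builds a small zip in memory (a constructed sample with a stub PE header, not the real attachment) and flags any member that is a Windows executable by content or carries an executable extension.

```python
"""Flag mail attachments that carry a Windows executable inside a zip.

Added example, not from the original post. It builds a small zip in memory
(constructed sample, not the real attachment) and checks each member by its
content rather than trusting the file name.
"""
import io
import struct
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def looks_like_pe(data):
    """True if the bytes start with a DOS 'MZ' header and the e_lfanew offset
    at 0x3C points at a 'PE\\0\\0' signature, i.e. a Windows PE executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def scan_zip_attachment(blob):
    """Inspect a zip attachment held in memory.

    Returns a list of (member name, reason) for every member that should be
    blocked: a PE header regardless of name, or an executable extension
    (which also catches the 'invoice.pdf.exe' double-extension trick).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
            # Read only the first 4 KiB: enough for the DOS and PE headers.
            with zf.open(info) as member:
                head = member.read(4096)
            if looks_like_pe(head):
                findings.append((name, "PE executable by content"))
            elif ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
    return findings


def make_fake_pe():
    """Constructed stub: the smallest byte string that passes looks_like_pe.
    It is only headers, not a runnable program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> right after the header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_attachment():
    """Constructed zip resembling the deposit-notification lure: a stub PE
    named like the one in the post, the same stub hiding behind a .pdf name,
    and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Deposit_Posted_Details_USAA_122012.exe", make_fake_pe())
        zf.writestr("Deposit_Details.pdf", make_fake_pe())
        zf.writestr("readme.txt", "Thank you for banking with us.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample_attachment()):
        print(f"BLOCK {name}: {reason}")
```

Running it reports both the .exe and the renamed .pdf as PE executables by content while leaving readme.txt alone; the extension list is a second, cheaper check for script types that have no magic header.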
My next step is to do some research based on the names the scanners that detect it have given it, to see what kind of infection this is. Hopefully if any of you have it, Malwarebytes will just take care of it for you.
Update: It now looks like 6 scanners are able to find this virus. I did some looking around online and from what I see it sounds pretty nasty.
It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.
From the report Symantec put together and the report I received from submitting this to GFI’s sandbox I can see that it creates a file to dump all your login information into and tries to phone home to suck those passwords off your computer. Symantec lists this as a low threat, but if there is any sign of this being on your computer you need to change all your passwords. That is not something I would want to risk. At least it appears to use the same names to create the files and keys over and over, which would hopefully mean that it wouldn’t be terribly difficult for the anti-virus scanners to find and remove – once they update their definitions to get this newest variation.
Also, this virus can possibly inject forms into your web browser that make it look like your banking site, or whatever site you’re logging into, is asking extra security questions to confirm who you are. But if it’s something beyond the basic “what’s your mother’s maiden name?” be careful. I saw on another forum somewhere that when someone tried to log into their banking site it asked them the basic questions, but then asked for their debit card number – why would your banking site be asking that?
Here are the DNS requests from the report that GFI sent me after submitting it to their sandbox.
In response to Mosey’s question about whether FileZilla’s credentials would be at risk: it doesn’t sound like they would be, based on the Symantec report and a couple of other things I found about it (see the two links I added below). It sounds like it is only monitoring what you type into your web browser. I have not seen anything yet that tells me otherwise. But I did find another blog that describes how FileZilla stores your credentials in a plain text file that is very easy to find. This trojan is also known as Zeus and there are a lot of variations – so I suppose someone out there creating their version of the Zeus trojan could target the FileZilla files that hold your credentials.
Sources: