
Virus in IFS


soma1...@yahoo.com

May 2, 2005, 6:32:41 PM
During a scan of a client's IFS, the virus "W32/Netsky.p.eml!exe" was
found in a .NOT file in /QTCPTMM/EMAIL/user-name.

I am not familiar with Mail on AS/400, so I'm not sure what to do with
this .NOT file. Wondering if this can be deleted or is it a bigger
part of the mail setup?

Also, I found a few hundred files in their IFS that were infected.
Most files ended in .eml. Would this be a reason why their Sys Save
would never finish? Stops at the IFS and seems to lock. Left it at
this step for 26 hours when it only took 3 hours to save everything
else.

Reclaim Storage on IFS also takes 20-30+ hours.

This is on a 720 with 120GB usable and about 67% DASD utilization.
About 20GB is in the IFS.

Thanks,
-Mike

matt...@thomsonlearning.com

May 3, 2005, 8:45:40 AM
.NOT is the extension that each message gets when stored (the directory
structure you list is where incoming mail is delivered). These are just
text files and you can delete them without harm.

The virus isn't going to cause any harm to OS/400 itself. To the best
of my knowledge, there are no viruses that infect OS/400.

Matt

steve.s...@sfgov.org

May 3, 2005, 2:29:22 PM
Mike,

You do have to worry. The iSeries itself is not affected by these
viruses but it can be a carrier and continue to infect other PCs in
your network that use files on the IFS.

I would recommend calling IBM Support Line for the best approach to
dealing with this problem.

You will probably end up scanning the entire IFS with up-to-date
anti-virus software from Client Access to take care of the viruses that
are living there. You will then need to take additional measures to
prevent the IFS from becoming a carrier again.

Regards,

Steve

Shalomc

May 4, 2005, 7:37:52 AM
Mike,

Does your client use the AS400 as a mail server?
The infected files are stored in a POP3 user mail box.

Generally speaking, using an AS400 server for POP3 is not the best of
ideas, and the lack of antivirus support is just one of the reasons to
move email to another server.

The infected files are not likely the reason for the prolonged sys
save.

Shalom Carmel
-----------------------
www.venera.com - Exposing iSeries insecurity

matt...@thomsonlearning.com

May 4, 2005, 8:48:13 AM
I'd say it's a reason not to use the native POP3 and SMTP servers but
not the AS400 in general. Stalker Software sells a package called
Communigate Pro (I don't use it but I know of several folks that do and
they like it) that allows you to plug in anti-virus software. Their
website is http://www.stalker.com.

Matt

edfi...@us.ibm.com

May 4, 2005, 2:40:42 PM
>You will probably end up scanning the entire IFS with up-to-date
>anti-virus software from Client Access to take care of the viruses
>that are living there. You will then need to take additional
>measures to prevent the IFS from becoming a carrier again.

A native virus scanner also exists for iSeries systems. For more
information see this article on iSeries Network:
http://www.iseriesnetwork.com/artarchive/index.cfm?fuseaction=viewarticle&CO_ContentID=19363&channel=art&subart=dept&deptid=111

Here is a quote from that article: . . . StandGuard Anti-Virus can
also scan mail messages stored in OS/400's Mail framework. Like
Windows-based virus scanners, StandGuard Anti-Virus automatically
downloads the latest virus definitions and software updates. And for
i5/OS (V5R3) users, StandGuard Anti-Virus supports an "On Access"
feature that scans files whenever they're opened or closed, providing
up-to-the-second protection against infections.

Ed Fishel

soma1...@yahoo.com

May 6, 2005, 12:36:33 PM

Matt,

I'm still a bit unclear about these .NOT files. Are these actually
emails that are in each user's Inbox? If I delete every .NOT file, am
I blowing away everything in their Inbox? I deleted the one file that
was infected. This directory is one of the larger ones in the client's
IFS and if these don't have to be there, how do they get purged?

Thanks,
-Mike
