[Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Matt
FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m. 
this morning, first coming from Eastern Europe.  McAfee seems to be 
detecting all of them now, but F-Prot as of this moment is not on our 
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:


HEADERS  END  NOTCONTAINS  boundary="
BODY     END  NOTCONTAINS  attachment; filename="
BODY     END  NOTCONTAINS  .zip" Content-Transfer-Encoding
BODY     15   CONTAINS     price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
I can confirm this and can also see that Declude Virus + F-Prot seem to be
catching it now as an unknown virus.
In the past 30 minutes there were several of these infected messages on our
servers.

Markus





RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
Ah, and not to forget: whatever name this virus will have: it's a forging
worm. 

Markus

 



RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread John Tolmachoff (Lists)
What is the payload inside the zip?

John T
eServices For You




Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Dan Geiser
I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?


---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)







RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread John Tolmachoff (Lists)
OK, so it is a cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You
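
Added example, not part of the original thread and not Declude's own code: one way to check a message for banned extensions both on the attachment itself and on the members of a zip attachment, as discussed above. The ban list beyond .cpl, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed ban list for this sketch; the thread itself only names .cpl.
BANNED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}
ZIP_MAGIC = b"PK\x03\x04"  # signature of a zip local file header


def extension(name):
    """Lower-cased final extension, ignoring directory parts and the
    trailing dots/spaces that Windows drops when it opens a file."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def banned_members(zip_bytes):
    """Names of archive members with a banned extension.

    Only the archive directory is read; nothing is extracted or executed.
    Raises zipfile.BadZipFile when the data is not a readable archive.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir()
                and extension(info.filename) in BANNED_EXTENSIONS]


def scan_message(raw):
    """Return (attachment name, reason) findings for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if extension(name) in BANNED_EXTENSIONS:
            findings.append((name, "banned extension"))
        elif extension(name) == ".zip" or data.startswith(ZIP_MAGIC):
            # Decide by content as well as by name, so an archive that was
            # renamed to some other extension is still opened.
            try:
                findings.extend((name, "contains " + member)
                                for member in banned_members(data))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip"))
    return findings


def make_zip(members):
    """Build an in-memory zip from {member name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample(attachment_name, payload):
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "price"
    msg.set_content("Constructed sample message.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # The member is a harmless text placeholder that only carries the name.
    raw = build_sample("price.zip", make_zip({"1.cpl": b"placeholder"}))
    for name, reason in scan_message(raw):
        print(name, "->", reason)
```

Nested archives and password-protected members are not opened by this sketch; only the member names of the outer zip are checked.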




RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler

> OK, so it is a cpl file, which we should all have in our list
> of banned extensions including banned if within a zip file,
> so we should all be safe, correct?

As safe as the world can be ;-)

Markus



Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Matt




This is a new Bagel variant:

 http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DATs than
http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?

Thanks,

Matt




Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Scott Fisher



Great catch Matt.
Mine's gone too since August 2.
Thank you Declude for multiple virus scanner option.

Try:
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From:
http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848




Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Scott Fisher



Here's the McAfee page:
http://vil.mcafeesecurity.com/vil/virus-4d.asp



Re: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Matt




I changed the subject so that people can be alerted to this.
Announcements of things like this would be useful to the entire Declude
customer base. I am afraid that we are a little over a month behind.
Those with a single scanner would be screwed.

I adjusted my scripts to use the link that you provided and it does in
fact work just great...so far :)

Thanks,

Matt




RE: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread David Barker



I have been monitoring everything that has been said and I agree - there is a
place I had set up on the front page for these kinds of alerts, and I am
currently working on the best way to provide this information to our customer
base using that area on the website.

David B
www.declude.com



RE: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Markus Gufler



I have to check my script because it still works fine up to now.

Markus



  
  

RE: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Colbeck, Andrew



Mr. Obvious says:

You would have to change the URL plus the name of the file 
you're unzipping!

So that I didn't have to change my script much, I changed 
my wget line to:

wget http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip -O dailyscan.zip

The -O parameter tells wget to save the requested file with 
that particular filename.

I think that NAI/McAfee changed the path as part of the web 
interface change to funnel people through their EULA. When I follow it 
through, the web interface takes you to filenames that now have a dynamic 
instead of static name.

If they change the URL again, we may need a smarter script 
that can scrape out the correct name from the webpage. Hopefully, they'll 
bring the static name back, perhaps parallel to the Stinger 
download.

Andrew 8)

p.s. I only use McAfee as a backup, standalone 
scanner. Not part of my Declude at all.


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Monday, September 12, 2005 12:58 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.

  I changed the subject so that people can be alerted to this. 
  Announcements of things like this would be useful to the entire Declude 
  customer base. I am afraid that we are a little over a month 
  behind. Those with a single scanner would be screwed.

  I adjusted my scripts to use the link that you provided and it does in fact work just 
  great...so far :)

  Thanks,

  Matt

  Scott Fisher wrote: 
  



Great catch Matt.
Mine's gone too since August 2
Thank you Declude for multiple virus scanner 
option.

Try:
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From:
http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848



  - 
  Original Message - 
  From: 
  Matt 
  
  To: 
  Declude.Virus@declude.com 
  
  Sent: 
  Monday, September 12, 2005 2:26 PM
  Subject: 
  Re: [Declude.Virus] Seemingly bad virus this morning
  This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

  I was wrong about what was detecting it first...it was F-Prot. I just 
  figured out that my McAfee update script is no longer working. Does 
  anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  Thanks,

  Matt

  John Tolmachoff (Lists) wrote: 
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  What is the payload inside the zip?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
  

  
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15CONTAINS price

Matt


  

Re: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Matt




David,

Information such as this is best 'pushed' rather than 'pulled'.
Declude should have a notification list that sends announcements of
important things concerning all products such as new
interims/betas/releases, new and important bugs, updates on known
issues and things that can broadly affect customers such as issues like
this one. I wouldn't expect more than a few messages per month. There
was an earlier list that was to be reserved for the absolute biggest
issues that never got used, and the specificity of that list was its
downfall. I would create a list and opt all customers into it but give
them an opt-out message for the first mailing. Most Declude customers
will never hear about things like this issue with McAfee otherwise.
The site doesn't work at all for timely things such as this.

BTW, I believe there are probably scripts linked to or contained on the
Declude site for McAfee updates. You will want to change those before
anyone new adds it in to their system.

Thanks,

Matt





David Barker wrote:

  
  
  I have been monitoring
everything that has been said and I agree - there is a place I had
setup on the front page for these kinds of alerts and currently working
on the best way to provide this information to our customer base using
that area on the website.
  
  
  David B
  www.declude.com
  
  
  From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Monday, September 12, 2005 3:58 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] McAfee DailyDAT download location
change.
  
  
I changed the subject so that people can be alerted to this.
Announcements of things like this would be useful to the entire Declude
customer base. I am afraid that we are a little over a month behind.
Those with a single scanner would be screwed.
  
I adjusted my scripts to use the link that you provided and it does in
fact work just great...so far :)
  
Thanks,
  
Matt
  
  
  
Scott Fisher wrote:
  


Great catch Matt.
Mine's gone too since August 2
Thank you Declude for multiple
virus scanner option.

Try:
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From:
http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848



  -
Original Message - 
  From:
  Matt
  
  To:
  Declude.Virus@declude.com 
  Sent:
Monday, September 12, 2005 2:26 PM
  Subject:
Re: [Declude.Virus] Seemingly bad virus this morning
  
  
This is a new Bagel variant:
  
 http://vil.nai.com/vil/content/v_129588.htm
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
  
Thanks,
  
Matt
  
  
  
John Tolmachoff (Lists) wrote:
  
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  

  -Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]]
  

  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without


the
  

  quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  
What is the payload inside the zip?

John T
eServices For You


  

  -Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]]
  

  On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15


  

a.m.
  

  

  this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15 

Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Nick Hayer




Hi Matt - 

Matt wrote:

  
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com
/pub/antivirus/datfiles/4.x

-Nick


Thanks,
  
Matt
  
  
  
John Tolmachoff (Lists) wrote:
  
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  

  -Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]]
  

  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without


the
  

  quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  
What is the payload inside the zip?

John T
eServices For You


  

  -Original Message-
From: [EMAIL PROTECTED]


[mailto:[EMAIL PROTECTED]]
  

  On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15


  

a.m.
  

  

  this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15CONTAINS price

Matt


  
  





RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



Hmm, yes.

Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems like 
re-inventing the wheel. The readme.txt talks about a SuperDAT 
downloading mechanism, which sounds exactly like the F-Prot GUI 
downloader.


Andrew 8)



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
  Sent: Monday, September 12, 2005 1:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Hi Matt - 

  Matt wrote: 

  I was wrong about what was detecting it first...it was F-Prot. I just 
  figured out that my McAfee update script is no longer working. Does 
  anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  This link works -
  ftp.nai.com/pub/antivirus/datfiles/4.x

  -Nick

  Thanks,

  Matt

  John Tolmachoff (Lists) wrote: 
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
  quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload inside the zip?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
  
  

  this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15CONTAINS price

Matt


  


Re: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread William Stillwell



The Proper method to update the dat would be to pull the "ini" file

http://download.nai.com/products/datfiles/4.x/nai/update.ini

Then Parse this [zip] section

[ZIP]
EngineVersion=0
DATVersion=4579
FileName=dat-4579.zip
FilePath=/pub/antivirus/datfiles/4.x/
FileSize=6448048
Checksum=2090,BED1
MD5=cc4e480fbc191a89354a5891ca4aa6dc

to obtain the URI Filename

then, verify the MD5 Checksum, then unzip it..

then notify you of the download, unzip, and send the DatVersion to you.

What happens if your download is corrupt? you now have successfully disabled your virus 
scanner.
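
The update procedure described in the message above (parse the [ZIP] section of update.ini, verify the package, unzip, report the DAT version), which also covers the update.ini parsing suggested earlier in the thread, as an added example that is not any poster's script or vendor code. Assumptions: the `ftp://ftp.nai.com` prefix joined to `FilePath`, the staging-directory step, and all function names; the sample update.ini and package are constructed inline so the block runs offline.

```python
import configparser
import hashlib
import io
import os
import shutil
import tempfile
import zipfile

REQUIRED = ("DATVersion", "FileName", "FilePath", "FileSize", "MD5")


class UpdateError(Exception):
    """The downloaded package must not be installed."""


def parse_zip_section(ini_text):
    """Return the [ZIP] section of update.ini as a dict, keys in original case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(ini_text)
    if not parser.has_section("ZIP"):
        raise UpdateError("update.ini has no [ZIP] section")
    section = dict(parser["ZIP"])
    missing = [key for key in REQUIRED if not section.get(key)]
    if missing:
        raise UpdateError("[ZIP] is missing " + ", ".join(missing))
    return section


def package_url(section, host="ftp://ftp.nai.com"):
    """Build the download URL; joining this host to FilePath is an assumption."""
    name, path = section["FileName"], section["FilePath"]
    if "/" in name or "\\" in name or not name.lower().endswith(".zip"):
        raise UpdateError("unexpected FileName %r" % name)
    if not path.startswith("/") or ".." in path:
        raise UpdateError("unexpected FilePath %r" % path)
    return host + path.rstrip("/") + "/" + name


def verify_package(section, data):
    """Check size, MD5 and zip CRCs; return the archive's member names."""
    if len(data) != int(section["FileSize"]):
        raise UpdateError("size %d does not match FileSize" % len(data))
    # MD5 is what update.ini publishes: it catches corruption, not tampering.
    if hashlib.md5(data).hexdigest() != section["MD5"].strip().lower():
        raise UpdateError("MD5 mismatch")
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        if archive.testzip() is not None:
            raise UpdateError("zip member failed its CRC check")
        names = archive.namelist()
    for name in names:
        if os.path.basename(name) != name or "\\" in name or name in ("", ".", ".."):
            raise UpdateError("unexpected member name %r" % name)
    return names


def install_package(section, data, dat_dir):
    """Verify first, unpack into a staging directory, then move into dat_dir."""
    names = verify_package(section, data)
    parent = os.path.dirname(os.path.abspath(dat_dir))
    staging = tempfile.mkdtemp(prefix="dat-staging-", dir=parent)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            archive.extractall(staging)
        for name in names:
            os.replace(os.path.join(staging, name), os.path.join(dat_dir, name))
    finally:
        shutil.rmtree(staging, ignore_errors=True)
    return section["DATVersion"]


def run_update(ini_text, data, dat_dir):
    """Return the one-line status an admin notification would carry."""
    try:
        section = parse_zip_section(ini_text)
        url = package_url(section)
        version = install_package(section, data, dat_dir)
    except (UpdateError, ValueError, configparser.Error, zipfile.BadZipFile) as exc:
        return "rejected, live DAT files untouched: %s" % exc
    return "installed DAT %s from %s" % (version, url)


def build_sample():
    """Constructed stand-ins for update.ini and the package it describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("example1.dat", b"constructed definitions A" * 40)
        archive.writestr("example2.dat", b"constructed definitions B" * 40)
    data = buf.getvalue()
    ini_text = (
        "[ZIP]\nEngineVersion=0\nDATVersion=4579\nFileName=dat-4579.zip\n"
        "FilePath=/pub/antivirus/datfiles/4.x/\n"
        "FileSize=%d\nMD5=%s\n" % (len(data), hashlib.md5(data).hexdigest())
    )
    return ini_text, data
```

A truncated or altered download is rejected before anything in the live DAT directory is replaced, which is the failure case the message above warns about.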






Re: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Matt




The FTP site doesn't have the beta DAT's listed. It is the beta DAT's
that contain the latest updates, and for an E-mail system, they are the
best thing to use. Naturally they aren't as well tested as the other
things, but they will block things more quickly and you have to weigh
that against the possibility of losing E-mail.

I would recommend the HTTP link that Scott provided unless the beta
DAT's are available over FTP.

Matt



William Stillwell wrote:

  
  
  
  The Proper method to update the dat would be to pull the "ini" file
  
  http://download.nai.com/products/datfiles/4.x/nai/update.ini
  
  Then Parse this [zip] section
  
  [ZIP]
  EngineVersion=0
  DATVersion=4579
  FileName=dat-4579.zip
  FilePath=/pub/antivirus/datfiles/4.x/
  FileSize=6448048
  Checksum=2090,BED1
  MD5=cc4e480fbc191a89354a5891ca4aa6dc
  
  to obtain the URI Filename
  
  then, verify the MD5 Checksum, then unzip it..
  
  then notify you of the download, unzip, and send the DatVersion to you.
  
  What happens if your download is corrupt? you now have successfully disabled
  your virus scanner.
  
  
  
  





Re: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Gary Steiner
Well, there's always the Declude.Releases mailing list.  Not sure that I've 
ever received anything on that one.  Maybe they need to make another one and 
call it Declude.News.

I'd refer people to Declude's User Forums, but they seem to be extremely under 
utilized by both Declude users and Declude support.  By contrast, the 
SmarterMail user forums are extremely active, though that may be because 
SmarterMail doesn't have a mailing list equivalent to Declude.Junkmail.



  Original Message 
 From: Matt [EMAIL PROTECTED]
 Sent: Monday, September 12, 2005 4:27 PM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.
 
 David,
 
 Information such as this is best 'pushed' rather than 'pulled'.  Declude 
 should have a notification list that sends announcements of important 
 things concerning all products such as new interims/betas/releases, new 
 and important bugs, updates on known issues and things that can broadly 
 affect customers such as issues like this one.  I wouldn't expect more 
 than a few messages per month.  There was an earlier list that was to be 
 reserved for the absolute biggest issues that never got used, and the 
 specificity of that list was its downfall.  I would create a list and 
 opt all customers into it but give them an opt-out message for the first 
 mailing.  Most Declude customers will never hear about things like this 
 issue with McAfee otherwise.  The site doesn't work at all for timely 
 things such as this.
 
 BTW, I believe there are probably scripts linked to or contained on the 
 Declude site for McAfee updates.  You will want to change those before 
 anyone new adds it in to their system.
 
 Thanks,
 
 Matt
 
 
 
 
 
 David Barker wrote:
 
  I have been monitoring everything that has been said and I agree - 
   there is a place I had setup on the front page for these kinds of 
  alerts and currently working on the best way to provide this 
  information to our customer base using that area on the website.
 
  David B   
  www.declude.com http://www.declude.com
 
  
  *From:* [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt
  *Sent:* Monday, September 12, 2005 3:58 PM
  *To:* Declude.Virus@declude.com
  *Subject:* Re: [Declude.Virus] McAfee DailyDAT download location change.
 
  I changed the subject so that people can be alerted to this.  
  Announcements of things like this would be useful to the entire 
  Declude customer base.  I am afraid that we are a little over a month 
  behind.  Those with a single scanner would be screwed.
 
  I adjusted my scripts to use the link that you provided and it does in 
  fact work just great...so far :)
 
  Thanks,
 
  Matt
 
 
 
  Scott Fisher wrote:
 
  Great catch Matt.
  Mine's gone too since August 2
  Thank you Declude for multiple virus scanner option.
   
  Try:
  http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip
   
  From:
  http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848
   
   
   
 
  - Original Message -
  *From:* Matt mailto:[EMAIL PROTECTED]
  *To:* Declude.Virus@declude.com mailto:Declude.Virus@declude.com
  *Sent:* Monday, September 12, 2005 2:26 PM
  *Subject:* Re: [Declude.Virus] Seemingly bad virus this morning
 
  This is a new Bagel variant:
 
  http://vil.nai.com/vil/content/v_129588.htm
 
  I was wrong about what was detecting it first...it was F-Prot.  I
  just figured out that my McAfee update script is no longer
  working.  Does anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
 
  Thanks,
 
  Matt
 
 
 
  John Tolmachoff (Lists) wrote:
 
 OK, so it is cpl file, which we should all have in our list of banned
 extensions including banned if within a zip file, so we should all be safe,
 correct?
 
 John T
 eServices For You
 
 
   
 
 -Original Message-
 From: [EMAIL PROTECTED]
 
 
 [mailto:[EMAIL PROTECTED]
   
 
 On Behalf Of Dan Geiser
 Sent: Monday, September 12, 2005 11:49 AM
 To: Declude.Virus@declude.com
 Subject: Re: [Declude.Virus] Seemingly bad virus this morning
 
 I opened the zip file and it contained one file called 1.cpl (without
 
 
 the
   
 
 quotes).  Some sort of malicious Control Panel applet?
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: Declude.Virus@declude.com
 Sent: Monday, September 12, 2005 11:55 AM
 Subject: RE: [Declude.Virus] Seemingly bad virus this morning
 
 
 
 
 What is the payload inside the zip?
 
 John T
 eServices For 

Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Scott Fisher



-Matt,

Does the wget -N command work for you with 
Mcafee.
I also use the -N and get the full download every 
time.

  - Original Message - 
  From: 
  Matt 
  To: Declude.Virus@declude.com 
  Sent: Monday, September 12, 2005 4:13 
  PM
  Subject: Re: [Declude.Virus] Seemingly 
  bad virus this morning
  Nice script, but the executables don't change regularly, and 
  many of us are using the command line version of McAfee that requires an 
  unvalidated download. This also doesn't get the beta DAT's.

  I use a script that calls both wget and WinZip's free command line add-on (requires 
  a registered WinZip). It is easy enough to replace that with any other 
  command line unzipping tool. Personally I find WinZip to be perfectly 
  reliable so I'm sticking with it.

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
  IF ERRORLEVEL 1 GOTO END
  C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
  :END
  ENDLOCAL

  Matt

  Markus Gufler wrote: 
  

attached you can find a script (I'm not the creator of 
this script but can't remember who's the genius) that will download the 
superdats and also the dailydat-files, extract all necessary virus 
definitions and also engine updates, write any action to a logfile and keep 
the downloaded superdats so that you can't revert manually if it would be 
necessary.

You need some command line tools like unzip and wget 
and adapt the path information in the script for your 
needs.

This script works on my server now for years and I hope 
it will do so also if now a lot of people will run it on their 
servers.

Markus


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 10:49 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning

  Hmm, yes.
  
  Something along the lines of:
  
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
  
  and then parsing out the line:
  
  FileName=dat-4579.zip
  
  or
  
  DATVersion=4579
  
  in order to construct the filename... but it seems 
  like re-inventing the wheel. The readme.txt talks about a 
  SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI 
  downloader.
  
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt - 

Matt wrote: 

I was wrong about what was detecting it first...it was F-Prot. I 
just figured out that my McAfee update script is no longer 
working. Does anyone have a newer link to the daily DAT's than 
http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote: 
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  What is the payload inside the zip?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
  

  
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERS  

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



Scott, in various older versions of wget, the -N 
parameter as well as the --header=Accept-Encoding:gzip parameter plain 
old didn't work. Pick up the current version here:

http://xoomer.virgilio.it/hherold/#Files

and it should be fine.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Monday, September 12, 2005 2:28 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning
  
  -Matt,
  
  Does the wget -N command work for you with 
  Mcafee.
  I also use the -N and get the full download every 
  time.
  
- Original Message - 
From: 
Matt 

To: Declude.Virus@declude.com 
Sent: Monday, September 12, 2005 4:13 
PM
Subject: Re: [Declude.Virus] Seemingly 
bad virus this morning
Nice script, but the executables don't change regularly, and 
many of us are using the command line version of McAfee that requires an 
unvalidated download. This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line add-on 
(requires a registered WinZip). It is easy enough to replace that with 
any other command line unzipping tool. Personally I find WinZip to be 
perfectly reliable so I'm sticking with it.

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END
C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
:END
ENDLOCAL

Matt

Markus Gufler wrote: 

  
  attached you can find a script (I'm not the creator 
  of this script but can't remember who's the genius) that will download the 
  superdats and also the dailydat-files, extract all necessary virus 
  definitions and also engine updates, write any action to a logfile and 
  keep the downloaded superdats so that you can't revert manually if it would 
  be necessary.
  
  You need some command line tools like unzip and wget 
  and adapt the path information in the script for your 
  needs.
  
  This script works on my server now for years and I 
  hope it will do so also if now a lot of people will run it on their 
  servers.
  
  Markus
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

Hmm, yes.

Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems 
like re-inventing the wheel. The readme.txt talks about a 
SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI 
downloader.


Andrew 8)



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Nick Hayer
  Sent: Monday, September 12, 2005 1:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Hi Matt - 

  Matt wrote: 

  I was wrong about what was detecting it first...it was F-Prot. I 
  just figured out that my McAfee update script is no longer 
  working. Does anyone have a newer link to the daily DAT's than 
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  This link works -
  ftp.nai.com/pub/antivirus/datfiles/4.x

  -Nick

  Thanks,

  Matt

  John Tolmachoff (Lists) wrote: 
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload inside the zip?

John T
eServices 

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



 which is all well and good, but...

It worked fine for the update.ini, but not for the .zip 
file. The current stable version of wget does in 
download a full file every time.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 2:47 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning
  
  Scott, in various older versions of wget, the -N 
  parameter as well as the --header=Accept-Encoding:gzip 
  parameter plain old didn't work. Pick up the current version 
  here:
  
  http://xoomer.virgilio.it/hherold/#Files
  
  and it should be fine.
  
  Andrew 8)
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, September 12, 2005 2:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

-Matt,

Does the wget -N command work for you with 
Mcafee.
I also use the -N and get the full download 
every time.

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Monday, September 12, 2005 4:13 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Nice script, but the executables don't change regularly, 
  and many of us are using the command line version of McAfee that requires 
  an unvalidated download. This also doesn't get the beta DAT's.

  I use a script that calls both wget and WinZip's free 
  command line add-on (requires a registered WinZip). It is easy 
  enough to replace that with any other command line unzipping tool. 
  Personally I find WinZip to be perfectly reliable so I'm sticking with 
  it.

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
  IF ERRORLEVEL 1 GOTO END

  C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

  :END
  ENDLOCAL

  Matt

  Markus Gufler wrote: 
  

attached you can find a script (I'm not the creator 
of this script but can't remember who's the genius) that will download 
the superdats and also the dailydat-files, extract all necessary virus 
definitions and also engine updates, write any action to a logfile and 
keep the downloaded superdats so that you can't revert manually if it 
would be necessary.

You need some command line tools like unzip and 
wget and adapt the path information in the script for your 
needs.

This script works on my server now for years and I 
hope it will do so also if now a lot of people will run it on their 
servers.

Markus


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 10:49 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning

  Hmm, yes.
  
  Something along the lines 
  of:
  
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
  
  and then parsing out the 
  line:
  
  FileName=dat-4579.zip
  
  or
  
  DATVersion=4579
  
  in order to construct the filename... 
  but it seems like re-inventing the wheel. The readme.txt talks 
  about a SuperDAT downloading mechanism, which sounds exactly like 
  the F-Prot GUI downloader.
  
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt - 

Matt wrote: 

I was wrong about what was detecting it first...it 
was F-Prot. I just figured out that my McAfee update script 
is no longer working. Does anyone have a newer link to the 
daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote: 

  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You
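
The update.ini approach quoted above, combined with a version comparison so the script does not depend on wget -N, as an added example that is not part of the thread or anyone's posted script. It is written in Python rather than batch so the untrusted values can be validated safely; the function names, the sample file's section name and FileSize line, and the digit-length cap are assumptions.

```python
import re

# Constructed sample. Only the FileName= and DATVersion= lines appear in the
# thread; the section name and the FileSize line are assumptions.
SAMPLE_UPDATE_INI = (
    "[ZIP]\r\n"
    "DATVersion=4579\r\n"
    "FileName=dat-4579.zip\r\n"
    "FileSize=0\r\n"
)

_KEY_VALUE = re.compile(r"^\s*(DATVersion|FileName)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_update_ini(text):
    """Return (dat_version, file_name) from update.ini text or raise ValueError.

    The file arrives over plain FTP, so nothing in it is trusted: the version
    must be all digits and the file name must be exactly dat-<version>.zip,
    which rules out path separators, drive letters and shell metacharacters.
    """
    found = {}
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), m.group(2))  # first one wins
    version = found.get("datversion", "")
    if not re.fullmatch(r"[0-9]{1,8}", version):  # length cap is an assumption
        raise ValueError("missing or malformed DATVersion")
    expected = "dat-%s.zip" % version
    if found.get("filename", expected).lower() != expected:
        raise ValueError("FileName does not match DATVersion")
    return int(version), expected


def plan_download(ini_text, installed_version, base_url):
    """Return the URL to fetch, or None when the installed DATs are current."""
    version, name = parse_update_ini(ini_text)
    if version <= installed_version:
        return None
    return base_url.rstrip("/") + "/" + name
```

The returned URL can be passed to the same wget call used in the thread, with the installed version recorded only after the archive has been extracted successfully.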


  

Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Matt




Scott and Andrew,

It does in fact work on my system. I'm using Wget 1.8.1+cvs. The beta
definitions do change very frequently, so this might throw you off.
Try executing a derivative of the following command twice and see what
happens (remove the line break and adjust the paths):

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P
C:\Progra~1\McAfee\update\
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

Matt



Scott Fisher wrote:

  
  
  
  -Matt,
  
  Does the wget -N command work for
you with Mcafee.
  I also use the -N and get the full
download every time.
  
- Original Message - 
From: Matt
To: Declude.Virus@declude.com 
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning


Nice script, but the executables don't change regularly, and many of us
are using the command line version of McAfee that requires an
unvalidated download. This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line
add-on (requires a registered WinZip). It is easy enough to replace
that with any other command line unzipping tool. Personally I find
WinZip to be perfectly reliable so I'm sticking with it.
C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END

C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

:END
ENDLOCAL

Matt




Markus Gufler wrote:

  
  attached you can find a script
(I'm not the creator of this script but can't remember who's the
genius) that will download the superdats and also the dailydat-files,
extract all necessary virus definitions and also engine updates, write
any action to a logfile and keep the downloaded superdats so that you
can't revert manually if it would be necessary.
  
  You need some command line tools
like unzip and wget and adapt the path information in the script for
your needs.
  
  This script works on my server
now for years and I hope it will do so also if now a lot of people will
run it on their servers.
  
  Markus
  
  
  

 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this
morning


Hmm, yes.

Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the
filename... but it seems like re-inventing the wheel. The readme.txt
talks about a SuperDAT downloading mechanism, which sounds exactly like
the F-Prot GUI downloader.


Andrew 8)



  
   From:
  [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  On Behalf Of Nick Hayer
  Sent: Monday, September 12, 2005 1:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this
morning
  
  
Hi Matt - 
  
Matt wrote:
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
  
This link works -
ftp.nai.com/pub/antivirus/datfiles/4.x
  
-Nick
  
  
Thanks,

Matt



John Tolmachoff (Lists) wrote:

  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this 

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



A very basic:

wget -N http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

was not working when Scott (and then I) tried 
it. But it does now, including with the -O parameter. I'd 
hazard a guess that they have some kind of front-end webcache or cluster, and 
things weren't perfectly synched.

I'm using 1.10-something.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Monday, September 12, 2005 3:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Scott and Andrew,

  It does in fact work on my system. 
  I'm using Wget 1.8.1+cvs. The beta definitions do change very 
  frequently, so this might throw you off. Try executing a derivative of 
  the following command twice and see what happens (remove the line break and 
  adjust the paths):

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P
  C:\Progra~1\McAfee\update\
  http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

  Matt

  Scott Fisher wrote: 
  



-Matt,

Does the wget -N command work for you with 
Mcafee.
I also use the -N and get the full download 
every time.

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Monday, September 12, 2005 4:13 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Nice script, but the executables don't change regularly, 
  and many of us are using the command line version of McAfee that requires 
  an unvalidated download. This also doesn't get the beta DAT's.

  I use a script that calls both wget and WinZip's free 
  command line add-on (requires a registered WinZip). It is easy 
  enough to replace that with any other command line unzipping tool. 
  Personally I find WinZip to be perfectly reliable so I'm sticking with 
  it.

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
  IF ERRORLEVEL 1 GOTO END

  C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

  :END
  ENDLOCAL

  Matt

  Markus Gufler wrote: 
  

attached you can find a script (I'm not the creator 
of this script but can't remember who's the genius) that will download 
the superdats and also the dailydat-files, extract all necessary virus 
definitions and also engine updates, write any action to a logfile and 
keep the downloaded superdats so that you can't revert manually if it 
would be necessary.

You need some command line tools like unzip and 
wget and adapt the path information in the script for your 
needs.

This script works on my server now for years and I 
hope it will do so also if now a lot of people will run it on their 
servers.

Markus


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 10:49 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning

  Hmm, yes.
  
  Something along the lines 
  of:
  
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
  
  and then parsing out the 
  line:
  
  FileName=dat-4579.zip
  
  or
  
  DATVersion=4579
  
  in order to construct the filename... 
  but it seems like re-inventing the wheel. The readme.txt talks 
  about a SuperDAT downloading mechanism, which sounds exactly like 
  the F-Prot GUI downloader.
  
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt - 

Matt wrote: 

I was wrong about what was detecting it first...it 
was F-Prot. I just figured out that my McAfee update script 
is no longer working. Does anyone have a newer link to the 
daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote: 

  OK, so it is cpl file, which we should