RE: [Declude.Virus] AUTOFORGE
Does anyone know why it was not possible to send messages to this list over the last 3-4 days?

Also, can anyone supply their current list of FORGINGVIRUS lines? Mine:

FORGINGVIRUS Anonymous Driver
FORGINGVIRUS Antiman
FORGINGVIRUS Bagle
FORGINGVIRUS Bobax
FORGINGVIRUS Breatel
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS Dumar
FORGINGVIRUS Exploit-ObjectData
FORGINGVIRUS Eyeveg
FORGINGVIRUS Fizzer
FORGINGVIRUS Ganda
FORGINGVIRUS Holar
FORGINGVIRUS Hybris
FORGINGVIRUS IFrame
FORGINGVIRUS IFromot
FORGINGVIRUS Illwill
FORGINGVIRUS Inor
FORGINGVIRUS Ircbot2
FORGINGVIRUS Klez
FORGINGVIRUS Kapser
FORGINGVIRUS Lentin
FORGINGVIRUS Lovgate
FORGINGVIRUS Mabuto
FORGINGVIRUS Magistr
FORGINGVIRUS MiMail
FORGINGVIRUS MyDoom
FORGINGVIRUS Mytob
FORGINGVIRUS Netsky
FORGINGVIRUS ObjData
FORGINGVIRUS Palyh
FORGINGVIRUS Phish-
FORGINGVIRUS Plexus
FORGINGVIRUS Proxy-Cidra
FORGINGVIRUS Reblin
FORGINGVIRUS Scano
FORGINGVIRUS Sober
FORGINGVIRUS SoBig
FORGINGVIRUS Stration
FORGINGVIRUS Somefool
FORGINGVIRUS Tanx
FORGINGVIRUS Torvil
FORGINGVIRUS Tricky-Malware-based!
FORGINGVIRUS Trojan
FORGINGVIRUS Wurmark
FORGINGVIRUS Yaha
FORGINGVIRUS Zafi
FORGINGVIRUS Zerolin

And maybe

FORGINGVIRUS Unknown Virus

Markus

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] stration work
Thank you for turning this out.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 4:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:

The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED] that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. The W32/Stration.dr is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file.

I've added it as a forging virus:

FORGINGVIRUS Stration

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
[Declude.Virus] ClamAV Exit codes
Does anyone know what exit codes ClamAV has and what they mean?

From 2006-09-27 06:50PM on I can see a huge number of

Virus scanner 2 reports exit code of 2

...in the virus-logfile.

Markus
RE: [Declude.Virus] ClamAV Exit codes
> Failure I do believe, probably ClamD is not running?

Correct. Thank you.

Markus
RE: [Declude.Virus] ClamAV Exit codes
Thank you.

The strange thing is that the error doesn't appear constantly at a certain point. At 06:50PM there was the first dozen result codes 2. Then the next one appeared at 11:00PM, but still not constantly. There were always 0 and 1 codes. But then it became more and more, and then at a certain point the only result code was 2.

Does this mean that clamd can also decease slowly?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
Sent: Friday, September 29, 2006 4:22 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV Exit codes

Markus,

Here are the Return Codes from the ClamAV Documentation.

George

From http://www.clamav.net/doc/0.88.4/man/clamdscan.1

RETURN CODES
  0 : No virus found.
  1 : Virus(es) found.
  2 : An error occurred.

From http://www.clamav.net/doc/0.88.4/man/clamscan.1

RETURN CODES
Note: some return codes may only appear in a one file mode (clamscan is started with file argument). Those are marked with (ofm).
  0 : No virus found.
  1 : Virus(es) found.
  40: Unknown option passed.
  50: Database initialization error.
  52: Not supported file type.
  53: Can't open directory.
  54: Can't open file. (ofm)
  55: Error reading file. (ofm)
  56: Can't stat input file / directory.
  57: Can't get absolute path name of current working directory.
  58: I/O error, please check your file system.
  59: Can't get information about current user from /etc/passwd.
  60: Can't get information about user 'clamav' (default name) from /etc/passwd.
  61: Can't fork.
  62: Can't initialize logger.
  63: Can't create temporary files/directories (check permissions).
  64: Can't write to temporary directory (please specify another one).
  70: Can't allocate and clear memory (calloc).
  71: Can't allocate memory (malloc).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, September 29, 2006 5:59 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV Exit codes

Does anyone know what exit codes ClamAV has and what they mean?

From 2006-09-27 06:50PM on I can see a huge number of

Virus scanner 2 reports exit code of 2

...in the virus-logfile.

Markus
RE: [Declude.Virus] ClamAV Exit codes
Looking at the physical/virtual memory utilization for this server displays a peak for this date/time (see attached mrtg graph - growleft). But the graph shows a similar peak for today around 16:00 and clamd is still running without any result code 2.

I will watch this. Thank you.

Markus

[Attachment: win_mem_s3-week.png]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
Sent: Friday, September 29, 2006 6:06 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV Exit codes

Strange. It sounds like a resource depletion problem such as a memory leak that may not even be directly related to clamd.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, September 29, 2006 10:58 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV Exit codes

Thank you.

The strange thing is that the error doesn't appear constantly at a certain point. At 06:50PM there was the first dozen result codes 2. Then the next one appeared at 11:00PM, but still not constantly. There were always 0 and 1 codes. But then it became more and more, and then at a certain point the only result code was 2.

Does this mean that clamd can also decease slowly?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
Sent: Friday, September 29, 2006 4:22 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV Exit codes

Markus,

Here are the Return Codes from the ClamAV Documentation.

George

From http://www.clamav.net/doc/0.88.4/man/clamdscan.1

RETURN CODES
  0 : No virus found.
  1 : Virus(es) found.
  2 : An error occurred.

From http://www.clamav.net/doc/0.88.4/man/clamscan.1

RETURN CODES
Note: some return codes may only appear in a one file mode (clamscan is started with file argument). Those are marked with (ofm).
  0 : No virus found.
  1 : Virus(es) found.
  40: Unknown option passed.
  50: Database initialization error.
  52: Not supported file type.
  53: Can't open directory.
  54: Can't open file. (ofm)
  55: Error reading file. (ofm)
  56: Can't stat input file / directory.
  57: Can't get absolute path name of current working directory.
  58: I/O error, please check your file system.
  59: Can't get information about current user from /etc/passwd.
  60: Can't get information about user 'clamav' (default name) from /etc/passwd.
  61: Can't fork.
  62: Can't initialize logger.
  63: Can't create temporary files/directories (check permissions).
  64: Can't write to temporary directory (please specify another one).
  70: Can't allocate and clear memory (calloc).
  71: Can't allocate memory (malloc).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, September 29, 2006 5:59 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV Exit codes

Does anyone know what exit codes ClamAV has and what they mean?

From 2006-09-27 06:50PM on I can see a huge number of

Virus scanner 2 reports exit code of 2

...in the virus-logfile.

Markus
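The failure mode in this thread (sporadic exit code 2 from clamd, then a growing share, then nothing but 2) is easy to miss if you only grep for the code. The script below is an added example, not from the list or from Declude: it parses Declude virus-log lines of the form "Virus scanner N reports exit code of C", buckets one scanner's exits per hour and flags hours in which the error share crosses a threshold. The exit-code meanings are the clamdscan ones quoted above; the log lines, the scanner number and the 50% threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exit code meanings for clamdscan, as quoted from the ClamAV 0.88.4 man page in the thread.
CLAMDSCAN_CODES = {0: "no virus found", 1: "virus(es) found", 2: "an error occurred"}

# Declude virus-log line: timestamp (with or without milliseconds), queue file, scanner report.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+(?P<qid>\S+)\s+"
    r"Virus scanner (?P<scanner>\d+) reports exit code of (?P<code>\d+)$"
)

# Constructed sample log (not taken from the list): scanner 2 is clamd.
SAMPLE_LOG = """\
09/27/2006 18:50:01.123 q1 Virus scanner 1 reports exit code of 0
09/27/2006 18:50:01.456 q1 Virus scanner 2 reports exit code of 2
09/27/2006 18:51:10.000 q2 Virus scanner 2 reports exit code of 0
09/27/2006 18:52:10.000 q3 Virus scanner 2 reports exit code of 1
09/27/2006 18:53:10.000 q4 Virus scanner 2 reports exit code of 0
09/27/2006 23:00:05.000 q5 Virus scanner 2 reports exit code of 2
09/27/2006 23:05:05.000 q6 Virus scanner 2 reports exit code of 2
09/27/2006 23:10:05.000 q7 Virus scanner 2 reports exit code of 2
09/27/2006 23:15:05.000 q8 Virus scanner 2 reports exit code of 0
""".splitlines()


def parse_exit_codes(lines):
    """Yield (timestamp, scanner number, exit code) for every scanner-report line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
            yield ts, int(m.group("scanner")), int(m.group("code"))


def error_rate_by_hour(lines, scanner, error_codes=(2,)):
    """Return {"YYYY-MM-DD HH:00": (error_exits, total_exits)} for one scanner."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, num, code in parse_exit_codes(lines):
        if num != scanner:
            continue
        key = ts.strftime("%Y-%m-%d %H:00")
        buckets[key][1] += 1
        if code in error_codes:
            buckets[key][0] += 1
    return {k: tuple(v) for k, v in buckets.items()}


def hours_over_threshold(lines, scanner, threshold=0.5, min_samples=3):
    """Hours in which the scanner's error share reached the threshold (hypothetical limits)."""
    flagged = []
    for hour, (errors, total) in sorted(error_rate_by_hour(lines, scanner).items()):
        if total >= min_samples and errors / total >= threshold:
            flagged.append(hour)
    return flagged


if __name__ == "__main__":
    for hour, (errors, total) in sorted(error_rate_by_hour(SAMPLE_LOG, 2).items()):
        print(f"{hour}: {errors}/{total} exits were '{CLAMDSCAN_CODES[2]}'")
    print("hours to alert on:", hours_over_threshold(SAMPLE_LOG, 2))  # ['2006-09-27 23:00']
```

Run it against the real virus log instead of SAMPLE_LOG and the first flagged hour gives you the point at which clamd stopped answering, which is what to line up against the memory graph mentioned later in the thread.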
[Declude.Virus] New Virus: zipped word doc with Macro-Virus
Some of us have noted in the past two hours that messages with a zip file as attachment have passed our virus filters.

It's a zip file containing a MS Word document named my_notebook.doc. Most virus scanners can't catch it. VirusTotal has returned only two scanners with positive results:

Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus

No other AV engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
As I know, yes, but BANNAME my_notebook.doc wouldn't work for files within zip archives.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip file as attachment have passed our virus filters.

It's a zip file containing a MS Word document named my_notebook.doc. Most virus scanners can't catch it. VirusTotal has returned only two scanners with positive results:

Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus

No other AV engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
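The gap Markus points out is that a name ban on the outer attachment does not see the member names inside an archive. As an added example (not Declude code and not a feature of BANNAME), the following Python looks at the zip's central directory without extracting anything, compares every member name case-insensitively against the banned names from the post (the post itself lists the file once as my_notebook.doc and once as My_Notebook.doc), recurses into nested zips, and stops at a nesting limit so an archive bomb cannot drag it down. The sample archive, the depth limit of 5 and the size limit are constructed assumptions.

```python
import io
import zipfile

# Banned names from Markus' virus.cfg, lower-cased so the match is case-insensitive.
BANNED_NAMES = {"prices.zip", "apple_prices.zip", "sony_prices.zip", "hp_prices.zip",
                "dell_prices.zip", "my_notebook.doc"}

MAX_DEPTH = 5                 # assumed nesting limit, in the spirit of F-Prot's -ARCHIVE=5
MAX_MEMBER_BYTES = 20_000_000  # assumed limit: do not inflate huge members just to recurse


def banned_members(data, depth=1, path=""):
    """Return findings for banned file names inside a zip, descending into nested zips.

    Each finding is the member path ('outer.zip!inner/file') with an optional note."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip at all: nothing to inspect here
    for info in zf.infolist():
        if info.is_dir():
            continue
        base = info.filename.rsplit("/", 1)[-1].lower()
        full = f"{path}{info.filename}"
        if base in BANNED_NAMES:
            hits.append(full)
        if base.endswith(".zip"):
            if depth >= MAX_DEPTH:
                hits.append(full + " [nesting limit reached, not scanned]")
            elif info.file_size > MAX_MEMBER_BYTES:
                hits.append(full + " [too large to inspect]")
            else:
                hits.extend(banned_members(zf.read(info), depth + 1, full + "!"))
    return hits


def build_sample_zip():
    """Constructed sample: an outer zip holding hp_prices.zip, which holds My_Notebook.doc."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/My_Notebook.doc", b"\xd0\xcf\x11\xe0 fake OLE header, not a real document")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"nothing to see")
        z.writestr("hp_prices.zip", inner.getvalue())
    return outer.getvalue()


def build_nested_zip(levels):
    """Constructed sample: the sample zip wrapped 'levels' times, to exercise the depth limit."""
    data = build_sample_zip()
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(f"level{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    for hit in banned_members(build_sample_zip()):
        print("blocked:", hit)
    # prints hp_prices.zip and hp_prices.zip!docs/My_Notebook.doc
```

The check only reads member headers plus the bytes of nested zips, so it is cheap enough to run on every attachment before the scanners; it finds the renamed document even though the outer attachment name is not on the list.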
RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus
Hi Kami,

I have F-Prot 3.16f (latest version) in use here and can't find any appearance of "Possibly a new variant of JS" in my logfiles.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, March 25, 2006 12:32 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Hi Matt.. thanks for your quick reply.

Here are the virus log entries:

03/24/2006 14:34:08.042 q49aa01741b4f.smd Vulnerability flags = 0
03/24/2006 14:34:10.777 q49aa01741b4f.smd Virus scanner 1 reports exit code of 0
03/24/2006 14:34:11.871 q49aa01741b4f.smd Virus scanner 2 reports exit code of 8
03/24/2006 14:34:11.965 q49aa01741b4f.smd Scanner 2: Virus= Possibly a new variant of JS/ Attachment=[HTML segment] [17] I
03/24/2006 14:34:12.012 q49aa01741b4f.smd File(s) are INFECTED [ Possibly a new variant of JS/: 8]
03/24/2006 14:34:12.059 q49aa01741b4f.smd Deleting file with virus
03/24/2006 14:34:12.121 q49aa01741b4f.smd Deleting E-mail with virus!
03/24/2006 14:34:12.153 q49aa01741b4f.smd Scanned: CONTAINS A VIRUS [MIME: 1 2652]
03/24/2006 14:34:12.184 q49aa01741b4f.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 10.119.249.109]
03/24/2006 14:34:12.215 q49aa01741b4f.smd Subject: Response

Here are our entries in the virus.cfg file:

SCANFILE1 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL /NOMEM /NOBEEP /PANALYZE /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1 13
REPORT1 Found

# F-PROT - 2nd scanner
SCANFILE2 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI /TYPE /SILENT /server /PARANOID /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE2 3
VIRUSCODE2 6
VIRUSCODE2 8
REPORT2 Infection:

# AVG - 3rd Scanner
SCANFILE3 C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOBOOT /NOHIMEM /NOSELF /ARC /RT /ARCW /RTW /MACROW /REPORT=report.txt
VIRUSCODE3 4
VIRUSCODE3 5
VIRUSCODE3 6
VIRUSCODE3 7
VIRUSCODE3 9
REPORT3 identified

# CLAM - 4th Scanner
SCANFILE4 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

Hope that helps..

Regards,
- Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, March 24, 2006 5:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Containing: Possibly a new variant of JS/ virus

Kami,

You might want to post your full Declude Virus log snippet for one such message and identify both your Declude version and your virus scanners.

Matt
RE: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
Sorry David, I hadn't had time to read the latest postings on this list.

On my servers with 3.0.5.23 it seems to be working fine. That's what I can see in a postmaster.eml from today:

Virus: Unknown Virus
File: Unknown File
From:
To:
Subject:
Recipients: 1
Queuename: Df37a051c0088d3cf.smd
Date: 08 Mar 2006
Time: 16:24:51 (GMT+1)
Remotehost: .it (82.188.97.71)
Localhost: xxx.it
D.Version: 3.0.5.23

BTW: How are you guys notified of an updated version?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
Sent: Wednesday, March 08, 2006 6:05 PM
To: Declude.Virus@declude.com
Subject: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

I'm feeling lonely here...like I'm talking to myself...

Could someone PLEASE check the %RECIPHOST% and %REMOTEHOST% variables in your email notification on 3.0.6 just to make sure it's not me for some reason. You don't have to mess with your active notifications. Just put another .eml file in the Declude folder with these two variables.

Thanks.

-David

Thursday, March 2, 2006, 12:10:55 PM, you wrote:

DS> Ok, no one else has so I'll respond to my own post. 3.06 and still
DS> no change. Can someone try a notification with the %RECIPHOST% and
DS> %REMOTEHOST% variables and see if they work?

DS> Thanks

DS> -David

DS> Friday, February 24, 2006, 2:39:34 PM, you wrote:

DS> Has anyone else had trouble with the RECIPIENT HOST and REMOTE HOST
DS> NAME variables in your virus notification email since going to 3.x?
DS> We send all data to a program alias for notification processing,
DS> but since December now we can't get the RECIPIENT HOST data.

DS> Below is our notify email file and below that is a slightly munged
DS> example of the output. Notice lines 11 and 12 in the output. This
DS> behavior is persistent and used to work before upgrading.

DS> Anyone else experiencing this?

DS> From: [EMAIL PROTECTED]
DS> To: [EMAIL PROTECTED]
DS> Subject: Virus Notification

DS> 1 ALLRECIPS: %ALLRECIPS%
DS> 2 BANNED EXTENSION: %BANEXT%
DS> 3 DATE (mm/dd/yyy): %DATE%
DS> 4 HEADERS: %HEADERS%
DS> 5 INOROUT: %INOROUT%
DS> 6 LOCALHOST: %LOCALHOST%
DS> 7 MAILFROM: %MAILFROM%
DS> 8 MESSAGE ID: %MSGID%
DS> 9 NUMBER OF RECIPIENTS: %NRECIPS%
DS> 10 QUEUE FILE NAME: %QUEUENAME%
DS> 11 RECIPIENT HOST: %RECIPHOST%
DS> 12 REMOTE HOST NAME: %REMOTEHOST%
DS> 13 REMOTE IP: %REMOTEIP%
DS> 14 SENDER HOST: %SENDERHOST%
DS> 15 SUBJECT: %SUBJECT%
DS> 16 CURRENT TIME (hh/mm/ss): %TIME%
DS> 17 VIRUS FILE: %VIRUSFILE%
DS> 18 VIRUS NAME: %VIRUSNAME%
DS> 19 SOFTWARE VERSION: %VERSION%

DS> 1 ALLRECIPS: [EMAIL PROTECTED]
DS> 2 BANNED EXTENSION:
DS> 3 DATE (mm/dd/yyy): 24 Feb 2006
DS> 4 HEADERS: Received: from mx1.ourpostfixserver.com [192.168.200.60]
DS>   by mail5.ourimailserver.com with ESMTP
DS>   (SMTPD32-8.15) id A5ADFD770080; Fri, 24 Feb 2006 12:43:09 -0500
DS> Received: from localhost (adsl-146-64-253.mia.bellsouth.net [70.146.64.253])
DS>   by mx1.ourpostfixserver.com (Postfix) with SMTP id 4150B1464ED
DS>   for [EMAIL PROTECTED]; Fri, 24 Feb 2006 12:45:43 + (GMT)
DS> Message-ID: [EMAIL PROTECTED]
DS> From: Jay Ross [EMAIL PROTECTED]
DS> To: [EMAIL PROTECTED]
DS> Subject: Software At Low Pr1ce
DS> Date: Fri, 24 Feb 2006 12:42:58 -0500
DS> MIME-Version: 1.0
DS> Content-Type: multipart/alternative;
DS>   boundary==_NextPart_000_0001_01C63993.BFF33280
DS> X-Priority: 3
DS> X-MSMail-Priority: Normal
DS> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
DS> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
DS> 5 INOROUT: outgoing
DS> 6 LOCALHOST: mail5.ourimailserver.com
DS> 7 MAILFROM: [EMAIL PROTECTED]
DS> 8 MESSAGE ID: [EMAIL PROTECTED]
DS> 9 NUMBER OF RECIPIENTS: 1
DS> 10 QUEUE FILE NAME: D45adfd7700801edf.smd
DS> 11 RECIPIENT HOST:
DS> 12 REMOTE HOST NAME:
DS> 13 REMOTE IP: 192.168.200.60
DS> 14 SENDER HOST: bellamorris.com
DS> 15 SUBJECT: Software At Low Pr1ce
DS> 16 CURRENT TIME (hh/mm/ss): 12:43:27
DS> 17 VIRUS FILE: [No attachment]
DS> 18 VIRUS NAME: [Outlook 'Blank Folding' Vulnerability]
DS> 19 SOFTWARE VERSION: 3.0.5.26
RE: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working
I use %LOCALHOST% in my postmaster.eml file. As I understand it, this should be the same, or not?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 08, 2006 6:24 PM
To: Declude.Virus@declude.com
Subject: Re: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

Remotehost Yes. Reciphost no.

Declude 3.06 .eml:
REMOTE HOST NAME: %REMOTEHOST%
RECIPIENT HOST: %RECIPHOST%

result:
REMOTE HOST NAME: farmprogress.com
RECIPIENT HOST:

- Original Message -
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Wednesday, March 08, 2006 11:04 AM
Subject: Re[2]: [Declude.Virus] Virus Notification Variables No Longer Working

I'm feeling lonely here...like I'm talking to myself...

Could someone PLEASE check the %RECIPHOST% and %REMOTEHOST% variables in your email notification on 3.0.6 just to make sure it's not me for some reason. You don't have to mess with your active notifications. Just put another .eml file in the Declude folder with these two variables.

Thanks.

-David

Thursday, March 2, 2006, 12:10:55 PM, you wrote:

DS> Ok, no one else has so I'll respond to my own post. 3.06 and still
DS> no change. Can someone try a notification with the %RECIPHOST% and
DS> %REMOTEHOST% variables and see if they work?

DS> Thanks

DS> -David

DS> Friday, February 24, 2006, 2:39:34 PM, you wrote:

DS> Has anyone else had trouble with the RECIPIENT HOST and REMOTE
DS> HOST NAME variables in your virus notification email since going to 3.x? We
DS> send all data to a program alias for notification processing, but
DS> since December now we can't get the RECIPIENT HOST data.

DS> Below is our notify email file and below that is a slightly
DS> munged example of the output. Notice lines 11 and 12 in the
DS> output. This behavior is persistent and used to work before upgrading.

DS> Anyone else experiencing this?

DS> From: [EMAIL PROTECTED]
DS> To: [EMAIL PROTECTED]
DS> Subject: Virus Notification

DS> 1 ALLRECIPS: %ALLRECIPS%
DS> 2 BANNED EXTENSION: %BANEXT%
DS> 3 DATE (mm/dd/yyy): %DATE%
DS> 4 HEADERS: %HEADERS%
DS> 5 INOROUT: %INOROUT%
DS> 6 LOCALHOST: %LOCALHOST%
DS> 7 MAILFROM: %MAILFROM%
DS> 8 MESSAGE ID: %MSGID%
DS> 9 NUMBER OF RECIPIENTS: %NRECIPS%
DS> 10 QUEUE FILE NAME: %QUEUENAME%
DS> 11 RECIPIENT HOST: %RECIPHOST%
DS> 12 REMOTE HOST NAME: %REMOTEHOST%
DS> 13 REMOTE IP: %REMOTEIP%
DS> 14 SENDER HOST: %SENDERHOST%
DS> 15 SUBJECT: %SUBJECT%
DS> 16 CURRENT TIME (hh/mm/ss): %TIME%
DS> 17 VIRUS FILE: %VIRUSFILE%
DS> 18 VIRUS NAME: %VIRUSNAME%
DS> 19 SOFTWARE VERSION: %VERSION%

DS> 1 ALLRECIPS: [EMAIL PROTECTED]
DS> 2 BANNED EXTENSION:
DS> 3 DATE (mm/dd/yyy): 24 Feb 2006
DS> 4 HEADERS: Received: from mx1.ourpostfixserver.com
DS>   [192.168.200.60] by
DS>   mail5.ourimailserver.com with ESMTP
DS>   (SMTPD32-8.15) id A5ADFD770080; Fri, 24 Feb 2006 12:43:09 -0500
DS> Received: from localhost (adsl-146-64-253.mia.bellsouth.net [70.146.64.253])
DS>   by mx1.ourpostfixserver.com (Postfix) with SMTP id 4150B1464ED
DS>   for [EMAIL PROTECTED]; Fri, 24 Feb 2006 12:45:43 + (GMT)
DS> Message-ID: [EMAIL PROTECTED]
DS> From: Jay Ross [EMAIL PROTECTED]
DS> To: [EMAIL PROTECTED]
DS> Subject: Software At Low Pr1ce
DS> Date: Fri, 24 Feb 2006 12:42:58 -0500
DS> MIME-Version: 1.0
DS> Content-Type: multipart/alternative;
DS>   boundary==_NextPart_000_0001_01C63993.BFF33280
DS> X-Priority: 3
DS> X-MSMail-Priority: Normal
DS> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
DS> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
DS> 5 INOROUT: outgoing
DS> 6 LOCALHOST: mail5.ourimailserver.com
DS> 7 MAILFROM: [EMAIL PROTECTED]
DS> 8 MESSAGE ID: [EMAIL PROTECTED]
DS> 9 NUMBER OF RECIPIENTS: 1
DS> 10 QUEUE FILE NAME: D45adfd7700801edf.smd
DS> 11 RECIPIENT HOST:
DS> 12 REMOTE HOST NAME:
DS> 13 REMOTE IP: 192.168.200.60
DS> 14 SENDER HOST: bellamorris.com
DS> 15 SUBJECT: Software At Low Pr1ce
DS> 16 CURRENT TIME (hh/mm/ss): 12:43:27
DS> 17 VIRUS FILE: [No attachment]
DS> 18 VIRUS NAME: [Outlook 'Blank Folding' Vulnerability]
DS> 19 SOFTWARE VERSION: 3.0.5.26
RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
Hi Bill,

Regarding the viruscodes 9 and 10 that were introduced with F-Prot 3.16, I will quote the release notes:

Archive handling has been improved and is now more consistent. Version 3.16 also includes detection against so-called "archive bombs", archives... ... If the limit is exceeded then it will exit with a new exit code 10 (some files were not scanned; in this case because maximum archive level was reached). The OnDemand Scanner scans an infinite number of levels by default but this behaviour can be changed using the same command-line switch. The RealTime Protector scans to a depth of one level by default.

Another new exit code has been added to the OnDemand Scanner and the Command-Line Scanner, exit code 9. This exit code indicates that some files were not scanned, e.g., encrypted files, because of unsupported/unknown compression methods, because of unsupported/unknown file formats, corrupted or invalid files.

Both exit code 9 and 10 indicate that some files were not scanned and, therefore, they can not be guaranteed to be clean. The difference between them is that if exit code 10 occurs then some settings can be changed (e.g., increase the maximum allowed archive depth) and the scanner might be able to scan the file. If, however, exit code 9 occurs then the scanner is not able to scan the file.

A complete list of the exit codes can be found at http://www.f-prot.com/support/windows/fpwin_faq/65.html

So exit code 10 seems ok for me, but I'm not sure what exit code 9 means in the real world. What "compression methods" and "file formats" are supported and what not? If a legit message contains one little unsupported or corrupt file, with disabled notifications this will cause a false positive. Right?

Does anyone have something against a feature request like ONLYIFEXITCODEIS? So we could set up end user notifications for certain "suspicious" exit codes. During outbreaks while signatures are missing this will block messages and show the end users that the virus filter is here and working. After the signature update the exit code usually should become 3 or 6.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 11:31 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

Andrew, I already have PRESCAN set to off and use the /server switch with F-Prot, so those were not the issue that was causing this behavior for me. From my virus.cfg:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:

PRESCAN OFF

Bill

- Original Message -
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Cc: [EMAIL PROTECTED]
Sent: Thursday, February 02, 2006 2:09 PM
Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?

My raw speculation:

1) It is missed because the virus.cfg is using the "PRESCAN ON" switch (the default, I believe) and the declude.exe application does not decode the MIME or other coding as flexibly as a mail client would, or makes an uninformed decision about what is an object worth scanning.

ANSWER: use PRESCAN OFF instead. This will incur more CPU time as the selected antivirus scanner(s) will be scanning all objects.

2) For F-Prot specifically, the /server switch is not being used and therefore F-Prot is not doing the message format decoding. If Declude did a perfect job, this setting would be irrelevant.

ANSWER: use the /server switch in your SCANFILE definition. This would cause more CPU time on the few messages that appear as nested message encoding; it is intended for scanning servers with multiple mailbox formats and nested messages.

I follow my own advice on these two points and do not have a problem with F-Prot under Declude EVA missing known viruses.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 1:47 PM
To: Imail_Forum@list.ipswitch.com; Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

I reported this issue quite some time ago, when Scott was still running the show, and never got a satisfactory answer. You can scan the raw d*.smd file with f-prot and it will detect the virus, but run it through Declude Virus, and the virus goes through undetected. After pestering and prodding for several days, I finally gave up on getting a response that made sense. But it must have something to do with the way Declude Virus is stripping off the mime
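Both the F-Prot definition Bill posts here and Kami's multi-scanner virus.cfg earlier on the page use the same three keywords per scanner (SCANFILEn, VIRUSCODEn, REPORTn). The Python below is an added example, not Declude's own code: it parses such a stanza, then models the decision that follows a scan, exit code in the VIRUSCODE set means infected, the virus name is the text after the REPORT keyword in report.txt, and F-Prot's 9/10 are reported as "not fully scanned" per the release notes Markus quotes. The notify_codes argument is a model of the ONLYIFEXITCODEIS idea from the thread, which is a feature request, not a Declude setting. The config text, the report line and the virus name in it are constructed for the example.

```python
import re

# Constructed virus.cfg excerpt: Bill's F-Prot stanza plus Kami's ClamAV stanza, laid out
# as the keywords appear on the list.
SAMPLE_CFG = """\
# F-Prot
SCANFILE1 C:\\Progra~1\\FSI\\F-Prot\\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:

# CLAM - 4th Scanner
SCANFILE4 C:\\clamav-devel\\bin\\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE4 1

PRESCAN OFF
"""

# Constructed report.txt content; the detection name is a sample, not a real scan result.
SAMPLE_REPORT = "C:\\spool\\D1234.smd->invoice.exe  Infection: W32/Kapser.A@mm\n"

# F-Prot 3.16 meanings for the two "not fully scanned" codes quoted in the thread.
NOT_FULLY_SCANNED = {9: "some files could not be scanned",
                     10: "archive nesting limit reached"}


def parse_virus_cfg(text):
    """Return ({scanner_no: {"scanfile", "codes", "report"}}, {global_key: value})."""
    scanners, globals_ = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        m = re.fullmatch(r"(SCANFILE|VIRUSCODE|REPORT)(\d+)", key)
        if not m:
            globals_[key] = value.strip()  # e.g. PRESCAN OFF
            continue
        kind, num = m.group(1), int(m.group(2))
        s = scanners.setdefault(num, {"scanfile": "", "codes": set(), "report": ""})
        if kind == "SCANFILE":
            s["scanfile"] = value.strip()
        elif kind == "VIRUSCODE":
            s["codes"].add(int(value))
        else:
            s["report"] = value.strip()
    return scanners, globals_


def verdict(scanner, exit_code, report_text, notify_codes=frozenset()):
    """Model of the post-scan decision (not Declude's implementation).

    infected: exit code is one of the scanner's VIRUSCODEs.
    virus:    text after the REPORT keyword, or the 9/10 explanation when there is none.
    notify:   hypothetical ONLYIFEXITCODEIS behaviour, notify only for listed codes."""
    infected = exit_code in scanner["codes"]
    name = None
    if infected and scanner["report"]:
        for line in report_text.splitlines():
            if scanner["report"] in line:
                name = line.split(scanner["report"], 1)[1].strip()
                break
    if infected and name is None and exit_code in NOT_FULLY_SCANNED:
        name = NOT_FULLY_SCANNED[exit_code]
    return {"infected": infected, "virus": name,
            "notify": infected and exit_code in notify_codes}


if __name__ == "__main__":
    scanners, globals_ = parse_virus_cfg(SAMPLE_CFG)
    print(verdict(scanners[1], 3, SAMPLE_REPORT))                         # infected, W32/Kapser.A@mm
    print(verdict(scanners[1], 10, "", notify_codes={9, 10}))             # infected, notify
    print(verdict(scanners[4], 0, ""))                                    # clean
```

With this model a code 9 or 10 blocks the message exactly as Bill's VIRUSCODE lines say it should, and the notify flag shows where a per-code notification rule would hang off the same decision.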
[Declude.Virus] Heads up: something new is around
Block exe in zips (at least temporarily)!

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
RE: [Declude.Virus] Heads up: something new is around
...seems to be a new variant of Bagle. VirusTotal says:

Antivirus           Version         Update      Result
AntiVir             6.33.0.81       02.02.2006  TR/Bagle.Gen.B
Avast               4.6.695.0       02.01.2006  no virus found
AVG                 718             02.01.2006  I-Worm/Bagle
Avira               6.33.0.81       02.02.2006  TR/Bagle.Gen.B
BitDefender         7.2             02.02.2006  [EMAIL PROTECTED]
CAT-QuickHeal       8.00            02.02.2006  (Suspicious) - DNAScan
ClamAV              devel-20060126  02.02.2006  no virus found
DrWeb               4.33            02.02.2006  no virus found
eTrust-InoculateIT  23.71.66        02.02.2006  Win32/Bagle.Variant!Worm
eTrust-Vet          12.4.2063       02.02.2006  Win32/Baglelike
Ewido               3.5             02.02.2006  no virus found
Fortinet            2.54.0.0        02.02.2006  suspicious
F-Prot              3.16c           02.02.2006  no virus found
Ikarus              0.2.59.0        02.02.2006  no virus found
Kaspersky           4.0.2.24        02.02.2006  no virus found
McAfee              4687            02.01.2006  W32/Bagle.gen
NOD32v2             1.1391          02.01.2006  a variant of Win32/Bagle
Norman              5.70.10         02.02.2006  no virus found
Panda               9.0.0.4         02.01.2006  Suspicious file
Sophos              4.02.0          02.02.2006  no virus found
Symantec            8.0             02.02.2006  Bloodhound.Beagle
TheHacker           5.9.3.088       02.02.2006  W32/[EMAIL PROTECTED]
UNA                 1.83            02.01.2006  no virus found
VBA32               3.10.5          02.02.2006  suspected of Email-Worm.Bagle.1

My McAfee engine is on version 4687 and the definitions are up to date. However, it hasn't caught this virus even though the same zip file was identified by VirusTotal's McAfee engine.
RE: [Declude.Virus] Encoded viruses...worried
It's not the only thread remaining without comment from Declude, even if there were replies to other threads in the meantime.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Thursday, February 02, 2006 7:32 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Encoded viruses...worried

Am I the only one that is wondering why there wouldn't have been an official response to this from Declude? While I have added the extension listed to block attachments (and F-Prot did detect on all of my instances), when a potential flaw is pointed out, it would be nice to have an official response to the message.

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Tuesday, January 31, 2006 6:49 PM
Subject: [Declude.Virus] Encoded viruses...worried

Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links:

http://isc.sans.org/diary.php?storyid=1067
http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo! Groups. The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside. For instance, I found that some BHX files that clearly contained an executable payload showed up in my virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it, and there almost definitely was. The same attachment name with the same length was repeatedly detected as a virus later on that day.

This likely was a PIF file inside, though it could also have been a JPG according to the notes on this virus. I, like most of us here, don't allow PIFs to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection.

Here's the conundrum. This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings. I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already. I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common. This particular virus is so destructive that a single copy could cause severe damage to one's enterprise. I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe.

Matt
RE: [Declude.Virus] Encoded viruses...worried
For grep and egrep on Windows machines, use the switch -U to have correct line wraps.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, February 01, 2006 10:35 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Andrew, the output ended up being 255 characters long and then wrapping. How do I do this so each find is on a separate line for reading?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:35 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

On the plus side, there are mitigating circumstances...

First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfuscate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and for the latter, a buffer overflow).

If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this:

egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

(if you don't want the filename, stick a -h parameter and a space before that first quotation mark)

By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base.

And that's a wrap for tonight.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blocking messages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning.

I've been watching for copies of Blackworm that might be caught on my system so that I can check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats).

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Actually, I am already blocking hqz and uue so I went and added the others and will see what happens.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To:
RE: [Declude.Virus] Encoded viruses...worried
I've grepped through the logfiles for the last 7 days on my servers. 2981 lines contain "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" (ignoring double counts for the second AV scanner). After filtering out all lines containing "Kapser" and "Mywife" there remain the following 4 lines:

01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]

This looks very promising that Declude is already handling it in order to catch malicious code inside such attachments.

Note: the 4th line is listed due to the "MIME".

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, February 01, 2006 3:19 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Encoded viruses...worried

You know, I was going to ask if you would do a search, but I figured you might do it anyway :) You did leave out the ".uue" extension, but I doubt that would have changed your results.

I suppose that if these extensions are hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic becoming widespread and then take action.

I do have a fair number of Mac users and probably more overseas traffic than you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them.

Matt

Colbeck, Andrew wrote:

On the plus side, there are mitigating circumstances...

First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfuscate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and for the latter, a buffer overflow).

If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this:

egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

(if you don't want the filename, stick a -h parameter and a space before that first quotation mark)

By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base.

And that's a wrap for tonight.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blocking messages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude
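Andrew's egrep over the virMMDD.log and Markus's follow-up filter (drop the hits the scanners already attributed to Kapser/MyWife, count each queue file once) as one Python script; this is an added example, not code from the thread or from Declude. The sample log is constructed: four lines are quoted from the posts above, the scanner-result lines and their format are an assumption.

```python
"""Find attachments in unconventional encodings in Declude virMMDD.log lines.

Added example, not code from the thread or from Declude. It does in Python what
Andrew's egrep one-liner does, then applies Markus's follow-up filter: hits that
a scanner already attributed to a known virus name need no manual review.
"""
import re

# Extensions from Andrew's egrep pattern, plus .UUE which Matt noted was left out.
ENCODED_EXTENSIONS = ("BHX", "HQX", "B64", "UU", "UUE", "MIM", "MME")

# Require a word boundary after the extension: egrep's "\.B64" also matches the
# MIME boundary string ".B6472520" in the "EOF in middle of MIME segment" line.
ENCODED_RE = re.compile(
    r"\.(" + "|".join(ENCODED_EXTENSIONS) + r")\b", re.IGNORECASE)

# Virus families the scanners already name for this outbreak (lower-case).
KNOWN_NAMES = ("kapser", "mywife")

# Every line starts with a timestamp and the IMail queue file (Q... id).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \S+) (?P<qid>[Qq][0-9A-Fa-f]+)(?:\.smd)? (?P<msg>.*)$")

# Constructed sample: lines 1, 3, 6 and 7 are quoted from the thread; lines 2, 4
# and 5 (the scanner verdicts and the .uue message) are made up, format assumed.
SAMPLE_LOG = """\
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/25/2006 11:46:46.101 q570b9f4500e492b1.smd F-Prot: W32/Kapser.A in Attachments001.BHX
01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
01/26/2006 09:15:02.000 q7a1b2c3d4e5f6071.smd MIME file: report.uue [base64; Length=2048 Checksum=1]
01/26/2006 09:15:02.500 q7a1b2c3d4e5f6071.smd McAfee: W32/MyWife.d@MM in report.uue
01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
"""


def parse_log(text):
    """Split a log excerpt into entries; lines that do not fit the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def encoded_attachment_hits(entries):
    """Entries whose message names an encoded-attachment extension (egrep equivalent)."""
    hits = []
    for entry in entries:
        m = ENCODED_RE.search(entry["msg"])
        if m:
            hits.append(dict(entry, ext=m.group(1).upper()))
    return hits


def unexplained_messages(entries):
    """Hits on queue files that no scanner line attributed to a known virus name,
    one entry per queue file (the second AV engine logs the same file again)."""
    explained = {e["qid"].lower() for e in entries
                 if any(name in e["msg"].lower() for name in KNOWN_NAMES)}
    seen, result = set(), []
    for hit in encoded_attachment_hits(entries):
        qid = hit["qid"].lower()
        if qid in explained or qid in seen:
            continue
        seen.add(qid)
        result.append(hit)
    return result


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(encoded_attachment_hits(entries))} log lines mention an encoded attachment")
    for hit in unexplained_messages(entries):
        print(f"review: {hit['ts']} {hit['qid']} .{hit['ext']}  {hit['msg']}")
```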
[Declude.Virus] F-prot exit code 8 and body content
Today I've had a message held as a false positive (unknown virus, exit code 8). F-Prot seems to end with this exit code if there is a password protected zip file attached and in the body is something like password: . This message was definitively no false positive and so I requeued it.

I noticed it due to the low number of postmaster virus warnings I receive, because they are sent to me only if the detected virus is not a forging one. Fortunately this legit message wasn't deleted from the virus folder among thousands of unwanted Netskys and Sobers.

Markus
RE: [Declude.Virus] F-prot exit code 8 and body content
Matt, John, F-Prot is not catching simple e-zips. I supposed it was the password string in the mail body. Now, after an additional test, it turned out that F-Prot is exiting with code 8 if there is an attached e-zip containing .exe files. The mail body seems not to interfere with F-Prot's result.

This is a problem for those who need to allow any extensions in zip files. Maybe we can ask F-Prot if they can change the signatures to catch only exe in e-zips if they are larger than ... Usually legit e-zips should be much larger than 100 kByte.

I wouldn't remove exit code 8 from my configuration because most of the outbreaks in the last year were caught by this exit code before any AV scanner had updated signatures.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 7:17 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] F-prot exit code 8 and body content

I am using viruscode 8 and it is not blocking password protected zips. I think, like Markus said, it is looking for a combination of a password protected zip, an executable and the phrase he listed. Markus, did that attachment have an executable within the zip file?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 10:02 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] F-prot exit code 8 and body content

Markus, I believe that this is something that several of us railed against and tried to get F-Prot to change. Formerly no known viruses would be tagged with an exit code of 8, but then they suddenly started tagging some known viruses this way, essentially requiring us to add that code in for detection. The downside of this is that this exit code also blocks things like encrypted zips. It was a real shame.

It's worth checking to see if F-Prot is tagging more recent known viruses with exit code 8, because if they are no longer doing this, I would assume that turning it off would be wise so long as you had two virus scanners running. Note that I'm not dismissing your primary intention of pointing out the FP issue with virus scanning and a way to deal with it.

Matt

Markus Gufler wrote:

Today I've had a message held as a false positive (unknown virus, exit code 8). F-Prot seems to end with this exit code if there is a password protected zip file attached and in the body is something like password: . This message was definitively no false positive and so I requeued it.

I noticed it due to the low number of postmaster virus warnings I receive, because they are sent to me only if the detected virus is not a forging one. Fortunately this legit message wasn't deleted from the virus folder among thousands of unwanted Netskys and Sobers.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
I'm still on Declude v2.x and am comfortable there. As Don points out, many of us are waiting for v3.x to be utterly stable and to have desired new features before going to it. As the software is maturing, so is much of the userbase; there used to be a lot of early adopters when the releases were coming out fast and furious.

I've been running it on 3 different servers and, except for the strangeness with the declude.cfg file on one of these servers, which was solved by recreating it, I'm very impressed by the stability and performance of v3. The amount of incoming messages is growing rapidly, and so is the number of held viruses and spam. (v3 can process many more messages than the previous versions!) So I'm searching for something simple to clean out all this stuff as fast as it's coming in.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
it this way anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned.

Darrell

Matt writes:

This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail.

Matt

Keith Johnson wrote:

Markus, however, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?

Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know, usually 50% of all incoming messages are spam. We know too that the resource usage of one or two scan engines is way above the entire spam filtering, even if you use 5-6 external applications like Sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they reach the AV engines.

Markus

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
OK, you're right, exactly as you were when HOP was introduced. Such a little feature request was not worth even half of all the messages in this topic. Additionally, the entire Declude staff seems to be on holiday. So I have to write my own post-solution another time.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Saturday, January 28, 2006 5:32 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

A single piece of software can't possibly be all things to all people. I think the best that can be expected is that it reasonably addresses all, or most, of those objectives which the user community shares. It is easy to say that it only costs $xx when it's not your money, the same as it is to say that it will only take 30 lines of code when you don't have to write it, test it, maintain it and fix it when it breaks.

I was the culprit who introduced the HOP feature in Declude a long time ago. It was effective back then in combating dynamic servers in the delivery chain. As intimate as Scott was with his code and with the challenges we all faced, we debated it on and off the list for a long time, before he was convinced it would be a good thing for the entire user community. IOW, he had to see the beef - the evidence, that there was an issue and that it was one which Declude could address effectively.

Scott is gone and Imail has changed, requiring a major overhaul in Declude. Many of the old timers on this list are still NOT running the most current release, due to certain challenges and anomalies. I'm not trying to be a horse's tail or beat you up and there is nothing personal involved. I just think that unless a feature request can be justified with facts, which you admit that yours cannot, that we refrain from distracting the community and particularly the people at Declude.

I'd rather see Declude keep pumping the water out of the bilge to the point they can fix the hull, rather than taking the time to hang a new pennant from the mast. Wouldn't you?

Thanks,

Friday, January 27, 2006, 6:05:46 PM, Markus Gufler [EMAIL PROTECTED] wrote:

MG I have no stats or numbers.
MG Only the fact that AV engines have introduced a "suspicious" category
MG that is catching more and more new outbreaks. Additionally it seems
MG that the scanning process is becoming more and more complex. Each
MG variant (we have up to two-letter versions!) seems to need completely
MG new definitions. Another, more
MG alarming: certain virus signatures seem to catch only a part of one
MG single but polymorphic and encrypted virus variant.
MG Try to send a VB script containing one single call of the
MG filesystem object, even if zipped or with renamed file extension, through some AV engines.
MG DELETEVIRUS ON will delete the entire message and you will have to
MG tell some fairy story to the customer who calls you because he misses some messages.
MG Not deleting messages immediately, as many of us do, is one way.
MG Adding 5 DELETEVIRUSNAME lines in the global.cfg would be a very
MG simple possibility to keep the virus folder clean and small. And I
MG repeat: It should be something very very simple to implement. Anyone
MG who doesn't want or need it could simply not turn it on.
MG Regarding the already existing FORGINGVIRUS DNS lookup feature and
MG a possible enhancement like AUTODELETEKNOWNWORMS.
MG I wouldn't say that I don't trust Declude's FORGINGVIRUS list. But
MG first of all I really want to know what I categorize FORGING and what
MG not on my server. Beside the fact that since we don't send out
MG notifications to customers anymore, my personal FORGINGVIRUS list is
MG simply a good way to filter out 99% of all postmaster notifications,
MG and so a wave of those notifications is an excellent indicator that
MG something new is around that I should give a look.
MG An additional DNS lookup for each held virus in my eyes is not
MG really useful if the number of forging viruses is as small as it is
MG today. OK, it's a nice thing for someone who doesn't want to care for his server daily.
MG Another unclear aspect is how this DNS-based list handles different
MG virus names. We have seen in the last months that there is no more
MG consistent naming between AV companies. Does Declude maintain and
MG serve forging virus names for all AV engines?
MG I still consider Declude my Swiss army knife for handling
MG SMTP traffic and keeping our customer mailboxes usable for the daily
MG work. And even if I know that some tools in my knife can be
MG dangerous I want to have them when it becomes necessary.
MG Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Friday, January 27, 2006 8:24 PM
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
How does AVAFTERJM cut down on work? I thought it only affected the order in which JM and AV ran, and that AV ran each time, regardless of this setting.

The problem I know is when someone is reviewing held spam messages and has the possibility to requeue them. In this case the message will be delivered without being checked by Declude Virus.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
Instead of doing something like that, which will require on-going, hands-on maint, why not just tag to hold those which are identified by the scanner as suspicious or generic and delete the rest?

This is another possible solution, but my intention is to clean my server of messages containing certain viruses. Those are the well-known top viruses like Sober, Netsky and Co. Deleting them immediately, there will remain only a little crowd of viruses and suspicious files. Whatever will happen in the future, I have them on my server and can keep them there also for one or two weeks in case it turns out that some user is missing a legit message. In this case I can find the message in my virus folder on the server and requeue it, even if it was false-positive-identified by some scanner as a fifteen-year-old Tequila virus.

Andrew's idea to parse the virus logfile instead of the content of each virus message is definitively an excellent idea. However, there is a simpler and more efficient possibility if we could delete infected messages by the virus name.

Markus

Wednesday, January 25, 2006, 4:37:28 PM, Markus Gufler [EMAIL PROTECTED] wrote:

MG Maybe someone has already requested it:
MG Why not allow commands like
MG DELETEVIRUSNAME Netsky
MG DELETEVIRUSNAME Bagle
MG ...
MG in the virus.cfg file?
MG I won't and can't delete all viruses on our server because there is
MG always the possibility that a scanner is catching something as
MG "suspicious" or "generic"
MG But commands to delete certain virus names should be very easy to
MG implement and allow us to eliminate 95% of all held viruses on our servers.
MG Markus

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364  Fax: (972) 788-5049
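The requested DELETEVIRUSNAME behaviour as the kind of post-solution Markus says he has to write himself, working from the virus log rather than the content of each held message as Andrew suggested; this is an added example, not Declude's code and not a script from the thread. The log line shape, the sample lines, the virus folder placeholder and the Q<hex>.smd / D<hex>.smd queue file naming are assumptions; a message is deleted only when every scanner named a deletable family and none of them reported a suspicious/generic hit or exit code 8.

```python
"""Purge held virus messages by the virus name the scanners reported.

Added example, not Declude's code and not from the thread. Messages go only
when every verdict names a family on the DELETEVIRUSNAME list; anything a
scanner called suspicious/generic (or F-Prot's unknown-virus exit code 8) stays
on disk so it can be requeued if it turns out to be a false positive.
"""
import os
import re

# Families to delete on sight, one per requested "DELETEVIRUSNAME <name>" line.
DELETE_VIRUS_NAMES = ("netsky", "bagle", "sober", "mytob")

# Verdicts that must stay on disk: heuristic/generic hits and F-Prot's
# "unknown virus" exit code 8 are where the false positives come from.
KEEP_MARKERS = ("suspicious", "generic", "unknown", "exit code 8",
                "heuristic", "bloodhound")

# Assumed line shape: <date> <time> <queuefile>.smd <scanner>: <verdict>
VERDICT_RE = re.compile(
    r"^\S+ \S+ (?P<qid>[Qq][0-9A-Fa-f]+)\.smd (?P<scanner>[^:]+): (?P<verdict>.+)$")

# Placeholder; replace with the Declude virus folder of your own server.
VIRUS_FOLDER = "virus_folder_placeholder"

# Constructed sample virus log (queue ids and verdict text made up for the example).
SAMPLE_VIRUS_LOG = """\
01/27/2006 10:01:02.000 q1a2b3c4d5e6f7081.smd F-Prot: W32/Netsky.P@mm
01/27/2006 10:01:02.200 q1a2b3c4d5e6f7081.smd McAfee: W32/Netsky.p@MM
01/27/2006 10:02:15.000 q2b3c4d5e6f708192.smd McAfee: W32/Bagle.gen
01/27/2006 10:02:15.300 q2b3c4d5e6f708192.smd F-Prot: unknown virus (exit code 8)
01/27/2006 10:03:44.000 q3c4d5e6f70819203.smd F-Prot: W32/Sober.Y@mm
01/27/2006 10:04:01.000 q4d5e6f7081920314.smd McAfee: Generic.dx
01/27/2006 10:05:09.000 q5e6f708192031425.smd F-Prot: W32/Mytob.A@mm
01/27/2006 10:06:30.000 q6f70819203142536.smd Symantec: Bloodhound.Beagle
"""


def collect_verdicts(lines):
    """Map each queue file id (lower-cased) to every verdict any scanner logged for it."""
    verdicts = {}
    for line in lines:
        m = VERDICT_RE.match(line.strip())
        if m:
            verdicts.setdefault(m.group("qid").lower(), []).append(m.group("verdict"))
    return verdicts


def classify(verdict_list):
    """"delete" only if every scanner named a deletable family and none of them
    flagged the file as suspicious/generic; otherwise "keep" for manual review."""
    if not verdict_list:
        return "keep"
    for verdict in verdict_list:
        low = verdict.lower()
        if any(marker in low for marker in KEEP_MARKERS):
            return "keep"
        if not any(name in low for name in DELETE_VIRUS_NAMES):
            return "keep"
    return "delete"


def select_for_deletion(lines):
    """Queue file ids whose held message can go, sorted for stable output."""
    return sorted(qid for qid, vs in collect_verdicts(lines).items()
                  if classify(vs) == "delete")


def queue_file_paths(folder, qid):
    """The Q... envelope file and its D... data file for one queue id (assumed naming)."""
    hex_part = qid[1:]
    return [os.path.join(folder, prefix + hex_part + ".smd") for prefix in ("q", "d")]


def purge_virus_folder(folder, lines, dry_run=True):
    """Remove (or, by default, only list) the queue files selected for deletion."""
    touched = []
    for qid in select_for_deletion(lines):
        for path in queue_file_paths(folder, qid):
            if os.path.isfile(path):
                if not dry_run:
                    os.remove(path)
                touched.append(path)
    return touched


if __name__ == "__main__":
    lines = SAMPLE_VIRUS_LOG.splitlines()
    for qid, vs in collect_verdicts(lines).items():
        print(f"{qid}: {classify(vs):6}  {'; '.join(vs)}")
    print("would remove:", purge_virus_folder(VIRUS_FOLDER, lines))
```

Run it against a real virMMDD.log with dry_run=True first and compare the listed queue ids with the virus folder before switching deletion on.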
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
aren't you out hunting mosquitos with hand grenades?

If the mosquito is a very nasty but important customer, it's better using tanks, MGs and whatever you can organize in order to prevent painful stings...

On a day like today I could turn on DELETEVIRUSES with nearly zero risk in order to keep the server disk clean. But what happens if tomorrow it turns out that one of the scan engines has caught many legit messages as viruses due to a new buggy signature, or because a legit message unexpectedly contains something suspicious? How do you explain to customers that the messages are already deleted?

F-Prot's exit code 8 (suspicious files) has caught a lot of new unknown viruses before signatures were available. So I use this exit code in my config to hold messages. But suspicious could also be something legit we don't know at the moment.

As I can understand, a feature like DELETEVIRUSNAME wouldn't require more than 30 lines of code and 3 hours of work, and it would eliminate any need for own scripts on each server. This is not what I consider a hand grenade...

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know, usually 50% of all incoming messages are spam. We know too that the resource usage of one or two scan engines is way above the entire spam filtering, even if you use 5-6 external applications like Sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they reach the AV engines.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic
Then you maybe should keep AUTODELETEKNOWNWORMS OFF.

My fear is not really having false positives with real viruses. The suspicious exit code seems dangerous to me for having false positives. So the big part of definitively known, forging, 100% unwanted and programmatically created virus messages can be deleted, keeping a small part of virus messages on the disk for some (more) days.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, January 27, 2006 7:09 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

I thought that AV false positives can occur with definitions for known virus names. In other words, if a message gets tagged as Bagle, it might be legit 0.1% of the time. So would this really be a complete solution?

Matt

Colbeck, Andrew wrote:

Markus would find this handy (as would other die-hards who are often seen to post in this forum) and would be willing to maintain a small list of entries for which he would like this behaviour.

However, in addition to the FORGINGVIRUS DNS lookup feature that Declude already implements*, perhaps they would be interested in also implementing a DNS lookup feature for known virus names that customers could just delete out of hand. This would of course require ongoing maintenance on their part, and trust from their customers. Declude would provide a new switch to govern this behaviour, which would default to OFF, e.g.

AUTODELETEKNOWNWORMS ON

Thus, Markus would be satisfied with being able to manually pick and choose which virus families to delete, and administrators who want less hands-on involvement could turn ON this feature to save disk space.

*The existing feature exists to skip email notification when the scanner engine returns the name of a known virus/worm that Declude knows forges the MAILFROM. The FORGINGVIRUS x feature is a manual version of this feature that lets the Declude customer add in more viruses.

As far as I know, Declude.com does not keep a public list of the virus names that they test for via DNS. Please correct me if I'm wrong on any of this.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 2:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it:
Why not allow commands like

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file? I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as "suspicious" or "generic". But commands to delete certain virus names should be very easy to implement and allow us to eliminate 95% of all held viruses on our servers.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
I have no stats or numbers. Only the fact that AV engines have introduced a suspicious category that is catching more and more new outbreaks. Additionally it seems that the scanning process is becoming more and more complex. Each variant (we have up to two-letter versions!) seems to need completely new definitions. Another, more alarming: certain virus signatures seem to catch only a part of one single but polymorphic and encrypted virus variant. Try to send a VB script containing one single call of the FileSystemObject, even if zipped or with renamed file extension, through some AV engines.

DELETEVIRUS ON will delete the entire message and you will have to tell some fairy story to the customer who calls you because he misses some messages. Not deleting messages immediately, as many of us do, is one way. Adding 5 DELETEVIRUSNAME lines in the global.cfg would be a very simple possibility to keep the virus folder clean and small. And I repeat: it should be something very, very simple to implement. Anyone who doesn't want or need it could simply not turn it on.

Regarding the already existing FORGINGVIRUS DNS lookup feature and a possible enhancement like AUTODELETEKNOWNWORMS: I wouldn't say that I don't trust Declude's FORGINGVIRUS list. But first of all I really want to know what I categorize as FORGING and what not on my server. Besides the fact that since we don't send out notifications to customers anymore, my personal FORGINGVIRUS list is simply a good way to filter out 99% of all postmaster notifications, and so a wave of such notifications is an excellent indicator that something new is around that I should give a look. An additional DNS lookup for each held virus in my eyes is not really useful if the number of forging viruses is as small as it is today. OK, it's a nice thing for someone who doesn't want to care for his server daily. Another unclear aspect is how this DNS-based list handles different virus names. We have seen in the last months that there is no more consistent naming between AV companies. Does Declude maintain and serve forging virus names for all AV engines?

I still consider Declude my Swiss army knife for handling SMTP traffic and keeping our customer mailboxes usable for the daily work. And even if I know that some tools in my knife can be dangerous, I want to have them when it becomes necessary.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Friday, January 27, 2006 8:24 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

There is no perfect Spam or Virus system. There will either be false positives, missed Spam or Viruses, or a combination of both. Therefore, if the customer is expecting absolute perfection, then I think the problem is one of a customer with unrealistic expectations. You said, "what happens if tomorrow turns out that scan engines have caught many legit messages as viruses due to a new buggy signature". Well, then you need to HOLD ALL messages tagged as containing a virus, if you are that anal about it, and that makes your original point moot. For instance, you've solved nothing if you had Bagle hard coded to be deleted and that was the buggy one in the signature file. How often does this really happen - does it happen more than 1% of the time? It hasn't shown to be an issue in our case, but I think we'd all be interested in your statistics which show it as a significant exposure to false positives. You said, "or because a legit message unexpectedly contains something suspicious". My previous comment was to hold all of those tagged as suspicious. Do you have good statistics on these, which show a significant false positive rate? I think we'd all be interested in your findings . . .

Thanks,

Friday, January 27, 2006, 10:56:56 AM, Markus Gufler [EMAIL PROTECTED] wrote:

aren't you out hunting mosquitos with hand grenades?

MG If the mosquito is a very nasty but important customer it's better using tanks, MGs and whatever you can organize in order to prevent painful stings...
MG On a day like today I could turn on DELETEVIRUSES with nearly zero risk in order to keep the server disk clean. But what happens if tomorrow turns out that one of the scan engines has caught many legit messages as viruses due to a new buggy signature or because a legit message unexpectedly contains something suspicious. How do you explain to customers that the messages are already deleted?
MG F-Prot's exit code 8 (suspicious files) has caught a lot of new unknown viruses before signatures were available. So I use this exit code in my config to hold messages. But suspicious could also be something legit we don't know at the moment.
MG As I can understand a feature like DELETEVIRUSNAME wouldn't require more than 30 lines of code and 3 hours of work
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
But if we are cycling the held viruses on an x-day basis, (my cycle is 5 days,) why would that be needed?

5 days x 2 viruses x 2 (d q-file) = 200k files. Around 99% of these files contain the same 5 types of malware that are stored, moved and defragmented unnecessarily. I asked only because, as I understand it, it should be very easy and unproblematic to add such a feature.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
As a workaround until and if Declude adds the requested feature, you could write a script to search the files on a timed basis for a phrase (virus name) and have it delete them.

Do you mean this script on my disk that creates one hour of 100% CPU usage each day?

Markus
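As an added example (not Declude code, and not part of any post in this thread), this is what the DELETEVIRUSNAME behaviour argued over above looks like as a policy over held messages: listed families go at once, heuristic verdicts such as F-Prot's exit code 8 or "generic" are never auto-deleted and simply expire with the normal hold cycle. The log line format, the queue ids, the timestamps and the family list are constructed for the example; real Declude virus.log lines differ. The name match is a case-insensitive substring test, the same way FORGINGVIRUS WORM is used later in this page to cover WORM_GREW.A.

```python
"""Age-out policy for a held-virus folder, keyed on the scanner's result.

Added example; not Declude code. It models the DELETEVIRUSNAME directive
requested in this thread: results naming a listed worm family are deleted
immediately, heuristic results ("suspicious", "generic", F-Prot exit code 8)
are never auto-deleted but expire after the normal hold period. The log
line format is constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed configuration modelled on the virus.cfg directives named in the thread.
DELETEVIRUSNAME = ("Netsky", "Bagle", "MyDoom", "Sober", "Mytob")
HOLD_DAYS = 5  # the 5-day cycle mentioned in the thread
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Heuristic verdicts: hold, never auto-delete (this is where false positives live).
UNCERTAIN = re.compile(r"suspicious|generic|unknown|heuristic|exit code 8", re.I)

# Constructed format: "<YYYY-MM-DD HH:MM:SS> <queue id> <scanner>: <result>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<qid>Q\w+) (?P<scanner>[^:]+): (?P<result>.+)$"
)


@dataclass
class Held:
    qid: str
    ts: datetime
    scanner: str
    result: str


def parse_log(text):
    """Parse constructed log lines; lines that do not match are skipped."""
    items = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            items.append(Held(m["qid"], datetime.strptime(m["ts"], TS_FMT),
                              m["scanner"], m["result"]))
    return items


def decide(item, now, delete_names=DELETEVIRUSNAME, hold_days=HOLD_DAYS):
    """Return 'delete', 'hold' or 'expire' for one held message."""
    expired = now - item.ts >= timedelta(days=hold_days)
    if UNCERTAIN.search(item.result):
        return "expire" if expired else "hold"      # heuristics: retention only, never delete
    result = item.result.lower()
    # Case-insensitive substring match, as FORGINGVIRUS entries are used in the thread.
    if any(name.lower() in result for name in delete_names):
        return "delete"
    return "expire" if expired else "hold"


def plan(log_text, now, **kw):
    """Map queue id -> decision; now is a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    return {item.qid: decide(item, now, **kw) for item in parse_log(log_text)}


# Constructed sample lines (queue ids and timestamps invented for the example).
SAMPLE_LOG = """\
2006-01-27 09:12:01 Q3A1 F-Prot: W32/Netsky.P@mm
2006-01-27 09:13:44 Q3A2 F-Prot: suspicious file (exit code 8)
2006-01-22 18:40:34 Q3A3 AVG: I-Worm/Bagle
2006-01-24 11:05:10 Q3A4 F-Prot: security risk named W32/Mitglieder.GH
2006-01-20 08:00:00 Q3A5 Kaspersky: Trojan.generic
"""

if __name__ == "__main__":
    for qid, action in plan(SAMPLE_LOG, "2006-01-27 12:00:00").items():
        print(qid, action)
```

The decision is made once per line rather than by grepping every held file, which is the CPU cost objected to above; only the Netsky and Bagle hits are deleted, the Mitglieder detection (not on the list) and the exit-code-8 hit are kept for the full cycle.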
RE: [Declude.Virus] Virus Feebs variant warning
This is still the most significant limit in Declude EVA's extension banning. As long as we can't specify different BANEXTs for direct attachments and in-archive attachments, many of us can't enable BANZIPEXTS.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Thursday, January 26, 2006 3:24 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Virus Feebs variant warning

I thought about it but the thing is that if I use BANZIPEXTS it will check and ban all the extensions banned by BANEXT (hta is a BANEXT already). Then I might be catching lots of emails that my legit users are sending in zip files, like a .exe file. Nevertheless I am still considering that option.

Luis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Wednesday, January 25, 2006 08:34 p.m.
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Virus Feebs variant warning

Why not catch it with less resources via banning hta files and BANZIPEXTS and BANEZIPEXTS?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Wednesday, January 25, 2006 4:56 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Virus Feebs variant warning

I just got a message from a gmail account (forged) with a data.zip attached. It has a hta file inside.

Subject: Secure Mail
The body says:
ID: 46271
Password: zgbvndwdx
Message is attached.
Sincerely,
Protected Mail System,
Gmail.com

Using virustotal.com it is only caught by very few companies.

This is a report processed by VirusTotal on 01/26/2006 at 01:38:32 (CET) after scanning the file "data.zip".

Antivirus          Version          Update      Result
AntiVir            6.33.0.77        01.25.2006  no virus found
Avast              4.6.695.0        01.25.2006  no virus found
AVG                718              01.25.2006  Worm/Feebs
Avira              6.33.0.77        01.25.2006  no virus found
BitDefender        7.2              01.26.2006  no virus found
CAT-QuickHeal      8.00             01.25.2006  no virus found
ClamAV             devel-20051123   01.26.2006  no virus found
DrWeb              4.33             01.25.2006  Win32.HLLM.Graz
eTrust-InoculateIT 23.71.60         01.25.2006  no virus found
eTrust-Vet         12.4.2056        01.25.2006  Win32/Feeb!ZIP
Ewido              3.5              01.25.2006  no virus found
Fortinet           2.54.0.0         01.26.2006  JS/Feebs.fam-mm
F-Prot             3.16c            01.25.2006  no virus found
Ikarus             0.2.59.0         01.25.2006  no virus found
Kaspersky          4.0.2.24         01.25.2006  Worm.Win32.Feebs.gen
McAfee             4682             01.25.2006  no virus found
NOD32v2            1.1380           01.25.2006  JS/TrojanDownloader.Tivso.gen
Norman             5.70.10          01.25.2006  JS/[EMAIL PROTECTED]
Panda              9.0.0.4          01.25.2006  no virus found
Sophos             4.01.0           01.25.2006
RE: [Declude.Virus] New Virus?
I've seen many of this Kapser.A today. I've added it to the forging virus list and (oops) forgot to write it on the Declude.Virus list. As we can see more and more that AV companies have forgotten how to call one virus by one name, we should maybe begin to enhance their naming convention by an initial name of the AV company. Something like: F-Prot W32/[EMAIL PROTECTED]

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 17, 2006 11:21 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
to your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-Prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] New Virus?
That's exactly how I use the notifications.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Wednesday, January 18, 2006 12:48 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see. Recently, we had a single "macro virus" type issue, and that was where an HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachment, the message was internally re-queued for the user. I can barely remember the incident before that. The notifications always turn out to be flagging a new worm.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 3:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus?

Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses... it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected, if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated, and avoid notifying them for fear of creating backscatter.

Matt

Colbeck, Andrew wrote:
A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
to your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-Prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] Virus Feebsa
Can't find anything about Feebsa on vil.nai.com and the F-Prot virus info page.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, December 20, 2005 6:54 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Virus Feebsa

Great news, not. Anyone know if F-Prot or AVG or BitDefender is catching this yet? http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
Hi Kami, (Nice to read you)

As suggested the best path at the moment could be: BANZIPEXTS ON

Yes this is necessary and unfortunately we still can't choose to block only certain extensions within zip files out of all the extensions we block as direct attachments. Something like BANZIPEXT exe would be a very useful feature, because with the current list of recommended BANEXTs and BANZIPEXTS ON no users can send or receive legit packed file attachments like application updates. And again most AV engines have shown that they are no longer fast enough :-/

Markus
[Declude.Virus] Another new Bagle/Mitglieder variant
Not all scanners seem to catch it right now.

This is a report processed by VirusTotal on 12/15/2005 at 16:35:59 (CET) after scanning the file "Stephen.zip".

Antivirus     Version        Update      Result
AntiVir       6.33.0.61      12.15.2005  TR/Bagle.Gen.B
Avast         4.6.695.0      12.14.2005  no virus found
AVG           718            12.14.2005  no virus found
Avira         6.33.0.61      12.15.2005  TR/Bagle.Gen.B
BitDefender   7.2            12.15.2005  Trojan.Bagle.BK
CAT-QuickHeal 8.00           12.15.2005  I-Worm.Bagle.gen
ClamAV        devel-20051108 12.15.2005  Trojan.Bagle.BN
DrWeb         4.33           12.15.2005  no virus found
eTrust-Iris   7.1.194.0      12.15.2005  Win32/Bagle.AntiTroj!Downloader
eTrust-Vet    12.3.3.0       12.15.2005  no virus found
Fortinet      2.54.0.0       12.15.2005  suspicious
F-Prot        3.16c          12.15.2005  security risk named W32/Mitglieder.GU
Ikarus        0.2.59.0       12.15.2005  no virus found
Kaspersky     4.0.2.24       12.15.2005  no virus found
McAfee        4650           12.14.2005  no virus found
NOD32v2       1.1324         12.15.2005  Win32/Bagle.DR
Norman        5.70.10        12.15.2005  W32/Downloader
Panda         8.02.00        12.14.2005  no virus found
Sophos        4.00.0         12.15.2005  no virus found
Symantec      8.0            12.15.2005  no virus found
TheHacker     5.9.1.055      12.14.2005  no virus found
VBA32         3.10.5         12.15.2005  Trojan-Downloader.Win32.Bagle.f
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
www.virustotal.com (see my previous posting for results)

At the moment I consider blocking, at least temporarily, exe in zips and updating the virus definitions.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Thursday, December 15, 2005 4:26 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Where to send exe's to check if they are a virus?

Hi,

I am getting a bunch of exe in zip files being banned right now. I have grabbed one of them; it is called marie.zip and has a single exe in it called s3700020.exe, and when you put it on your desktop it has the standard jpeg icon associated with it. My F-Prot, McAfee and Symantec scanners are not finding a virus. Where is the place that you can send it to and have it checked out by a ton of virus scanners?

Thanx

Goran Jovanovic
Omega Network Solutions
[Declude.Virus] New bagle
There is a new Bagle variant around here. F-Prot is catching it as a suspicious file. AVG does not catch it. Most other scanners have updates. The message is coming with two file attachments. The first is a small .bmp file, the second one a zip file with different names containing a .txt and a .exe file.

Markus
[Declude.Virus] Ircbot2 forging
It seems to be a virus with low prevalence but today I've had a case with many virus warnings to forged recipient addresses due to one infected client.

FORGINGVIRUS Ircbot2.gen
or for Sophos
FORGINGVIRUS Forbot-FO

Markus
RE: [Declude.Virus] Another Sober out. (= idea)
Thank you John but, BANNAME mailtext.zip ... is this really the only name used by this variant?

I'm feeling a little bit bad while adding and adding BANNAMEs to the virus.cfg file. First, as said yesterday, I feel there are many, many BANNAME entries that are no longer accurate or spreading in the wild and so are unnecessary load in my and our config files. Second, it's always two steps behind if we have to adapt our config files manually after someone else has discovered a new variant.

Wouldn't it be possible to write a junkmail external test, or maybe also an AV engine, that does nothing else than looking at a central database for filenames that are suspicious? I'm not 100% familiar with the ip4r/RBL technique but why not set up a DNS server containing TLD zones like .zip .exe .com? Then some of us can act as operators and add additional zones like mailtext. Looking at the case two days ago that I reported with the new Bagle variant, it would also be possible to add something like
1.exe.ester.zip
12.exe.ester.zip
1.exe.emanuel.zip
...
or maybe also with wildcards like *.exe.mailtext.zip

By having bitmasked result codes it would maybe also be possible to have entries like *.exe*.zip with a suspicious result code and other more concrete definitions with an accurate result code, so admins can use it as they want. Our administrative work should decrease while new BANNAME definitions will be available as soon as the first of the operators detects and adds them to the database. Plus, having one (or more replicated) central points we should be able to notice a relatively high increase of requests for exe in zips and so know that something seems to be going on.

What do you think?

My opinion is that last week AV companies showed that they are not able to provide accurate detection quality.

Markus
RE: [Declude.Virus] Another Sober out. (= idea)
I am scanning for viruses first. I block executables within zips.

Yes I know you can do this. But on my systems banning exe in zips is like having a restaurant where people can eat but drinking is not allowed.

Markus
RE: [Declude.Virus] Another Sober out. (= idea)
Well, I would say it is more like a restaurant but you can not get blow fish, alcohol, cigarettes, 10 lbs of greasy French fries, etc.

Yes, and in my case as alcohol is prohibited you can't have an excellent glass of wine either. Some of our customers and partners are providing application updates inside zip files. So we need something to exclude certain recipients from EXEZIP extensions, or another system allowing us to block files that are not known by the AV engines.

By banning certain suspicious file names maybe it would be better to use it within junkmail and then add a big fat "ATTENTION: ATTACHED FILE SEEMS TO BE A DANGEROUS VIRUS" in the subject line. This for file names where we can't be sure (based on the file name) that it's really a virus. Imagine these guys send out the next wave of viruses not with attachments like your-password.zip or pamela.zip and go using names like update.zip, data.zip or setup.zip. Yes I know you will block this by the exe inside the zip. But I unfortunately can't do this and I can't block such filenames either.

Markus
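The Feebs thread above (data.zip with an .hta inside), the "Where to send exe's" post and this one all run into the same limit: BANZIPEXTS applies the whole BANEXT list inside archives, and there is no way to exempt the recipients who legitimately receive packed executables. As an added example, not Declude code and not something any poster wrote, here is that policy in Python with a separate, narrower in-archive list (the BANZIPEXT <ext> asked for above) and a per-recipient exemption. The extension lists, the exempt address updates@example.com and the sample archives are all constructed for the example.

```python
"""Separate ban lists for direct attachments and for files inside zip
archives, plus a per-recipient exemption for packed executables.

Added example; not Declude code. BANZIPEXT as a per-extension directive
and the recipient exemption are the features requested in the thread,
not existing ones. Lists and the exempt address are constructed.
"""
import io
import posixpath
import zipfile

BANEXT = {"exe", "scr", "pif", "com", "cpl", "bat", "hta", "vbs"}  # direct attachments
BANZIPEXT = {"exe", "scr", "pif", "hta"}                           # inside archives (narrower list)
# Hypothetical exemption: these mailboxes may receive packed executables (vendor updates).
ZIP_EXE_ALLOWED_RCPT = {"updates@example.com"}


def ext_of(name):
    """Lower-case final extension of a (possibly path-qualified) file name."""
    base = posixpath.basename(name.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def inspect_zip(zip_bytes, recipient):
    """Return member names that violate the in-archive policy for this recipient.

    Only the central directory is read. Member names stay visible even in a
    password-protected zip (zip encryption covers file data, not names), so the
    extension check still works on the protected archives some Bagle variants sent.
    """
    hits = []
    exempt = recipient.lower() in ZIP_EXE_ALLOWED_RCPT
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                e = ext_of(info.filename)
                if e in BANZIPEXT and not exempt:
                    hits.append(info.filename)
                elif e == "zip":
                    # Not recursing here; a nested archive would bypass the policy, so flag it.
                    hits.append(info.filename + " (nested archive)")
    except zipfile.BadZipFile:
        hits.append("(unreadable archive)")  # cannot verify contents: fail closed
    return hits


def check_message(attachments, recipient):
    """attachments: list of (filename, bytes). Returns {filename: [reasons]}; empty when clean."""
    findings = {}
    for fname, data in attachments:
        reasons = []
        if ext_of(fname) in BANEXT:
            reasons.append("BANEXT " + ext_of(fname))
        if ext_of(fname) == "zip":
            reasons += ["BANZIPEXT " + h for h in inspect_zip(data, recipient)]
        if reasons:
            findings[fname] = reasons
    return findings


def make_zip(members):
    """Build a zip in memory from {name: bytes}; used only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a vendor update and a Feebs-style "Secure Mail" data.zip with an .hta inside.
UPDATE_ZIP = make_zip({"readme.txt": b"release notes", "setup.exe": b"MZ constructed stub"})
FEEBS_ZIP = make_zip({"message.hta": b"<script>constructed</script>"})

if __name__ == "__main__":
    print(check_message([("update.zip", UPDATE_ZIP)], "user@example.com"))
    print(check_message([("update.zip", UPDATE_ZIP)], "updates@example.com"))
    print(check_message([("data.zip", FEEBS_ZIP), ("price.exe", b"MZ")], "user@example.com"))
```

The same update.zip is banned for an ordinary mailbox and passed for the exempt one, while the .hta-in-zip sample is caught for everyone because the in-archive list still carries hta; an archive that cannot be parsed is treated as banned rather than waved through.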
RE: [Declude.Virus] Another Sober out. (= idea)
Seems like AV companies need to start using more advanced pattern matching to catch these variants, rather than relying on specific signatures.

It's only a question of time until AV engines will run a virtual PC sandbox and let the suspicious file start inside it. If certain actions are taken, like outgoing SMTP connections, registry changes, changes in the %windir% directory structure, it's very suspicious.

Regarding the BANNAME-DNS idea: First of all, in my opinion it should be replicable across multiple servers in order to avoid failures due to overload and DDoS attacks. Adding additional file properties like file size and CRC checksums is a good idea. Who has the knowledge to set up such a DNS structure? Who can develop an external test that is able to extract all attached file names (full MIME type support needed, or based on the temporary directory created by Declude.Virus)? Should it be an external test for d.junkmail in order to have many more possibilities, or should it act like an AV scan engine with simple result codes and a report file that is able to give the feedback as a virus name like "file ... is a possible virus"?

Markus
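The DNS-based BANNAME list sketched in the two posts above, as an added example that is not Declude code and describes no existing service. Attachment name, inner file name and (taking up the file-property suggestion) the inner member's CRC-32 become labels of the query name, wildcards behave like DNS leading-label wildcards, and the last octet of the A record carries bit flags so an admin can treat "exe inside any zip" differently from "exact sample seen in an outbreak". The zone name banname.example, the flag values, the zone entries and the in-process resolver are all constructed so the code runs offline.

```python
"""Filename lookup zone for banned attachment names, modelled as a DNS list.

Added example; not Declude code and not an existing service. Queries go
from most to least specific: <crc32>.<inner>.<outer>, <inner>.<outer>,
<innerext>.<outerext>, all under a hypothetical zone. The A record's last
octet is a bitmask (constructed scheme). The resolver is emulated.
"""
import io
import posixpath
import re
import zipfile
import zlib

ZONE_SUFFIX = "banname.example"     # hypothetical zone
FLAG_SUSPICIOUS = 1                 # generic pattern (exe inside zip): score or hold
FLAG_KNOWN_NAME = 2                 # filename an operator saw in a live outbreak: ban
FLAG_CRC_MATCH = 4                  # exact sample: name and CRC-32 both match


def dns_label(name):
    """Basename, lower-cased, with anything that is not a legal label character replaced."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    return re.sub(r"[^a-z0-9.-]", "-", base).strip(".-")


def ext_of(name):
    parts = dns_label(name).rsplit(".", 1)
    return parts[1] if len(parts) == 2 else "noext"


def owner_names(outer, inner, crc=None):
    """Query names from most to least specific."""
    names = []
    if crc is not None:
        names.append(f"{crc:08x}.{dns_label(inner)}.{dns_label(outer)}.{ZONE_SUFFIX}")
    names.append(f"{dns_label(inner)}.{dns_label(outer)}.{ZONE_SUFFIX}")
    names.append(f"{ext_of(inner)}.{ext_of(outer)}.{ZONE_SUFFIX}")
    return names


def resolve(name, zone):
    """Emulate an A lookup with DNS-style leading-label wildcards; None means NXDOMAIN."""
    if name in zone:
        return int(zone[name].rsplit(".", 1)[1])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return int(zone[wild].rsplit(".", 1)[1])
    return None


def check_zip_attachment(outer_name, zip_bytes, zone):
    """OR together the flags of every member. The CRC comes from the central
    directory, so nothing is extracted and a password-protected zip still yields it."""
    flags, hits = 0, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for q in owner_names(outer_name, info.filename, info.CRC):
                r = resolve(q, zone)
                if r is not None:
                    flags |= r
                    hits.append(q)
    return flags, hits


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample and zone. The first entry pins one exact sample (name + CRC-32).
SAMPLE_EXE = b"MZ constructed stand-in for the 1.exe dropper"
ZONE = {
    f"{zlib.crc32(SAMPLE_EXE):08x}.1.exe.ester.zip.{ZONE_SUFFIX}": "127.0.0.6",
    f"*.exe.mailtext.zip.{ZONE_SUFFIX}": "127.0.0.2",   # any exe inside mailtext.zip
    f"exe.zip.{ZONE_SUFFIX}": "127.0.0.1",             # generic: exe inside any zip
}

if __name__ == "__main__":
    print(check_zip_attachment("Ester.zip", make_zip({"1.exe": SAMPLE_EXE}), ZONE))
    print(check_zip_attachment("mailtext.zip", make_zip({"text.exe": b"MZ other"}), ZONE))
    print(check_zip_attachment("photos.zip", make_zip({"holiday.jpg": b"JFIF"}), ZONE))
```

Because flags are OR-ed, a pinned Ester.zip/1.exe sample answers 7 (generic, known name and CRC), an unknown exe inside mailtext.zip answers 3, and a jpg inside a zip gets NXDOMAIN on every query; a real deployment would publish the zone on several replicated servers, as the post asks, and rate-limit or log bursts of exe.zip queries as the outbreak indicator it describes.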
[Declude.Virus] BANNAMEs in log file
Would it be possible to have one line in the MID logfile for each banned filename?

For example, if I have
BANNAME price.com
BANNAME price.scr
BANNAME price.exe
BANNAME price.cpl
BANNAME joke.com
BANNAME joke.scr
BANNAME joke.exe
BANNAME joke.cpl
in my virus.cfg file, it would be nice to have lines like
BANNAME price.exe <filesize in kB>
in the logfiles. So I can
A.) easily create reports for currently active banned filenames and so remove inactive names from the config file
B.) check if "BANNAME price.exe 120" maybe was a false positive because it has a filesize of 1.2 MB

Markus
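The report this post asks for, as an added example (not Declude code). Declude did not write such lines when this was posted, so the per-file log format "BANNAME <filename> <size kB>" is constructed to match the request, as are the queue ids, the sample lines and the 200 kB size threshold; the BANNAME list is the one from the post.

```python
"""Report on BANNAME hits from per-file log lines of the kind requested here.

Added example; not Declude code. The line format is the one the post asks
for, constructed for the example. The report answers the post's two
questions: which configured BANNAMEs still fire (so the rest can be
pruned) and which hits are far bigger than a mass-mailer should be.
"""
import re
from collections import Counter

# Constructed format: "<MM/DD/YYYY> <HH:MM:SS> <queue id> BANNAME <filename> <size kB>"
LINE_RE = re.compile(r"^\S+ \S+ (?P<qid>Q\w+) BANNAME (?P<name>\S+) (?P<kb>\d+)$")

# The BANNAME block from the post, as the configured list.
VIRUS_CFG = """
BANNAME price.com
BANNAME price.scr
BANNAME price.exe
BANNAME price.cpl
BANNAME joke.com
BANNAME joke.scr
BANNAME joke.exe
BANNAME joke.cpl
"""


def configured_bannames(cfg_text):
    """Filenames from BANNAME lines, in config order, lower-cased."""
    return [line.split(None, 1)[1].strip().lower()
            for line in cfg_text.splitlines()
            if line.strip().upper().startswith("BANNAME ")]


def parse_hits(log_text):
    """Yield (qid, filename, kb) for every line in the constructed format; others are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["qid"], m["name"].lower(), int(m["kb"])


def report(cfg_text, log_text, max_kb=200):
    """Return (hits per name, configured names with no hits, oversize hits).

    max_kb is an assumption: the mass-mailers of the day were a few tens of kB,
    so a price.exe of 1.2 MB deserves a look before it is deleted.
    """
    names = configured_bannames(cfg_text)
    counts = Counter()
    oversize = []
    for qid, name, kb in parse_hits(log_text):
        counts[name] += 1
        if kb > max_kb:
            oversize.append((qid, name, kb))
    inactive = [n for n in names if counts[n] == 0]
    return dict(counts), inactive, oversize


# Constructed sample log (queue ids invented); the last line is a scanner hit, not a BANNAME.
SAMPLE_LOG = """\
01/17/2006 09:01:12 Q1001 BANNAME price.exe 22
01/17/2006 09:02:40 Q1002 BANNAME price.exe 1200
01/17/2006 09:05:03 Q1003 BANNAME joke.scr 21
01/17/2006 09:07:55 Q1004 BANNAME price.exe 22
01/17/2006 09:09:10 Q1005 F-Prot: W32/Netsky.P@mm
"""

if __name__ == "__main__":
    counts, inactive, oversize = report(VIRUS_CFG, SAMPLE_LOG)
    print("active:", counts)
    print("inactive (prune candidates):", inactive)
    print("oversize (check before deleting):", oversize)
```

Run daily over the log, the inactive list is exactly the set of BANNAME lines that can be retired, and the oversize list is the set of held messages worth opening before a DELETEVIRUS-style policy removes them.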
RE: [Declude.Virus] how is Declude 3.x?
IMail 8.15 and Declude 1.82 here.

We will wait for SmarterMail 3, then compare it with IMail 2006 and then set up a complete new box with Declude v3.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Thursday, November 24, 2005 9:49 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] how is Declude 3.x?

Totally agree with you there, Sandy. We're trying to decide whether to renew the service agreement. We paid for a year and haven't upgraded at all due to the stability problems and bugs with 2.x and 3.x, though we are considering upgrading to IMail 2006 and 3.0 soon. Things seem to have settled down a bit. What are you running? 2.06 with IMail 8.15? We're still running IMail 8.05 and 1.82 currently.

Darin.

- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Thursday, November 24, 2005 3:23 PM
Subject: Re: [Declude.Virus] how is Declude 3.x?

3.0.5y.20 on IMail running fine here.

I think it would be helpful if 3.0.x adopters could mention IMail/SmarterMail version, Windows OS version, msgs/day, and which (publicly available) external tests they're running. I honestly thought, after the rash of buggy releases and seemingly insufficient internal testing, that I would not deploy 3.0.x for several months, if ever. I'm sure I'm not alone.

--Sandy

--
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
mailto:[EMAIL PROTECTED]
RE: [Declude.Virus] OT: Virus Backscatter
Not OT, or?

Some months ago there was a similar situation. I've set up a combination of 3 junkmail text filters. The first identifies such warning messages by looking for strings like "found", "identified", "removed" ... The second one looks for items like "virus", "worm", "attach", "file" ... The last one looks for virus names like Sober, Netsky, ... Then there is one additional text filter which looks for certain combinations of the 3 other filters.

The filter files are, for my needs here, in English, German, Italian and some in Spanish too. If you need them I can send them to you directly or on the junkmail list.

BTW: these days I can't notice such wide backscatter as some months ago. At the moment I've disabled these filters.

Markus
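The three-filters-plus-combination idea from the post above, written out as a small classifier so the scoring logic is visible. This is an added illustration, not Markus's filter files and not Declude's filter format; the keyword groups, weights, threshold and the three sample messages are all constructed for the example.

```python
"""Backscatter classifier modelled on three keyword filters plus a combination
filter: one group for the wording of an AV warning, one for the infected object,
one for names of forging viruses (a bounce naming them is never a real reply).
Added example; keyword lists, weights and samples are constructed."""
import re

# Group 1: wording of an AV warning or bounce (English and German samples)
WARNING_WORDS = ("found", "identified", "removed", "detected", "quarantine",
                 "gefunden", "entfernt")
# Group 2: what was supposedly found
OBJECT_WORDS = ("virus", "worm", "attach", "file", "anhang", "datei")
# Group 3: mass-mailers known to forge the sender address
FORGING_NAMES = ("sober", "netsky", "bagle", "mydoom", "mytob", "klez")

WEIGHTS = {"warning": 2, "object": 2, "name": 3}
COMBINATION_BONUS = 10   # the "combination filter": two or more groups hit
THRESHOLD = 10

_WORD = re.compile(r"[a-zäöüß]+", re.IGNORECASE)


def _hits(words, group):
    # prefix match so "attach" also covers "attachment", "file" covers "files"
    return any(w.startswith(k) for w in words for k in group)


def filter_hits(text):
    """Which of the three keyword filters match the given text."""
    words = {w.lower() for w in _WORD.findall(text)}
    return {"warning": _hits(words, WARNING_WORDS),
            "object": _hits(words, OBJECT_WORDS),
            "name": _hits(words, FORGING_NAMES)}


def score_backscatter(subject, body):
    """Return (weight, hits). Each keyword filter alone is weak evidence; the
    combination filter adds its bonus only when at least two of them matched."""
    hits = filter_hits(subject + "\n" + body)
    weight = sum(WEIGHTS[k] for k, v in hits.items() if v)
    if sum(hits.values()) >= 2:
        weight += COMBINATION_BONUS
    return weight, hits


def is_backscatter(subject, body):
    return score_backscatter(subject, body)[0] >= THRESHOLD


# Constructed sample messages (subject, body)
SAMPLES = {
    "bounce_en": ("Virus Alert",
                  "The virus W32/Netsky.P was found in the attachment file you "
                  "sent to our server. The attachment has been removed."),
    "bounce_de": ("Virenwarnung",
                  "In Ihrer Nachricht wurde ein Virus gefunden und entfernt."),
    "normal": ("Lunch", "Are we still on for Friday?"),
}

if __name__ == "__main__":
    for label, (subj, body) in SAMPLES.items():
        print(label, score_backscatter(subj, body), is_backscatter(subj, body))
```

Because every group matches on ordinary words, a legitimate note from an administrator ("we found a virus in the file you sent") scores the same as a bounce; that is why the combination bonus carries most of the weight and why such filters are worth disabling when the backscatter wave has passed, as the post says.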
[Declude.Virus] New Bagle variant
In the last 2 hours I can see something new. F-Prot is catching it with result code 8 as unknown virus.

Looking at the first examples:
Subject: a random name like Alice, Emanuel, Martha, Cybil, Ester, ...
Body: empty html
Attachment: ZIP-file with another random name like those in the subject line
Inside the ZIP is an exe-file 1.exe
The entire message has around 10 kByte

Virustotal result says:

This is a report processed by VirusTotal on 11/23/2005 at 18:40:34 (CET) after scanning the file "Emanuel.zip".

Antivirus      Version         Update      Result
AntiVir        6.32.0.6        11.23.2005  TR/Bagle.EC
Avast          4.6.695.0       11.23.2005  Win32:Beagle-FR
AVG            718             11.23.2005  I-Worm/Bagle
Avira          6.32.0.6        11.23.2005  TR/Bagle.EC
BitDefender    7.2             11.23.2005  Trojan.Downloader.Bagle.F
CAT-QuickHeal  8.00            11.23.2005  (Suspicious) - DNAScan
ClamAV         devel-20051108  11.23.2005  Worm.Bagle.Gen-9
DrWeb          4.33            11.23.2005  Win32.HLLM.Beagle.9219
eTrust-Iris    7.1.194.0       11.23.2005  no virus found
eTrust-Vet     11.9.1.0        11.23.2005  no virus found
Fortinet       2.48.0.0        11.23.2005  suspicious
F-Prot         3.16c           11.23.2005  security risk named W32/Mitglieder.GH
Ikarus         0.2.59.0        11.23.2005  no virus found
Kaspersky      4.0.2.24        11.23.2005  Trojan-Downloader.Win32.Bagle.f
McAfee         4634            11.22.2005  no virus found
NOD32v2        1.1300          11.23.2005  Win32/Bagle.DR
Norman         5.70.10         11.23.2005  W32/[EMAIL PROTECTED]
Panda          8.02.00         11.23.2005  no virus found
Sophos         3.99.0          11.23.2005  no virus found
Symantec       8.0             11.22.2005  no virus found
TheHacker      5.9.1.043       11.23.2005  Trojan/Downloader.Bagle.f
VBA32          3.10.5          11.23.2005  suspected of Email-Worm.Bagle.22
[Declude.Virus] New Bagle variant Update
There seems to be another variant with the same description as in my message before, but the exe in the zip-file is named 12.exe. This is not detected by F-Prot and McAfee.

Virustotal says:

Antivirus      Version         Update      Result
AntiVir        6.32.0.6        11.23.2005  TR/Bagle.EC
Avast          4.6.695.0       11.23.2005  Win32:Beagle-FR
AVG            718             11.23.2005  I-Worm/Bagle
Avira          6.32.0.6        11.23.2005  TR/Bagle.EC
BitDefender    7.2             11.23.2005  Trojan.Bagle.BK
CAT-QuickHeal  8.00            11.23.2005  (Suspicious) - DNAScan
ClamAV         devel-20051108  11.23.2005  no virus found
DrWeb          4.33            11.23.2005  no virus found
eTrust-Iris    7.1.194.0       11.23.2005  no virus found
eTrust-Vet     11.9.1.0        11.23.2005  no virus found
Fortinet       2.48.0.0        11.23.2005  suspicious
F-Prot         3.16c           11.23.2005  no virus found
Ikarus         0.2.59.0        11.23.2005  no virus found
Kaspersky      4.0.2.24        11.23.2005  no virus found
McAfee         4634            11.22.2005  no virus found
NOD32v2        1.1300          11.23.2005  probably unknown NewHeur_PE virus
Norman         5.70.10         11.23.2005  no virus found
Panda          8.02.00         11.23.2005  no virus found
Sophos         3.99.0          11.23.2005  no virus found
Symantec       8.0             11.22.2005  no virus found
TheHacker      5.9.1.043       11.23.2005  no virus found
VBA32          3.10.5          11.23.2005  suspected of Email-Worm.Bagle.22

For all who can't simply block exe inside zips as suggested by John, it's maybe a good idea to temporarily add

BANEXT EXE
BANZIPEXTS ON

to your config and try to update virus signatures.

Markus
RE: [Declude.Virus] New Sober to be released, possible variation?
Thank you Darin.

Just curious after watching our virus logfiles today: can anyone else confirm that there are only a few of today's new virus and far more Netsky (mostly the .p variant) showing up in the logfiles? Today I've had some reports that certain variants of the new virus slipped through while it was definitively catching some others.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 2:33 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

I just went through all of the reports. Here's a list of new filenames to ban:

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip

Darin.

- Original Message -
From: Doug Anderson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Looks like varying attachment names. I got one that's excel_table.zip

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: John T (Lists) Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 6:50 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:

Sophos is now calling it Sober-R.

Possible variation received this morning ... the text discussed receiving a problem email, and the attachment was email_photo.zip

[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] Virus name reported as different than what scanner detected.
Hmm, looks like there is one single variable containing the last detected virus name and several threads writing to and reading from this variable...

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, October 28, 2005 6:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Virus name reported as different than what scanner detected.

A little more checking and this seems to be happening on any message infected with a virus. Possible bug... Running 3.x, AVAFTERJM, with EXITSCANONVIRUSDETECT ON

10/28/2005 00:39:56.359 qab8ff7a40618ffdf.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Virus scanner 1 reports exit code of 3
10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [11] O
10/28/2005 00:41:47.984 qabfaf7c50618004e.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
10/28/2005 00:56:05.015 qaf506d06099e03ac.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-password.zip [11] O
10/28/2005 00:56:05.015 qaf506d06099e03ac.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]

Darrell ([EMAIL PROTECTED]) writes:

Anyone seen this before? The message (attachment) has the W97M/Thus virus and is detected by McAfee as having such, but the final virus string somehow ends up at Netsky?

Darrell

x:\imail\spool> grep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59904 Checksum=2996157]
10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [ incoming from 64.207.161.182]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal

--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
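The symptom in this thread (the scanner line names one virus, the final "INFECTED" line names another) can be spotted mechanically by grouping the virus-log lines per queue file and comparing the names. The following log checker is an added example written for this thread, not a Declude or Invariant Systems tool; the sample log lines are constructed after the format shown above, with made-up queue ids and sample virus names, and the regexes assume that format.

```python
"""Cross-check Declude virus-log lines per queue file: every "Scanner N: Virus="
line against the final "File(s) are INFECTED [ name: code]" line. Added example;
the sample lines are constructed after the thread's log format."""
import re
from collections import defaultdict

# "<date> <time> <qid> Scanner <n>: Virus= [the ]<name> Attachment=..."
SCANNER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<qid>\S+) Scanner (?P<n>\d+): Virus=\s*(?:the )?(?P<name>\S+)")
# "<date> <time> <qid> File(s) are INFECTED [ <name>: <exit code>]"
INFECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<qid>\S+) File\(s\) are INFECTED \[\s*(?P<name>[^:\]]+?):\s*(?P<code>\d+)\]")


def parse_log(lines):
    """Return {qid: {"scanner": [(scanner_no, name), ...], "final": name_or_None}}."""
    per_msg = defaultdict(lambda: {"scanner": [], "final": None})
    for line in lines:
        m = SCANNER_RE.match(line)
        if m:
            per_msg[m["qid"]]["scanner"].append((int(m["n"]), m["name"]))
            continue
        m = INFECTED_RE.match(line)
        if m:
            per_msg[m["qid"]]["final"] = m["name"]
    return per_msg


def find_mismatches(lines):
    """Queue files whose final virus name was not reported by any scanner.
    Returns [(qid, sorted scanner names, final name), ...]."""
    out = []
    for qid, rec in parse_log(lines).items():
        if rec["final"] is None or not rec["scanner"]:
            continue
        names = {name for _, name in rec["scanner"]}
        if rec["final"] not in names:
            out.append((qid, sorted(names), rec["final"]))
    return out


# Constructed sample: first message is a macro virus found by scanner 2 but
# logged under a Netsky name; second message is consistent.
SAMPLE_LOG = """\
10/28/2005 11:21:10.750 q0000000000000001.smd Virus scanner 1 reports exit code of 0
10/28/2005 11:21:11.359 q0000000000000001.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q0000000000000001.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
10/28/2005 11:21:11.359 q0000000000000001.smd File(s) are INFECTED [ W32/Netsky.p@MM: 13]
10/28/2005 11:22:01.000 q0000000000000002.smd Scanner 1: Virus= W32/Netsky.p@MM Attachment=email-details.zip [11] O
10/28/2005 11:22:01.015 q0000000000000002.smd File(s) are INFECTED [ W32/Netsky.p@MM: 3]
""".splitlines()

if __name__ == "__main__":
    for qid, seen, final in find_mismatches(SAMPLE_LOG):
        print(f"{qid}: scanners reported {seen}, final line says {final}")
```

Run it over a day's vir*.log with `find_mismatches(open(path).read().splitlines())`; a mismatch on nearly every infected message, as Darrell reports, is what a shared "last name" variable overwritten by concurrent scans would look like, while an occasional one can simply be two scanners naming the same sample differently.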
RE: [Declude.Virus] Seemingly bad virus this morning
I can confirm this and can also see that Declude Virus + F-Prot seems to be catching it now as unknown virus. In the past 30 minutes there were several of these infected messages on our servers.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 4:52 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price

Matt
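To make the quoted filter's logic concrete, here is a small evaluator for filter lines of that shape, run against constructed messages. This is an added example and not Declude's code; it assumes the usual reading of the syntax (FIELD, then a weight or END meaning "stop processing the filter file when this line matches", then CONTAINS/NOTCONTAINS and the value), case-insensitive matching, and that runs of whitespace including line breaks are collapsed to one space before matching so that `.zip" Content-Transfer-Encoding` can match across two MIME header lines. The sample messages, addresses and the base64 stub are constructed.

```python
"""Evaluator for a Declude-style text filter (one rule per line:
FIELD WEIGHT ACTION VALUE). Added example, not Declude's implementation;
only HEADERS/BODY and CONTAINS/NOTCONTAINS are supported, matching is
case-insensitive and whitespace-normalised (both assumptions)."""

FILTER_TEXT = '''\
# Matt's filter from the thread, fields separated by whitespace
HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price
'''


def parse_filter(text):
    """Turn filter text into [(field, weight, action, value), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, action, value = line.split(None, 3)   # value keeps its spaces
        rules.append((field.upper(), weight.upper(), action.upper(), value))
    return rules


def _normalize(s):
    return " ".join(s.split()).lower()


def evaluate(rules, raw_message):
    """Return the weight the filter assigns to a raw RFC 822 message."""
    headers, _, body = raw_message.partition("\n\n")
    hay = {"HEADERS": _normalize(headers), "BODY": _normalize(body)}
    total = 0
    for field, weight, action, value in rules:
        present = value.lower() in hay[field]
        matched = present if action == "CONTAINS" else not present
        if not matched:
            continue
        if weight == "END":          # matching END line: stop, keep what we have
            return total
        total += int(weight)
    return total


# Constructed multipart message with a "price" ZIP attachment
VIRUS_MESSAGE = '''\
From: sender@example.com
To: user@example.net
Subject: new price
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_01"

------=_Part_01
Content-Type: text/plain

see attached price list

------=_Part_01
Content-Type: application/zip; name="price.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price.zip"

UEsDBBQAAAAIAA==
------=_Part_01--
'''

# Constructed plain-text message that merely mentions a price
PLAIN_MESSAGE = '''\
From: sender@example.com
To: user@example.net
Subject: price question

What is the price of the new model?
'''

# Same multipart layout, but the attachment is a .doc, not a .zip
DOC_MESSAGE = (VIRUS_MESSAGE.replace('name="price.zip"', 'name="price.doc"')
               .replace('filename="price.zip"', 'filename="price.doc"'))

if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    for label, msg in [("zip", VIRUS_MESSAGE), ("plain", PLAIN_MESSAGE), ("doc", DOC_MESSAGE)]:
        print(label, evaluate(rules, msg))
```

The three END lines are what keep the filter narrow: a non-multipart message, a message without an attachment, or one whose attachment is not a ZIP all leave the filter before the `BODY 15 CONTAINS price` line is reached, so the word "price" in ordinary mail scores nothing.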
RE: [Declude.Virus] Seemingly bad virus this morning
Ah, and not to forget: whatever name this virus will have: it's a forging worm.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 4:52 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price

Matt
RE: [Declude.Virus] Seemingly bad virus this morning
OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

As safe as the world can be ;-)

Markus
RE: [Declude.Virus] McAfee DailyDAT download location change.
I have to check my script because it still works fine up to now.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 9:58 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.

I changed the subject so that people can be alerted to this. Announcements of things like this would be useful to the entire Declude customer base. I am afraid that we are a little over a month behind. Those with a single scanner would be screwed.

I adjusted my scripts to use the link that you provided and it does in fact work just great...so far :)

Thanks,

Matt

Scott Fisher wrote:

Great catch Matt. Mine's gone too since August 2. Thank you Declude for multiple virus scanner option.

Try: http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From: http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

This is a new Bagle variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price

Matt

---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
RE: [Declude.Virus] Expect new Bagle variants
It looks as though the Bagle author is back from his vacation. Today we've detected several new variants (actually old variants which have been repacked) and they are still coming in. I can see some unknown virus detections in the last 24 hours.

Markus
[Declude.Virus] Strange messages (Subject: 1)
In the last hours I can see some strange messages (see attached samples) sent from different servers and with obviously forged mailfrom addresses. Each message has "1" as Subject and as Body, and an attached but empty file named 1.txt. The mailfrom address seems to be the first part of the recipient's address + some random domain name. I've added 1.txt to the Declude Virus BANNAME list.

Markus

---BeginMessage---
1

1.txt
Description: Binary data
---End Message---

---BeginMessage---
1

1.txt
Description: Binary data
---End Message---
[Declude.Virus] Breatel.B@MM seems to forging
Have seen some NDRs yesterday and this morning and so I've added Breatel to the list of forging viruses.

Markus
RE: [Declude.Virus] Patch Tuesday and graphic images
Andrew thanks for the info

...you will want to remove these optimizations from your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

... and hope that Declude or the AV engine will catch this vulnerability as soon as possible. As much as I can understand from reading the KB article it's something similar to the GDI exploit but not the same.

Markus
RE: [Declude.Virus] Limit Size of message to be scanned?
Have had one with 405 MB last week. The entire Declude system has scanned and checked it (it was held due to several suspicious files in the archive). Only the vbscript that should move the held message file has created some problems: +800 MB of memory usage and some read errors in the Declude logfile. Some further messages were not scanned.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, July 08, 2005 9:05 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Limit Size of message to be scanned?

50 MB e-mail attachments? Youch!

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Thursday, July 07, 2005 8:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Limit Size of message to be scanned?

Hello All,

Is there a way to limit the size of the message that Declude/F-Prot can scan? We have some customers that are sending 50+ meg files and it is causing our servers to have major issues. Is there a setting to say skip anything over a certain size? Either in F-Prot or Declude? We fixed it currently by setting it to OFF for certain domains, but really want to ban extensions and vulnerabilities for those domains.

Thanks,

Grant Griffith
EI8HTLEGS, A Division of ETC
(812)932-1000
RE: [Declude.Virus] FYI - new virus as yet unidentified
Can't see any file "kitten.zip" in the past 8 hours...

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, June 26, 2005 8:33 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] FYI - new virus as yet unidentified

Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE.

Darin.
RE: [Declude.Virus] FYI - new virus as yet unidentified
Thanks for the info's

I've seen some of these "SMS" subject lines in the virus log (while searching for kitten.zip):

06/26/2005 22:37:03 Q11e3167a00d2c413 Scanner 2: Virus=W32/Bagle.dldr Attachment= [42] I
06/26/2005 22:37:22 Q1200168000d2c41c Scanned: Virus Free [Prescan OK][MIME: 3 19716]
06/26/2005 22:37:24 Q11e3167a00d2c413 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 21646]
06/26/2005 22:37:24 Q11e3167a00d2c413 From: [Forged] To:[Hidden] [incoming from 71.97.144.45]
06/26/2005 22:37:24 Q11e3167a00d2c413 Subject: Is sent SMS

This was yesterday evening (06/26/2005 22:37:24 GMT+1). Scanner 2 is McAfee and following the logfiles it's called "Bagle.dldr". Scanner 1 (F-Prot) caught it 2 hours later with errorlevel 8.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, June 27, 2005 8:14 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] FYI - new virus as yet unidentified

12 hours after Darin's post, I see that the ISC Storm Center has seen it.

http://isc.sans.org/diary.php?date=2005-06-25

"New Bagle Variant
We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this."

I hunted around our undeliverables and found more than one copy. Each had "SMS" in the subject, e.g. "Is sent SMS" and "The picture is sent on SMS".

Trend Micro detects the executable as Bagle.BB but everyone else who detects it calls it Bagle.BQ or Bagle.Gen (generic). McAfee and Symantec are not detecting it. ClamAV does. F-Prot calls it an errorlevel = 8 security risk called "W32/_newstuff.2". Each message was 32 KB.

I hope that helps,

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, June 26, 2005 11:33 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] FYI - new virus as yet unidentified

Don't know what it is yet, but the attached file was named kitten.zip containing an unencrypted EXE.

Darin.
RE: [Declude.Virus] [sniffer] New Spam/Virus?
In the last hours? Not here. I can see an increased number of spams passing the filter in the last two weeks. From 01/01/05 up to the mid of May I've received less than 30 spam messages to my own inbox (by catching 300 each day) but from mid of May up to now I've received around 20 spam messages.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, June 06, 2005 11:29 PM
To: sniffer@SortMonster.com
Cc: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [sniffer] New Spam/Virus?

Yes I have seen them too:

email starts with:

[removed]

- Original Message -
From: Jim Matuska
To: sniffer@SortMonster.com
Sent: Monday, June 06, 2005 4:13 PM
Subject: [sniffer] New Spam/Virus?

Is anyone else seeing a huge rash of spam/virus messages in the last hour or so? I have multiple users that are getting messages that are forging our own addresses and have a link that appears to go to our website but instead goes elsewhere with an IP address link. These do not appear to be infecting as file attachments but from the web link itself. Pete, I have forwarded a few to your spam@ address, let me know what you think.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
RE: [Declude.Virus] EXITSCANONVIRUS
John, it wouldn't help you this time but we have most of our servers running with RAID mirroring and each server has a third disk in standby. This disk is not only here to be replaced if one of the other two disks fails but it is also replaced periodically (usually once per month) with one of the mirror drives. So if there is a problem on the RAID which has caused a "disaster" we have at all times a running system that will boot within minutes and begin to restore the daily backup files.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 30, 2005 6:07 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

Windows. Power went out, for some reason the UPS went into shutdown mode, it appears some thing on the server hung preventing it from shutting down before the UPS shutdown timer expired, the rest is history. Turns out the Ghost image is inconsistent, so I am rebuilding the OS from the ground, will try to do a restore from a backup I made of the extracted OS partition in Ghost, not sure how that is going to go, but if not then will have to recreate in IIS 47 web sites. Data for the sites is fine, as that was on a pair of separate SCSI drives. So much for getting caught up on other work.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 30, 2005 6:43 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] EXITSCANONVIRUS

Oh man...I feel your pain! Happened to us mid-April. Fortunately it was just after midnight on a Friday, so we had everything back up before morning and no one noticed the interruption in service. Was it Windows mirroring or hardware level?

Darin.

- Original Message -
From: John Tolmachoff (Lists)
To: Declude.Virus@declude.com
Sent: Monday, May 30, 2005 3:30 AM
Subject: RE: [Declude.Virus] EXITSCANONVIRUS

Off the topic, but it interrupted my work on my mail server.

Any one ever lose both mirrored OS drives at the same time? FUN FUN FUN NOT! At least Ghost is able to read the master.

John T
eServices For You
[Declude.Virus] W32.Eyeveg is forging
My F-Prot does catch some W32.Eyeveg mass-mailers in the last 5 days. There is always an NDR bounce, so I believe it should be added to the forging virus list.

Markus
RE: [Declude.Virus] I hate Sober.o
That means there are still way too many e-mail servers out there not using Declude Virus.

From what I can see this virus is sending out messages containing a long list of recipients in the TO field. It turns out that there are not only some dumb mail-virus filters out there but also still some unpatched MS Exchange POP3 connectors that are delivering the message not only to the local domain but also to all other recipients in the list. Having one such POP3 connector in the recipient list means the message comes twice to each recipient. Having two POP3 connectors creates a big problem because popconn2 redelivers messages from popconn1 and vice versa. All involved MTAs have to process as many messages as their bandwidth allows, message queues are full and all recipients receive the messages in hundreds or thousands until

A.) I block the sender address during the SMTP envelope
B.) The admins of the lazily maintained Exchange server note that something goes slow these days and after hours and days of "I have no idea" they discover what's going on.

Due to Sober.o we've had four of these issues in the last 48 hours, one with 3 involved PopConns. Gr ..r!

We should set up a filter that will send back to each sender whose mail header contains sources of unpatched Exchange MTAs a warning message...

Markus
RE: [Declude.Virus] Viruses appearing to be getting through...
I've just received a message containing a file account_info.zip to my inbox. I've tried to open it but WinZip was not able to open this 53 kByte zip archive:

start of central directory not found: zip file corrupt

So I believe in this case neither AV scanner nor BANZIPEXTS ON will work, as absolutely no content from the archive could be read. Only BANNAMEs will work to block it before it reaches the recipient's mailbox. At least such corrupt files can't create any damage beside the problem that some user could believe the virus filter does not work as well as it should.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, May 02, 2005 11:54 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I don't have any samples of the latest Sober, but *if* you're using the penultimate pattern file for F-Prot and have your auto-update disabled, then according to the writeups, either of these two techniques in your virus.cfg will keep this specific virus out of your user's mailboxes:

BANEXT PIF
BANZIPEXTS ON

or

BANNAME account_info.zip
BANNAME autoemail-text.zip
BANNAME LOL.zip
BANNAME Fifa_Info-Text.zip
BANNAME mail_info.zip
BANNAME okTicket-info.zip
BANNAME our_secret.zip
BANNAME _PassWort-Info.zip

Andrew 8)

p.s. Now, back to the day job, already!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, May 02, 2005 2:20 PM
To: Declude.Virus@declude.com
Subject: Fw: [Declude.Virus] Viruses appearing to be getting through...

Hi,

Oops, correct that. F-prot is catching it as Sober.O, Sophos is still not catching it. :-( Sure glad I'm using two scanners. ;-)

As of now I'm still getting hit by a virus with attachments like our _ secret . zip which Sophos catches as Sober.O. F-prot is still not catching them and there is as of yet no update. Just did a manual update and no new version.

I'm at:
SIGN.DEF 2-may-2005, 13:32 CET
SIGN2.DEF 2-may-2005, 16:46 CET
Using f-prot 3.16b

Groetjes,

Bonno Bloksma

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 8:37 PM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

F-Prot may have already fixed their pattern file. My current sign.def is timestamped: 05/02/2005 03:53 AM and checking their website and downloading the current version manually shows that the current version is: 05/02/2005 01:32 PM

Can anybody with the issue confirm which pattern file they are using that has the problem?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Monday, May 02, 2005 11:20 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Viruses appearing to be getting through...

Yep, these are being detected by NAI (W32/[EMAIL PROTECTED]) and ClamAV (Worm.Sober.P), but not yet being detected by TrendMicro or F-Prot (although I have F-Prot updates disabled for now, until they get their problem with HTML/[EMAIL PROTECTED] fixed).

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, May 02, 2005 11:11 AM
Subject: RE: [Declude.Virus] Viruses appearing to be getting through...

I saw a big bunch about 2 hours ago that were stopped by banned zip extensions.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Monday, May 02, 2005 10:58 AM
To: Declude. Virus
Subject: [Declude.Virus] Viruses appearing to be getting through...

I am seeing several files getting through that appear to have viruses attached as zip files. I am running Declude with F-Prot. We ban encrypted zips and I have error code 8 included. Anyone else seeing this behavior? Here is part of the log.

05/02/2005 10:34:20 Q568a382 MIME file: account_info-text.zip [base64; Length=53728 Checksum=5837399]
05/02/2005 10:34:21 Q568a382 Scanned: Virus Free [MIME: 2 53979]

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
RE: [Declude.Virus] F-Prot and HTML object exploit
Question: Are you all running the latest v3.16b? I can't see any appearance of HTML/ObjData in the entire current logfile, but I'm still running 3.16a.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, May 02, 2005 7:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot and HTML object exploit

It appears that something has updated on F-Prot in the last hour. Now, a lot of outbound HTML e-mails are being flagged by F-Prot as having the HTML object exploit. Running the file on www.virustotal.com shows clean. Anyone else seeing problems? For now, as I am at a client, I have turned off F-Prot scanning, relying on AVG.

John T
eServices For You
RE: [Declude.Virus] Viruses appearing to be getting through...
F-Prot seems to be catching it now as X-Declude-Virus: Detected W32/[EMAIL PROTECTED]

My F-Prot has been catching it for over 3 hours now as Sober.O. Previously only the second scanner, McAfee, had caught it as Sober.gen for around an hour while F-Prot had not detected it. In that hour there were several attempts to deliver this virus. From around 2 hours ago McAfee is catching it as Sober.p.

Markus
[Declude.Virus] New forging virus: Antiman
In the last hour I've seen some NDRs coming back for a new virus called Antiman. Maybe we should add it to the FORGINGVIRUS list. Can anyone else see this virus in his virus logfiles?

Markus
RE: [Declude.Virus] High CPU F-Prot
Matt, how do you search for these F-Prot space gaps? As I can see from your log snippets there is each time a "could not find parse string" after the space gap. Searching my logfile for this phrase I can find around 10 of them, but always as the first log entry of a processed message. So I can't determine if there is a space gap or not. Each of these log lines is for F-Prot while Scanner2 McAfee is detecting a virus (Netsky, Bagle, ... but no Mytob in this case).

I'm still using F-Prot 3.15, not 3.16.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 6:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

After further review, I'm pretty sure that there is an F-Prot issue going on here.

My server hasn't been hitting 100% yet today, and I also haven't seen any F-Prot timeouts, however I have found more compelling evidence that there is an issue with F-Prot that would probably lead to timeouts if the load was heavy while some messages were scanned. I searched my logs today for examples of where McAfee found Mytob, but F-Prot didn't detect anything. There were a fair number of examples, and in every one, F-Prot took an uncharacteristically long time to scan the file.

Here are three examples that are marked with the gap corresponding to the F-Prot delays:

04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap where F-Prot scans message ---
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 05:49:11 QB18D740700A83968 Deleting file with virus
04/28/2005 05:49:11 QB18D740700A83968 Deleting E-mail with virus!
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 05:49:11 QB18D740700A83968 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 12.152.254.47]
04/28/2005 05:49:11 QB18D740700A83968 Subject: MAIL TRANSACTION FAILED

04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: doc.zip [base64; Length=55408 Checksum=6875560]
--- 4 second gap where F-Prot scans message ---
04/28/2005 09:09:45 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:46 QE095EDCB006E8802 Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment= [0] O
04/28/2005 09:09:46 QE095EDCB006E8802 File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting file with virus
04/28/2005 09:09:46 QE095EDCB006E8802 Deleting E-mail with virus!
04/28/2005 09:09:46 QE095EDCB006E8802 Scanned: CONTAINS A VIRUS [MIME: 2 55605]
04/28/2005 09:09:46 QE095EDCB006E8802 From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:09:46 QE095EDCB006E8802 Subject: hello

04/28/2005 09:47:55 QE98BF4DC00DA98FB MIME file: data.scr [base64; Length=56320 Checksum=6982245]
04/28/2005 09:47:55 QE98BF4DC00DA98FB Invalid SCR Vulnerability
04/28/2005 09:47:55 QE98BF4DC00DA98FB Banning file with SCR extension [application/octet-stream].
--- 9 second gap where F-Prot scans message ---
04/28/2005 09:48:04 QE98BF4DC00DA98FB Could not find parse string Infection: in report.txt
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=data.scr [0] O
04/28/2005 09:48:05 QE98BF4DC00DA98FB File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting file with virus
04/28/2005 09:48:05 QE98BF4DC00DA98FB Deleting E-mail with virus!
04/28/2005 09:48:05 QE98BF4DC00DA98FB Scanned: CONTAINS A VIRUS [MIME: 2 56551]
04/28/2005 09:48:05 QE98BF4DC00DA98FB From: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/28/2005 09:48:05 QE98BF4DC00DA98FB Subject: Good day

I'm virtually certain that this is what was happening yesterday, but under heavier load, F-Prot was taking longer to scan the messages than the 30 seconds that I allow it to. There are no other long delays like this that I can find. F-Prot, based on past testing, should detect a typical virus in 100 ms on my system, but it is not only taking much more time to scan a very small file, it is also missing the virus.

I suspect that this is happening on other systems, but the timeout issue probably wasn't seen as often because I have my timeout set to 30 seconds instead of 60 seconds, and I had very heavy
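The log search Matt describes (find a message's "Could not find parse string" line, then look back for its first "MIME file" line and measure the delay) can be automated. The following is an added example written for this page, not a tool from the thread and not part of Declude: it groups Declude virus-log lines by spool ID, so other messages logged during the gap do not hide it, flags every parse-string failure that follows a gap of at least a configurable number of seconds for the same ID, and records whether Scanner 2 then reported a virus on that message. The sample log is constructed for the example and uses a placeholder virus name; only the line format comes from the thread. The gap threshold is an assumption. It can only see a gap if the earlier lines were logged at all, which depends on the LOGLEVEL in use.

```python
"""Find scanner stalls in a Declude virus log.

Added example, not part of the thread and not Declude's own tooling. It
reads Declude virus-log lines in the shape shown in the thread
("MM/DD/YYYY HH:MM:SS Q<spool-id> <message>"), groups them by spool ID so
interleaved entries from other mail do not hide a gap, and reports each
"Could not find parse string" entry that follows a gap of at least
GAP_SECONDS for the same spool ID, together with whether a second scanner
then flagged the message. SAMPLE_LOG is constructed for the example (the
virus name is a placeholder); only the line format is taken from the thread.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
PARSE_FAIL = "Could not find parse string"
GAP_SECONDS = 3   # assumed threshold; a normal F-Prot scan answers well under a second

SAMPLE_LOG = """\
04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
04/28/2005 05:49:06 Q0000000000000001 MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/28/2005 05:49:07 Q0000000000000001 Scanned: Virus Free [MIME: 1 2087]
04/28/2005 05:49:10 QB18D740700A83968 Could not find parse string Infection: in report.txt
04/28/2005 05:49:11 QB18D740700A83968 Scanner 2: Virus=W32/Placeholder Attachment=document.scr [0] O
04/28/2005 05:49:11 QB18D740700A83968 File(s) are INFECTED [W32/Placeholder: 13]
04/28/2005 05:49:11 QB18D740700A83968 Scanned: CONTAINS A VIRUS [MIME: 2 54788]
04/28/2005 09:09:41 QE095EDCB006E8802 MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/28/2005 09:09:41 QE095EDCB006E8802 Could not find parse string Infection: in report.txt
04/28/2005 09:09:42 QE095EDCB006E8802 File(s) are INFECTED [: 0]
"""


def parse_log(text):
    """Return [(timestamp, spool_id, message)] for every well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # wrapped or malformed lines are skipped
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries


def find_scanner_gaps(text, gap_seconds=GAP_SECONDS):
    """Report parse-string failures preceded by a gap for the same spool ID."""
    by_qid = {}
    for ts, qid, msg in parse_log(text):
        by_qid.setdefault(qid, []).append((ts, msg))

    findings = []
    for qid, entries in by_qid.items():
        for i in range(1, len(entries)):
            ts, msg = entries[i]
            if not msg.startswith(PARSE_FAIL):
                continue
            gap = (ts - entries[i - 1][0]).total_seconds()
            if gap < gap_seconds:
                continue
            # Did the second scanner catch what the first one stalled on?
            caught_by_other = any(m.startswith("Scanner 2:") for _, m in entries[i + 1:])
            findings.append({
                "qid": qid,
                "gap_seconds": int(gap),
                "before_gap": entries[i - 1][1],
                "second_scanner_caught": caught_by_other,
            })
    return findings


if __name__ == "__main__":
    for f in find_scanner_gaps(SAMPLE_LOG):
        print(f"{f['qid']}: {f['gap_seconds']}s before parse failure; "
              f"last entry before gap: {f['before_gap']!r}; "
              f"second scanner caught it: {f['second_scanner_caught']}")
```

Run it against a real VIRmmdd.log by replacing SAMPLE_LOG with the file contents; lowering gap_seconds to 0 lists every parse-string failure, which is the figure Bill counts later in the thread.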
RE: [Declude.Virus] High CPU F-Prot
No, I've checked this already before: there is no appearance of the spool file name above this line. All I can see is something like

04/28/2005 08:00:13 Q7be703950112a342 Could not find parse string Infection: in report.txt
04/28/2005 08:00:13 Q7be703950112a342 Scanner 2: Virus=W32/[EMAIL PROTECTED] Attachment=Cat.zip [40] I
04/28/2005 08:00:13 Q7be703950112a342 File(s) are INFECTED [W32/[EMAIL PROTECTED]: 13]
04/28/2005 08:00:13 Q7be703950112a342 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 25955]
04/28/2005 08:00:13 Q7be703950112a342 From: [Forged] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
04/28/2005 08:00:13 Q7be703950112a342 Subject: Re:

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 7:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Markus,

Take the spool file name corresponding to the "could not find parse string" and look above it for the beginning of the log entries for that file. You might think that this is the first entry for that message, but it appears that there is a gap in time and you aren't finding the first entries. Your entries should look the same or similar to mine. The first entry for each such message that passes PRESCAN will start with the "MIME file" line. It seems likely that you are experiencing the same thing.

Matt
RE: [Declude.Virus] High CPU F-Prot
No, absolutely no trace of the spool filename before the "parse string" line. I've checked multiple cases in today's logfile now.

Note: F-Prot is my first, McAfee my second scanner. F-Prot 3.15, not 3.16. I have PRESCAN ON in my virus.cfg.

Bye,
Markus (have to leave the office now)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 7:48 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Markus,

It's there (or should be). Search for "Q7be703950112a342" appearing before this block and you should find at least one line corresponding to the message.

BTW, I just looked at an old log file from April 11th using Declude 1.82, and F-Prot was experiencing the same sorts of delays with the same characteristics. Seems like a pretty serious and longer-term issue with F-Prot.

Matt
RE: [Declude.Virus] High CPU F-Prot
It seems to me that talking (or writing) is a good idea.

Why VIRUSCODE 9 and 10? Have I missed something?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, April 28, 2005 10:32 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Matt, I searched 2 weeks of logs on both of my servers (both of which run F-Prot and TrendMicro) and could only find 4 instances of "Could not find parse string Infection", and they were found on the server that is very heavily loaded. I use the following F-Prot strings in my virus.cfg:

# F-Prot
SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE1 8
VIRUSCODE1 9
VIRUSCODE1 10
REPORT1 Infection:

Here is a sample of what I find if I parse for 5 lines before and after the target Q-ID:

04/20/2005 11:53:22 Qa51de08d00e25919 Scanned: Virus Free [MIME: 3 36875]
04/20/2005 11:53:25 Qa523e08f00e25924 MIME file: [text/html][quoted-printable; Length=10177 Checksum=774898]
04/20/2005 11:53:26 Qa523e08f00e25924 Scanned: Virus Free [MIME: 2 11904]
04/20/2005 11:53:27 Qa510a96d00c4590a MIME file: [text/html][quoted-printable; Length=11036 Checksum=792412]
04/20/2005 11:53:28 Qa510a96d00c4590a Scanned: Virus Free [MIME: 2 14609]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: [text/html][7bit; Length=52 Checksum=3520]
04/20/2005 11:53:29 Qa51fa9a300ec591e MIME file: 5.zip [base64; Length=19404 Checksum=2507990]
04/20/2005 11:53:29 Qa51fa9a300ec591e Could not find parse string Infection: in report.txt
04/20/2005 11:53:30 Qa51fa9a300ec591e File(s) are INFECTED [: 0]
04/20/2005 11:53:30 Qa51fa9a300ec591e Scanned: CONTAINS A VIRUS [MIME: 2 19522]
04/20/2005 11:53:30 Qa51fa9a300ec591e From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 165.165.221.208]
04/20/2005 11:53:30 Qa51fa9a300ec591e Subject:
04/20/2005 11:53:32 Qa52aa9a400ec592a Scanned: Virus Free [MIME: 1 2087]
04/20/2005 11:53:34 Qa52b4d30fdb9 Scanned: Virus Free [MIME: 1 672]
04/20/2005 11:53:35 Qa52c4f880105 Scanned: Virus Free [MIME: 1 752]
04/20/2005 11:53:35 Qa52ea9ab00ec592c MIME file: [text/html][8bit; Length=8334 Checksum=681405]
04/20/2005 11:53:37 Qa52ea9ab00ec592c Scanned: Virus Free [MIME: 2 13549]

I didn't find a time gap in any of the "Could not find parse string Infection" log entries I found.

Bill

----- Original Message -----
From: Matt
To: Declude.Virus@declude.com
Sent: Thursday, April 28, 2005 10:58 AM
Subject: Re: [Declude.Virus] High CPU F-Prot

Andrew,

If you are only using F-Prot, you should be able to find evidence of at least the delays by searching for "Could not find parse string Infection" and then checking for a gap above that point to where the message began to be scanned.

If I'm correct about this, and it seems that I am, F-Prot has been missing a fair number of viruses every day at least going back to April 11th. Their new scan engine, 3.16b, was released back on March 7th and this may be related, but I don't have logs going back past April to confirm.

F-Prot users should all probably pay very close attention to this. I haven't yet contacted F-Prot because I'm busy at this moment and this was only just confirmed by someone else. I would have to say that Scott would be quite useful in a situation like this because it appeared that he had a line of contact with them (Scott, are you out there?).

Matt

Colbeck, Andrew wrote:

The "could not parse" string occurs whenever F-Prot returns a result that *isn't* equal to 3. Only return code 3 provides a string in the result file that says "Infection: " followed by the virus name.

I'd like to help you out with this Matt, but with only one antivirus scanner, I don't see the evidence of a space gap.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Thursday, April 28, 2005 10:29 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

On 28 Apr 2005 at 12:57, Matt wrote:

Matt - If this becomes a real problem that you see and can monitor, I would revert back to an older scan.exe to eliminate the issue of versions. This is a possible clue: "Could not find parse string Infection: in report.txt". What does this mean? Your virus.cfg needs a different setup parameter, or report.txt cannot be found?

-Nick

04/28/2005 05:49:04 QB18D740700A83968 MIME file: document.scr [base64; Length=52224 Checksum=6533396]
04/28/2005 05:49:04 QB18D740700A83968 Invalid SCR Vulnerability
04/28/2005 05:49:04 QB18D740700A83968 Banning file with SCR extension [application/octet-stream].
--- 6 second gap
RE: [Declude.Virus] High CPU F-Prot
I'm using LOGLEVEL MID in my logfile, so this must be the cause of the missing previous log lines. I have logfiles back to 03/2004 and have made some sporadic checks. These few "could not find parse" entries have been there for over 10 months now. Due to the missing previous log lines I can't say if this was caused by a scanner timeout or not. As already said, the second scanner is detecting Zafi, Bagle, Netsky ... so nothing special and also nothing new that would cause an exit code 8 from F-Prot due to missing updated signatures. At least I can say that I haven't seen any case where the second scanner hasn't caught the virus.

Another aspect: why should Declude try to parse report.txt if the engine hasn't reported a virus with the exit code? Beside the problem that F-Prot seems to use a lot of CPU, I believe that it will not time out but will detect something and, for whatever reason, will not write report.txt or a complete report.txt. I also believe that /(P|M)ANALYZE could be a good reason for increased CPU usage, even if I can't explain why it should happen only for a few messages each day.

Another idea: why not set up a Declude virus configuration in a separate folder, with or without the second scanner, and test the held message (held by scanner2) again? It would be interesting whether the same space gap can be reproduced or whether we must search for another reason for the sporadic appearance...

Good night from GMT+1
Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 28, 2005 8:52 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

Markus and Andrew,

I think I have an idea as to possibly why. I run Declude Virus at LOGLEVEL HIGH. Maybe you guys are logging at a different level. FYI, the HIGH level doesn't produce an inordinate amount of data by any means.

I went back to my oldest Virus log where I was also running Declude 1.82 and there are definitely a fair number of examples back then as well, though this isn't a huge number in comparison to the total number of viruses that are detected each day. Here's one example of a 10 second gap from April 1st running Declude 1.82 and both F-Prot and McAfee, where McAfee tags the virus and F-Prot takes 10 seconds to error.

04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: gsbfgwcjnx.bmp [base64; Length=1846 Checksum=281466]
04/01/2005 14:37:00 Qa2dce53900ee9f9d MIME file: Dog.zip [base64; Length=26047 Checksum=3314327]
04/01/2005 14:37:00 Qa2dce53900ee9f9d Found encrypted .ZIP file
04/01/2005 14:37:00 Qa2dce53900ee9f9d Banning .ZIP file with encrypted EXE extension.
--- 10 second gap while F-Prot scans ---
04/01/2005 14:37:10 Qa2dce53900ee9f9d Could not find parse string Infection: in report.txt
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanner 2: Virus=the W32/[EMAIL PROTECTED] Attachment=Dog.zip [0] O
04/01/2005 14:37:11 Qa2dce53900ee9f9d File(s) are INFECTED [the W32/[EMAIL PROTECTED]: 13]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting file with virus
04/01/2005 14:37:11 Qa2dce53900ee9f9d Deleting E-mail with virus!
04/01/2005 14:37:11 Qa2dce53900ee9f9d Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 3 28098]
04/01/2005 14:37:11 Qa2dce53900ee9f9d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 208.7.179.200]
04/01/2005 14:37:11 Qa2dce53900ee9f9d Subject: Re:

Matt

Colbeck, Andrew wrote:

Matt, no there is no related Q line in my log files above that error. And given the load on my server, there is no way to correlate a useful gap between my DECmmdd.log and VIRmmdd.log files; rather, I expect random gaps. Also, I've noticed that F-Prot has definitely leaked viruses, because they're caught on my internal Exchange servers. Whenever I notice this however, I've been able to attribute these to late pattern updates. I don't think my server has the problem that you have, but I've certainly looked.

Andrew 8)
RE: [Declude.Virus] High CPU F-Prot
11:59pm here, so it's not a good time to watch the CPU usage as most people have left the office some hours ago. Time to say good night for me too, not having seen anything strange with F-Prot on my server at the moment. |-)

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, April 27, 2005 11:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] High CPU F-Prot

I saw F-Prot time out 3 times today in my logs, and I can't remember that ever happening before. McAfee didn't time out once, and that's usually the first to go. Maybe this explains the issue. I think it's time to do some performance monitoring to see what is up.

Matt

Darrell ([EMAIL PROTECTED]) wrote:

In the last 24 hours I have seen F-Prot start to use an excessive amount of CPU. Normally it very rarely shows up in task manager and now it has been using a considerable amount of CPU. Thoughts?

Darrell
Comprehensive Declude Virus and Junkmail reporting with DLAnalyzer - http://www.invariantsystems.com

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.Virus] Adobe PDF embedded attachment
Although Adobe recommends enabling scanning of all file types in order to scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner is not currently going to be able to scan this encrypted content until the content has been rendered/unencrypted at the desktop.

Is there any info from Adobe or any AV company about the ability/possibility to scan and detect such encrypted content? If there is any possibility to detect encrypted PDFs, I think Declude should be prepared to add BANEXT ePDF to the config file before the first worms appear...

At this point maybe I can also place the feature request that we can block certain (archiving) file types if they have a small size and a suspicious file inside. For example, all ZIP files below 100 kB with any executable file inside. This should help to block new virus variants until appropriate signatures are available from the AV companies. I'm not 100% sure, but I can't imagine why someone would send a legitimate zip file with a small executable inside.

Markus
RE: [Declude.Virus] Another new virus
Another idea, now with the ability to use customizable hold folders in v2: create a test that will move all messages containing a relatively small zip attachment to a separate hold folder. Another external app or script will check this folder regularly and requeue messages (or also move them back to spool/overflow for a second Declude analysis) after a certain time range (for example 15 minutes), and a longer time range (120 minutes) if there is a relatively high amount of such small zips. In this case an email alert to the admin would also be useful. A human brain should see immediately if it's a new virus. This will create the necessary time to react to new viruses.

I can confirm that our system let through a few viruses last weekend. Both F-Prot, F-Secure and McAfee were too slow in this case. Bitdefender had updates ready very fast.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, April 19, 2005 3:56 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Another new virus

Markus,

This will work great with things like my IPINMX test, which is anything that doesn't hit IPNOTINMX and has no sub-domains for the Mail From domain (the last part stops zombies from getting credit when they use the reverse DNS entry as the Mail From). I will likely pre-qualify in VBScript and then simply END processing the test in Declude for things like IPINMX, and add on even more points for other spammy things that Declude tracks like SPAMDOMAINS. In VBScript I can test for things like message boundaries that contain non-hex characters, absence of an X-Mailer header, small size attachments, etc., which shouldn't typically be seen when there is a zip attachment, since people should generally be attaching zip files manually through normal software and doing so to hide larger files or groups of files.

I probably will have to do something where it needs multiple hits for it to fail, since there are going to be clear exceptions to all of what I have mentioned, but they likely won't exist in combination. It would be very helpful if I could figure out from the zip file base64 encoding what type of extension was contained within the file, so I might play around with that a bit as well.

Matt

Gufler Markus wrote:

Good idea to create some combo filter for small zip file attachments! What about creating an external test that will count up small zip file attachments in a separate file and check if there are more than x suspicious zip files within a certain time range? Maybe it would also be a good idea to combine this test with some mailfrom validating test, as these addresses are forged.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, April 19, 2005 3:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Another new virus

FYI, I have found that F-Prot continues to throw Virus Code 8 for what McAfee is detecting as Bagle.gen even though 4 or so days have passed. I'm not clear on whether or not this is intentional in F-Prot or if this is one of their hiccups where they don't respond appropriately for a week after a new threat. It is probably necessary for F-Prot users to use Virus Code 8 if they want to stop whatever is coming now.

I also wanted to add that the zip file viruses did finally slip through my server on Saturday morning for a period of a few hours (when not caught by spam blocking). I did verify that these were detectable with newer definitions, and although low in numbers, it appears that the recent slew of virus writers have figured out that the safest mechanism for sending infected executables is to zip them up in a standard archive since most admins don't block these. Every virus attachment from the recent group has been a standard ZIP or RAR.

I have also seen notes that indicate that as of a week ago the writers have managed to produce 96 variants of Mytob, which means several per day. These are apparently being launched into the wild by hijacked machines used to seed, and I believe that this was the sort of activity that I saw Saturday morning. I assume that it is being used to replenish bot networks that might have become too old with previously exploited machines.

I'm not surprised at the zip leakage, but no one that I have talked to wants me to start blocking these zips because it is limiting to their use of E-mail. Instead, I am going to code up a new test that looks for a typically virus-sized zip attachment and does some heuristics on the E-mail to see if these were generated by a client mailer or a nondescript mass-mailing mechanism (a virus). I'm
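The two ideas in this exchange, Matt's "several hits before it fails" heuristics on messages carrying a small zip attachment and Markus' time-window count of such messages with an admin alert, can be sketched as a standalone script. This is an added example, not Declude's code and not Matt's VBScript test: the size threshold, the required number of hits, the window and alert values, and the rule that a mail-client boundary ends in a hex-style token (as Outlook's `----=_NextPart_...` does) are all assumptions, and the sample messages are constructed inline.

```python
"""Heuristic 'small ZIP from a mass-mailer' test plus a sliding-window counter.
Added example (not Declude's or Matt's code); thresholds are assumptions."""
import email
import io
import re
import zipfile
from collections import deque
from email import policy
from email.message import EmailMessage
from typing import Deque, List, Tuple

SMALL_ZIP_MAX_BYTES = 40_000   # assumed: worm ZIPs of the period were a few tens of kB
REQUIRED_HITS = 2              # assumed: need several traits together before failing
# Assumed: a client-generated boundary ends in a hex token (Outlook, Thunderbird style)
HEX_TAIL = re.compile(r"^[0-9A-Fa-f.=]+$")


def score_message(raw: bytes) -> Tuple[int, List[str]]:
    """Return (hit count, reasons). Without a small ZIP nothing else is evaluated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and len(data) <= SMALL_ZIP_MAX_BYTES:
            hits.append(f"small zip attachment {name} ({len(data)} bytes)")
    if not hits:
        return 0, hits
    if msg.get("X-Mailer") is None and msg.get("User-Agent") is None:
        hits.append("no X-Mailer or User-Agent header")
    boundary = msg.get_boundary() or ""
    tail = re.split(r"[_-]", boundary)[-1]          # token after the last '_' or '-'
    if boundary and (not tail or not HEX_TAIL.match(tail)):
        hits.append(f"boundary with non-hex characters: {boundary}")
    return len(hits), hits


def fails_test(raw: bytes) -> bool:
    """True when the message collects enough hits to be moved to the hold folder."""
    return score_message(raw)[0] >= REQUIRED_HITS


class SmallZipRate:
    """Sliding-window counter of held messages; record() returns True when the
    count inside the window reaches the alert threshold (time to mail the admin)."""

    def __init__(self, window_seconds: int = 15 * 60, alert_threshold: int = 10):
        self.window = window_seconds
        self.threshold = alert_threshold
        self.events: Deque[float] = deque()

    def record(self, ts: float) -> bool:
        self.events.append(ts)
        while self.events and self.events[0] < ts - self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold


# --- constructed sample messages (not captured traffic) ---------------------

def _tiny_zip(inner_name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


def _base_message(subject: str) -> EmailMessage:
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    return m


def worm_like_message() -> bytes:
    """Small ZIP around an executable-looking file, no X-Mailer, non-hex boundary."""
    m = _base_message("new price")
    m.add_attachment(_tiny_zip("price.exe", b"MZ" + b"\0" * 60),
                     maintype="application", subtype="zip", filename="new__price.zip")
    m.set_boundary("--=_worm-part-boundary")
    return m.as_bytes()


def client_message() -> bytes:
    """Same small ZIP, but from a mail client that sets X-Mailer and a hex boundary."""
    m = _base_message("quarterly figures")
    m["X-Mailer"] = "ExampleMailer 1.0"      # constructed product name
    m.add_attachment(_tiny_zip("figures.txt", b"q1,q2,q3\n"),
                     maintype="application", subtype="zip", filename="figures.zip")
    m.set_boundary("----=_NextPart_000_001B_01C0CA80.6B015D10")
    return m.as_bytes()


if __name__ == "__main__":
    rate = SmallZipRate(window_seconds=900, alert_threshold=3)
    for raw in (worm_like_message(), client_message()):
        n, why = score_message(raw)
        print(n, "hits", "HOLD" if fails_test(raw) else "pass", why)
```

Only the worm-like sample collects enough hits to be held; the client sample gets the single "small zip" hit and passes, which is the point of requiring several traits in combination. The hold-folder requeue after the time range would sit in the external script that also feeds `SmallZipRate.record()`.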
[Declude.Virus] New virus new__price.zip
Seems there is something going on, please check your virus logs.

...

Markus

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] ---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus new__price.zip
> Seems there is something going on, please check your virus logs.

...

A lot of messages are coming in (the SMD file has a file size of 23 kByte) containing zip files like:

BANNAME new__price.zip
BANNAME price_new.zip
BANNAME price.zip
BANNAME price2.zip

F-Prot or McAfee is already catching this as an unknown virus. In the meantime I've blocked .zip attachments on my server.

Markus
RE: [Declude.Virus] Where is the 'CR' vulnerability
> Actually, the problem is just as bad no matter who uses the domain.net domain. Note that you can use example.com, example.net, or example.org for cases like this. Those domains were designed for test purposes, and are set up to properly deal with whatever traffic comes their way as a result.

Ok, I understand. The original SMD file contained a CRCRLF at the end of the "X-header: PITA-Server" line.

Markus
RE: Re[10]: [Declude.Virus] testvirus.org #22
Andrew,

Your comment:

> so we'll still keep this list up to date from postings on the Declude.Virus newslist

Here is my actual FORGINGVIRUS list, maintained for F-Prot/McAfee virus names:

#FORGINGVIRUS Unknown Virus
FORGINGVIRUS Magistr
FORGINGVIRUS Klez
FORGINGVIRUS Yaha
FORGINGVIRUS Lentin
FORGINGVIRUS Bridex
FORGINGVIRUS Bugbear
FORGINGVIRUS SoBig
FORGINGVIRUS Fizzer
FORGINGVIRUS Palyh
FORGINGVIRUS MiMail
#FORGINGVIRUS Lirva
FORGINGVIRUS Dumar
FORGINGVIRUS Sober
FORGINGVIRUS Hybris
FORGINGVIRUS Bagle
FORGINGVIRUS MyDoom
FORGINGVIRUS Tanx
FORGINGVIRUS Netsky
FORGINGVIRUS Proxy-Cidra
FORGINGVIRUS Torvil
FORGINGVIRUS Exploit-ObjectData
FORGINGVIRUS Anonymous Driver
FORGINGVIRUS Zafi
FORGINGVIRUS Mabuto
FORGINGVIRUS Illwill
FORGINGVIRUS ObjData
FORGINGVIRUS Zerolin
FORGINGVIRUS Inor
FORGINGVIRUS IFromot
FORGINGVIRUS IFrame
FORGINGVIRUS Plexus
FORGINGVIRUS Phish-
FORGINGVIRUS Lovgate
FORGINGVIRUS Wurmark
FORGINGVIRUS Somefool
FORGINGVIRUS Reblin

Thanks for the great comments in your cfg file.

Markus
[Declude.Virus] Sober-J alias Reblin
(sorry for the previous wrong post to the junkmail list)

Seems like from today on there is a new Sober variant out: Sober-J. F-Prot and/or McAfee are catching them as Reblin.

Up to now I can see here two Reblins, and the remote host's REVDNS entry seems to fit the sender domain, so maybe not a forging virus...?

Markus
RE: [Declude.Virus] Sober-J alias Reblin
> Up to now I can see here two Reblins, and the remote host's REVDNS entry seems to fit the sender domain, so maybe not a forging virus...?

After multiple NDRs for our virus warnings I believe it's better to add Reblin to the forging virus list.

Markus
RE: [Declude.Virus] RAR Support - why not?
> My log files go to a separate directory (partition if available) and are zipped either weekly or monthly depending on size, and when there are enough they get burned to CD, then deleted.

As we're talking about partitions, spool folders and moving/deleting/archiving files: I've noted that setting up the spool folder as a separate NTFS partition attached as a subfolder to the IMail partition works, but sometimes there are some strange error messages (can't delete message, or the message is deleted but still shows up in the file explorer). According to an MS KB article this is a known issue. Stop. :-/

Markus
[Declude.Virus] FW: Your mail server sent us a virus (messaggio per ellebisrl.it)
I don't know if the postmaster of the ellebisrl.it MTA is watching this list. If not, please can someone from Declude contact the customer and tell him that it's not a good idea to send out virus warnings for HTML/[EMAIL PROTECTED](oits), as the recipients are mostly forged and we have nothing to do with this message. My mail server has exactly the same virus protection... the difference is that mine is not sending out unnecessary and false virus warnings. ;-)

Ciao
Markus
Southtyrol - Italy

-----Original Message-----
From: Postmaster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 12, 2005 2:08 PM
To: [EMAIL PROTECTED]
Subject: Your mail server sent us a virus

The Declude Virus software on our mail server detected the HTML/[EMAIL PROTECTED] virus that appears to have come from your mail server. It was sent in an attachment [HTML segment], from [EMAIL PROTECTED] to [EMAIL PROTECTED], with the subject "Mail Delivery (failure [EMAIL PROTECTED])". The Message-ID was: [EMAIL PROTECTED].

This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.

The headers from the E-mail are:

Received: from ellebisrl.it [82.90.111.171] by mail.ciesseserramenti.com with ESMTP (SMTPD32-7.07) id A11823DA0082; Wed, 12 Jan 2005 14:07:36 +0100
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Wed, 12 Jan 2005 14:07:56 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_001B_01C0CA80.6B015D10
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
RE: [Declude.Virus] Declude Licensing codes
This is my comment on many posts about licensing:

I believe Scott and Barry KNOW there are many unlicensed copies of Declude out there. I also believe that only a product with an appropriate revenue can be maintained and brought forward regularly. (Probably this was a big problem in the last 12 months.) So I really love to see that there are strong rules that will bring users of unlicensed copies into trouble while the paying customers will benefit.

For sure: the non-announcement of such actions can create some collateral damage. At least any of Barry's posts contained a final statement that all users of unlicensed copies should make them legal.

I have a friend who is a true genius regarding application development. Any of his applications (mostly Windows services) contains an activation component that contacts the online licensing server the first time and each time more than two basic properties of the hardware have changed (for example CPU, MAC, IP, or ...). As Declude.exe is called for each single message it wouldn't work in the same way, but maybe something like a weekly or monthly keep-alive license package? The local application will continue to work only if, after a new request (containing hostname, IP, MAC, CPU ID, ...), a time-limited license package comes back from Declude's license server. So each customer knows that he will have enough time to reactivate his license if he has changed hardware. On the other side CPHZ has great control over definitively (or maybe) unlicensed copies. This would also include control over illegal usage of new releases without a service agreement. Test systems will also work for some days.

Maybe the new Declude licensing functionality is already able to do all this. So the only criticism is that there was no announcement, not even to customers who are running definitively legal copies.

In order to keep admins informed about unexpected licensing errors there should be a new parameter like

LICENSEALERT = [EMAIL PROTECTED]

in each config file. So if something is going wrong with the licensing, even if I'm a legal customer, I can read this immediately in my inbox and have no problems sleeping at night because I haven't checked today's log files. We're talking about software that has to work around the clock. If this software is not doing its job and lets malicious content pass, I want my money back, much more than I've paid, because I have damage on my side.

Markus
RE: [Declude.Virus] Getting hammered by viruses
Hmmm, can't see any step near 2004-11-16, but the virus creating this big wall of infected messages is Zafi.D, which appeared some days ago.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, December 16, 2004 4:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Getting hammered by viruses

Hi Markus,

Sounds like you're experiencing what we saw starting on November 16th... a tenfold increase in spam overnight. After a little over a week ours settled down to about 3 times the amount of spam prior to the 16th. That has been steady ever since. We've attributed it to the recent spate of viruses creating zombies. Analysis shows our zombie spam has increased dramatically, requiring more reliance on content filtering and dynamic IP detection.

Darin.

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 10:24 AM
Subject: [Declude.Virus] Getting hammered by viruses

Is anyone else seeing this? Last week we had an average of 2750 viruses each day. Two days ago this number increased to 9000. Yesterday we caught 19000 viruses. Of the other 16000 messages, 9600 were spam.

Markus
[Declude.Virus] Getting hammered by viruses
Is anyone else seeing this? Last week we had an average of 2750 viruses each day. Two days ago this number increased to 9000. Yesterday we caught 19000 viruses. Of the other 16000 messages, 9600 were spam.

Markus
[Declude.Virus] Zafi.d
I've seen it in the last hours and now read it in a newsletter. It seems that a new wave of worm-infected messages is out. Zafi.d sends messages in different European languages having Christmas content (for example in Italian with the subject line "Buon natale").

It seems that Zafi.d is forging like Zafi.b (for those who have set as forged only .b and not .a, which is not forging).

F-Prot has caught the attached files (something.jpg[random-numbers].pif / .cmd / ...) as unknown virus.

Markus
RE: [Declude.Virus] Zafi.d
> and seems to be using a dictionary of common usernames instead of working off of a compromised address book -- yet another reason to get rid of nobody aliases ;-)

As far as I can see it does search the address books of infected machines. Maybe it's also trying common usernames, as the multilanguage content seems to be another attempt to bring out something creative.

Markus
RE: [Declude.Virus] Wurmark.A
Sophos has identified this as a forging worm (http://www.sophos.com/virusinfo/analyses/w32wurmarka.html). It's known since 2004-12-01, so I believe it's not a high-volume worm. However, thanks for pointing that out.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Sunday, December 05, 2004 3:10 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Wurmark.A

Hi Scott,

We've been getting a number of Wurmark.A postmaster notifications. It seems to be a forging virus. Should this be added to the Declude Forging Virus list?

Thanks,
Darin.
[Declude.Virus] Something strange out...
From this morning on (09:00 am GMT+1) we can see a lot of unknown viruses. As these messages contain from one to many recipients, a lot of NDRs from our warning messages are coming back. (Scott: you know we can not SKIPIF unknown virus.) So at the moment I've disabled all warning messages on our server.

Looking at the messages there are often file attachments (pif, scr, xls.zip ...). Here's a sample content of the body. Note that HTWM / htwm.de in this case is part of the forged sender; it is different in practically every infected message. The same for INDEPENDENT and www.independent.it, in this case the recipient's domain.

=
This mail was generated automatically.
More info about --HTWM-- under: http://www.htwm.de

--- Occured_Errors:
26.186.253.126_does_not_like_sender.
# 547: mailbox_unavailable
# 158: This_account_has_been_disabled_[#206].
# 373: Remote_host_said:_Requested_action_not_taken
# 516: MAILBOX NOT FOUND
End ---

The corrected mail is attached.

Auto_Mail.System: [htwm]

*-*-* Attachment: No Virus found
*-*-* INDEPENDENT- Anti_Virus Service
*-*-* http://www.independent.it
=
RE: [Declude.Virus] Something strange out...
Additional notes:

Seems like F-Prot with Viruscode 8 has been catching this for over an hour now. McAfee does not. As there are always (?) pif, scr, ... attachments it will also be caught by banned extensions. (Do you send out bannotifies?) But I've also seen .xls.zip attachments held as unknown virus by F-Prot.

There are also other similar body parts written in German, but with the same error part:

===
...
109.175.41.103_does_not_like_sender.
% 499: Remote_host_said:_Requested_action_not_taken
STOP mailer
===

Seems like this new worm intends to create a little bit of confusion on the user side.

Markus
RE: [Declude.Virus] Something strange out...
Here's another body sample:

===
Your password was changed successfully!

++ User-Service: http://www.news.vva.de
++ MailTo: [EMAIL PROTECTED]

*-*-* Attachment: No Virus found
*-*-* THALER- Anti_Virus Service
*-*-* http://www.thaler.it
===

news.vva.de is the forged sender, thaler.it the local recipient. Attached was a file news.pif. Filenames seem to be absolutely random; I assume they are randomly chosen from what can be found on the infected machine.

Markus
RE: [Declude.Virus] Something strange out...
Ok, both F-Prot and McAfee are catching it now as Sober.j.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Friday, November 19, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Something strange out...

Hello,

this is a new Sober.

Alex

-----Original Message-----
From: Markus Gufler [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Something strange out...

From this morning on (09:00 am GMT+1) we can see a lot of unknown viruses. As these messages contain from one to many recipients, a lot of NDRs from our warning messages are coming back. (Scott: you know we can not SKIPIF unknown virus.) So at the moment I've disabled all warning messages on our server.

Looking at the messages there are often file attachments (pif, scr, xls.zip ...). Here's a sample content of the body. Note that HTWM / htwm.de in this case is part of the forged sender; it is different in practically every infected message. The same for INDEPENDENT and www.independent.it, in this case the recipient's domain.

=
This mail was generated automatically.
More info about --HTWM-- under: http://www.htwm.de

--- Occured_Errors:
26.186.253.126_does_not_like_sender.
# 547: mailbox_unavailable
# 158: This_account_has_been_disabled_[#206].
# 373: Remote_host_said:_Requested_action_not_taken
# 516: MAILBOX NOT FOUND
End ---

The corrected mail is attached.

Auto_Mail.System: [htwm]

*-*-* Attachment: No Virus found
*-*-* INDEPENDENT- Anti_Virus Service
*-*-* http://www.independent.it
=
[Declude.Virus] Corrupt price.exe ?
Some minutes ago I received a message with price.exe as attachment. (John: due to ISP activity we can't simply block exes :-)

I've forwarded the file (67 bytes) to virustotal.com and the response was:

Virus Total _ Codification 7bit
Unsupported or malformed attached file codification
(Response to a message sent on Tue, 16 Nov 2004 11:38:48 +0100)

So according to the file size it seems there is a corrupt/incomplete variant of this virus out, and it's worth blocking with BANNAME price.exe if it's not possible to block all exe files. Have I missed something?

Markus
RE: [Declude.Virus] Bagz
> Neither F-Prot (3.15b) nor AVG (7.0.289) appear to be catching this.

Hm, searching on http://vil.nai.com/vil/default.asp for bagz returns a lot of variants. Seems not to be an absolutely new one...

Markus
[Declude.Virus] Lovgate.Y forging...
Looks like Lovgate.Y has become a forging worm. Up to now I haven't had it on my FORGINGVIRUS list, but today several NDRs for our virus warnings sent to the recipient have come back.

Markus
[Declude.Virus] Unknown virus warnings
Hi all,

Today I can see a large number of non-delivery reports coming back to our server containing the original virus warning (recip.eml). This is the beginning of our recip.eml file:

===
SKIPIFSENDER [Forged]
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS MyDoom
SKIPIFVIRUSNAMEHAS Netsky
SKIPIFVIRUSNAMEHAS Bagle
SKIPIFVIRUSNAMEHAS Unknown Virus
ONLYSENDIFREMOTESENDER
To: %ALLRECIPS%
From: [EMAIL PROTECTED]
...
===

All returning NDRs are warnings about an Unknown Virus, so I can't understand why they are sent out, because the according SKIPIFVIRUSNAMEHAS line is there and we haven't changed any content of this file in the last 3 weeks. NDRs are coming back from all around the world.

Any ideas?

Markus
[Declude.Virus] HEADS UP there is something strange out
My F-Prot/McAfee scanners are detecting huge numbers of Unknown Viruses this morning. Looking at the original message headers there are always HELO strings like:

Beatrix.net
Arianna.net
Margareth1.org
Margareth1.com

This moment I've received a warning from my own server that I have sent a virus to another local recipient. Looking at the SMTP log file, the sending IP was not mine.

Even if all eml files (recip, sender_local, sender_remote) contain a line

SKIPIFVIRUSNAMEHAS Unknown Virus

these warnings are still sent out. I've also tried to add

FORGINGVIRUS Unknown Virus

but the warnings are still sent out. The same thing is happening on another IMail/Declude server. What the hell is going on here?

Markus
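The two "Unknown virus warnings" posts above both turn on the same defender question: given the SKIPIF*/ONLYSENDIF* directives at the top of a notification template and the FORGINGVIRUS list, should a warning for a given detection be sent at all, or would it only produce backscatter to a forged sender? The evaluator below is an added example, not Declude's code: the semantics it assumes (case-insensitive substring match for SKIPIFVIRUSNAMEHAS, a FORGINGVIRUS match marking the sender as forged so SKIPIFSENDER [Forged] applies, ONLYSENDIFREMOTESENDER suppressing warnings for local senders, directives ending at the first mail header line) are drawn from the directive names in the thread, and the config text and forging list are constructed from what Markus quoted.

```python
"""Decide whether a Declude-style virus warning may be sent.
Added example (not Declude's code); directive semantics are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: the head of Markus' recip.eml as quoted in the thread.
RECIP_EML = """\
SKIPIFSENDER [Forged]
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS MyDoom
SKIPIFVIRUSNAMEHAS Netsky
SKIPIFVIRUSNAMEHAS Bagle
SKIPIFVIRUSNAMEHAS Unknown Virus
ONLYSENDIFREMOTESENDER
To: %ALLRECIPS%
From: postmaster@example.com
"""

# Constructed subset of the FORGINGVIRUS names discussed on the list.
FORGING_VIRUSES = ["Sober", "Reblin", "Zafi", "Lovgate", "Wurmark"]


@dataclass
class ScanResult:
    virus_name: str          # scanner's name for the detection, e.g. "W32/Sober.J@mm"
    sender_is_remote: bool   # True when the message came in from outside


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (KEYWORD, argument) pairs from the lines before the first
    mail header ("To:", "From:", ...); '#' lines are comments."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line.split(" ", 1)[0]:      # "To:" style line ends the directives
            break
        key, _, arg = line.partition(" ")
        directives.append((key.upper(), arg.strip()))
    return directives


def is_forging(virus_name: str, forging_list: List[str]) -> bool:
    """Assumed: a FORGINGVIRUS entry matches as a case-insensitive substring."""
    name = virus_name.lower()
    return any(entry.lower() in name for entry in forging_list)


def should_notify(result: ScanResult, directives: List[Tuple[str, str]],
                  forging_list: List[str]) -> bool:
    """Apply the directives in order; any matching SKIP/ONLY rule suppresses the warning."""
    sender_forged = is_forging(result.virus_name, forging_list)
    for key, arg in directives:
        if key == "SKIPIFVIRUSNAMEHAS" and arg.lower() in result.virus_name.lower():
            return False
        if key == "SKIPIFSENDER" and arg.lower() == "[forged]" and sender_forged:
            return False
        if key == "ONLYSENDIFREMOTESENDER" and not result.sender_is_remote:
            return False
    return True


if __name__ == "__main__":
    rules = parse_directives(RECIP_EML)
    for r in (ScanResult("Unknown Virus", True),
              ScanResult("W32/Sober.J@mm", True),
              ScanResult("W32/Mytob.A", True),
              ScanResult("W32/Mytob.A", False)):
        print(r.virus_name, "remote" if r.sender_is_remote else "local",
              "-> send" if should_notify(r, rules, FORGING_VIRUSES) else "-> skip")
```

With this evaluation an "Unknown Virus" detection is skipped by the SKIPIFVIRUSNAMEHAS line and a Sober detection by the forged-sender rule, so warnings for either would never leave the server; only a non-forging detection from a remote sender (the Mytob case here) is notified. Comparing such an expected decision against what the server actually sends is the quickest way to tell a template problem from a scanner-naming problem like the one Markus describes.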