RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
Should the built in declude virus scanner scan inside of zip files (when we used f-prot it did)? Are there any settings to get it to scan the zip files. We did have to exclude password protected zip files in the past and we still do but need the virus scanner to scan zip attachments -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Jaworski Sent: Monday, July 21, 2008 6:59 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment? This also appears to been out in other forms in the last few days. Google it. M --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
I had to send a copy to Trend Micro (my AV provider), about an hour later they had it taken care of in a new set of definitions. I just blocked ZIP's until the fix came through. Sure, it got me a few complaints but at least it kept everyone from opening it. --SJ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers Sent: Tuesday, July 22, 2008 2:58 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment? Should the built in declude virus scanner scan inside of zip files (when we used f-prot it did)? Are there any settings to get it to scan the zip files. We did have to exclude password protected zip files in the past and we still do but need the virus scanner to scan zip attachments -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Jaworski Sent: Monday, July 21, 2008 6:59 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment? This also appears to been out in other forms in the last few days. Google it. M --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
I just took the ban off of zips and it looks like it's catching this virus now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers Sent: Tuesday, July 22, 2008 1:58 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment? Should the built in declude virus scanner scan inside of zip files (when we used f-prot it did)? Are there any settings to get it to scan the zip files. We did have to exclude password protected zip files in the past and we still do but need the virus scanner to scan zip attachments -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Jaworski Sent: Monday, July 21, 2008 6:59 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment? This also appears to been out in other forms in the last few days. Google it. M --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
We are seeing them come in. The common static denominators are: 1. Subject line UPS Tracking Number 2. Body contains Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office Your UPS Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht Sent: Monday, July 21, 2008 4:23 PM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus (.exe) in a zip attachment? We juat saw a new apparent virus/phishing threat come across trying to imposter as a failed UPS delivery notice. The file attached was called UPS_INVOICE_978172.zip and included a .exe file within. Is their anyway to catch these in the BanFile area of Declude? We do allow banned files within a zip in our current config. It would have to be set up as a wild card I imagine (assuming the numbers in the file name would change). We've only seen one of these so far, so do not have anything else to compare to to see if name is changing or not. --- Randy A. Technical Support Director Global Web Solutions, Inc. 804-442-5300 http://globalweb.net --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
This also appears to been out in other forms in the last few days. Google it. M --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] new virus with .rar attachment
Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today: http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam _attack_rared_trojan.html An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Wednesday, April 25, 2007 10:31 AM To: declude.virus@declude.com Subject: [Declude.Virus] new virus with .rar attachment I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of Virus Activity Detected! Spyware Alert! It containes a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware. I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED]. http://vil.nai.com/vil/content/v_142094.htm Since this a password protected .rar file, should we now be blocking these? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] new virus with .rar attachment
Basically that is what ClamAV is doing. It detects it as a phishing spam. Original Message From: Colbeck, Andrew [EMAIL PROTECTED] Sent: Thursday, April 26, 2007 6:11 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus with .rar attachment Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today: http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam _attack_rared_trojan.html An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Wednesday, April 25, 2007 10:31 AM To: declude.virus@declude.com Subject: [Declude.Virus] new virus with .rar attachment I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of Virus Activity Detected! Spyware Alert! It containes a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware. I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED]. http://vil.nai.com/vil/content/v_142094.htm Since this a password protected .rar file, should we now be blocking these? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] new virus with .rar attachment
Symantec is being short-sighted. This is the same spammer sending this virus that was responsible for the seeded outbreak around New Year's. He starts his attacks at a moment's notice and ends them just as quickly. He can change his text faster than Symantec will ever be able to keep up with should he care to do so. He sends these through his network of spam zombies which he typically uses to send out stock spam. McAfee was detecting this within 2 hours of it first being seen. I saw hundreds of these within those two hours though. Thankfully it appears that almost all if not all were blocked as spam. Another saving grace is the fact that it came out as an encrypted RAR which very few people have support for. Be absolutely certain that he will be back. Matt Gary Steiner wrote: Basically that is what ClamAV is doing. It detects it as a phishing spam. Original Message From: Colbeck, Andrew [EMAIL PROTECTED] Sent: Thursday, April 26, 2007 6:11 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus with .rar attachment Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today: http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam _attack_rared_trojan.html An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Wednesday, April 25, 2007 10:31 AM To: declude.virus@declude.com Subject: [Declude.Virus] new virus with .rar attachment I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of Virus Activity Detected! Spyware Alert! It containes a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware. I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED]. http://vil.nai.com/vil/content/v_142094.htm Since this a password protected .rar file, should we now be blocking these? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
re: [Declude.Virus] new virus with .rar attachment
ClamAV is now picking this up as Email.Phishing.RB-686 Original Message From: Gary Steiner [EMAIL PROTECTED] Sent: Wednesday, April 25, 2007 1:48 PM To: declude.virus@declude.com Subject: [Declude.Virus] new virus with .rar attachment I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of Virus Activity Detected! Spyware Alert! It containes a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware. I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED]. http://vil.nai.com/vil/content/v_142094.htm Since this a password protected .rar file, should we now be blocking these? --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
p.s. No, the conversation thread at the end of my posting was not relevant to the antivirus tip, that was simply poor copy and paste on my part. Andrew 8) --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
Andrew.. Why not block any .exe attachments? In our system AVG is detecting it. Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Saturday, December 30, 2006 12:11 PM To: declude.virus@declude.com Subject: [Declude.Virus] New virus to add to your banned names in virus.cfg http://isc.sans.org/diary.php?storyid=1988 BANNAME Greeting Card.exe BANNAME Greeting Postcard.exe BANNAME GreetingCard.exe Which may be related to a rash these that my mailserver received on Dec 28th, as the executables are the same size but contain may differences: BANNAME postcard.exe As of this writing, F-Prot detected neither executable, and Trend Micro does not yet, unless you use the CPR version to obtain the beta of the next pattern update. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, December 26, 2006 6:05 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] How to block an IP Joe, Just add the IP or CIDR block into the SMTP access control in Imail. Darrell -- -- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: J Porter [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, December 25, 2006 11:06 PM Subject: [Declude.Virus] How to block an IP Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)? I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says H~xxx\.yyy\.zz\. but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs) I don't think the H~ (header contains) command reads everything in the header. ~Joe --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
Why not block any .exe attachments? I don't block .EXE attachments, but that policy may work for others. In my company, we find it very common to receive executables in email, as well as viruses that are plain executables, therefore we neither silently discard them, nor do we reply to likely spoofed mailfrom, nor do we annoy the recipient. I use Declude on a gateway server, and I use Trend Micro ScanMail for Exchange on my internal servers. On those internal servers, I scan for viruses and I ban executable attachments (not the whole message) and notify the recipient and our Help Centre. From the message body, the recipient can determine whether the attachment is valid; the Help Centre could re-send the executable but it would be blocked by Outlook anyway, so the usual case is then for the recipient to ask the sender to re-send the executable in a zip file. In our system AVG is detecting it. Shortly before I sent that first message, F-Prot received a pattern update and was detecting the greeting cards as W32/Tibs.gen4 and the postcard as W32/Tibs.RA ... And submitting the greeting card to the Sunbelt malware sandbox showed a huge amount of activity. I suspect that this will be a real nuisance for those infected. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Saturday, December 30, 2006 9:30 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New virus to add to your banned names in virus.cfg Andrew.. Why not block any .exe attachments? In our system AVG is detecting it. Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Saturday, December 30, 2006 12:11 PM To: declude.virus@declude.com Subject: [Declude.Virus] New virus to add to your banned names in virus.cfg http://isc.sans.org/diary.php?storyid=1988 BANNAME Greeting Card.exe BANNAME Greeting Postcard.exe BANNAME GreetingCard.exe Which may be related to a rash these that my mailserver received on Dec 28th, as the executables are the same size but contain may differences: BANNAME postcard.exe As of this writing, F-Prot detected neither executable, and Trend Micro does not yet, unless you use the CPR version to obtain the beta of the next pattern update. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, December 26, 2006 6:05 AM To: declude.virus@declude.com Subject: Re: [Declude.Virus] How to block an IP Joe, Just add the IP or CIDR block into the SMTP access control in Imail. Darrell -- -- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: J Porter [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Monday, December 25, 2006 11:06 PM Subject: [Declude.Virus] How to block an IP Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)? I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says H~xxx\.yyy\.zz\. but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs) I don't think the H~ (header contains) command reads everything in the header. ~Joe --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached? Submit the executable to: http://www.virustotal.com/en/indexf.html Or: http://virusscan.jotti.org/ I believe that both services share unknown executables with the antivirus vendors. Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.: http://subwiz.trendmicro.com/SubWiz/Default.asp Or: http://www.f-prot.com/virusinfo/submission_form.html But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!). Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Tuesday, October 10, 2006 10:21 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus? Hey All Has anyone seen the email saying that you purchased a Sony VAIO for $2,500? We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is begin caught? Thanks, Grant Griffith Web Application Developer Enhanced Telecommunications http://www.etczone.com 812-932-1000 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus?
I posted virustotal results a half hour ago... did you see them? Darin. - Original Message - From: Grant Griffith [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Tuesday, October 10, 2006 2:17 PM Subject: RE: [Declude.Virus] New Virus? It does have a .zip file that contains a .exe file inside it. The message says it contains a .pdf file, but it is really an .exe file. I am running it thru virustotal.com now. Thanks, Grant Griffith Web Application Developer Enhanced Telecommunications http://www.etczone.com 812-932-1000 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, October 10, 2006 1:32 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus? Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached? Submit the executable to: http://www.virustotal.com/en/indexf.html Or: http://virusscan.jotti.org/ I believe that both services share unknown executables with the antivirus vendors. Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.: http://subwiz.trendmicro.com/SubWiz/Default.asp Or: http://www.f-prot.com/virusinfo/submission_form.html But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!). Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Tuesday, October 10, 2006 10:21 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus? Hey All Has anyone seen the email saying that you purchased a Sony VAIO for $2,500? We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is begin caught? Thanks, Grant Griffith Web Application Developer Enhanced Telecommunications http://www.etczone.com 812-932-1000 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
If you want to submit a virus, don't forget about ClamAV: http://www.clamav.net/sendvirus.html The nice thing about them is when they've used your sample to update their definitions, they will actually send you an email telling you this. Original Message From: Colbeck, Andrew [EMAIL PROTECTED] Sent: Tuesday, October 10, 2006 1:50 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus? Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached? Submit the executable to: http://www.virustotal.com/en/indexf.html Or: http://virusscan.jotti.org/ I believe that both services share unknown executables with the antivirus vendors. Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.: http://subwiz.trendmicro.com/SubWiz/Default.asp Or: http://www.f-prot.com/virusinfo/submission_form.html But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!). Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith Sent: Tuesday, October 10, 2006 10:21 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus? Hey All Has anyone seen the email saying that you purchased a Sony VAIO for $2,500? We received a bunch of these this morning in our mailboxes and am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is begin caught? Thanks, Grant Griffith Web Application Developer Enhanced Telecommunications http://www.etczone.com 812-932-1000 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] new virus?
My logs tell me that we received more than the usual number of viruses yesterday. These were split into two groups, a version of Bagle that was released back in June, and a new worm which Trend Micro calls WORM_STRATION.BD In the samples I looked at, the messages were fake bounces with an executable attachment which had a.dat.pif extension. Here's the writeupon that: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBHVSect=T Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen MitchellSent: Wednesday, August 30, 2006 2:01 PMTo: declude.virus@declude.comSubject: [Declude.Virus] new virus? I am seeing lots of .com attachments blocked with Declude. Random two word subject from many different ip addresses. Is anyone else seeing them? Karen M. MitchellSenior NewMedia Systems AdministratorAccuWeather, Inc.385 Science Park RoadState College, PA 16803814-235-8698"Get the best weather on the web" - http://www.accuweather.com ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.
RE: [Declude.Virus] new virus?
The Internet Storm Center also notes two items... That a new-ish botnet has been found: http://isc.sans.org/diary.php?storyid=1657 Previously, that there is elevated port scanning for 139/TCP: http://isc.sans.org/diary.php?storyid=1654 In that second link,they note two malwares that are attacking the "Server" service that Microsoft patched most recently in August with MS06-040: https://www.microsoft.com/technet/security/bulletin/ms06-040.mspx Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Thursday, August 31, 2006 8:59 AMTo: declude.virus@declude.comSubject: RE: [Declude.Virus] new virus? My logs tell me that we received more than the usual number of viruses yesterday. These were split into two groups, a version of Bagle that was released back in June, and a new worm which Trend Micro calls WORM_STRATION.BD In the samples I looked at, the messages were fake bounces with an executable attachment which had a.dat.pif extension. Here's the writeupon that: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBHVSect=T Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen MitchellSent: Wednesday, August 30, 2006 2:01 PMTo: declude.virus@declude.comSubject: [Declude.Virus] new virus? I am seeing lots of .com attachments blocked with Declude. Random two word subject from many different ip addresses. Is anyone else seeing them? Karen M. MitchellSenior NewMedia Systems AdministratorAccuWeather, Inc.385 Science Park RoadState College, PA 16803814-235-8698"Get the best weather on the web" - http://www.accuweather.com ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.
RE: [Declude.Virus] new virus?
I checked and saw just a few of them. Luis Arango From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen MitchellSent: MiƩrcoles, 30 de Agosto de 2006 04:01 p.m.To: declude.virus@declude.comSubject: [Declude.Virus] new virus? I am seeing lots of .com attachments blocked with Declude. Random two word subject from many different ip addresses. Is anyone else seeing them? Karen M. MitchellSenior NewMedia Systems AdministratorAccuWeather, Inc.385 Science Park RoadState College, PA 16803814-235-8698"Get the best weather on the web" - http://www.accuweather.com ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Um, no making fun here - I opened it. I thought it was just spam someone forwarded it to my spam account. I didn't find the Trojan downloader on my PC. I'm ASSUMING that you have to hit the check prices macro button as no macro seemed to auto-execute... I just downloaded the intelligent updater for NAV 9 (as the live update button only gave me definitions of the 21st) and am running a scan now. Remind me not to make so much fun of other people for opening attachments. Marc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 2:32 PM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I have added the request to the wish list. We are focusing on replicating problems and fixing items from the list I had posted earlier last week. We are looking to do a release Thursday 8 July it is currently under going testing. This is all obviously subject to change just trying to keep you informed. Items in next release: 1. Fix - ALLOWVULNERABILITIESFROM - full email address only 2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path 3. Add - Error in SM envelope file: if errors are found the mail will be moved to the error directory 4. Add - If the headers files are not found then the data file is moved to error directory. 5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check for the end of the headers. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, June 27, 2006 7:04 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus John, Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs. Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and it's customers alike. Matt John T (Lists) wrote: I know. :( Declude, this is a feature who's time has come. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Marc, check the contents of your c:\ for 666INSE_1.EXE as this is the dropper file that the macro drops. If it's there, the macro was executed, and the dropper has probably also download further malware. Modern versions of Office will, by default, not execute the macro so you might be safe. I don't know if Symantec has signatures for this document, the dropper or the payload it downloads. Trend Micro does, so you could use their web based HouseCall antivirus scanner from here: http://housecall.trendmicro.com/ Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Wednesday, June 28, 2006 6:03 AM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Um, no making fun here - I opened it. I thought it was just spam someone forwarded it to my spam account. I didn't find the Trojan downloader on my PC. I'm ASSUMING that you have to hit the check prices macro button as no macro seemed to auto-execute... I just downloaded the intelligent updater for NAV 9 (as the live update button only gave me definitions of the 21st) and am running a scan now. Remind me not to make so much fun of other people for opening attachments. Marc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 2:32 PM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Hi John: I have received 3 of these that are not in zip files. My_new_comp.doc About_me.doc Hp_laptops.doc All are similar in concept: With the following in the body and different subjects. Name after hello is also different. --- Hello Cristian Asanachescu Regards, Cristian Asanachescu Or - Hello Patricia Myrose Regards, Patricia Myrose - All files are 52 KB attachments. I am trying to see why it was not caught as virus.. It does not look right. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 5:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks? Thanks, Matt David Barker wrote: I have added the request to the wish list. We are focusing on replicating problems and fixing items from the list I had posted earlier last week. We are looking to do a release Thursday 8 July it is currently under going testing. This is all obviously subject to change just trying to keep you informed. Items in next release: 1. Fix - ALLOWVULNERABILITIESFROM - full email address only 2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path 3. Add - Error in SM envelope file: if errors are found the mail will be moved to the error directory 4. Add - If the headers files are not found then the data file is moved to error directory. 5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check for the end of the headers. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, June 27, 2006 7:04 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus John, Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs. Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and it's customers alike. Matt John T (Lists) wrote: I know. :( Declude, this is a feature who's time has come. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Matt - Thanks for keeping track of all of this for the rest of us. Rob -Original Message- David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks? Thanks, Matt --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Matt, Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test. As for these items they are on the list for engineers to confirm and test and fix if they are bugs. 1. Invalid characters in the Mail FROM 2. Long base 64 encoding causing Declude EVA to fail decoding 3. WHITELIST IP being applied before IPBYPASS David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 1:49 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks? Thanks, Matt David Barker wrote: I have added the request to the wish list. We are focusing on replicating problems and fixing items from the list I had posted earlier last week. We are looking to do a release Thursday 8 July it is currently under going testing. This is all obviously subject to change just trying to keep you informed. Items in next release: 1. Fix - ALLOWVULNERABILITIESFROM - full email address only 2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path 3. Add - Error in SM envelope file: if errors are found the mail will be moved to the error directory 4. Add - If the headers files are not found then the data file is moved to error directory. 5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check for the end of the headers. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, June 27, 2006 7:04 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus John, Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs. Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and it's customers alike. Matt John T (Lists) wrote: I know. :( Declude, this is a feature who's time has come. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David, The CRLF thing doesn't affect me since I have my own solution, however for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programatically determined with a great deal of ease (a simple regexp), and Declude could insert it's headers into the correct place if this was done. Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. Regarding the other things, I'm very alarmed that the official position is still not even recognizing that these bugs surely exist, much less fixed at this point. This concerns me greatly since I rely on this product for my business, and if it takes months to just confirm a bug, especially one that is widely reported, I can't responsibly rely on that product. It is pretty much the same thing as having a virus scanner that takes months to catch a particular virus, or having a Web browser that is never patch for a critical flaw. I consider both the Mail From issue and the base 64 encoding issues to be critical flaws that warrant immediate fixes. I am not alone in this. If you don't have a lot of people still griping about this stuff, it is because they are either not aware of the flaws, or they have already given up on trying to get you guys to fix them, or given up on relying on Declude altogether. These things should be fixed in hours or days and not weeks or months when they occur. I assume that you are not the person making these development decisions, so this isn't directed at you, but those that make the calls need to fully understand the critical nature of these flaws, and their role in making sure that Declude can respond rapidly to such things not just now, but as they occur in the future. Thanks, Matt David Barker wrote: Matt, Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test. As for these items they are on the list for engineers to confirm and test and fix if they are bugs. 1. Invalid characters in the Mail FROM 2. Long base 64 encoding causing Declude EVA to fail decoding 3. WHITELIST IP being applied before IPBYPASS David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Wednesday, June 28, 2006 1:49 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks? Thanks, Matt David Barker wrote: I have added the request to the wish list. We are focusing on replicating problems and fixing items from the list I had posted earlier last week. We are looking to do a release Thursday 8 July it is currently under going testing. This is all obviously subject to change just trying to keep you informed. Items in next release: 1. Fix - ALLOWVULNERABILITIESFROM - full email address only 2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path 3. Add - Error in SM envelope file: if errors are found the mail will be moved to the error directory 4. Add - If the headers files are not found then the data file is moved to error directory. 5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check for the end of the headers. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, June 27, 2006 7:04 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus John, Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs. Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and it's customers alike. Matt John T (Lists) wrote: I know. :( Declude, this is a feature who's
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
All of these issues are why I am still on version 2.x.x as well. I have been waiting for their resolution for some time while patiently paying my support fee's. At 01:48 PM 6/28/2006 -0400, you wrote: David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks? Thanks, Matt David Barker wrote: I have added the request to the wish list. We are focusing on replicating problems and fixing items from the list I had posted earlier last week. We are looking to do a release Thursday 8 July it is currently under going testing. This is all obviously subject to change just trying to keep you informed. Items in next release: 1. Fix - ALLOWVULNERABILITIESFROM - full email address only 2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path 3. Add - Error in SM envelope file: if errors are found the mail will be moved to the error directory 4. Add - If the headers files are not found then the data file is moved to error directory. 5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check for the end of the headers. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, June 27, 2006 7:04 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus John, Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs. Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and it's customers alike. Matt John T (Lists) wrote: I know. :( Declude, this is a feature who's time has come. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Matt, The CRLF problem has more to do with the email server and not Declude, emails that are so badly broken should be either rejected by the email server or these headers should be standardized by the email server. Eitherway this is a much more complex issue than you make it out to be, by just fixing it with a simple regexp, if it was as easy as that, do you not think we would have done this already ? Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. This is not how we are dealing with this issue, it is not an additional Spam test as I clearly stated we are dealing with this as a vulnerability because this should be addressed at the email server level and not Declude, therefore the message will be quarentined - as every instance we have seen of this has been invalid email. The Long base 64 encoding is a similar issue whereby the mail server should deal with these before they get to Declude as such emails are clearly in violation of the RFC's and should be treated as suspect from the very beginning. To conclude, we are making every effort to address these issues because it is not being done at the server level, have you contacted Imail and asked for their response and/or fix ? David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 2:48 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, The CRLF thing doesn't affect me since I have my own solution, however for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programatically determined with a great deal of ease (a simple regexp), and Declude could insert it's headers into the correct place if this was done. Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. Regarding the other things, I'm very alarmed that the official position is still not even recognizing that these bugs surely exist, much less fixed at this point. This concerns me greatly since I rely on this product for my business, and if it takes months to just confirm a bug, especially one that is widely reported, I can't responsibly rely on that product. It is pretty much the same thing as having a virus scanner that takes months to catch a particular virus, or having a Web browser that is never patch for a critical flaw. I consider both the Mail From issue and the base 64 encoding issues to be critical flaws that warrant immediate fixes. I am not alone in this. If you don't have a lot of people still griping about this stuff, it is because they are either not aware of the flaws, or they have already given up on trying to get you guys to fix them, or given up on relying on Declude altogether. These things should be fixed in hours or days and not weeks or months when they occur. I assume that you are not the person making these development decisions, so this isn't directed at you, but those that make the calls need to fully understand the critical nature of these flaws, and their role in making sure that Declude can respond rapidly to such things not just now, but as they occur in the future. Thanks, Matt David Barker wrote: Matt, Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test. As for these items they are on the list for engineers to confirm and test and fix if they are bugs. 1. Invalid characters in the Mail FROM 2. Long base 64 encoding causing Declude EVA to fail decoding 3. WHITELIST IP being applied before IPBYPASS David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 1:49 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS, and the issue where Declude's headers are inserted at the bottom of the message when the headers don't use proper CRLF line breaks? Thanks, Matt David Barker wrote: I have added the request to the wish list. We are focusing on replicating
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David, From my point of view, the problem with that response is that if Imail handle all the issues presented by abnormal mail messages, we would not need Declude. Imail handles normal messages just fine. If it were not for viruses and spammers, we would not see these problems. We got Declude to handle viruses and spammers. Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, June 28, 2006 3:08 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Matt, The CRLF problem has more to do with the email server and not Declude, emails that are so badly broken should be either rejected by the email server or these headers should be standardized by the email server. Eitherway this is a much more complex issue than you make it out to be, by just fixing it with a simple regexp, if it was as easy as that, do you not think we would have done this already ? Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. This is not how we are dealing with this issue, it is not an additional Spam test as I clearly stated we are dealing with this as a vulnerability because this should be addressed at the email server level and not Declude, therefore the message will be quarentined - as every instance we have seen of this has been invalid email. The Long base 64 encoding is a similar issue whereby the mail server should deal with these before they get to Declude as such emails are clearly in violation of the RFC's and should be treated as suspect from the very beginning. To conclude, we are making every effort to address these issues because it is not being done at the server level, have you contacted Imail and asked for their response and/or fix ? David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 2:48 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, The CRLF thing doesn't affect me since I have my own solution, however for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programatically determined with a great deal of ease (a simple regexp), and Declude could insert it's headers into the correct place if this was done. Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. Regarding the other things, I'm very alarmed that the official position is still not even recognizing that these bugs surely exist, much less fixed at this point. This concerns me greatly since I rely on this product for my business, and if it takes months to just confirm a bug, especially one that is widely reported, I can't responsibly rely on that product. It is pretty much the same thing as having a virus scanner that takes months to catch a particular virus, or having a Web browser that is never patch for a critical flaw. I consider both the Mail From issue and the base 64 encoding issues to be critical flaws that warrant immediate fixes. I am not alone in this. If you don't have a lot of people still griping about this stuff, it is because they are either not aware of the flaws, or they have already given up on trying to get you guys to fix them, or given up on relying on Declude altogether. These things should be fixed in hours or days and not weeks or months when they occur. I assume that you are not the person making these development decisions, so this isn't directed at you, but those that make the calls need to fully understand the critical nature of these flaws, and their role in making sure that Declude can respond rapidly to such things not just now, but as they occur in the future. Thanks, Matt David Barker wrote: Matt, Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test. As for these items they are on the list for engineers to confirm and test and fix if they are bugs. 1. Invalid characters in the Mail FROM 2. Long base 64 encoding causing Declude EVA to fail decoding 3. WHITELIST IP being applied before IPBYPASS David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 1:49 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, I'm just wondering about
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Back to the matter indicated in the subject line, how are others dealing with this? Is F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it? Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relaying on users to not open attachments is problematic. John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David, Mail servers have absolutely no requirement to inspect the contents of the data. This is Declude's job to do. Additionally, most mail clients do support both the CR flaw as well as the long base64 encoding flaw, so anything making it past Declude due to the holes created by these bugs is a critical flaw. There are so many things out there that violate the RFC's, it's almost not even worth arguing about who's responsibility it is since these things definitely exist and need to be dealt with appropriately. The issue with the CR's and Declude is not technically a vulnerability for any application out there besides Declude itself. Vulnerabilities in Declude have historically been formatting supported by mail clients which could be used to sneak past encoded attachments or scripting which could cause auto-execution or bypassing of virus scanners. The vulnerability only exists because Declude's SUBJECT action and header appending does not work appropriately, and some people chose to filter on such things instead of relying on other actions. I do in fact receive legitimate E-mail that have only CR's. Any PHP programmer out there can make this mistake just like multiple vendors are violating RFC's by including a space in the SMTP commands where they don't belong, or adding headers that don't properly bracket IP's, etc. If this is introduced as a vulnerability, I want to turn it off. The reason is because I don't want to scan a directory full of Q and D files searching for false positives, and I know that they will exist. Others may be less anal about this, or have different traffic patterns that isolates them from such issues, or might simply not care. Ultimately however, if you just simply placed the Declude inserted headers in the best possible place (before the first CRCR) then this wouldn't be an issue. I find it hard to believe that no one there can figure out how to do that. Regardless of who is right or wrong, right now every Declude user is vulnerable to viruses that may exploit the holes created by the base64 encoding error and the invalid character in the Mail From error. There is a virus that has been spreading for over a year that bypasses Declude's Virus' calling of virus scanners due to the long encoding lines, and the only reason why this hasn't become an issue is because he only sends EXE's which most of us block by default and only causes backscatter. If someone were to write a virus that was in a zip or a DOC though, which most of us don't block, it would bypass our virus scanners 100% of the time. If they wanted to exploit some scripting holes in mail clients, all they would have to do is send with a non ASCII character in the Mail From and they're good to go right past Declude. This is why these things are critical in nature. I don't want to continually bring this stuff up, I just want you guys to get it. Pretend for a second that I am right, and then look back at what you are doing. Please. Matt David Barker wrote: Matt, The CRLF problem has more to do with the email server and not Declude, emails that are so badly broken should be either rejected by the email server or these headers should be standardized by the email server. Eitherway this is a much more complex issue than you make it out to be, by just fixing it with a simple regexp, if it was as easy as that, do you not think we would have done this already ? Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. This is not how we are dealing with this issue, it is not an additional Spam test as I clearly stated we are dealing with this as a vulnerability because this should be addressed at the email server level and not Declude, therefore the message will be quarentined - as every instance we have seen of this has been invalid email. The Long base 64 encoding is a similar issue whereby the mail server should deal with these before they get to Declude as such emails are clearly in violation of the RFC's and should be treated as suspect from the very beginning. To conclude, we are making every effort to address these issues because it is not being done at the server level, have you contacted Imail and asked for their response and/or fix ? David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 2:48 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, The CRLF thing doesn't affect me since I have my own solution, however for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programatically determined with a great deal of ease (a simple regexp), and Declude could insert it's headers into the correct place if this was done. Introducing
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
as every instance we have seen of this has been invalid email. I certainly regularly receive incorrectly formatted email. I'm pretty small volumne, but looking over my logs (I have an external test for this condition), it is 111 non-spam messages this month. My email volume is pretty low. But I'm not looking forward to hand correcting 120 of these a month. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Wednesday, June 28, 2006 2:07 PM Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Matt, The CRLF problem has more to do with the email server and not Declude, emails that are so badly broken should be either rejected by the email server or these headers should be standardized by the email server. Eitherway this is a much more complex issue than you make it out to be, by just fixing it with a simple regexp, if it was as easy as that, do you not think we would have done this already ? Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. This is not how we are dealing with this issue, it is not an additional Spam test as I clearly stated we are dealing with this as a vulnerability because this should be addressed at the email server level and not Declude, therefore the message will be quarentined - as every instance we have seen of this has been invalid email. The Long base 64 encoding is a similar issue whereby the mail server should deal with these before they get to Declude as such emails are clearly in violation of the RFC's and should be treated as suspect from the very beginning. To conclude, we are making every effort to address these issues because it is not being done at the server level, have you contacted Imail and asked for their response and/or fix ? David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 2:48 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, The CRLF thing doesn't affect me since I have my own solution, however for those that use Subject tagging, adding another test won't help unless they decide to just simply delete such messages. The header boundary could be programatically determined with a great deal of ease (a simple regexp), and Declude could insert it's headers into the correct place if this was done. Introducing tests to score conditions that one's software does not handle correctly is not a fix, it's a work-around. Regarding the other things, I'm very alarmed that the official position is still not even recognizing that these bugs surely exist, much less fixed at this point. This concerns me greatly since I rely on this product for my business, and if it takes months to just confirm a bug, especially one that is widely reported, I can't responsibly rely on that product. It is pretty much the same thing as having a virus scanner that takes months to catch a particular virus, or having a Web browser that is never patch for a critical flaw. I consider both the Mail From issue and the base 64 encoding issues to be critical flaws that warrant immediate fixes. I am not alone in this. If you don't have a lot of people still griping about this stuff, it is because they are either not aware of the flaws, or they have already given up on trying to get you guys to fix them, or given up on relying on Declude altogether. These things should be fixed in hours or days and not weeks or months when they occur. I assume that you are not the person making these development decisions, so this isn't directed at you, but those that make the calls need to fully understand the critical nature of these flaws, and their role in making sure that Declude can respond rapidly to such things not just now, but as they occur in the future. Thanks, Matt David Barker wrote: Matt, Headers not using proper CRLF line breaks is currently being tested using the new vulnerability NONSTANDARDCRLF test. As for these items they are on the list for engineers to confirm and test and fix if they are bugs. 1. Invalid characters in the Mail FROM 2. Long base 64 encoding causing Declude EVA to fail decoding 3. WHITELIST IP being applied before IPBYPASS David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 28, 2006 1:49 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus David, I'm just wondering about the issue with the invalid characters in the Mail From's that caused massive spam leakage almost a month ago. Is this too supposed to be fixed? I'm also very, very curious about the other bugs such as long base 64 encoding causing Declude Virus to fail decoding, WHITELIST IP being applied before IPBYPASS
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I haven't seen any yet; I don't know if F-Prot is catching them. From the published information at the antivirus vendors' sites, I'm using the BANNAME feature, e.g. BANNAME My_Notebook.doc And further, I catch most of the viruses as junkmail because they typically come from zombie machines, so they're heavily IP4R listed. I do use a SKIPATTACH filter (which I've previously shared on the list, so it's in the web archive if anyone wants it) and I've lowered the weight of that. I don't think this virus is spreading well, it's not receiving much attention, and Trend Micro's statistics graph is flatlined. I think if your mailserver is getting them, you'll continue to get them, otherwise, it's not very likely. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, June 28, 2006 1:06 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Back to the matter indicated in the subject line, how are others dealing with this? Is F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it? Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relaying on users to not open attachments is problematic. John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I don't know where that character in front of my From sentence came from. The first character on that line should have been an F. It must be some kind of weird auto-quoting software; that character is not in the email that I sent. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, June 28, 2006 2:14 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus I haven't seen any yet; I don't know if F-Prot is catching them. From the published information at the antivirus vendors' sites, I'm using the BANNAME feature, e.g. BANNAME My_Notebook.doc And further, I catch most of the viruses as junkmail because they typically come from zombie machines, so they're heavily IP4R listed. I do use a SKIPATTACH filter (which I've previously shared on the list, so it's in the web archive if anyone wants it) and I've lowered the weight of that. I don't think this virus is spreading well, it's not receiving much attention, and Trend Micro's statistics graph is flatlined. I think if your mailserver is getting them, you'll continue to get them, otherwise, it's not very likely. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, June 28, 2006 1:06 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Back to the matter indicated in the subject line, how are others dealing with this? Is F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it? Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relaying on users to not open attachments is problematic. John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Sure it is not some form or the Pebcak virus Andrew? Sorry, couldn't resist. I needed the laugh. ;-) John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, June 28, 2006 2:26 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Importance: Low I don't know where that character in front of my From sentence came from. The first character on that line should have been an F. It must be some kind of weird auto-quoting software; that character is not in the email that I sent. Andrew 8) --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Mcafee is catching these Trojan.Myno on my systems. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Markus Gufler writes: Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Actually, it is CLAMAV catching it. Not sure about McAfee as I stop on first virus. F-Prot is def. not catching it though. Darrell Darrell ([EMAIL PROTECTED]) writes: Mcafee is catching these Trojan.Myno on my systems. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Markus Gufler writes: Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
http://www.f-secure.com/weblog/archives/archive-062006.html#0909 The writeup is interesting in the follow-on details but the information that Markus posted earlier is more helpful to us in keeping the darn thing out of users' mailboxes. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, June 27, 2006 12:08 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Actually, it is CLAMAV catching it. Not sure about McAfee as I stop on first virus. F-Prot is def. not catching it though. Darrell Darrell ([EMAIL PROTECTED]) writes: Mcafee is catching these Trojan.Myno on my systems. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Markus Gufler writes: Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I know. :( Declude, this is a feature who's time has come. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
JT Declude, this is a feature who's time has come. Hear, hear! The ability to ban filenames that are contained in archives would be a good feature, and most of the code must be in place, because Declude Virus already pulls apart at least the zip file format for selective file scanning. It is also well placed in the market. I checked my up-to-the-minute ScanMail for Exchange from Trend Micro, and they don't have that feature. I also tested it to see whether filename blocking would work anyway, and no, it didn't. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 3:38 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Importance: High I know. :( Declude, this is a feature who's time has come. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named my_notebook.doc Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found WM97/Kukudro-A UNA has found a Macro Virus No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
John, Not to say that this wouldn't be something that is nice to have, I can think of dozens of things that are very largely useful on a much more regular basis. In fact, the current functionality provides an appropriate mechanism for blocking these as-is. I would just simply like to see Declude catch up by fixing the known bugs first. When they catch up, then certainly they should consider feature requests, but it would make sense focus on new tests and improving existing ones, along with refining functionality. I will personally continue to hold back from such discussions until it is clear that they are capable of handling the bugs. Sorry to make an example of you here; that's not the intention of course. I just thought that it would be constructive to point this stuff out for the benefit of Declude and it's customers alike. Matt John T (Lists) wrote: I know. :( Declude, this is a feature who's time has come. John T eServices For You "Seek, and ye shall find!" -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 3:10 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus As I know yes but BANNAME my_notebook.doc wouldn't work for files within zip-archives. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: Tuesday, June 27, 2006 11:48 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Is the word document only named that? John T eServices For You "Seek, and ye shall find!" -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler Sent: Tuesday, June 27, 2006 11:32 AM To: declude.virus@declude.com Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus Some of us has noted in the past two hours that messages with an zip-file as attachment has passed our virus filters It's a zip-file containing a MS Word Document named "my_notebook.doc" Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results Sophos has found "WM97/Kukudro-A" UNA has found a "Macro Virus" No other AV-Engine has catched the suspicious file. We've added the following lines to our virus.cfg in order to block as much was we can at the moment. BANNAME prices.zip BANNAME apple_prices.zip BANNAME sony_prices.zip BANNAME hp_prices.zip BANNAME dell_prices.zip BANNAME My_Notebook.doc Regards Markus --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.
RE: [Declude.Virus] new virus
If they are encrypted zips ensure you have: BANEXT EZIP in your virus.cfg David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce LoughlinSent: Friday, June 16, 2006 4:31 PMTo: declude.virus@declude.comSubject: [Declude.Virus] new virus Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip Bruce Loughlin ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.Virus mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.Virus".The archives can be foundat http://www.mail-archive.com.
Re: [Declude.Virus] new virus
Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it. At 04:30 PM 6/16/2006 -0400, you wrote: Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip Bruce Loughlin --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] new virus
It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen http://www.f-secure.com/weblog/archives/archive-062006.html#0902 The fake HELO names were CNN.com and TradersWorld.com if that's any use. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin Sent: Friday, June 16, 2006 2:03 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it. At 04:30 PM 6/16/2006 -0400, you wrote: Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip Bruce Loughlin --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] new virus
This is what I've received recently: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FB REPBOT%2EAVSect=T My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results: AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26 Authentium 4.93.8 06.16.2006 W32/Brepibot.gen Avast 4.7.844.0 06.15.2006 no virus found AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD CAT-QuickHeal 8.0006.16.2006 no virus found ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638 DrWeb 4.3306.16.2006 BackDoor.IRC.Boxer eTrust-InoculateIT 23.72.4006.16.2006 no virus found eTrust-Vet 12.6.2259 06.16.2006 no virus found Ewido 3.5 06.16.2006 no virus found Fortinet2.77.0.006.16.2006 W32/Brepibot.AS!tr F-Prot 3.16f 06.16.2006 W32/Brepibot.gen Ikarus 0.2.65.006.16.2006 photo3.exe Kaspersky 4.0.2.2406.16.2006 Backdoor.Win32.Breplibot.ai McAfee 478606.16.2006 W32/Brepibot.gen Microsoft 1.1441 06.16.2006 no virus found NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH Norman 5.90.21 06.16.2006 W32/Malware Panda 9.0.0.4 06.16.2006 Suspicious file Sophos 4.06.0 06.16.2006 Troj/Stinx-W Symantec8.0 06.16.2006 Backdoor.Naninf.E TheHacker 5.9.8.160 06.16.2006 no virus found Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 2:21 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen http://www.f-secure.com/weblog/archives/archive-062006.html#0902 The fake HELO names were CNN.com and TradersWorld.com if that's any use. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin Sent: Friday, June 16, 2006 2:03 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it. At 04:30 PM 6/16/2006 -0400, you wrote: Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip Bruce Loughlin --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] new virus
My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension. 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05 Goran Jovanovic Omega Network Solutions Tel: 416 322-0333 Cell: 416 805-HELP (4357) [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 5:31 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus This is what I've received recently: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FB REPBOT%2EAVSect=T My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results: AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26 Authentium4.93.8 06.16.2006 W32/Brepibot.gen Avast 4.7.844.0 06.15.2006 no virus found AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD CAT-QuickHeal 8.0006.16.2006 no virus found ClamAVdevel-20060426 06.16.2006 Trojan.IRCBot-638 DrWeb 4.3306.16.2006 BackDoor.IRC.Boxer eTrust-InoculateIT23.72.4006.16.2006 no virus found eTrust-Vet12.6.2259 06.16.2006 no virus found Ewido 3.5 06.16.2006 no virus found Fortinet 2.77.0.006.16.2006 W32/Brepibot.AS!tr F-Prot3.16f 06.16.2006 W32/Brepibot.gen Ikarus0.2.65.006.16.2006 photo3.exe Kaspersky 4.0.2.2406.16.2006 Backdoor.Win32.Breplibot.ai McAfee478606.16.2006 W32/Brepibot.gen Microsoft 1.1441 06.16.2006 no virus found NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH Norman5.90.21 06.16.2006 W32/Malware Panda 9.0.0.4 06.16.2006 Suspicious file Sophos4.06.0 06.16.2006 Troj/Stinx-W Symantec 8.0 06.16.2006 Backdoor.Naninf.E TheHacker 5.9.8.160 06.16.2006 no virus found Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 2:21 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen http://www.f-secure.com/weblog/archives/archive-062006.html#0902 The fake HELO names were CNN.com and TradersWorld.com if that's any use. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin Sent: Friday, June 16, 2006 2:03 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it. At 04:30 PM 6/16/2006 -0400, you wrote: Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip Bruce Loughlin --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http
Re: [Declude.Virus] new virus
Goran, Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not you should. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 16, 2006 6:04 PM Subject: RE: [Declude.Virus] new virus My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension. 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05 Goran Jovanovic Omega Network Solutions Tel: 416 322-0333 Cell: 416 805-HELP (4357) [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 5:31 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus This is what I've received recently: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FB REPBOT%2EAVSect=T My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results: AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26 Authentium 4.93.8 06.16.2006 W32/Brepibot.gen Avast 4.7.844.0 06.15.2006 no virus found AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD CAT-QuickHeal 8.00 06.16.2006 no virus found ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638 DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer eTrust-InoculateIT 23.72.40 06.16.2006 no virus found eTrust-Vet 12.6.2259 06.16.2006 no virus found Ewido 3.5 06.16.2006 no virus found Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr F-Prot 3.16f 06.16.2006 W32/Brepibot.gen Ikarus 0.2.65.0 06.16.2006 photo3.exe Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai McAfee 4786 06.16.2006 W32/Brepibot.gen Microsoft 1.1441 06.16.2006 no virus found NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH Norman 5.90.21 06.16.2006 W32/Malware Panda 9.0.0.4 06.16.2006 Suspicious file Sophos 4.06.0 06.16.2006 Troj/Stinx-W Symantec 8.0 06.16.2006 Backdoor.Naninf.E TheHacker 5.9.8.160 06.16.2006 no virus found Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 2:21 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen http://www.f-secure.com/weblog/archives/archive-062006.html#0902 The fake HELO names were CNN.com and TradersWorld.com if that's any use. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin Sent: Friday, June 16, 2006 2:03 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it. At 04:30 PM 6/16/2006 -0400, you wrote: Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip Bruce Loughlin --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found
RE: [Declude.Virus] new virus
Yup I got it. I think that the message Could not find parse string Infection: in report.txt Means that it did not find the word infection in the file SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt VIRUSCODE1 3 VIRUSCODE1 6 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 REPORT1 Infection: Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, June 16, 2006 6:59 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Goran, Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not you should. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 16, 2006 6:04 PM Subject: RE: [Declude.Virus] new virus My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension. 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05 Goran Jovanovic Omega Network Solutions Tel: 416 322-0333 Cell: 416 805-HELP (4357) [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 5:31 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus This is what I've received recently: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FB REPBOT%2EAVSect=T My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results: AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26 Authentium 4.93.8 06.16.2006 W32/Brepibot.gen Avast 4.7.844.0 06.15.2006 no virus found AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD CAT-QuickHeal 8.00 06.16.2006 no virus found ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638 DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer eTrust-InoculateIT 23.72.40 06.16.2006 no virus found eTrust-Vet 12.6.2259 06.16.2006 no virus found Ewido 3.5 06.16.2006 no virus found Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr F-Prot 3.16f 06.16.2006 W32/Brepibot.gen Ikarus 0.2.65.0 06.16.2006 photo3.exe Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai McAfee 4786 06.16.2006 W32/Brepibot.gen Microsoft 1.1441 06.16.2006 no virus found NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH Norman 5.90.21 06.16.2006 W32/Malware Panda 9.0.0.4 06.16.2006 Suspicious file Sophos 4.06.0 06.16.2006 Troj/Stinx-W Symantec 8.0 06.16.2006 Backdoor.Naninf.E TheHacker 5.9.8.160 06.16.2006 no virus found Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 2:21 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen http://www.f-secure.com/weblog/archives/archive-062006.html#0902 The fake HELO names were CNN.com and TradersWorld.com if that's any use. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin Sent: Friday, June 16, 2006 2:03 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it. At 04:30 PM 6/16/2006 -0400, you wrote: Is anyone else seeing new virus zip
RE: [Declude.Virus] new virus
Could not find parse string Infection: in report.txt Means that it did not find the word infection in the file Correct, that is what the Declude line means. Other codes like 8 don't include the Infection: text, so an f-prot result line like: .exe is a security risk named W32/Mitglieder.gen Won't pick up the name because Infection: simply wasn't in the line. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Friday, June 16, 2006 4:18 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus Yup I got it. I think that the message Could not find parse string Infection: in report.txt Means that it did not find the word infection in the file SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt VIRUSCODE13 VIRUSCODE16 VIRUSCODE 8 VIRUSCODE 9 VIRUSCODE 10 REPORT1 Infection: Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, June 16, 2006 6:59 PM To: declude.virus@declude.com Subject: Re: [Declude.Virus] new virus Goran, Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not you should. Darrell -- -- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: declude.virus@declude.com Sent: Friday, June 16, 2006 6:04 PM Subject: RE: [Declude.Virus] new virus My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367] 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension. 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62] 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05 Goran Jovanovic Omega Network Solutions Tel: 416 322-0333 Cell: 416 805-HELP (4357) [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 5:31 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus This is what I've received recently: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VNam e=BKDR%5FB REPBOT%2EAVSect=T My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results: AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26 Authentium 4.93.8 06.16.2006 W32/Brepibot.gen Avast 4.7.844.0 06.15.2006 no virus found AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD CAT-QuickHeal 8.00 06.16.2006 no virus found ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638 DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer eTrust-InoculateIT 23.72.40 06.16.2006 no virus found eTrust-Vet 12.6.2259 06.16.2006 no virus found Ewido 3.5 06.16.2006 no virus found Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr F-Prot 3.16f 06.16.2006 W32/Brepibot.gen Ikarus 0.2.65.0 06.16.2006 photo3.exe Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai McAfee 4786 06.16.2006 W32/Brepibot.gen Microsoft 1.1441 06.16.2006 no virus found NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH Norman 5.90.21 06.16.2006 W32/Malware Panda 9.0.0.4 06.16.2006 Suspicious file Sophos 4.06.0 06.16.2006 Troj/Stinx-W Symantec 8.0 06.16.2006 Backdoor.Naninf.E TheHacker 5.9.8.160 06.16.2006 no virus found Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, June 16, 2006 2:21 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] new virus
RE: [Declude.Virus] New Virus?
Upon further investigation and uploading to VirusTotal, these are a group that came in from one IP that had corrupted/incomplete file attachments and were non-viable Kasper viruses. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Saturday, February 25, 2006 9:04 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? Seeing HQX, BHX and UUEs being blocked this morning. John T eServices For You Seek, and ye shall find! --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
Should we be blocking .mim file types? One of the new viruses that was blocked was a .mim file type. What is it used for? Mark ReimerIT Project ManagerAmerican CareSource214-596-2464 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Markus GuflerSent: Wednesday, January 18, 2006 1:39 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] New Virus? That's exactly how I use the notifications. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Wednesday, January 18, 2006 12:48 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] New Virus? I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see. Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachmeent, the message was internally re-queued for the user. I can barely remember theincident before that. The notificationsalways turn out to be flagging a new worm. Andrew. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 17, 2006 3:36 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] New Virus? Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things.Just like Scott change BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.MattColbeck, Andrew wrote: A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL
RE: [Declude.Virus] New Virus?
No, you shouldn't block .mim attachments. The .mim attachment means that there was a MIME formatted, which is encoding that converts binary attachments and non-ASCII text to nice and safe 7 bit ASCII encoding to make SMTP servers happy. You are mostly likely to see this when an entire message is inserted as an attachment, for example, to preserve the headers. Your antivirus solution will decode that attachment and find a virus inside. F-Prot and Trend Micro offerings certainly do. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark ReimerSent: Wednesday, January 18, 2006 1:43 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] New Virus? Should we be blocking .mim file types? One of the new viruses that was blocked was a .mim file type. What is it used for? Mark ReimerIT Project ManagerAmerican CareSource214-596-2464 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Markus GuflerSent: Wednesday, January 18, 2006 1:39 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] New Virus? That's exactly how I use the notifications. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Wednesday, January 18, 2006 12:48 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] New Virus? I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see. Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachmeent, the message was internally re-queued for the user. I can barely remember theincident before that. The notificationsalways turn out to be flagging a new worm. Andrew. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 17, 2006 3:36 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] New Virus? Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things.Just like Scott change BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.MattColbeck, Andrew wrote: A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Monday, January 16, 200
RE: [Declude.Virus] New Virus?
A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. kapser.gif Description: kapser.gif
RE: [Declude.Virus] New Virus?
I've seen many of this Kapser.A today. I've added it to the forging virus list and (oops) forgot to write it on the Declude.Virus list. As we can see more and more that AV-Companies has forgotten how to call one Virus using one name we should maybe begin to enhance their naming convention by an initial name of the av-company. Something like: F-ProtW32/[EMAIL PROTECTED] Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, January 17, 2006 11:21 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VNam e=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus?
Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott change BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality. I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter. Matt Colbeck, Andrew wrote: A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see. Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachmeent, the message was internally re-queued for the user. I can barely remember theincident before that. The notificationsalways turn out to be flagging a new worm. Andrew. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 17, 2006 3:36 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] New Virus? Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things.Just like Scott change BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.MattColbeck, Andrew wrote: A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus?
I should probably correct myself about this. postmaster.eml is fine, it's the otherpostmaster.eml and sender.eml that should be modified. Personally I would also remove them from the standard part of the manual and only include them as a footnote. Since recipient.eml and postmaster.eml are sent to local accounts, you can't make a good argument for changes there. Matt Colbeck, Andrew wrote: I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see. Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachmeent, the message was internally re-queued for the user. I can barely remember theincident before that. The notificationsalways turn out to be flagging a new worm. Andrew. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 17, 2006 3:36 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus? Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott change BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality. I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter. Matt Colbeck, Andrew wrote: A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
A virus by any other name would stink just as much: http://isc.sans.org/diary.php?rssstoryid=1051 Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, January 17, 2006 2:54 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I've seen many of this Kapser.A today. I've added it to the forging virus list and (oops) forgot to write it on the Declude.Virus list. As we can see more and more that AV-Companies has forgotten how to call one Virus using one name we should maybe begin to enhance their naming convention by an initial name of the av-company. Something like: F-ProtW32/[EMAIL PROTECTED] Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, January 17, 2006 11:21 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VNam e=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
That's exactly how I use the notifications. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Wednesday, January 18, 2006 12:48 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] New Virus? I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see. Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachmeent, the message was internally re-queued for the user. I can barely remember theincident before that. The notificationsalways turn out to be flagging a new worm. Andrew. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 17, 2006 3:36 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] New Virus? Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things.Just like Scott change BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.MattColbeck, Andrew wrote: A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest. I also scanned it with my TrendMicro which detects it by a different name: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FG REW%2EA You might add: FORGINGVIRUS KAPSER FORGINGVIRUS GREW FORGINGVIRUS WORM To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one. I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
I haven't seen it. It's also not unusual for F-Prot to have a signature for a virus, but no write up on their website. If the virus was caught, you could submit the attachment to one of the free websites that will check an executable against multiple virus engines and give you a summary of which engines detect it, and what they they call it, e.g. http://www.virustotal.com/ http://virusscan.jotti.org/ Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:42 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] New Virus? I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this? Mark Reimer IT Project Manager American CareSource 214-596-2464 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer Sent: Monday, January 16, 2006 12:32 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] New Virus? I saw an entry in my virus log to day for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it. Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail has been scanned for viruses] --- [This E-mail has been scanned for viruses] --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus Strain Pounding my systems
Darin, Would you add these to virus.cfg? Similir to BANEXT? Thanks, Dan - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 5:04 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter. # Added 11/21/2005 to handle new Sober.X/Z variants BANNAME downloadm.zip BANNAME Ebay.zip BANNAME Ebay-User_RegC.zip BANNAME Email.zip BANNAME Email_text.zip BANNAME injection.zip BANNAME mail.zip BANNAME mailtext.zip BANNAME reg_pass.zip BANNAME reg_pass-data.zip BANNAME Service.zip BANNAME Webmaster.zip BANNAME Postman.zip BANNAME Info.zip BANNAME Hostmaster.zip BANNAME Postmaster.zip BANNAME Admin.zip BANNAME Service-TextInfo.zip BANNAME Webmaster-TextInfo.zip BANNAME Postman-TextInfo.zip BANNAME Info-TextInfo.zip BANNAME Hostmaster-TextInfo.zip BANNAME Postmaster-TextInfo.zip BANNAME Admin-TextInfo.zip BANNAME Downloads.zip BANNAME BKA.zip BANNAME Internet.zip BANNAME Post.zip BANNAME Anzeige.zip BANNAME BKA.Bund.zip BANNAME AkteDownloads.zip BANNAME AkteBKA.zip BANNAME AkteInternet.zip BANNAME AktePost.zip BANNAME AkteAnzeige.zip BANNAME AkteBKA.Bund.zip BANNAME Kandidat.zip BANNAME WWM.zip BANNAME Auslosung.zip BANNAME Casting.zip BANNAME Gewinn.zip BANNAME Info.zip BANNAME RTL-Admin.zip BANNAME RTL.zip BANNAME Webmaster.zip BANNAME RTL-TV.zip BANNAME Kandidat_Text.zip BANNAME WWM_Text.zip BANNAME Auslosung_Text.zip BANNAME Casting_Text.zip BANNAME Gewinn_Text.zip BANNAME Info_Text.zip BANNAME RTL-Admin_Text.zip BANNAME RTL_Text.zip BANNAME Webmaster_Text.zip BANNAME RTL-TV_Text.zip Darin. - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 4:53 PM Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- This E-mail came from the Declude.Virus mailing list. To unsubscribe
Re: [Declude.Virus] New Virus Strain Pounding my systems
Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments. BANNAME accept-terms.zip BANNAME accepted-password.zip BANNAME account-details.zip BANNAME account-info.zip BANNAME account-password.zip BANNAME account-report.zip BANNAME approved-password.zip BANNAME claim-infomation.zip BANNAME claim-prize.zip BANNAME details.zip BANNAME document.zip BANNAME email-details.zip BANNAME email-password.zip BANNAME important-details.zip BANNAME merchandise.zip BANNAME msg.zip BANNAME new-password.zip BANNAME password.zip BANNAME question_list.zip BANNAME readme.zip BANNAME ship-prize.zip BANNAME shipping-details.zip BANNAME terms.zip BANNAME updated-password.zip BANNAME winner-details.zip BANNAME winnings.zip BANNAME winnings-report.zip BANNAME Alice.zip BANNAME Cybil.zip BANNAME Edmund.zip BANNAME Elizabeth.zip BANNAME Emanuel.zip BANNAME Ester.zip BANNAME Judeth.zip BANNAME Margerye.zip BANNAME Martha.zip BANNAME Nathaniel.zip Darin. - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, November 23, 2005 1:15 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems Darin, Would you add these to virus.cfg? Similir to BANEXT? Thanks, Dan - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 5:04 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter. # Added 11/21/2005 to handle new Sober.X/Z variants BANNAME downloadm.zip BANNAME Ebay.zip BANNAME Ebay-User_RegC.zip BANNAME Email.zip BANNAME Email_text.zip BANNAME injection.zip BANNAME mail.zip BANNAME mailtext.zip BANNAME reg_pass.zip BANNAME reg_pass-data.zip BANNAME Service.zip BANNAME Webmaster.zip BANNAME Postman.zip BANNAME Info.zip BANNAME Hostmaster.zip BANNAME Postmaster.zip BANNAME Admin.zip BANNAME Service-TextInfo.zip BANNAME Webmaster-TextInfo.zip BANNAME Postman-TextInfo.zip BANNAME Info-TextInfo.zip BANNAME Hostmaster-TextInfo.zip BANNAME Postmaster-TextInfo.zip BANNAME Admin-TextInfo.zip BANNAME Downloads.zip BANNAME BKA.zip BANNAME Internet.zip BANNAME Post.zip BANNAME Anzeige.zip BANNAME BKA.Bund.zip BANNAME AkteDownloads.zip BANNAME AkteBKA.zip BANNAME AkteInternet.zip BANNAME AktePost.zip BANNAME AkteAnzeige.zip BANNAME AkteBKA.Bund.zip BANNAME Kandidat.zip BANNAME WWM.zip BANNAME Auslosung.zip BANNAME Casting.zip BANNAME Gewinn.zip BANNAME Info.zip BANNAME RTL-Admin.zip BANNAME RTL.zip BANNAME Webmaster.zip BANNAME RTL-TV.zip BANNAME Kandidat_Text.zip BANNAME WWM_Text.zip BANNAME Auslosung_Text.zip BANNAME Casting_Text.zip BANNAME Gewinn_Text.zip BANNAME Info_Text.zip BANNAME RTL-Admin_Text.zip BANNAME RTL_Text.zip BANNAME Webmaster_Text.zip BANNAME RTL-TV_Text.zip Darin. - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 4:53 PM Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list
Re: [Declude.Virus] New Virus Strain Pounding my systems
The second part of that list has been updated BANNAME Alice.zip BANNAME Androw.zip BANNAME Ann.zip BANNAME Christian.zip BANNAME Cybil.zip BANNAME Edmund.zip BANNAME Ellen.zip BANNAME Elizabeth.zip BANNAME Emanuel.zip BANNAME Ester.zip BANNAME Isabell.zip BANNAME James.zip BANNAME Josias.zip BANNAME Judeth.zip BANNAME Katheryne.zip BANNAME Margerye.zip BANNAME Marie.zip BANNAME Martha.zip BANNAME Marye.zip BANNAME Nathaniel.zip BANNAME Nathanyell.zip Darin. - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, November 23, 2005 3:56 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments. BANNAME accept-terms.zip BANNAME accepted-password.zip BANNAME account-details.zip BANNAME account-info.zip BANNAME account-password.zip BANNAME account-report.zip BANNAME approved-password.zip BANNAME claim-infomation.zip BANNAME claim-prize.zip BANNAME details.zip BANNAME document.zip BANNAME email-details.zip BANNAME email-password.zip BANNAME important-details.zip BANNAME merchandise.zip BANNAME msg.zip BANNAME new-password.zip BANNAME password.zip BANNAME question_list.zip BANNAME readme.zip BANNAME ship-prize.zip BANNAME shipping-details.zip BANNAME terms.zip BANNAME updated-password.zip BANNAME winner-details.zip BANNAME winnings.zip BANNAME winnings-report.zip BANNAME Alice.zip BANNAME Cybil.zip BANNAME Edmund.zip BANNAME Elizabeth.zip BANNAME Emanuel.zip BANNAME Ester.zip BANNAME Judeth.zip BANNAME Margerye.zip BANNAME Martha.zip BANNAME Nathaniel.zip Darin. - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Wednesday, November 23, 2005 1:15 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems Darin, Would you add these to virus.cfg? Similir to BANEXT? Thanks, Dan - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 5:04 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter. # Added 11/21/2005 to handle new Sober.X/Z variants BANNAME downloadm.zip BANNAME Ebay.zip BANNAME Ebay-User_RegC.zip BANNAME Email.zip BANNAME Email_text.zip BANNAME injection.zip BANNAME mail.zip BANNAME mailtext.zip BANNAME reg_pass.zip BANNAME reg_pass-data.zip BANNAME Service.zip BANNAME Webmaster.zip BANNAME Postman.zip BANNAME Info.zip BANNAME Hostmaster.zip BANNAME Postmaster.zip BANNAME Admin.zip BANNAME Service-TextInfo.zip BANNAME Webmaster-TextInfo.zip BANNAME Postman-TextInfo.zip BANNAME Info-TextInfo.zip BANNAME Hostmaster-TextInfo.zip BANNAME Postmaster-TextInfo.zip BANNAME Admin-TextInfo.zip BANNAME Downloads.zip BANNAME BKA.zip BANNAME Internet.zip BANNAME Post.zip BANNAME Anzeige.zip BANNAME BKA.Bund.zip BANNAME AkteDownloads.zip BANNAME AkteBKA.zip BANNAME AkteInternet.zip BANNAME AktePost.zip BANNAME AkteAnzeige.zip BANNAME AkteBKA.Bund.zip BANNAME Kandidat.zip BANNAME WWM.zip BANNAME Auslosung.zip BANNAME Casting.zip BANNAME Gewinn.zip BANNAME Info.zip BANNAME RTL-Admin.zip BANNAME RTL.zip BANNAME Webmaster.zip BANNAME RTL-TV.zip BANNAME Kandidat_Text.zip BANNAME WWM_Text.zip BANNAME Auslosung_Text.zip BANNAME Casting_Text.zip BANNAME Gewinn_Text.zip BANNAME Info_Text.zip BANNAME RTL-Admin_Text.zip BANNAME RTL_Text.zip BANNAME Webmaster_Text.zip BANNAME RTL-TV_Text.zip Darin. - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 4:53 PM Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently
Re: [Declude.Virus] New Virus Strain Pounding my systems
McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus Strain Pounding my systems
I have only seen a 5 of these with the following subjects. hi,_ive_a_new_mail_address hi, ive a new mail address Paris Hilton Nicole Richie and the following attachment File-packed_dataInfo.exe I have no idea what the payload is as we delete .exe files before virus scanning. All other viruses today have been [EMAIL PROTECTED] viruses Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson Sent: Monday, November 21, 2005 11:34 AM To: Declude.virus@declude.com Subject: [Declude.Virus] New Virus Strain Pounding my systems heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe BODY 0 CONTAINS mailtext.zip BODY 0 CONTAINS downloadm.zip BODY 0 CONTAINS mail.zip BODY 0 CONTAINS reg_pass-data.zip BODY 0 CONTAINS Account and Password Information are attached! Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus Strain Pounding my systems
It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus Strain Pounding my systems
I submit this one for the laugh factor only. Just got one of these claiming to be from [EMAIL PROTECTED] (Center for Disease Control) with a download manager to view Paris Hilton/Nicole Richie videos! Finally the federal government has got something right -- anything to do with Hilton Richie should be handled by the CDC. :) John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 2:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus Strain Pounding my systems
If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus Strain Pounding my systems
Looks like F-Prot is now catching it as SoberZ John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus Strain Pounding my systems
For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban. Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter. # Added 11/21/2005 to handle new Sober.X/Z variants BANNAME downloadm.zip BANNAME Ebay.zip BANNAME Ebay-User_RegC.zip BANNAME Email.zip BANNAME Email_text.zip BANNAME injection.zip BANNAME mail.zip BANNAME mailtext.zip BANNAME reg_pass.zip BANNAME reg_pass-data.zip BANNAME Service.zip BANNAME Webmaster.zip BANNAME Postman.zip BANNAME Info.zip BANNAME Hostmaster.zip BANNAME Postmaster.zip BANNAME Admin.zip BANNAME Service-TextInfo.zip BANNAME Webmaster-TextInfo.zip BANNAME Postman-TextInfo.zip BANNAME Info-TextInfo.zip BANNAME Hostmaster-TextInfo.zip BANNAME Postmaster-TextInfo.zip BANNAME Admin-TextInfo.zip BANNAME Downloads.zip BANNAME BKA.zip BANNAME Internet.zip BANNAME Post.zip BANNAME Anzeige.zip BANNAME BKA.Bund.zip BANNAME AkteDownloads.zip BANNAME AkteBKA.zip BANNAME AkteInternet.zip BANNAME AktePost.zip BANNAME AkteAnzeige.zip BANNAME AkteBKA.Bund.zip BANNAME Kandidat.zip BANNAME WWM.zip BANNAME Auslosung.zip BANNAME Casting.zip BANNAME Gewinn.zip BANNAME Info.zip BANNAME RTL-Admin.zip BANNAME RTL.zip BANNAME Webmaster.zip BANNAME RTL-TV.zip BANNAME Kandidat_Text.zip BANNAME WWM_Text.zip BANNAME Auslosung_Text.zip BANNAME Casting_Text.zip BANNAME Gewinn_Text.zip BANNAME Info_Text.zip BANNAME RTL-Admin_Text.zip BANNAME RTL_Text.zip BANNAME Webmaster_Text.zip BANNAME RTL-TV_Text.zip Darin. - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 4:53 PM Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus Strain Pounding my systems
I would but my conundrum is that we receive alot of our loan packages in executable format and the lenders could careless about what I have to say about that... So I have to temporarily block them then have someone watch for legit files and release them from quaratine as they come in. f-prot was right on top of it with a def release. kudos to them. John C that is hilarious! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 4:53 PM Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus Strain Pounding my systems
This is not about executable formt is is about banning zips and encrypted zip files. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson Sent: Monday, November 21, 2005 5:51 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems I would but my conundrum is that we receive alot of our loan packages in executable format and the lenders could careless about what I have to say about that... So I have to temporarily block them then have someone watch for legit files and release them from quaratine as they come in. f-prot was right on top of it with a def release. kudos to them. John C that is hilarious! Rick Davidson National Systems Manager North American Title Group - - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 4:53 PM Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems If you have Pro version you should be always blocking using BANZIPEXTS ON and BANEZIPEXTS ON. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson Sent: Monday, November 21, 2005 12:12 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems It is coming in with alot of different zip file names and body names now, I blocked all zip files and submitted samples I am really getting hit hard Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, November 21, 2005 2:51 PM Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and McAfee seems to have had this one tagged prior to the outbreak starting since none have slipped through yet. Matt Rick Davidson wrote: heads up folks, I am stopping a new zip virus with the following junkmail rules, this is all I have seen so far. Contains an exacutable payload called File-packed_dataInfo.exe Rick Davidson National Systems Manager North American Title Group 440-639-0607 - Office 951-233-6342 - Mobile [EMAIL PROTECTED] - --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus out?
I am seeing it also. I already submitted it to Mcafee... My desktop AV (Trend) is detecting it as a Bagle variant... Don - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 9:59 AM Subject: [Declude.Virus] New virus out? One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus out?
John, What do the filenames appear to be - any pattern either filename, subject, body content etc? Darrell John Tolmachoff (Lists) writes: One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus out?
I have seen the following attachments... 1.zip 5.zip 6.zip 7.zip 8.zip price_new.zip be_not_jealous.zip price_new_16_04_05.zip So far... Don - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 10:22 AM Subject: Re: [Declude.Virus] New virus out? John, What do the filenames appear to be - any pattern either filename, subject, body content etc? Darrell John Tolmachoff (Lists) writes: One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus out?
Various named zip files. The D*.smd file is 26KB in length. No subject line. Varing IP addresses and apparent forged from address. Blank HTML body. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, May 31, 2005 8:22 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New virus out? John, What do the filenames appear to be - any pattern either filename, subject, body content etc? Darrell John Tolmachoff (Lists) writes: One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus out?
I've gotten a few: 26KB files named 1.zip, 7.zip and work.zip so far -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, May 31, 2005 11:22 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New virus out? John, What do the filenames appear to be - any pattern either filename, subject, body content etc? Darrell John Tolmachoff (Lists) writes: One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus out?
I just received an EXTRA.DAT file from Mcafee...to detect this.. I also submitted it to F-Prot I will try attaching the EXTRA.DAT file to this email Don - Original Message - From: Marc Catuogno [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 10:31 AM Subject: RE: [Declude.Virus] New virus out? I've gotten a few: 26KB files named 1.zip, 7.zip and work.zip so far -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, May 31, 2005 11:22 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New virus out? John, What do the filenames appear to be - any pattern either filename, subject, body content etc? Darrell John Tolmachoff (Lists) writes: One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] EXTRA.DAT Description: Binary data
RE: [Declude.Virus] New virus out?
Yes, a new Bagle and MyTob are out. See: http://isc.sans.org/diary.php?date=2005-05-31 http://www.viruslist.com/en/weblog My current F-Prot *.def is detecting this as a suspicious file (return code = 8); I've only seen two that were caught by Declude Virus, but it could be quite a few more caught as spam. When I run F-Prot on them manually, they are detected as W32/[EMAIL PROTECTED]. That's interesting, because I thought that Mitglieder and MyTob were the same; maybe there's only one new virus but in the form of a dropper and a payload? I remember something a few weeks back (maybe in the Kaspersky diary?) that mentioned that some virus programmer had essentially used plug n play code to mix and match one delivery agent with another payload in one viral executable. I haven't seen any of the new MyTob yet, but for more detailed info: WORM_MyTob.BI http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FM YTOB%2EBIVSect=P Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Tuesday, May 31, 2005 8:00 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] New virus out? One of the servers I manage is getting hit with lots of messages being caught with banned exe within zip. They are coming from different IPs John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus out?
This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET) after scanning the file 8.zip file. Antivirus Version Update Result AntiVir 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR AVG 718 05.31.2005 no virus found Avira 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR BitDefender 7.0 05.31.2005 [EMAIL PROTECTED] ClamAV devel-20050501 05.31.2005 Worm.Bagle.BB-gen DrWeb 4.32b 05.31.2005 Win32.HLLM.Beagle.36352 eTrust-Iris 7.1.194.0 05.31.2005 no virus found eTrust-Vet 11.9.1.0 05.31.2005 no virus found Fortinet 2.27.0.0 05.31.2005 W32/Mitglieder.CD.gen-tr Ikarus 2.32 05.31.2005 no virus found Kaspersky 4.0.2.24 05.31.2005 Email-Worm.Win32.Bagle.bo McAfee 4502 05.30.2005 no virus found NOD32v2 1.1116 05.31.2005 probably unknown NewHeur_PE virus Norman 5.70.10 05.30.2005 W32/Downloader Panda 8.02.00 05.31.2005 Suspect File Sybari 7.5.1314 05.31.2005 Email-Worm.Win32.Bagle.bo Symantec 8.0 05.30.2005 Trojan.Tooso.B VBA32 3.10.3 05.31.2005 suspected of Worm.Bagle.3 - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 6:39 PM Subject: RE: [Declude.Virus] New virus out? Yes, a new Bagle and MyTob are out. See: http://isc.sans.org/diary.php?date=2005-05-31 http://www.viruslist.com/en/weblog My current F-Prot *.def is detecting this as a suspicious file (return code = 8); I've only seen two that were caught by Declude Virus, but it could be quite a few more caught as spam. When I run F-Prot on them manually, they are detected as W32/[EMAIL PROTECTED]. That's interesting, because I thought that Mitglieder and MyTob were the same; maybe there's only one new virus but in the form of a dropper and a payload? I remember something a few weeks back (maybe in the Kaspersky diary?) that mentioned that some virus programmer had essentially used plug n play code to mix and match one delivery agent with another payload in one viral executable. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus out?
On my 8.zip sample, McAfee finds W32/[EMAIL PROTECTED] so VirusTotal probably has an older McAfee update. VirusTotal doesn't use Trend Micro, but they don't think it warrants a new signature. They already catch it as TROJ_BAGLE.GEN Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gianbattista Toffetti Carughi Sent: Tuesday, May 31, 2005 9:59 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] New virus out? This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET) after scanning the file 8.zip file. Antivirus Version Update Result AntiVir 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR AVG 718 05.31.2005 no virus found Avira 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR BitDefender 7.0 05.31.2005 [EMAIL PROTECTED] ClamAV devel-20050501 05.31.2005 Worm.Bagle.BB-gen DrWeb 4.32b 05.31.2005 Win32.HLLM.Beagle.36352 eTrust-Iris 7.1.194.0 05.31.2005 no virus found eTrust-Vet 11.9.1.0 05.31.2005 no virus found Fortinet 2.27.0.0 05.31.2005 W32/Mitglieder.CD.gen-tr Ikarus 2.32 05.31.2005 no virus found Kaspersky 4.0.2.24 05.31.2005 Email-Worm.Win32.Bagle.bo McAfee 4502 05.30.2005 no virus found NOD32v2 1.1116 05.31.2005 probably unknown NewHeur_PE virus Norman 5.70.10 05.30.2005 W32/Downloader Panda 8.02.00 05.31.2005 Suspect File Sybari 7.5.1314 05.31.2005 Email-Worm.Win32.Bagle.bo Symantec 8.0 05.30.2005 Trojan.Tooso.B VBA32 3.10.3 05.31.2005 suspected of Worm.Bagle.3 - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 6:39 PM Subject: RE: [Declude.Virus] New virus out? Yes, a new Bagle and MyTob are out. See: http://isc.sans.org/diary.php?date=2005-05-31 http://www.viruslist.com/en/weblog My current F-Prot *.def is detecting this as a suspicious file (return code = 8); I've only seen two that were caught by Declude Virus, but it could be quite a few more caught as spam. When I run F-Prot on them manually, they are detected as W32/[EMAIL PROTECTED]. That's interesting, because I thought that Mitglieder and MyTob were the same; maybe there's only one new virus but in the form of a dropper and a payload? I remember something a few weeks back (maybe in the Kaspersky diary?) that mentioned that some virus programmer had essentially used plug n play code to mix and match one delivery agent with another payload in one viral executable. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus new__price.zip
Worm.Win32.Bagle.AL price.zip price2.zip price_new.zip price_08.zip 08_price.zip newprice.zip new_price.zip new__price.zip Michael Jaworski Puget Sound Network, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, March 01, 2005 7:25 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] New virus new__price.zip Seems there is something going on, please check your virus logs. ... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus new__price.zip
Seems there is something going on, please check your virus logs. ... There are comming in a lot of messages (SMD-file has a filesize of 23 kByte) containing zip-files like BANNAME new__price.zip BANNAME price_new.zip BANNAME price.zip BANNAME price2.zip F-Prot or Mcafee is already catching this as an unknown virus. In the meantime i've blocked .zip attachments on my server. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New virus new__price.zip
Had some caught with Declude Spam before it hit the virus scanners. Tyler -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Tuesday, March 01, 2005 10:25 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] New virus new__price.zip Seems there is something going on, please check your virus logs. ... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus new__price.zip
I am seeing it detected as Bagle.BL by F-Prot. It is not being detected by Mcafee right now. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Markus Gufler writes: Seems there is something going on, please check your virus logs. ... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus new__price.zip
F-Prot was catching some price...zips Mcafee caught one at 6:30 But then this appears: 03/01/2005 09:09:30 Q8599093a02820e36 MIME file: price.zip [base64; Length=15789 Checksum=2053241] 03/01/2005 09:09:30 Q8599093a02820e36 Banning .ZIP file with exe extension. 03/01/2005 09:09:33 Q8599093a02820e36 Could not find parse string Infection: in report.txt With no one catching it. Maybe a couple of mutations of the virus out there. - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, March 01, 2005 9:25 AM Subject: [Declude.Virus] New virus new__price.zip Seems there is something going on, please check your virus logs. ... Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus with unusual deployment
Doesn't the newer versions of Declude Virus catch the IFRAME vulnerability? The problem with the current virus strains is that they do not contain any vulnerabilty at all The IFRAME vulnerability exists on the site contained in the body link Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus with unusual deployment
McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml http://vil.nai.com/vil/content/v_129633.htm Virus Characteristics: This is a generic detection covering email messages sent by W32/[EMAIL PROTECTED] and W32/[EMAIL PROTECTED] . These messages do not contain an attachment. But without any real violations (virus or vulnerability) in the e-mail it will be hard for the AV companies to tell good from bad. It will be even harder to write good generic detections that catch future versions of this virus, because the virus writer can change almost everything about the e-mail and the only thing that really counts is "does the link work". I not expect Declude's checking to catch this one. I've been wondering what took the virus writers so long to use this model of distribution, Host the virus on each infected PC. It is much harder to stop at the mail server than an attachment. (And there is no central sever to be shut down.) Given enough variation in the virus generated e-mail, I not sure the AV companies will be able to catch future versions of this virus at the mail server. So far the volume is low (I have yet to get one here). http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AHVSect=SPeriod=1d But this one or another member of it's family is going to get very wide spread. Greg Little PS Anybody know how the other AV companies are doing on catching the virus generated e-mails? Rick Davidson wrote: Doesn't the newer versions of Declude Virus catch the IFRAME vulnerability? The problem with the current virus strains is that they do not contain any vulnerability at all The IFRAME vulnerability exists on the site contained in the body link --- [This E-mail scanned for viruses by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New virus with unusual deployment
Since these are HTML segments, my guess this is another case of where Declude Virus Pro's Prescan would need to be turned off for these to be scanned. I am catching these segments with Prescan off with Clam and Mcafee. - Original Message - From: Greg Little To: [EMAIL PROTECTED] Sent: Wednesday, November 10, 2004 10:05 AM Subject: Re: [Declude.Virus] New virus with unusual deployment McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml http://vil.nai.com/vil/content/v_129633.htm Virus Characteristics: This is a generic detection covering email messages sent by W32/[EMAIL PROTECTED] and W32/[EMAIL PROTECTED] . These messages do not contain an attachment.But without any real violations (virus or vulnerability) in the e-mail it will be hard for the AV companies to tell good from bad. It will be even harder to write good generic detections that catch future versions of this virus, because the virus writer can change almost everything about the e-mail and the only thing that really counts is "does the link work".I not expect Declude's checking to catch this one.I've been wondering what took the virus writers so long to use this model of distribution, Host the virus on each infected PC. It is much harder to stop at the mail server than an attachment. (And there is no central sever to be shut down.) Given enough variation in the virus generated e-mail, I not sure the AV companies will be able to catch future versions of this virus at the mail server.So far the volume is low (I have yet to get one here).http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AHVSect=SPeriod=1dBut this one or another member of it's family is going to get very wide spread.Greg LittlePS Anybody know how the other AV companies are doing on catching the virus generated e-mails?Rick Davidson wrote: Doesn't the newer versions of Declude Virus catch the IFRAME vulnerability? The problem with the current virus strains is that they do not contain any vulnerability at all The IFRAME vulnerability exists on the site contained in the body link --- [This E-mail scanned for viruses by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus?
Anyone hear of this one. It just popped in on an old e-mail account I reactivated for SPAM testing/control/rule building. There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is it a new variant? It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than filename (puppy.com). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
Hi Jeff, I just got one of these as well with our domain.com.zip and inside it was a domain.com.htm.(a lot of spaces).com My winzip would not extract it to the desktop. Neither F-Prot nor McAfee on the e-mail server found it and my desktop Symantec v9 did not find it either. Bad news Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Jeff Maze Sent: Monday, July 26, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] New Virus? Anyone hear of this one. It just popped in on an old e-mail account I reactivated for SPAM testing/control/rule building. There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is it a new variant? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
Scott, Do you want a copy of it? If so to what address? Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Monday, July 26, 2004 11:05 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New Virus? Anyone hear of this one. It just popped in on an old e-mail account I reactivated for SPAM testing/control/rule building. There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is it a new variant? It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than filename (puppy.com). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus?
Looks like a new MyDoom Virus going around. We are seeing a lot of them incoming and the latest Mcafee beta definition files detect is as MyDoom.O http://vil.nai.com/vil/content/v_127033.htm Don - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, July 26, 2004 10:19 AM Subject: RE: [Declude.Virus] New Virus? It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than filename (puppy.com). Up to now I can't find any com.zip in the vir0726.log file But in the meantime I've banned .zip attachments on our server. BANEXT com.zip wouldn't work? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
I would recommend getting the dats (extra.dat) installed on this one. This is huge. We are getting hundreds a minute. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Hickey Sent: Monday, July 26, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] New Virus? Looks like a new MyDoom Virus going around. We are seeing a lot of them incoming and the latest Mcafee beta definition files detect is as MyDoom.O http://vil.nai.com/vil/content/v_127033.htm Don - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, July 26, 2004 10:19 AM Subject: RE: [Declude.Virus] New Virus? It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than filename (puppy.com). Up to now I can't find any com.zip in the vir0726.log file But in the meantime I've banned .zip attachments on our server. BANEXT com.zip wouldn't work? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
The version I received had a file within the zip labeled aurorapr.com. Opening up within a hex editor to see what it may tell me. Thank God I check these types of messages within Linux. :) Anyway, looking at it doesn't look promising. It calls KERNEL32.DLL.ADVAPI32. If you want to see the hex_dump, contact me off-list and I'll forward it onto you. I've also submitted the file to F-Prot, so hopefully they'll get updated virus defs out quickly.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Monday, July 26, 2004 11:04 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] New Virus? Hi Jeff, I just got one of these as well with our domain.com.zip and inside it was a domain.com.htm.(a lot of spaces).com My winzip would not extract it to the desktop. Neither F-Prot nor McAfee on the e-mail server found it and my desktop Symantec v9 did not find it either. Bad news Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Jeff Maze Sent: Monday, July 26, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: [Declude.Virus] New Virus? Anyone hear of this one. It just popped in on an old e-mail account I reactivated for SPAM testing/control/rule building. There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is it a new variant? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] New Virus?
It seems to be a new virus/variant. People are going to open it because it looks to them like a domain name (example.com) rather than filename (puppy.com). Up to now I can't find any com.zip in the vir0726.log file But in the meantime I've banned .zip attachments on our server. BANEXT com.zip wouldn't work? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus?
Hi, I've allways been a favourite of having the forge list in the virus.cfg file, it will hide a forged sender in the e-mail to the recipient in case that is needed. In the *.eml files one can simply use a SKIPIFSENDER [Forged] line and never update any of those files again. The whole list is in *one* place where it can do the most good, any other place can simply use the info it provides. Scott, maybe updating the default config to reflect this would be a good idea. Groetjes, Bonno Bloksma Back up my hard drive? How do I put it in reverse? - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, July 26, 2004 6:27 PM Subject: Re: [Declude.Virus] New Virus? Does anyone have an updated forge list? This question comes up quite often -- you can always find it in the sender.eml file at http://www.declude.com/virus/manual.htm . -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [E-mail scanned at tio.nl for viruses by Declude Virus] --- [E-mail scanned at tio.nl for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] New Virus Alert mailing list for urgent virus information
Sounds good. Now the question of the day is...how do we subscribe? Darin. - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 26, 2004 3:29 PM Subject: [Declude.Virus] New Virus Alert mailing list for urgent virus information FYI, at the request of our customers, we have just set a new mailing list called Virus Alert. The list is designed to let our customers know as soon as we find out about new, fast-spreading viruses. The goal is to help you be as protected as possible before virus definitions are updated. Unlike virus alert lists from AV companies, the only posts to this list will be ones that are urgent in nature (some people will be having this list forward to cell phones and pagers). We expect that this list will have perhaps several posts per month (as opposed to the several posts per day on most AV alert lists). We expect that when a new, fast-spreading virus appears, there will be several posts to this list. The first will be to inform that we believe a new, fast-spreading virus has been released. This will be posted as soon as we believe this to be the case. Then, if we discover information that can be used to block the virus before virus definitions are updated, we will post that. Finally, if an interim release of Declude Virus is required to catch the virus for some reason, we will post when that is ready. E-mails from this list will have [Virus Alert] in the subject. Note that this is a moderated list. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.