[Declude.Virus] ping

2004-12-09 Thread Colbeck, Andrew
The usual new subscriber test. Sorry for the inconvenience, this list seems pretty quiet! Andrew Colbeck Technical Specialist Bentall Capital LP [EMAIL PROTECTED] (604) 661-5047

RE: [Declude.Virus] ping

2004-12-09 Thread Colbeck, Andrew
Yeah, I'm sorry to say, the list is definitely down. I am just sending you this reply to let you know that I didn't get your test message - well, because the list is down... ;-) - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December

[Declude.Virus] Multiple responses in the report.txt

2004-12-10 Thread Colbeck, Andrew
Hey, folks. What if I want to have multiple response lines in the antivirus scanner's report.txt? fpcmd.exe emits a line with Infection: before the filename if it's a virus. But if it's malware, it emits a line with is a security risk named before the filename. Since I bought the Lite edition,

RE: [Declude.Virus] Parallel processing

2004-12-10 Thread Colbeck, Andrew
] On Behalf Of Colbeck, Andrew Sent: Friday, December 10, 2004 3:31 PM To: [EMAIL PROTECTED] Subject: [Declude.Virus] Parallel processing I'm using the f-prot command line scanner, and the lines in the virus.cfg look like this: SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive

RE: [Declude.Virus] Multiple responses in the report.txt

2004-12-10 Thread Colbeck, Andrew
Colbeck, Andrew wrote: I'm using the f-prot command line scanner, and the lines in the virus.cfg look like this: SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt VIRUSCODE 3 VIRUSCODE 6 REPORT Infection: That's working fine

RE: [Declude.Virus] wuaurlt.exe

2004-12-14 Thread Colbeck, Andrew
I've seen a variant of RBOT that was similar; the naming format tries to confuse you into thinking it is part of Windows Update, which is wuauserv.exe There is a gray area between the antivirus scanners and the spyware scanners in picking this stuff up. You'll want to get that machine patched, the

RE: [Declude.Virus] Mcaffee commandline scanner is it really free with updates??

2004-12-15 Thread Colbeck, Andrew
It's not free. There is a paper tiger licence that goes with it. They depend upon your honesty to purchase and renew the licence. Andrew 8) p.s. If I had a nickel for every home computer that I cleaned up because the user was sure that they were protected, but the complimentary licence had

RE: [Declude.Virus] Blocked Extension getting through

2004-12-15 Thread Colbeck, Andrew
Hermann, since we're not seeing a response in this list, I'd suggest that you directly contact [EMAIL PROTECTED] about this. I hope that what you're assuming is NOT true. Given that Declude Virus unpacks all of the attachments and calls your antivirus scanner(s) on the unpacked attachments, I

[Declude.Virus] Parallel processing

2004-12-10 Thread Colbeck, Andrew
I'm using the f-prot command line scanner, and the lines in the virus.cfg look like this: SCANFILEC:\F-Prot\fpcmd.exe /ai /type /silent /archive=5 /dumb /noboot /nomem /packed /report=report.txt VIRUSCODE 3 VIRUSCODE 6 REPORT Infection: That's working fine, but in my testing I'm only

RE: [Declude.Virus] AVAFTERJM not working

2004-12-20 Thread Colbeck, Andrew
I think I ran into this too; for my part, it was a thinko. The correct usage is: AVAFTERJM ON but with all the talk on this forum about "AVAFTERJM", that's all I used (that is, I left out the "ON" part). Andrew 8) -Original Message- From: [EMAIL

RE: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Colbeck, Andrew
Ditto. I thought Declude called the scanner(s) on the d*.smd, plus extracted all the segments out and scanned those too. Is that incorrect? Also, does Declude recursively unpack MIME segments, if one of the attachments is itself a .eml file or .smd file, would any attachments inside it be

RE: Re[8]: [Declude.Virus] testvirus.org #22

2004-12-20 Thread Colbeck, Andrew
Thanks, Scott. I constructed 2 tests anyway, one with an executable in an attached .eml file and one where that executable is a virus. It *looks* like this is a special case, i.e. where all unpacked attachments, including .smd are unpacked, and then the folder scanned: So with a single message,

RE: [Declude.Virus] PB installing 2.0B

2004-12-21 Thread Colbeck, Andrew
Hey, Declude Support, I'm interested in a manual installation, too! ... Now, I don't want to sound like I'm shooting the messenger, but I hope you guys aren't doing this on your production server. Since I'm interested in the manual installation, I'll install it on the development server, note

RE: [Declude.Virus] This site is defaced!!! - Way OT

2004-12-21 Thread Colbeck, Andrew
It turns out that Jerrod's problem is actually a worm that attacks PHPbb (patched Nov 18th, 2004) ... he's probably still busy on that, but for everyone else's benefit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SANTY.A http://isc.sans.org/diary.php?date=2004-12-21

RE: [Declude.Virus] MAC addresses for licenseing?

2004-12-23 Thread Colbeck, Andrew
With Adapter Fault Tolerance, you only have one MAC. The inactive card's actual MAC address is suppressed, and the driver uses the LAA (Locally Administered Address) ability to use that MAC when it becomes the active card. There is a tiny pause where the switch has to learn that the MAC has

RE: [Declude.Virus] Microsoft Antivirus in your future ?

2005-01-06 Thread Colbeck, Andrew
My reading this morning on canoe.ca was that their purchase in 2003 of RAV is going to surface as a subscription based retroactive cleaning system for only the topmost current viruses. Microsoft is still going to encourage the purchase of big-name vendors' products for

[Declude.Virus] Microsoft AntiSpyware in your future ?

2005-01-06 Thread Colbeck, Andrew
Microsoft has made progress on rebranding Giant AntiSpyware as a Microsoft product. See here for the free beta which expires in about a year: http://www.microsoft.com/athome/security/spyware/software/about.mspx My take on this is that they've re-branded it, but not yet

RE: [Declude.Virus] FW: MS Windows/Critical Error

2005-01-26 Thread Colbeck, Andrew
Interesting. On the one hand, using RAR compression is likely to get the trojan message past antivirus scanners to lots of users. On the other hand, I hope that anyone who has taken the step to install the free unrar or actually bought RAR has enough of a clue to discard this email as an obvious

RE: Re[10]: [Declude.Virus] testvirus.org #22

2005-02-02 Thread Colbeck, Andrew
My configuration is catching it. I've attached the entire configuration file with my email address and licence munged. I've also attached what my log lines look like when the virus is caught. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Colbeck, Andrew
FWIW, I recently ran into a weirdness with McAfee; I use the daily dat download (engine plus dats), and have done so for some months. For reporting completeness, I do a nightly scan of my spam folder to find out how many viruses were caught as spam. January didn't work, and I didn't

RE: [Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Colbeck, Andrew
I don't mean scanning the files in the root repetitively. In particular, FileMon was showing me that scan.exe was READing D:\ (as opposed to OPEN, CLOSE, QUERY INFORMATION, or SET INFORMATION - all of which are other request types that FileMon can log). Actually, it might

RE: [Declude.Virus] McAfee and POP3 service crash

2005-02-07 Thread Colbeck, Andrew
I should have also mentioned that the script first makes a list of the files to scan, then tells scan.exe to scan the files in the list. I don't just tell scan.exe to scan the folder (if I had, I could buy the behaviour of reading the directory over and over again). Andrew

RE: [Declude.Virus] Organization changes at Declude

2005-02-21 Thread Colbeck, Andrew
Thank you, Barry. Scott, I wish you all the best in your future endeavours... it's been a swell ride! Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, February 21, 2005 10:10 AM To: Declude.Virus@declude.com

[Declude.Virus] Yet another MyDoom in the wild

2005-02-22 Thread Colbeck, Andrew
For the writeup from TrendMicro, see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BE And for a practical tip, add to your virus.cfg: BANNAME example.com.zip Where example.com is of course replaced by your own Internet domain(s). Andrew 8) --- [This E-mail was

RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Colbeck, Andrew
Kevin, you're probably using your ISP's DNS servers to do the RBL lookups for you. Either your operating system is configured with Covad's DNS servers, or you have your own DNS server configured to do DNS forwarding. What you want to do is run your own DNS server, and NOT have it configured for

RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Colbeck, Andrew
... and, Kevin, you should get back to Covad and tell them that you will remediate the problem. This will let them know that you play nice, and stop them from taking actions against your traffic! Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Colbeck, Andrew
You probably want to take this in baby steps. Let's start with - are you sure that you're not already running a DNS server on your mailserver? Then you can go on with using Add/Remove to add the DNS server. To avoid any issue with your mailserver needing DNS records at all, just change your

RE: [Declude.Virus] F-Prot 3.16b

2005-04-11 Thread Colbeck, Andrew
http://www.f-prot.com/download/release_notes_archive/Release-Notes-Windows-3.16b.txt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Monday, April 11, 2005 12:36 PM To: Declude.Virus@declude.com Subject:

RE: [Declude.Virus] Declude Update

2005-04-12 Thread Colbeck, Andrew
Go to the www.declude.com website and click on Tech Support; you end up on a dense page but the manuals are there for each product. I didn't know either; about two weeks ago I was surprised that the manual wasn't in the software download, so I sent an email to tech support and that was the

RE: [Declude.Virus] F-Prot tagging zips as code 8

2005-04-14 Thread Colbeck, Andrew
John, I don't think you mention what kind of file was in your encrypted zip. I just took a try at repeating the test as it may be applicable to my own environment. I block encrypted banned extensions with: BANEZIPEXTS ON and .doc file is not in my list of banned extensions,

RE: [Declude.Virus] Another new virus

2005-04-15 Thread Colbeck, Andrew
I've seen one sample in the last few minutes. It arrives as jokes.zip, and www.virustotal.com describes the enclosed 123456.exe as: This is a report processed by VirusTotal on 04/16/2005 at 00:11:32 (CET) after scanning the file 123456.exe file. Antivirus Version Update Result AntiVir

RE: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Colbeck, Andrew
The return code = 8 in F-Prot does mean "suspicious file" and not "virus". In this case, they are not calling the executable Bagle, they are calling it Mitglieder, which is a Bagle-related file and is commonly seen as a dropper. I sent a support request asking them

RE: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Colbeck, Andrew
http://www.f-prot.com/support/contact_support.html Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, April 21, 2005 9:22 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] How to

RE: [Declude.Virus] How to check VIRUSCODEs

2005-04-21 Thread Colbeck, Andrew
Thanks for the insight, Matt. We are used to seeing virus authors doing their seeding from the home-user cable, DSL and even dial-up pools, but these samples were definitely spammer web and email server blocks, and not XBL listings and not collateral damage SBL listings.

RE: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Colbeck, Andrew
I've seen no change in the cpu usage on my F-Prot implementation of Declude Virus. My server picked up the most recent update an hour ago, so that may be important to you. In checking that I was confused, because the time stamp hadn't been hit yet. From viewing all three date columns in

RE: [Declude.Virus] High CPU F-Prot

2005-04-27 Thread Colbeck, Andrew
Hmm, it won't help any directly, but I can tell you that I've had zero instances of this timeout error so far this month. For what it's worth, the only errors in my vir04??.log file are all about double-scanning by Declude (for a message with a single addressee). I see

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Colbeck, Andrew
The could not parse string occurs whenever F-Prot returns a result that *isn't* equal to 3. Only return code 3 provides a string in the result file that says Infection: followed by the virus name. I'd like to help you out with this Matt, but with only one antivirus scanner, I don't see the

RE: [Declude.Virus] High CPU F-Prot

2005-04-28 Thread Colbeck, Andrew
Matt, no there is no related Q line in my log files above that error. And given the load on my server, there is no way to correlate a useful gap between my DECmmdd.log and VIRmmdd.log files; rather, I expect random gaps. Also, I've noticed that F-Prot has definitely

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-28 Thread Colbeck, Andrew
I downloaded and manually scanned the file with F-Prot and McAfee multiple times. Desktop, WXP SP2, P4, 2.8 GHz F-Prot -5 seconds McAfee -0.4 seconds Server, W2K SP4, P3, 866 Hz F-Prot -10.1 seconds McAfee -1.21 seconds F-Prot is indeed returning an errorlevel of 8 on

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Colbeck, Andrew
-Prot, but it is in fact being detected. Maybe Declude should change the logging to indicate the exit code in other log levels when it matches a VIRUSCODE value. That leaves two real issues; 1) Time/CPU utilization with F-Prot, and 2) F-Prot continuing to report viruses with an exit code of 8

RE: [Declude.Virus] F-Prot missing viruses and is slow (renamed)

2005-04-29 Thread Colbeck, Andrew
ontinuing to report viruses with an exit code of 8. Matt Matt wrote: Colbeck, Andrew wrote: F-Prot is indeed returning an errorlevel of 8 on this, and it's definitely way out of line with the scanning time on this file. Your script no

RE: [Declude.Virus] f-prot update script

2005-05-02 Thread Colbeck, Andrew
Well, you've got two problems here, Daniel. The first is that the script depends on an external program called wget that you probably don't have installed. The second is that this script should be deprecated, because the FTP method is no longer provided by F-Prot! As Jim and Keith pointed out,

RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread Colbeck, Andrew
F-Prot may have already fixed their pattern file. My current sign.def is timestamped: 05/02/2005 03:53 AM and checking their website and downloading the current version manually shows that the current version is: 05/02/2005 01:32 PM Can anybody with the issue confirm which pattern file they

RE: [Declude.Virus] Is this sort of stuff necessary on a list?

2005-05-02 Thread Colbeck, Andrew
Thanks, Chuck. I appreciate your contribution. I've added several strings from this Zaep email to my filter that blocks lousy Challenge-Response emails. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Monday, May 02, 2005

RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Colbeck, Andrew
I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from 05/02/2005 01:32 PM And yes, I've sent in a support request via their web page; I'd like to supply them with several samples. I've also played around with

RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Colbeck, Andrew
that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine version matters, just the pattern file. I've confirmed that the culprit is this, the most recent sign.def from

RE: [Declude.Virus] F-Prot Alternative

2005-05-02 Thread Colbeck, Andrew
Matt posted the authoritative roundup in a head to head comparison when he revamped his Declude Virus setup. Unless he chimes in here with an updated answer, the answer is somewhere in the archives. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [Declude.Virus] Viruses appearing to be getting through...

2005-05-02 Thread Colbeck, Andrew
at: SIGN.DEF 2-may-2005, 13:32 CET SIGN2.DEF 2-may-2005, 16:46 CET Using f-prot 3.16b Groetjes, Bonno Bloksma - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 8:37 PM Subject: RE: [Declude.Virus] Viruses appearing

RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Colbeck, Andrew
, though, it says that my defs are up-to-date, even though I replaced the newest ones with the ones that you sent. I hope that that message indicates whether we've downloaded the latest - not whether we are actually using the latest defs. Colbeck, Andrew wrote: I don't think the engine

RE: [Declude.Virus] F-Prot and HTML object exploit

2005-05-03 Thread Colbeck, Andrew
. These files are dated 3 May 2005 and users need only update to avoid any further false positives. Greetings, Uwe - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 03, 2005 3:21 AM Subject: RE: [Declude.Virus] F-Prot and HTML

RE: [Declude.Virus] f-prot update script

2005-05-04 Thread Colbeck, Andrew
Hmmm. Well, I went to the F-Prot website and picked out their link to download the latest signatures. They do not support the FTP method anymore, but: wget -N http://updates.f-prot.com/cgi-bin/get_randomly?fp-def and wget -N http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2 do work

RE: [Declude.Virus] f-prot update script

2005-05-04 Thread Colbeck, Andrew
. Latest defs are Monday at 10:34am. I just ran the FTP update script manually and it ran fine. Here's what we use open ftp.frisk.is user anonymous [EMAIL PROTECTED] cd pub binary hash prompt get fp-def.zip get macrdef2.zip close quit Darin. - Original Message - From: Colbeck, Andrew

RE: [Declude.Virus] Question concerning SKIPEXT and GDI+ Vulnerability detection

2005-05-06 Thread Colbeck, Andrew
Me three, as I have the same configuration. For what it's worth, I have seen this exploit blocked on our web proxy server many times, but I've only seen it a few times in email; each of those times, the .jpg was not contained in the message, it was dropped from inside a compressed executable, or

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread Colbeck, Andrew
John, can you expand on that? In my implementation, there is no difference in message treatment if a vulnerability or virus is detected. Therefore, I am happy to stop the virus scanning if a vulnerability is detected. That is, as long as ALLOWVULNERABILITIESFROM is still respected. Of course,

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread Colbeck, Andrew
--- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Saturday, May 28, 2005 12

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-28 Thread Colbeck, Andrew
] On Behalf Of Colbeck, Andrew Sent: Saturday, May 28, 2005 5:58 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] EXITSCANONVIRUS ... that's reasonable, John. How does it work up to now? If a vulnerability and a virus are detected, which gets reported? Andrew 8

RE: [Declude.Virus] EXITSCANONVIRUS

2005-05-30 Thread Colbeck, Andrew
Ouch. We've periodically had problems with Compaq (now HP) Proliant servers that have been mostly about the pre-failure being too sensitive; it's now part of our best practice to keep up with driver and ROM updates. This used to be difficult, but now HP has a ROM update

RE: [Declude.Virus] New virus out?

2005-05-31 Thread Colbeck, Andrew
Yes, a new Bagle and MyTob are out. See: http://isc.sans.org/diary.php?date=2005-05-31 http://www.viruslist.com/en/weblog My current F-Prot *.def is detecting this as a suspicious file (return code = 8); I've only seen two that were caught by Declude Virus, but it could be quite a few more

RE: [Declude.Virus] New virus out?

2005-05-31 Thread Colbeck, Andrew
Trojan.Tooso.B VBA32 3.10.3 05.31.2005 suspected of Worm.Bagle.3 - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 6:39 PM Subject: RE: [Declude.Virus] New virus out? Yes, a new Bagle and MyTob are out. See: http

RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Colbeck, Andrew
Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID vulnerability detector. They are entirely different animals, which happen to have CLSID at their heart. The only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus scanner up to

RE: [Declude.Virus] viruses getting through

2005-06-08 Thread Colbeck, Andrew
Also, if your server is highly stressed, IMail will steal messages from Declude (alternately, "something" makes the file in use and Declude can't process the message in a timely fashion and so fails open) and the file is delivered by IMail without Declude writing the headers or

RE: [Declude.Virus] F-Prot update

2005-06-09 Thread Colbeck, Andrew
According to their website, this is a stability update; comparing a new install on my test box shows that lots of datestamps have been updated but actually not many files changed. The Help file has not changed, and there is no text file that describes the changes/updates. As an

RE: [Declude.Virus] F-Prot update

2005-06-10 Thread Colbeck, Andrew
Ah, I didn't check the internals of the *.def files. I simply ran fpcmd manually against the viral files I had stashed and noted how long it took and what the errorlevel was afterwards. I'll re-subscribe to the announcements and see if that helps. I did check my Declude log

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

2005-06-13 Thread Colbeck, Andrew
Doug, you're probably scoring on multiple hops by setting your HOPHIGH in global.cfg ... If you don't want RBLs to score on multiple hops, just comment out that HOPHIGH line. Alternatively, rename your CBL test to CBL-DYNA (don't forget to change the global.cfg definition plus the action line

RE: [Declude.Virus] Declude using CBL to block users sending mail?????

2005-06-13 Thread Colbeck, Andrew
from headers when shared because those that might help out would often benefit from this information. Sometimes it doesn't really matter of course, and Doug did give enough information to figure this out, but the three received headers were confusing without a careful read. Matt Colbeck

RE: [Declude.Virus] FYI - new virus as yet unidentified

2005-06-27 Thread Colbeck, Andrew
12 hours after Darin's post, I see that the ISC Storm Center has seen it. http://isc.sans.org/diary.php?date=2005-06-25 "New Bagle Variant We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not

[Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

2005-07-08 Thread Colbeck, Andrew
Well, the speculation on whether Microsoft would make good on their bounty to Sven Jaschen's "friends" is over. http://www.f-secure.com/weblog/ Andrew 8)

RE: [Declude.Virus] NetSky and Sasser author sentenced, Microsoft pays up

2005-07-08 Thread Colbeck, Andrew
writers. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, July 08, 2005 11:40 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] NetSky and Sasser author

RE: [Declude.Virus] Breatel.B@MM seems to forging

2005-07-21 Thread Colbeck, Andrew
... And I just added FunLove to the list. W32/FunLove.4099 is the full name given by F-Prot, but it is known as WORM_NETSKY.P to Trend Micro. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Thursday, July 21, 2005 12:50 AM

RE: [Declude.Virus] OT: Online file check?

2005-07-25 Thread Colbeck, Andrew
To scan a file with a bunch of different scanners and get a single report from all of them, use this site: http://www.virustotal.com/ And if you want to see what a malicious file does, use this site: http://sandbox.norman.no/live.html And the best way to get rid of a file like that is

RE: [Declude.Virus] OT: Online file check?

2005-07-25 Thread Colbeck, Andrew
Oh, yes, and a few more tips: Configure the IE preferences on the Tools, Options, Advanced tab: In the Browsing section: UNCHECK "Enable Install on Demand (Internet Explorer)" UNCHECK "Enable Install on Demand (Other)" UNCHECK "Enable 3rd party browser extensions (requires restart)" In

RE: [Declude.Virus] OT: Online file check?

2005-07-25 Thread Colbeck, Andrew
Greg, my favourite technique for restarting explorer is: CTRL-SHIFT-ESC to bring up Task Manager. Kill explorer.exe, then pull down File, New Task and launch explorer.exe ... This works especially well when you reboot but get no desktop. Also good things to launch are cmd (and WinFile.exe

RE: [Declude.Virus] OT: Online file check?

2005-07-26 Thread Colbeck, Andrew
Oooh, the thread injection by the dll would make it hard to kill; you'd have to use a tool like Process Spy that shows you dll files as well as the executables. That tool you downloaded probably didn't do the full job, though. It's the Kill2Me tool by Merijn, author of HijackThis, and it's more

[Declude.Virus] Expect new Bagle variants

2005-08-11 Thread Colbeck, Andrew
From the Kaspersky Lab blog at http://www.viruslist.com/en/weblog Bagle's author back at work Yury August 11, 2005 | 17:02 MSK It looks as though the Bagle author is back from his vacation. Today we've detected several new variants (actually old variants which have been

RE: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

2005-08-12 Thread Colbeck, Andrew
David, with your version of Declude Virus, you'd have to turn off all 10 of the CR vulnerability checks at one go. I'm at the same or similar version, and that's what I've decided to do. This directive goes in your virus.cfg: BANCRVIRUSES OFF Andrew 8) -Original Message- From:

RE: [Declude.Virus] Expect new Bagle variants

2005-08-12 Thread Colbeck, Andrew
I hadn't until last night, Markus. But now I've got 35 copies from different sources, all flagged by F-Prot as suspicious files. F-Prot detects the executable inside a zip file as a Mitglieder variant, and submitting it to http://www.VirusTotal.com shows that all the big name vendors there are

RE: [Declude.Virus] IP list of reported virus infections

2005-08-16 Thread Colbeck, Andrew
Hmmm. I don't specifically remember that, John. But this is a handy place to check: http://www.dshield.org/warning_explanation.php DShield is fed by volunteers who run whatever firewall or IDS they like and submit the logs to DShield. It's an offshoot of the SANS Internet Storm Center. A site

RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread Colbeck, Andrew
According to this: http://loadrunner.uits.iu.edu/weathermaps/abilene/ Most of the major links on the Internet are very busy. Interestingly, the Houston-Atlanta link is back up, and was hard down due to Katrina for a week. Andrew 8) -Original Message- From: [EMAIL PROTECTED]

RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread Colbeck, Andrew
No problem, Darin. We'll have Newfoundland reboot it. They're half an hour off of everybody else. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, September 09, 2005 10:55 AM To: Declude.Virus@declude.com

RE: [Declude.Virus] Sudden Internet Slowdown

2005-09-09 Thread Colbeck, Andrew
. Then if someone wants something done on a particular day, and you missed it, you could just walk over to the other side of the building, finish it, and tell them it's done. Darin. - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus

RE: [Declude.Virus] McAfee DailyDAT download location change.

2005-09-12 Thread Colbeck, Andrew
Mr. Obvious says: You would have to change the URL plus the name of the file you're unzipping! So that I didn't have to change my script much, I changed my wget line to: wget http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip -O dailyscan.zip The -O

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew
Hmm, yes. Something along the lines of: wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini and then parsing out the line: FileName=dat-4579.zip or DATVersion=4579 in order to construct the filename... but it seems like re-inventing the wheel. The readme.txt talks about a

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew
Scott, in various older versions of wget, the -N parameter as well as the --header=Accept-Encoding:gzip parameter plain old didn't work. Pick up the current version here: http://xoomer.virgilio.it/hherold/#Files and it should be fine. Andrew 8) From: [EMAIL PROTECTED]

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew
which is all well and good, but... It worked fine for the update.ini, but not for the .zip file. The current stable version of wget does in download a full file every time. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday,

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew
A very basic: wget -N http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip was not working when Scott (and then I) tried it. But it does now, including with the -O parameter. I'd hazard a guess that they have some kind of front-end webcache or cluster, and

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-20 Thread Colbeck, Andrew
FYI, Kaspersky reports that they're now up to something like 20 new variants of Bagle between Monday and Tuesday. Andrew 8)

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-20 Thread Colbeck, Andrew
... and F-Secure notes that they've hit a record of publishing 12 pattern updates in one day. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, September 20, 2005 11:28 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus]

RE: [Declude.Virus] PING

2005-09-29 Thread Colbeck, Andrew
PONG -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, September 29, 2005 8:15 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] PING PING --- This E-mail came from the Declude.Virus mailing list. To

RE: [Declude.Virus] New variant as of 15 minutes ago

2005-10-06 Thread Colbeck, Andrew
#New Sober.R aka CME-151 per http://cme.mitre.org... expect German right-wing propaganda in a few days Oct-05-2005 AC
BANNAME pword_change.zip
BANNAME screen_photo.zip
BANNAME KlassenFoto.zip
BANNAME Regis.info.zip
BANNAME Privat-Foto.zip
BANNAME Brief.zip
banned extensions for both flavours as

RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

2005-10-11 Thread Colbeck, Andrew
How about cock of the walk jokes? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, October 11, 2005 2:44 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Slightly OT: Encrypting or

[Declude.Virus] Another virus seeding run

2005-10-20 Thread Colbeck, Andrew
Forewarned is fore-armed. Blogged by F-Secure here: http://www.f-secure.com/weblog/#0682 With a writeup on the virus itself here: http://www.f-secure.com/v-descs/rbot.shtml The email seeding run doesn't contain a virus, just a scam plus a URL. I haven't seen any yet, so I can't comment on

RE: [Declude.Virus] Blast of zips coming in

2005-11-01 Thread Colbeck, Andrew
Current F-Prot definitions catch this as a Mitglieder variant, and Trend Micro reports that they are investigating Bagle.AB. The zip files contain a non-password protected executable; I've noticed the following names: Loader.exe t_535475.exe Here is an F-Prot report on one catch:

[Declude.Virus] OT: From Phisher to just a fish

2005-11-04 Thread Colbeck, Andrew
A 20 year old man goes from abusing phish to being abused as a fish: http://www.wired.com/news/print/0,1294,69480,00.html Andrew 8)

[Declude.Virus] F-Prot zip vulnerability reported

2005-11-04 Thread Colbeck, Andrew
Ouch. F-Prot is very popular on this group. This vulnerability may never turn into an exploit, but it's better that we keep abreast of issues like this. F-Prot Antivirus Lets Remote Users Bypass the Scanning Engine with Specially Crafted ZIP Files http://isc.sans.org/diary.php?storyid=820

[Declude.Virus] New Sober to be released Nov-15-2005 ?

2005-11-14 Thread Colbeck, Andrew
Hmmm, now that's interesting. http://www.f-secure.com/weblog/#0705 Andrew.

RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread Colbeck, Andrew
There are very interesting details in Trend Micro's writeup. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T i.e. it uses its own SMTP server plus a hardcoded list of accounts and IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious

RE: [Declude.Virus] New Sober to be released, possible variation?

2005-11-15 Thread Colbeck, Andrew
are catching them. That way new variants that use the names are caught before definitions are available. Darin. - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, November 15, 2005 11:57 AM Subject: RE: [Declude.Virus] New

RE: [Declude.Virus] Where to send exe's to check if they are a virus?

2005-12-15 Thread Colbeck, Andrew
You can upload it to this website where it will be scanned by all the leading virus vendors that haven't sent them a cease-and-desist order: http://www.virustotal.com/flash/index_en.html And you can also upload it to here to have their 'bot run the application in a sandbox and report back to you

[Declude.Virus] Another vulnerability in antivirus software exposed

2005-12-20 Thread Colbeck, Andrew
Ouch. Not in the wild yet (most of these vulnerabilities don't get to be in the wild), but serious nonetheless due to its potential. If you're not keeping your Symantec up to date with a subscription, you should:

RE: [Declude.Virus] Sober.X Variant

2006-01-05 Thread Colbeck, Andrew
I just saw two today. This may not be what you're seeing, JT, but here goes: What I saw were two broken Sober.X messages that were bounced with the original message (the viral message) truncated. F-Prot didn't trigger on the broken attachment and the bounce didn't trigger my custom filters to
