Wasn't, but I am now.
Thanks
Greg
John Tolmachoff (Lists) wrote:
Everyone is banning vbe attachments, correct?
---
[This E-mail scanned for viruses by Findlay Internet]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED],
of spam seen around the seeding of these threats.
So whatever your favorite AV . . . Keep It CURRENT.
Looks like McAfee was blocking many (all?) of this batch as an unknown
virus (New Poly Win32).
Greg Little
Colbeck, Andrew wrote:
Bagle usually comes in several waves of slight variations
For a work around,
What about changing the extension?
If it is not *.ZIP, will it still fail the test?
Greg
Grant Griffith wrote:
Have a customer trying to send a message and it is being caught saying
Invalid ZIP Vulnerability. Anyone know what this is? Nothing in the
Declude manual on
worth the effort. I also use it to block
XXX pages.
Greg Little
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
it could
install its memory resident program.
SysInternals has some great tools for Watching processes, Controlling
startups, etc.
http://www.sysinternals.com/SystemInformationUtilities.html
Greg Little
PS Does this pest have a name?
Although McAfee 4.5 has been trying hard to kill off 4.5 for a while, I
have not seen it yet.
It is the only version to use if you have Win 98/ME.
We still have a few desktops using 98. (They were updating fine last
time I checked)
But for a mail server I'd expect that you are on a more
bject
line, File name, Sender, etc. the next version of this pest is as much
a target and it's hard to guess what that will look like.
Greg Little
Kevin Shimwell wrote:
Good
morning
I'm
getting a lot of calls from yesterday on customers getting an attached
zip. with and ex
Here's some background info on this pest (from another list).
Greg Little
Original Message
Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
Date: Fri, 08 Apr 2005 09:27:43 -0700
From
If their mail server had a better Admin,
they would know to be very careful about sending ANY "you have a virus"
messages.
Greg
Markus Gufler wrote:
This notice is sent as a courtesy so that you have the option of contacting
your user and helping them get rid of the virus. This message
http://msmvps.com/trafton/
Just added HLP to my block list.
(anyone want to vote, we just shut down the internet)
Greg
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
I think I understand the question.
I only get banned extension notices when there is no known virus.
I route these banned notices to a folder in my mail program for special
attention (the virus name is in the subject).
The banned e-mails get checked by hand.
If it looks legit, I send a form
I use McAfee Enterprise 7.1 for Command line and on-access scanning.
Remember to exclude most of your mail/spool folders from on access scanning.
Greg
--
Greg Little
Programmer/Analyst
The Findlay Publishing Co. (or The Courier
mail server.
So far the volume is low (I have yet to get one here).
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AHVSect=SPeriod=1d
But this one or another member of its family is going to get very wide
spread.
Greg Little
PS Anybody know how the other AV companies a
We are on exactly the same track.
If this kind of attack catches on, and the e-mail can look like almost
anything. Passing everything to the more CPU consuming AV engine may be
needed.
This attack will work just fine in a plain text (non-HTML) e-mail. (Will
the link work easy?)
Greg
Matt
expect we will
hear a lot more on these in the coming weeks.
Greg Little
John Tolmachoff (Lists) wrote:
Any one know what the link in the body is so we can add filters for it?
While we are on wish list.
Conversion to a next product is HUGE, for those of us with
000's of mail boxes, spread across 100+ organizations, transition
effort to any new product can be a bigger expense than the purchase
price.
(Why do you think so many people who sound like they don't really
Some (Most?) of the AV vendors have patches already. Looks like it was
quietly announced to the AV vendors about 2 to 3 weeks ago.
This mostly impacts e-mail scanning. It's worth the effort to check, if
you have one of these vendors. (Some require upgraded software).
This vulnerability affects
Doug,
The fault is in the detection test not the JPG.
And in the fact that this Vulnerability is so new that there has not
been the usual time for careful testing before this test was released.
(This is also why the test is found in an interim not a fully tested
release.) Scott got us a
I should eliminate (comment out) at least the JPG line right away.
The new test (when it's fully ready) provides a great safety net to
backup the AV programs. The new test will ignore these lines and bad
JPEGs will be caught.
The test is available by installing a new interim version of Declude.
To keep it brief.
Scott has a new JPEG test in Ver. 1.80, but it appears to still have a
flaw.
(Stopping a FEW normal JPEGs, mostly from MACs.)
So, for the next few hours (days?), you can err on the side of
caution or risk.
But when it's fully ready, it's a must have update.
Greg
R. Scott
As I recall, IF a virus scanner calls it bad, there is no further checking.
(So, if your AV vendor is doing their job right, you would have to
disable the AV scanner(s) to test.)
Greg
Keith Johnson wrote:
I too am seeing this same behavior. I am running HIGH logging and 1.80 version. All
I
Good catch.
ALL AV scanners will run.
If one or several scanners finds a virus, then I believe the new JPEG
tests in 1.80 will be ignored.
(This would complicate confirmation testing for the new JPEG test)
Greg
Nick wrote:
On 28 Sep 2004 at 10:43, Greg Little wrote:
Greg,
As I
The most positive step for now is to patch, patch, patch. (At least get
the big holes)
Windows, IE, Office, lots of other current MS products.
Lots of 3rd party products (some of the manufacturers will be out of
business)
Who knows about old MS products.
I have not seen a good tool yet for
in addition to the one from MS updates.
http://isc.sans.org/gdiscan.php
The notes say to
Ignore files in directories like Windows\$NtUniinstallKBx\
and
Windows\WinSxS. These are old versions left behind for uninstall
purposes.
I included the results from my PC. It looks
We've got too many threads tracking this.
(And way too many nightmare ideas.) As simple as, a Word or WordPad
Document with an infected JPG (or link) that infects PCs with all their
Windows updates (but not their Office updates).
I'm with you. I've got that gut feeling this one is going to get
"froms" are random names also, so forging is
likely.
Greg Little
Declude Virus Ver. 1.79 caught the the JS/Zerolin trojan !!! virus in [Unknown: Err]
from [EMAIL PROTECTED] to: [EMAIL PROTECTED], [EMAIL PROTECTED].
from [EMAIL PROTECTED] to:
from [EMAIL PROTECTED] to:
for that to waking up.
An odd file name. All my "froms" are random names also, so forging is
likely.
Greg Little
outside of Zips but let all the Zips
(except password protected) through.
Greg Little
R. Scott Perry wrote:
BANZIPEXTS ON is in v1.79. For any file extension that you ban with
the BANEXT option, it will then be blocked if it is in a .ZIP file as
well
Also the older Engines will NOT catch all the viruses.
Current engine is almost as important as current DATs (virus definition
files).
At least one of the sites having trouble has been trying the current engine.
(I would double check and do a re-boot to make sure the new engine is used.)
Greg
corner for Corp
questions also.)
http://forums.mcafeehelp.com
Greg Little
falls into a hole and neither sender nor receiver knows.
I get the Full load, viruses, blocks, vulnerable, etc. to sort through
if anything else needs to be done. (and see trends)
Like on blocked files. Some are real users and some are New viruses.
Greg Little
No one has found a way to write a program that fits in 1 byte yet, so
I'm guessing leftovers from a previous virus clean up.
Greg
Jim Matuska (by way of R. Scott Perry )
wrote:
I have
been seeing a few 1 byte .vbs files being delivered to user accounts,
some of them are forged too. None are
You can use recip.eml to send a note that says "you were sent a virus",
but none of the current active viruses and only about half of the
older ones have a valid sender. So, sending "an unknown person", who is
claiming to be somebody else, is infected and knows your e-mail address
is worse
://vil.nai.com/vil/content/v_125302.htm
http://vil.nai.com/vil/content/v_125303.htm
http://vil.nai.com/vil/content/v_100992.htm
--
Greg Little
Looks like a match for this new worm
W32/Wallon.worm.a
http://vil.nai.com/vil/content/v_125096.htm
The message body
simply contains a hyperlink, which is designed to trick users into
thinking that they are going to a Yahoo News site, when in fact they
are redirected to a page on the
100696.htm
(This is a typical McAfee write-up for a spyware, Adware-180Solutions)
Greg
Greg Little wrote:
The only other really effective way to "prevent further infections" is
to block access to the whole internet.
Greg
PS These Spyware programs have gotten at least as ann
I've been successful on similar junk by unchecking the pest's startup
commands in MSConfig.
(Also a good research tool)
Spybot Search and Destroy has an inoculate function.
At a quick glance they add 00's of entries into the HOSTS file. The idea
is that www.WorthlessTrash.com will resolve to
It is consistent with the description for Bagle.AA .
McAfee released new DATs about an hour ago. (Others should be
available, now or soon)
Bagle.AA
http://vil.nai.com/vil/content/v_124875.htm
Greg Little
PS Interesting Note. This one (AA) was moving very fast.
This one just made
Most likely Bagle.AA .
Jim Matuska wrote:
Has anyone seen any new viruses that
are using a .cpl extension? I just received a 24k
I assume you don't want to send useless (or confusing) messages as the
result of a virus.
Unfortunately most of the banned extension hits are nothing but trash
that should be thrown away.
What I've gone to here is sending the Banned e-mails only to the techs
(mostly me). Then I get to make
but in this case one of the customers we
host "stacy-insurance.com" sent a few Netsky's. So we contacted them
and the viruses quit coming.
(For spoofing viruses, which is almost all nowadays, you won't know the
user name, but may be able to get the domain.)
Greg Little
Declude Virus Ver. 1
I'll second the need and usefulness of seeing the full file name.
(This becomes more complicated with files inside of zips)
Whenever I get a banned e-mail, I get to decide if it is normal customer
traffic (send an explanation of what extensions are blocked and how to
work around the blocking)
I use a much more low tech technique for this.
Declude E-Mails me (and a couple of other techs) every time it finds a
virus, Vulnerability or Banned Ext. .
This is around a 1,000 per day lately. (Most of which are just more
Netsky or Vulnerability junk to ignore)
In the body of the e-mail I
differently), I doubt this trick will catch-on.
But if it does, Scott will give us yet another switch for this
combination or teach us a combination that does this. ;)
PS Thank you.
I plan to share this trick with my local users that want to sneak
passworded zips through the server.
Greg Little
Jeff
.
For the sites that need to handle EZips, it might be a way to open the
door and still keep most of the protections in place.
--
Greg Little
Kami Razvan wrote:
Scott:
Just an idea...
What if you extend the idea of White list password to Declude Virus- for
password protected zip files
.
When will it end?? (or at least slow down)
PS Scott,
Thanks for the recently added Vulnerability blocking. (for Q R S T)
--
Greg Little
from the current wave of viruses, they will be
changing their cycle.
Greg Little
the
solution you need.
Greg Little
Venkateswarlu Swarna wrote:
In mcafee
virus scan 8 (Active shield) we don't have option to exclude users and Imail
spool folders.
invalid archive format says to me that it may be a corrupted/incomplete copy of the
virus.
If that's the case, inconsistent identification would be normal.
Sending a copy of the zip to [EMAIL PROTECTED] would let Scott have more info.
Greg Little
EMail Admin wrote:
Scott,
I just had a user
ro viruses (and some of the other non-forging) you
do want both to get a notice.
Greg Little
This is from F-Secures site
http://www.f-secure.com/v-descs/swen.shtml
The attachment name,
subject and part of the infected message is
randomly composed from text strings hardcoded in the worm's
settles a little. They are evolving daily, just like
Declude. If someone wants to test, e-mail me or AVERT (off list).
Greg Little
Dear Greg,
The following is true:
"We DO still detect the !pwdzip at the gateway.
We DO NOT detect the !pwdzip at the desktop."
Howe