Here are two different captures of what the thing looks like (including the '=' at the end of the line). These are appended to "normal" spammy looking emails. (I've replaced 'object data' with 'xxxxx' so that it doesn't hit virus filters.)
</font></CENTER><xxxxx=3D"http://&#=
119;ww.fatbonusc&#=
97;sino.com/pag=
01;.php">

<xxxxx=3D"http://www&=
#46;fatbonuscasi&#=
110;o.com/page.p=
04;p"></body>

which decode to (respectively)

</font></CENTER><xxxxx=3D"http://&#=
119;ww.fatbonusc&#=
97;sino.com/pag^A=
01;.php">

<xxxxx=3D"http://www&=
#46;bwpapagoinn.&#=
99;om/page.php" width=3D=
"14" height=3D"14"> </BODY>

Using this handy one-liner that I got from Bob Apthorpe on spamassassin-users

cat sample_spam.txt | spamassassin -d | \
  perl -MHTML::Entities -pe 'decode_entities($_);' | less

I've got plenty of samples, and was trying to figure out how to write a signature for them, but am in the middle of a firewall emergency.

-ron

> -----Original Message-----
> From: Kevin W. Gagel [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 21, 2004 8:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Exploit-ObjectData trojan
>
> Not only does ClamAV seem to miss it but so does uvscan. I have ClamAV and
> uvscan both scan email here. My Virscan Enterprise 7.1 catches these all the
> time. I just haven't had time to investigate fully.
>
> ----- Original Message Follows -----
> From: "Jona Tallieu" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Exploit-ObjectData trojan
> Date: Fri, 21 May 2004 11:15:50 +0200
>
> > Hi all,
> >
> > It seems Clam does not detect following trojan, which our McAfee
> > engine did detect:
> >
> > Exploit-ObjectData trojan
> >
> > http://vil.nai.com/vil/content/v_100715.htm
> >
> > Is this normal?
> >
> > Thnx.
> >
> > J.
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: Oracle 10g
> > Get certified on the hottest thing ever to hit the market... Oracle 10g.
> > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > _______________________________________________
> > Clamav-users mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/clamav-users
>
> ====================
> Kevin W. Gagel
> Network Administrator
> (250) 561-5848 local 448
> (250) 562-2131 local 448
>
> --------------------------------------------------------------
> The College of New Caledonia, Visit us at http://www.cnc.bc.ca
> Virus scanning is done on all incoming and outgoing email.
> --------------------------------------------------------------
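
Added example, not part of the original message and not ClamAV or SpamAssassin code: the decoded captures in the message still contain split entities because the "=" soft line breaks are still in place when the entities are decoded line by line. The Python below undoes quoted-printable first, then the entities, then looks for a remote <object data=...> tag. The sample input, the example.invalid URL and the function names are constructed for illustration, and the input is assumed to be a quoted-printable HTML body part.

```python
import html
import quopri
import re

# Constructed sample (not taken from the thread): quoted-printable HTML whose
# soft line breaks ("=" at end of line) split numeric character entities.
SAMPLE = (
    b'</font></CENTER><object data=3D"http://&#=\n'
    b'119;ww.example.inv&#=\n'
    b'97;lid/page.p&#1=\n'
    b'04;p"></body>\n'
)

# Matches an <object> tag whose data attribute points at a remote http(s) URL.
REMOTE_OBJECT = re.compile(
    r'<object\b[^>]*?\bdata\s*=\s*["\']?\s*(https?://[^"\'\s>]+)',
    re.IGNORECASE,
)


def normalize(raw: bytes) -> str:
    """Undo quoted-printable first (rejoins split entities), then entities."""
    unfolded = quopri.decodestring(raw).decode("latin-1")
    return html.unescape(unfolded)


def find_remote_objects(raw: bytes):
    """Return (url, was_obfuscated) for each remote <object data=...> tag."""
    hits = []
    for match in REMOTE_OBJECT.finditer(normalize(raw)):
        url = match.group(1)
        # If the decoded URL never appears literally in the raw bytes, it was
        # hidden by encoding, which is itself a useful scoring signal.
        hits.append((url, url.encode("latin-1", "replace") not in raw))
    return hits


def find_remote_objects_per_line(raw: bytes):
    """Entity-decode each line separately, as a per-line filter would."""
    lines = raw.decode("latin-1").splitlines()
    text = "\n".join(html.unescape(line) for line in lines)
    return [m.group(1) for m in REMOTE_OBJECT.finditer(text)]


if __name__ == "__main__":
    print(find_remote_objects(SAMPLE))
    print(find_remote_objects_per_line(SAMPLE))
```

The per-line variant finds nothing in the sample, which is the same failure a byte-pattern signature written against the raw message would have.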
