Yes. I also like to add known file names so that when the user receives a
message about a banned file, if they see the file name they are less likely
to send me a message saying that the banned file could be OK as it looks
like it is from someone they know.

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Mark Reimer
> Sent: Tuesday, November 15, 2005 12:49 PM
> To: [email protected]
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> 
> If we are banning extensions within zip files we should be OK, right?
> 
> Mark Reimer
> IT Project Manager
> American CareSource
> 800-370-5994 ext. 267
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Tuesday, November 15, 2005 2:30 PM
> To: [email protected]
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> 
> 
> And another:
> 
> BANNAME       packed-password_text.zip
> 
> John T
> eServices For You
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 10:16 AM
> > To: [email protected]
> > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> >
> > Another one to block...
> >
> > BANNAME Accept_e-Text.zip
> >
> > The list so far is
> >
> > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > BANNAME Accept_e-Text.zip
> > BANNAME email_photo.zip
> > BANNAME excel_table.zip
> > BANNAME foto.zip
> > BANNAME liste.zip
> > BANNAME reg_text.zip
> > BANNAME registration.zip
> > BANNAME tabelle.zip
> > BANNAME word-text.zip
> >
> > As mentioned before, we keep these in place even after the virus definitions
> > are catching them.  That way new variants that use the names are caught
> > before definitions are available.
> >
> > Darin.
> >
> >
> > ----- Original Message -----
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Tuesday, November 15, 2005 11:57 AM
> > Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> >
> >
> > There are very interesting details in Trend Micro's writeup.
> >
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
> >
> > i.e. it uses its own SMTP server plus a hardcoded list of accounts and
> > IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
> > Software Removal Tool.
> >
> > It may be worth mentioning that the BANNAME list that Darin provided
> > will be useful for those of us using F-Prot only, as they are still not
> > detecting the variant I've been receiving since this thread started.
> >
> > Andrew 8)
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 6:05 AM
> > > To: [email protected]
> > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > > Most of the new Sober variants are expected to be low volume, so
> > > I'm not surprised that Netsky.P continues to outstrip them.
> > >
> > > Security vendors are varying as to what they are detecting
> > > with 6 new Sober variants yesterday and today.  Best bet is
> > > to ban the files at least until virus definition files have
> > > caught up.  We keep the bans in place for the usual overlap
> > > in new variants.
> > >
> > > Darin.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > > To: <[email protected]>
> > > Sent: Tuesday, November 15, 2005 8:44 AM
> > > Subject: RE: [Declude.Virus] New Sober to be released,
> > > possible variation?
> > >
> > >
> > > Thank you Darin.
> > >
> > > Just curious after watching our virus logfiles today:
> > > can anyone else confirm that there are only a few of
> > > today's new virus and far more Netsky (mostly the .p variant)
> > > showing up in the logfiles?
> > >
> > > Today I've had some reports that certain variants of the new
> > > virus slipped
> > > through while it was definitively catching some others.
> > >
> > > Markus
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > > Sent: Tuesday, November 15, 2005 2:33 PM
> > > > To: [email protected]
> > > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > > possible variation?
> > > >
> > > > I just went through all of the reports.  Here's a list of new
> > > > filenames to
> > > > ban:
> > > >
> > > > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > > > BANNAME email_photo.zip
> > > > BANNAME excel_table.zip
> > > > BANNAME liste.zip
> > > > BANNAME reg_text.zip
> > > > BANNAME registration.zip
> > > > BANNAME tabelle.zip
> > > >
> > > >
> > > > Darin.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > > > To: <[email protected]>
> > > > Sent: Tuesday, November 15, 2005 8:24 AM
> > > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > > possible variation?
> > > >
> > > >
> > > > Looks like varying attachment names. I got one that's excel_table.zip
> > > >
> > > > ----- Original Message -----
> > > > From: "David Dodell" <[EMAIL PROTECTED]>
> > > > To: "John T (Lists)" <[email protected]>
> > > > Sent: Tuesday, November 15, 2005 6:50 AM
> > > > Subject: Re: [Declude.Virus] New Sober to be released,
> > > > possible variation?
> > > >
> > > >
> > > > > Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
> > > > >
> > > > >> Sophos is now calling it Sober-R.
> > > > >
> > > > > Possible variation received this morning ... the text discussed
> > > > > receiving a problem email, and the attachment was email_photo.zip
> > > > >
> > > > > ---
> > > > > This E-mail came from the Declude.Virus mailing list.  To
> > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > > at http://www.mail-archive.com.
> > > > >
> > > > > [This E-mail scanned for viruses by Declude Virus]
> > > > >
> > > > >
> > > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list.  To
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > at http://www.mail-archive.com.
> > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list.  To
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > at http://www.mail-archive.com.
> > > >
> > >
> > > ---
> > > This E-mail came from the Declude.Virus mailing list.  To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus".    The archives can be found
> > > at http://www.mail-archive.com.
> > >
> > > ---
> > > This E-mail came from the Declude.Virus mailing list.  To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus".    The archives can be found
> > > at http://www.mail-archive.com.
> > >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".    The archives can be found
> > at http://www.mail-archive.com.
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".    The archives can be found
> > at http://www.mail-archive.com.
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail has been scanned for viruses]
> 
> 
> 
> 
> ---
> [This E-mail has been scanned for viruses]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.

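
The stopgap discussed in this thread (ban known attachment names, and ban extensions inside zip files), sketched in Python as an added example; it is not Declude's code or anything posted to the list. Case-insensitive exact name matching, the inner-extension list and all function names are assumptions made for the illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Directive lines as posted in the thread.
BAN_CONFIG = """\
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME       packed-password_text.zip
"""
INNER_EXT = (".exe", ".pif", ".scr", ".com")  # assumed policy, not from the thread

def parse_bannames(text):
    """Lower-cased names from BANNAME lines; '#' comments and blanks are skipped."""
    names = set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            names.add(parts[1].strip().lower())
    return names

def check_message(raw, banned):
    """Return (filename, reason) for each attachment that should be held."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename() or ""   # empty for parts without a filename
        low = name.lower()
        if low in banned:
            hits.append((name, "banned name"))
        elif low.endswith(".zip"):
            try:
                data = part.get_payload(decode=True) or b""
                members = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                hits.append((name, "unreadable zip"))
                continue
            hits += [(name, "banned extension in zip: " + m)
                     for m in members if m.lower().endswith(INNER_EXT)]
    return hits

def build_sample(filename, member):
    """Constructed message: a zip attachment holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, "constructed sample, not malware")
    msg = EmailMessage()
    msg.set_content("body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

The name list catches a reused attachment name regardless of case, while the inner-extension check covers a renamed zip that the name list has not caught up with yet.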