No, you shouldn't block .mim attachments.

The .mim attachment means that there was a MIME-formatted attachment, which is an encoding that converts binary attachments and non-ASCII text to nice and safe 7-bit ASCII encoding to make SMTP servers happy.

You are most likely to see this when an entire message is inserted as an attachment, for example, to preserve the headers.

Your antivirus solution will decode that attachment and find a virus inside. F-Prot and Trend Micro offerings certainly do.
Andrew 8)
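As an added illustration of the point above (example code, not from the list or from Declude), this walks a message in which a complete message/rfc822 message is attached, decoding each transfer encoding along the way, so that a signature check sees the bytes inside the nested attachment rather than the outer .mim wrapper; the sample message and the signature string are constructed placeholders.

```python
import base64
from email import message_from_bytes, policy

# Constructed stand-ins: the "inner file" is a harmless marker string and
# SIGNATURE is a placeholder for what a real AV engine would match on.
INNER_FILE = b"constructed-test-payload-not-malware"
SIGNATURE = b"constructed-test-payload"
B64 = base64.b64encode(INNER_FILE).decode()

# Constructed sample: an outer message carrying another whole message as a
# message/rfc822 attachment (what often shows up as a .mim file), whose own
# attachment is base64-encoded.
RAW = (
    "From: [email protected]\r\nTo: [email protected]\r\n"
    "Subject: Fw: report\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
    "--outer\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--outer\r\nContent-Type: message/rfc822\r\n"
    'Content-Disposition: attachment; filename="original.mim"\r\n\r\n'
    "From: [email protected]\r\nSubject: original\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="inner"\r\n\r\n'
    "--inner\r\nContent-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="report.exe"\r\n\r\n'
    f"{B64}\r\n--inner--\r\n--outer--\r\n"
).encode()


def scan_part(part, path="root"):
    """Recurse through every MIME part, including messages attached as
    message/rfc822, and return (path, filename) for each decoded leaf
    whose bytes contain SIGNATURE."""
    hits = []
    if part.is_multipart():
        # For message/rfc822 the single "sub-part" is the attached message.
        for i, sub in enumerate(part.iter_parts()):
            hits += scan_part(sub, f"{path}/{i}")
    else:
        # decode=True undoes base64 / quoted-printable transfer encoding.
        data = part.get_payload(decode=True) or b""
        if SIGNATURE in data:
            hits.append((path, part.get_filename()))
    return hits


def scan_message(raw_bytes):
    return scan_part(message_from_bytes(raw_bytes, policy=policy.default))


if __name__ == "__main__":
    print(scan_message(RAW))  # [('root/1/0/0', 'report.exe')]
```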
Should we be blocking .mim file types? One of the new viruses that was
blocked was a .mim file type. What is it used for?
Mark Reimer
IT Project Manager
American CareSource
214-596-2464
That's exactly how I use the notifications.
Markus
I agree completely.
I use the postmaster notification only, so only
internal notifications happen. I use the FORGINGVIRUS statements to
limit what we have to see.
Recently, we had a single "macro virus" type issue,
and that was where a HTML based Microsoft Word document used a document
template that was referenced as a URL. F-Prot flagged that as a
potential vulnerability and our postmaster account was duly
notified. After vetting the attachment, the message was internally
re-queued for the user.
I can barely remember the incident before
that. The notifications always turn out to be flagging a new
worm.
Andrew.
Regarding the names, this is why I would recommend that
people completely abandon any form of postmaster and sender bounce
messages for detected viruses...it's just too much to keep up with
without creating backscatter, and most won't bother to keep up with it
regardless because they don't know how to or don't pay attention to such
things.
Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and
refused to answer questions directly about why things no longer worked
so that users could be tested for their worthiness of continuing to use
the functionality), I think that it would be good for the community at
large if postmaster.eml and sender.eml were changed to
postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also
promoting the idea of abandoning this functionality.
I have seen
statistics from one of the AV companies showing that macro viruses
accounted for less than 1% of all such viruses detected if I recall the
exact percentage properly. From the perspective of E-mail, I
believe the only messages that are end-user initiated that should be
detected by our scanners are macro and hoax viruses. These are
very rare, probably far less than 1% of what is blocked by E-mail
systems since macro viruses don't mass mail. I think it's safe
therefore to assume that even if a virus wasn't forged (some use the
infected computer's user instead of a random or predefined one), that it
wasn't user initiated and avoid notifying them for fear of creating
backscatter.
Matt
Colbeck, Andrew wrote:
A kapser was detected on my F-Prot based system today.
I'm attaching the output of the scan from virustotal.com for your
interest.
I also scanned it with my TrendMicro which detects it by a different
name:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA
You might add:
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
To your virus.cfg to cover the various naming conventions in the various
engines, particularly that last one.
I'll submit the virus to Symantec if someone could point me to the right
way to do that; they're the only big name that doesn't detect this
malware.
Andrew.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: [email protected]
Subject: RE: [Declude.Virus] New Virus?
I think this started happening after I updated my F-prot
virus defs to 16th.
Does anyone else see this?
Mark Reimer
IT Project Manager
American CareSource
214-596-2464
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: [email protected]
Subject: [Declude.Virus] New Virus?
I saw an entry in my virus log today for [EMAIL PROTECTED]
Has anyone else seen this? I cannot find any information on it.
Mark Reimer
IT Project Manager
American CareSource
214-596-2464
---
[This E-mail has been scanned for viruses]
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---