Goran,

Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not, 
you should.

Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
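
As an added illustration (not code from the thread, from Declude or from the utilities above), the Python below parses Declude.Virus log lines like the ones Goran posted and reports any scanner exit code that is not in a configured set, which is the check behind the virus.cfg question. The CONFIGURED_EXIT_CODES mapping is an assumption standing in for whatever an administrator's virus.cfg actually lists, and the sample log is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, re-joined where the
# mail client wrapped them (values are the page's own, nothing invented).
SAMPLE_LOG = """\
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05
"""

# Assumption, not taken from the page: exit codes currently listed as "infected"
# for scanner 1 in virus.cfg. The thread's advice is that F-Prot's 8 belongs here.
CONFIGURED_EXIT_CODES = {1: {3}}

LINE_RE = re.compile(r"^\S+ \S+ (\S+\.smd) (.*)$")
EXIT_RE = re.compile(r"Virus scanner (\d+) reports exit code of (\d+)")
NOPARSE_RE = re.compile(r"Could not find parse string (\S+) in (\S+)")

def parse_log(text):
    """Group scanner events per message (keyed by the .smd queue file name)."""
    msgs = defaultdict(lambda: {"exit_codes": {}, "unparsed": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a Declude per-message line
        rec = msgs[m.group(1)]
        rest = m.group(2)
        e = EXIT_RE.search(rest)
        p = NOPARSE_RE.search(rest)
        if e:
            rec["exit_codes"][int(e.group(1))] = int(e.group(2))
        elif p:
            rec["unparsed"].append(p.group(1))  # parse string Declude missed
    return dict(msgs)

def unlisted_exit_codes(msgs, configured):
    """Return (msg_id, scanner, exit_code, name_parsed) for every scanner exit
    code absent from the configured set: candidates to add to virus.cfg."""
    findings = []
    for msg_id, rec in sorted(msgs.items()):
        for scanner, code in rec["exit_codes"].items():
            if code not in configured.get(scanner, set()):
                findings.append((msg_id, scanner, code, not rec["unparsed"]))
    return findings
```

Running `unlisted_exit_codes(parse_log(SAMPLE_LOG), CONFIGURED_EXIT_CODES)` on the sample returns `[("q28de0a3700ce75a5.smd", 1, 8, False)]`: exit code 8 is not in the configured set and no virus name could be parsed from report.txt, exactly the symptom in Goran's log.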

----- Original Message ----- 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, June 16, 2006 6:04 PM
Subject: RE: [Declude.Virus] new virus


My F-Prot is finding it but it does not know what it is. Both the MAIL
FROM and the RCPT TO are the same address.

06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333
Cell: 416 805-HELP (4357)
[EMAIL PROTECTED]


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Friday, June 16, 2006 5:31 PM
> To: [email protected]
> Subject: RE: [Declude.Virus] new virus
>
> This is what I've received recently:
>
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EA&VSect=T
>
> My F-Prot and Trend Micro do detect it.  When I submit the executable
> inside the payload to http://virusscan.jotti.org or
> http://www.virustotal.com I get these results:
>
> AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26
> Authentium 4.93.8 06.16.2006 W32/Brepibot.gen
> Avast 4.7.844.0 06.15.2006 no virus found
> AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN
> BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD
> CAT-QuickHeal 8.00 06.16.2006 no virus found
> ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638
> DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer
> eTrust-InoculateIT 23.72.40 06.16.2006 no virus found
> eTrust-Vet 12.6.2259 06.16.2006 no virus found
> Ewido 3.5 06.16.2006 no virus found
> Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr
> F-Prot 3.16f 06.16.2006 W32/Brepibot.gen
> Ikarus 0.2.65.0 06.16.2006 photo3.exe
> Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai
> McAfee 4786 06.16.2006 W32/Brepibot.gen
> Microsoft 1.1441 06.16.2006 no virus found
> NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH
> Norman 5.90.21 06.16.2006 W32/Malware
> Panda 9.0.0.4 06.16.2006 Suspicious file
> Sophos 4.06.0 06.16.2006 Troj/Stinx-W
> Symantec 8.0 06.16.2006 Backdoor.Naninf.E
> TheHacker 5.9.8.160 06.16.2006 no virus found
>
>
> Andrew 8)
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Colbeck, Andrew
> > Sent: Friday, June 16, 2006 2:21 PM
> > To: [email protected]
> > Subject: RE: [Declude.Virus] new virus
> >
> > It might be this, if my F-Prot is more up to date than yours,
> > as mine has identified a few zip files with a plus sign in
> > the name as W32/Brepibot.gen
> >
> > http://www.f-secure.com/weblog/archives/archive-062006.html#00000902
> >
> > The fake HELO names were CNN.com and TradersWorld.com if
> > that's any use.
> >
> > Andrew 8)
> >
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Ncl Admin
> > > Sent: Friday, June 16, 2006 2:03 PM
> > > To: [email protected]
> > > Subject: Re: [Declude.Virus] new virus
> > >
> > > Yes,
> > >
> > > 04dotzip just came through here but McAfee stopped it. But
> > > F-Prot is not getting it.
> > >
> > > At 04:30 PM 6/16/2006 -0400, you wrote:
> > > >>>>
> > > Is anyone else seeing new virus zip files getting past F-Prot?
> > > the last one was just numbers.zip
> > > Earlier a few came through with name.zip
> > >
> > > Bruce Loughlin
> > >
> > > ---
> > > This E-mail came from the Declude.Virus mailing list. To
> > > unsubscribe,
> > > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> > > Declude.Virus". The archives can be found at
> > > http://www.mail-archive.com.
> > > <<<<
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
>