Yup I got it. I think that the message

Could not find parse string Infection: in report.txt

means that it did not find the word infection in the file

SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
REPORT1 Infection:

Goran Jovanovic
Omega Network Solutions

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Darrell ([EMAIL PROTECTED])
> Sent: Friday, June 16, 2006 6:59 PM
> To: [email protected]
> Subject: Re: [Declude.Virus] new virus
>
> Goran,
>
> Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not
> you should.
>
> Darrell
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> MRTG Integration, and Log Parsers.
>
> ----- Original Message -----
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Friday, June 16, 2006 6:04 PM
> Subject: RE: [Declude.Virus] new virus
>
> My F-Prot is finding it but it does not know what it is. Both the MAIL
> FROM and the RCPT TO are the same address
>
> 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
> 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820]
> 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
> 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
> 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
> 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
> 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
> 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657]
> 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62]
> 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05
>
> Goran Jovanovic
> Omega Network Solutions
> Tel: 416 322-0333
> Cell: 416 805-HELP (4357)
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Colbeck, Andrew
> > Sent: Friday, June 16, 2006 5:31 PM
> > To: [email protected]
> > Subject: RE: [Declude.Virus] new virus
> >
> > This is what I've received recently:
> >
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EA&VSect=T
> >
> > My F-Prot and Trend Micro do detect it.
> > When I submit the executable inside the payload to
> > http://virusscan.jotti.org or http://www.virustotal.com I get these
> > results:
> >
> > AntiVir             6.35.0.13       06.16.2006  Worm/SdBot.32768.26
> > Authentium          4.93.8          06.16.2006  W32/Brepibot.gen
> > Avast               4.7.844.0       06.15.2006  no virus found
> > AVG                 386             06.16.2006  IRC/BackDoor.SdBot2.EDN
> > BitDefender         7.2             06.16.2006  Backdoor.IRCbot.JD
> > CAT-QuickHeal       8.00            06.16.2006  no virus found
> > ClamAV              devel-20060426  06.16.2006  Trojan.IRCBot-638
> > DrWeb               4.33            06.16.2006  BackDoor.IRC.Boxer
> > eTrust-InoculateIT  23.72.40        06.16.2006  no virus found
> > eTrust-Vet          12.6.2259       06.16.2006  no virus found
> > Ewido               3.5             06.16.2006  no virus found
> > Fortinet            2.77.0.0        06.16.2006  W32/Brepibot.AS!tr
> > F-Prot              3.16f           06.16.2006  W32/Brepibot.gen
> > Ikarus              0.2.65.0        06.16.2006  photo3.exe
> > Kaspersky           4.0.2.24        06.16.2006  Backdoor.Win32.Breplibot.ai
> > McAfee              4786            06.16.2006  W32/Brepibot.gen
> > Microsoft           1.1441          06.16.2006  no virus found
> > NOD32v2             1.1605          06.16.2006  Win32/IRCBot.PH
> > Norman              5.90.21         06.16.2006  W32/Malware
> > Panda               9.0.0.4         06.16.2006  Suspicious file
> > Sophos              4.06.0          06.16.2006  Troj/Stinx-W
> > Symantec            8.0             06.16.2006  Backdoor.Naninf.E
> > TheHacker           5.9.8.160       06.16.2006  no virus found
> >
> > Andrew 8)
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > > Behalf Of Colbeck, Andrew
> > > Sent: Friday, June 16, 2006 2:21 PM
> > > To: [email protected]
> > > Subject: RE: [Declude.Virus] new virus
> > >
> > > It might be this, if my F-Prot is more up to date than yours,
> > > as mine has identified a few zip files with a plus sign in
> > > the name as W32/Brepibot.gen
> > >
> > > http://www.f-secure.com/weblog/archives/archive-062006.html#00000902
> > >
> > > The fake HELO names were CNN.com and TradersWorld.com if
> > > that's any use.
> > >
> > > Andrew 8)
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Ncl Admin
> > > > Sent: Friday, June 16, 2006 2:03 PM
> > > > To: [email protected]
> > > > Subject: Re: [Declude.Virus] new virus
> > > >
> > > > Yes,
> > > >
> > > > 04dotzip just came through here but McAfee stopped it. But F-prot not
> > > > getting it.
> > > >
> > > > At 04:30 PM 6/16/2006 -0400, you wrote:
> > > > >>>>
> > > > Is anyone else seeing new virus zip files getting past F-Prot?
> > > > the last one was just numbers.zip
> > > > Earlier a few came through with name.zip
> > > >
> > > > Bruce Loughlin
> > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list. To unsubscribe,
> > > > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> > > > Declude.Virus". The archives can be found at
> > > > http://www.mail-archive.com.
> > > > <<<<
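
Added example (not part of the thread and not Declude's own code): a small Python model of the behaviour the log lines and the posted virus.cfg directives describe, where the scanner exit code decides "infected" and the REPORT string is only used to pull a virus name out of report.txt. The report texts are constructed, and treating VIRUSCODE and VIRUSCODE1 as the same scanner is an assumption.

```python
import re

# Directives as posted in the thread (SCANFILE1 line left out: it is not
# needed for the decision modelled here).
VIRUS_CFG = """\
VIRUSCODE1 3
VIRUSCODE1 6
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
REPORT1 Infection:
"""

# Constructed report texts, not real F-Prot output.
REPORT_NAMED = "photo3.exe  Infection: W32/Brepibot.gen\n"
REPORT_UNNAMED = "photo3.exe  flagged, no name line written\n"


def parse_cfg(text):
    """Return (exit codes that mean 'virus', REPORT parse string)."""
    codes, marker = set(), None
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        # Assumption: numbered and unnumbered keys refer to the same scanner.
        if re.fullmatch(r"VIRUSCODE\d*", key):
            codes.add(int(value))
        elif re.fullmatch(r"REPORT\d*", key):
            marker = value.strip()
    return codes, marker


def verdict(exit_code, report_text, codes, marker):
    """Exit code decides infected/clean; the report is only used for the name."""
    if exit_code not in codes:
        return ("clean", None)
    for line in report_text.splitlines():
        if marker in line:
            return ("infected", line.split(marker, 1)[1].strip())
    # The "Could not find parse string" case: infected, but no name.
    return ("infected", "")


if __name__ == "__main__":
    codes, marker = parse_cfg(VIRUS_CFG)
    print(verdict(8, REPORT_UNNAMED, codes, marker))   # name missing
    print(verdict(8, REPORT_NAMED, codes, marker))     # name extracted
    print(verdict(8, REPORT_UNNAMED, codes - {8}, marker))  # code 8 not listed
```

The last call shows why the exit-code list matters: with 8 missing from the configured codes, the same scan result would be treated as clean.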
