Regards,
on behalf of
signed Markus Guhl
***********************************
LDS NRW
Dept. 235
Tel.: 0211 9449 2578
Fax: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***********************************
-----Original Message-----
From: Markus Gufler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 24, 2004 17:20
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] netsky p ?
Hi Markus,

I'm pretty sure that somewhere a NAV engine has removed all these attachments.

Don't look at the mailfrom addresses. Even if they came from the same machine and so through the same mail server (running the NAV engine), they will all have different mailfrom addresses (with most mail worms that have been common in the last weeks and months).

Or in other words: if you look at the mail headers of these 60 messages, I assume you will see that they're all coming from the same client, or at least through the same mail server to your mail server.

Look also at the content of the attached txt file: there should be something like "Norton Antivirus hat Dateien mit gefährlichem Inhalt gefunden und entfernt" ("Norton AntiVirus has found and removed files with dangerous content").

We can see many attachments like "deleted0.txt" and we use them with BANNAME to avoid that our customers receive useless messages sent by viruses, because another "dumb" AV filter doesn't know that the sender address was forged and a Netsky message has no business in our customers' inbox, independently of whether it has a virus attachment or not.

So at the moment we use

BANNAME deleted0.txt
BANNAME _______warn.txt

The first one is used by some *nix mail server AV engine. The second one I've seen coming from RAV-protected mail servers.

Now we will also add:

BANNAME Norton AntiVirus gelöscht1.txt
BANNAME Norton AntiVirus deleted1.txt

Has anyone else seen other attached information files about removed viruses and can share them?

Thank you!
Markus
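The BANNAME idea from the message above, as an added example that is not part of the thread and not Declude's own code: a small Python check that parses a raw message, flags any MIME part whose filename is on the ban list quoted in the thread, decodes the text of that notice file, and pulls the "from" host out of each Received header so the 60 messages can be traced back to the one client or mail server they came through. The ban list is the one given in the thread; the two sample messages (hosts, addresses, subjects and bodies) are constructed for this example and are not from the original thread.

```python
"""Added example, not from the thread or from Declude: flag AV "attachment
removed" stub notices by attachment name, in the spirit of the BANNAME
lines in the thread, and extract the 'from' host of each Received header.
The ban list is the one named in the thread; both sample messages below
are constructed (made-up hosts, addresses and text)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment names the thread reports as left-overs from upstream AV engines
# that stripped the real payload. Matched case-insensitively via casefold().
BANNAMES = (
    "deleted0.txt",
    "_______warn.txt",
    "Norton AntiVirus gelöscht1.txt",
    "Norton AntiVirus deleted1.txt",
)

# 'from <host>' at the start of a Received header; the host ends at
# whitespace, '(' or ';'.
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def banned_parts(msg: EmailMessage, banlist=BANNAMES) -> list:
    """Leaf MIME parts whose (RFC 2231-decoded) filename is on the ban list."""
    wanted = {name.casefold() for name in banlist}
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.casefold() in wanted:
            hits.append(part)
    return hits


def received_hosts(msg: EmailMessage) -> list:
    """Host after 'from' in each Received header, newest hop first (header order)."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(str(hdr))
        if m:
            hosts.append(m.group(1))
    return hosts


def classify(raw: bytes) -> dict:
    """Parse one raw message and report what a BANNAME-style rule would do."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = banned_parts(msg)
    return {
        "ban": bool(hits),
        "banned": [p.get_filename() for p in hits],
        # Decoded text of the notice file(s), e.g. the NAV sentence the thread quotes.
        "notices": [p.get_content().strip() for p in hits
                    if p.get_content_maintype() == "text"],
        "hops": received_hosts(msg),
    }


# Constructed sample: a worm mail after an upstream NAV engine replaced the
# payload with its notice file (RFC 2231-encoded non-ASCII filename, QP body).
STUB_SAMPLE = b"""\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby mx.example.invalid with SMTP; Wed, 24 Mar 2004 16:40:12 +0100
From: forged.sender@example.invalid
To: user@example.invalid
Subject: Re: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please read the attached document.

--b1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename*=utf-8''Norton%20AntiVirus%20gel%C3%B6scht1.txt

Norton AntiVirus hat Dateien mit gef=C3=A4hrlichem Inhalt gefunden und entfernt.

--b1--
"""

# Constructed sample: an ordinary message with no attachment at all.
CLEAN_SAMPLE = b"""\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby mx.example.invalid with SMTP; Wed, 24 Mar 2004 16:41:03 +0100
From: colleague@example.invalid
To: user@example.invalid
Subject: lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""

if __name__ == "__main__":
    for raw in (STUB_SAMPLE, CLEAN_SAMPLE):
        print(classify(raw))
```

Run over a mailbox, the "hops" list of each flagged message is what the thread suggests comparing: the last entry is the oldest hop, and if the same host appears there for all 60 messages they came through one client or relay regardless of the forged sender addresses. Matching the filename case-insensitively matters because the names in the ban list mix cases; matching after RFC 2231 decoding matters because a non-ASCII name such as "gelöscht1.txt" is transmitted encoded, as in the sample.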
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guhl, Markus (LDS)
Sent: Wednesday, March 24, 2004 4:59 PM
To: [EMAIL PROTECTED]
Subject: AW: [Declude.Virus] netsky p ?

Hi Markus,

No, I don't think that this was the case. The mails (about 60) all came from different addresses (some faking real addresses, some random addresses). The mails also fake the name of the sending mail server (using the name of my server), and looking at the iframe thing I think there was no dangerous attachment at all. I found some articles (e.g. http://web.zdnet.de/itsupport/virencenter/dict/virus/virus4317-wc.html) about an older exploit that makes me wonder if there might be a new mutant of Netsky?!?
Regards,
on behalf of
signed Markus Guhl
***********************************
LDS NRW
Dept. 235
Tel.: 0211 9449 2578
Fax: 0211 9449 8344
mailto:[EMAIL PROTECTED]
***********************************
-----Original Message-----
From: Markus Gufler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 24, 2004 16:34
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] netsky p ?
> Right now I use jm to fight this stuff (they all had
> "Norton AntiVirus gelöscht1.txt" but they are no real
> virus messages).

"Norton AntiVirus gelöscht1.txt" is German and means "Norton AntiVirus deleted1.txt".

So I assume there was a NAV engine before your server in the delivery chain that has removed a dangerous attachment, and so your AV engine can't detect it anymore.

Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
