Re: [Declude.Virus] Another new virus

[Matt]

FYI, I have found that F-Prot continues to throw Virus Code 8 for what McAfee is detecting as Bagle.gen even though 4 or so days have past.  I'm not clear on whether or not this is intentional in F-Prot or if this is one of their hiccups where they don't respond appropriately for a week after a new threat.  It is probably necessary for F-Prot users to use Virus Code 8 if they want to stop whatever is coming now. I also wanted to add that the zip file viruses did finally slip through my server on Saturday morning for a period of a few hours (when not caught by spam blocking).  I did verify that these were detectable with newer definitions, and although low in numbers, it appears that the recent slew of virus writers have figured out that the safest mechanism for sending infected executables is to zip them up in a standard archive since most admins don't block these.  Every virus attachment from the recent group has been a standard ZIP or RAR.  I have also seen notes that indicate as of a week ago, the writers have managed to produce 96 variants of Mytob, which means several per day.  These are apparently being launched into the wild by hijacked machines used to seed, and I believe that this was the sort of activity that I saw Saturday morning.  I assume that is is being used to replenish bot networks that might have become too old with previously exploited machines. I'm not surprised at the zip leakage, but no one that I have talked to wants me to start blocking these zips because it is limiting to their use of E-mail.  Instead, I am going to code up a new test that looks for a typically virus sized zip attachment and does some heuristics on the E-mail to see if these were generated by a client mailer or a nondescript mass-mailing mechanism (a virus).  I'm confident that I can do this in a way that can capture most if not all zip viruses that have been in the wild in the last year though I am concerned about the potential of false positives and that will be the biggest problem in figuring out how to do this. Matt John Tolmachoff (Lists) wrote: Looks like another outbreak in progress. File appears to be your_text . zip without the spaces. Appears to be another MyTob. John T eServices For You -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Friday, April 15, 2005 3:14 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Another new virus I've seen one sample in the last few minutes. It arrives as jokes.zip, and www.virustotal.com describes the enclosed 123456.exe as: This is a report processed by VirusTotal on 04/16/2005 at 00:11:32 (CET) after scanning the file "123456.exe" file. Antivirus Version Update Result AntiVir 6.30.0.7 04.15.2005 no virus found AVG 718 04.15.2005 no virus found BitDefender 7.0 04.15.2005 BehavesLike:Win32.SiteHijack ClamAV devel-20050307 04.15.2005 Worm.Bagle.BB DrWeb 4.32b 04.15.2005 Win32.HLLM.Beagle.37888 eTrust-Iris 7.1.194.0 04.15.2005 Win32/Glieder.T!Trojan eTrust-Vet 11.7.0.0 04.15.2005 no virus found Fortinet 2.51 04.15.2005 no virus found F-Prot 3.16b 04.15.2005 no virus found Ikarus 2.32 04.15.2005 Email-Worm.Win32.Bagle.pac Kaspersky 4.0.2.24 04.16.2005 Email-Worm.Win32.Bagle.pac McAfee 4470 04.15.2005 W32/[EMAIL PROTECTED] NOD32v2 1.1064 04.15.2005 Win32/TrojanDownloader.Small.ZL Norman 5.70.10 04.14.2005 W32/Downloader Panda 8.02.00 04.15.2005 W32/Bagle.CA.worm Sybari 7.5.1314 04.15.2005 Troj/BagleDl-N Symantec 8.0 04.15.2005 Trojan.Tooso.F VBA32 3.10.3 04.15.2005 Email-Worm.Win32.Bagle.pac VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español ---------------------------------------------------------------------------- ---- www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail [EMAIL PROTECTED] Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Friday, April 15, 2005 2:33 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Another new virus I am getting lots of banned attachment notices and lots of bounces in the last 90 minutes. THANKFULLY, I am blocking zip files which contain executables otherwise these would have all be delivered to users. Any one have an idea of what this one is, it is kind of acting like Bagle. John T eServices For You --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E- mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================