RE: [Declude.Virus] How to check VIRUSCODEs

[John Tolmachoff \(Lists\)]

Encrypted zip containing an exe and zip extension was changed.   John T eServices For You   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, April 21, 2005 9:21 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] How to check VIRUSCODEs   John, If you don't mind sharing, what was the issue that you had last week with F-Prot throwing a code 8 on legitimate E-mail?  Or did I get that wrong? Thanks, Matt John Tolmachoff (Lists) wrote: From my understanding is that code 8 means the file is suspect but does not exactly match a known pattern in the definition file. It is not automatically flagged for encrypted zips.   John T eServices For You   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Wednesday, April 20, 2005 8:35 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] How to check VIRUSCODEs   What you have means that a matching virus code was found for each scanner.  If a scanner throws a code besides one that you specify, it will be logged in much the same way that the virus is shown.  The following is exactly what F-Prot will show when it throws a code of 8 and when you aren't configured to tag that as a virus:     04/20/2005 00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1. We're going on 5 or 6 days now where F-Prot has been throwing a Virus Code 8 for some newer Bagle variants, and it is starting to look more and more like this is purposeful, though if so it would also be short-sighted.  Maybe someone should contact F-Prot and ask for an explanation and indicate that it would be helpful not to mix the codes like this for known viruses.  Apparently Virus Code 8 can hit non-viruses, and I think it will throw that code when it detects an encrypted zip of any sort, but I'm not certain about that either.  I would certainly prefer to not have to rely on Virus Code 8 in F-Prot because I don't want to be deleting E-mail that doesn't contain a virus and where Declude offers better granularity (such as only banning encrypted zips with a banned extension within it). Has anyone contacted F-Prot? Matt Goran Jovanovic wrote: This was originally a thread from the Junkmail list but I am moving it over to the virus list.   > Check your virus log and you may see some code 8 > errors in it. Adding viruscode 8 will at least stop them.   How do you see if there are any code 8s in the virus log file. I use F-Prot and McAfee. My viruscodes for F-Prot are 3 and 6 and for McAfee is only 13   An example of a virus   04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001] 04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload]. 04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O 04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O 04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13] 04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959] 04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 213.59.118.9] 04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...     The only thing that I see that resembles my viruscodes is the line “File(s) are INFECTED [ W32/Plexus.G: 13]” and the 13 in this line is from McAfee (scanner2). I do not see any result from F-Prot (scanner1).   I am logging on high. Am I missing something here?          Goran Jovanovic      The LAN Shoppe       > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED]] On Behalf Of Tyler Jensen > Sent: Wednesday, April 20, 2005 8:22 PM > To: Declude.JunkMail@declude.com > Subject: Re: [Declude.JunkMail] New Spam or Virus????!! > > I had something similar over the weekend. Standard zip file. If you are > using F-Prot you may want to add VirusCode 8 to the config. This will stop > them as Unknown Virus. Check your virus log and you may see some code 8 > errors in it. Adding viruscode 8 will at least stop them. > > Ouside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling > it w32/mitglieder.c. I submitted my findings to Declude support earlier in > the week and spoke with a someone yesterday. Sent the file to him and he > said the AVG called it a Bagle of some sort. > > What is strange is outside of email, f-prot was detecting it. But without > viruscode 8, nothing. > > Tyler > > > ---------- Original Message ---------------------------------- > From: "Chuck Schick" <[EMAIL PROTECTED]> > Reply-To: Declude.JunkMail@declude.com > Date:  Wed, 20 Apr 2005 18:05:08 -0600 > > >Starting to see messages that have a zip attachement with the format > 5.zip > >or 7.zip  - I do not know if it is spam or a virus.  Anyone else seeing > >this?  Virus scanner is not catching it so I do not know if it is a virus > or > >not. > > > >Chuck Schick > >Warp 8, Inc. > >(303)-421-5140 > >www.warp8.com > > > >--- > >This E-mail came from the Declude.JunkMail mailing list.  To > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >type "unsubscribe Declude.JunkMail".  The archives can be found > >at http://www.mail-archive.com. > >--- > >[This E-mail scanned for viruses by Declude Virus] > > > > > > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > This E-mail came from the Declude.JunkMail mailing list.  To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail".  The archives can be found > at http://www.mail-archive.com.   -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ ===================================================== -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================