Hmm, yes.
 
Something along the lines of:
 
 
and then parsing out the line:
 
FileName=dat-4579.zip
 
or
 
DATVersion=4579
 
in order to construct the filename... but it seems like re-inventing the wheel.  The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader.
 
 
Andrew 8)
 
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: [email protected]
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt -

Matt wrote:

I was wrong about what was detecting it first...it was F-Prot.  I just figured out that my McAfee update script is no longer working.  Does anyone have a newer link to the daily DATs than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?
This link works -
ftp.nai.com
 /pub/antivirus/datfiles/4.x

-Nick


Thanks,

Matt



John Tolmachoff (Lists) wrote:
OK, so it is a cpl file, which we should all have in our list of banned
extensions, including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: [email protected]
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning


    
What is the payload inside the zip?

John T
eServices For You


      
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: [email protected]
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERS        END    NOTCONTAINS    boundary="--------
BODY        END    NOTCONTAINS    attachment; filename="
BODY        END    NOTCONTAINS    .zip" Content-Transfer-Encoding
BODY        15    CONTAINS     price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
        
-------------------------------------------------------------------
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
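
An added example, not part of the thread or of any poster's configuration: a Python version of the check John asks about, banning an extension even when the file sits inside a zip, as with the "1.cpl" Dan found. The ban list beyond .cpl, the depth and size limits, and the function names are assumptions; the sample archives are constructed in memory from harmless bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed ban list; the thread itself only names .cpl.
BANNED = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}
MAX_DEPTH = 2                    # levels of zip-in-zip to open
MAX_NESTED_BYTES = 10 * 1024**2  # skip nested archives declared larger than this


def banned_members(data, depth=0):
    """Return member names with a banned extension, recursing into nested zips.

    Archives that cannot be inspected are reported too, so the caller can
    hold the message instead of passing it unscanned.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable>"]
    hits = []
    with archive:
        for info in archive.infolist():
            # Windows ignores trailing dots and spaces, so "1.cpl." is still a .cpl.
            ext = PurePosixPath(info.filename.rstrip(". ").lower()).suffix
            if ext in BANNED:
                hits.append(info.filename)
            elif ext == ".zip":
                encrypted = info.flag_bits & 0x1
                if depth >= MAX_DEPTH or encrypted or info.file_size > MAX_NESTED_BYTES:
                    hits.append("<unscanned>:" + info.filename)
                else:
                    hits += banned_members(archive.read(info), depth + 1)
    return hits


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in members.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: harmless bytes, named like the attachment in the thread.
SAMPLE = build_zip({"1.cpl": b"placeholder, not a real applet"})
NESTED = build_zip({"price.zip": SAMPLE})
CLEAN = build_zip({"readme.txt": b"hello"})
```

A non-empty result means the message should be held; entries starting with "<" mark archives that could not be inspected rather than confirmed hits.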


      