RE: [Declude.Virus] Seemingly bad virus this morning

[Colbeck, Andrew]

Scott, in various older versions of wget, the -N parameter as well as the --header=Accept-Encoding:gzip parameter plain old didn't work.  Pick up the current version here:   http://xoomer.virgilio.it/hherold/#Files   and it should be fine.   Andrew 8)   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, September 12, 2005 2:28 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Seemingly bad virus this morning -Matt,   Does the wget -N command work for you with Mcafee. I also use the -N and get the full download every time. ----- Original Message ----- From: Matt To: Declude.Virus@declude.com Sent: Monday, September 12, 2005 4:13 PM Subject: Re: [Declude.Virus] Seemingly bad virus this morning Nice script, but the executables don't change regularly, and many of us are using the command line version of McAfee that requires an unvalidated download.  This also doesn't get the beta DAT's. I use a script that calls both wget and WinZip's free command line add-on (requires a registered WinZip).  It is easy enough to replace that with any other command line unzipping tool.  Personally I find WinZip to be perfectly reliable so I'm sticking with it. C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%" IF ERRORLEVEL 1 GOTO END C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\   :END ENDLOCAL Matt Markus Gufler wrote: attached you can find a script (I'm not the creator of this script but can't remember who's the genius) that will download the superdats and also the dailydat-files, extract all necessary virus definitiions and also engine updates, write any action to a logfile and keep the downloaded superdats so that you can't revert manualy if it would be necessary.   You need some command line tools like unzip and wget and adapt the path information in the script for your needs.   This script works on my server now for years and I hope it will do so also if now a lot of people will run it on their servers.   Markus   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Monday, September 12, 2005 10:49 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Seemingly bad virus this morning Hmm, yes.   Something along the lines of:   wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini   and then parsing out the line:   FileName=dat-4579.zip   or   DATVersion=4579   in order to construct the filename... but it seems like re-inventing the wheel.  The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader.     Andrew 8)     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Monday, September 12, 2005 1:35 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Seemingly bad virus this morning Hi Matt - Matt wrote: I was wrong about what was detecting it first...it was F-Prot.  I just figured out that my McAfee update script is no longer working.  Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip. This link works - ftp.nai.com  /pub/antivirus/datfiles/4.x -Nick Thanks, Matt John Tolmachoff (Lists) wrote: OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct? John T eServices For You -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser Sent: Monday, September 12, 2005 11:49 AM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Seemingly bad virus this morning I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet? ----- Original Message ----- From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> To: <Declude.Virus@declude.com> Sent: Monday, September 12, 2005 11:55 AM Subject: RE: [Declude.Virus] Seemingly bad virus this morning What is the payload inside the zip? John T eServices For You -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, September 12, 2005 7:52 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] Seemingly bad virus this morning FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it: HEADERS END NOTCONTAINS boundary="-------- BODY END NOTCONTAINS attachment; filename=" BODY END NOTCONTAINS .zip" Content-Transfer-Encoding BODY 15 CONTAINS price Matt --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. ------------------------------------------------------------------- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) ------------------------------------------------------------------- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.