And another one:

BANNAME Mail-Datei.zip

http://vil.nai.com/vil/content/v_136970.htm

I found this latest one after noticing that F-Secure identified 4 versions on Nov-14 and a new one today.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 10:16 AM
> To: [email protected]
> Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
>
> Another one to block...
>
> BANNAME Accept_e-Text.zip
>
> The list so far is
>
> # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> BANNAME Accept_e-Text.zip
> BANNAME email_photo.zip
> BANNAME excel_table.zip
> BANNAME foto.zip
> BANNAME liste.zip
> BANNAME reg_text.zip
> BANNAME registration.zip
> BANNAME tabelle.zip
> BANNAME word-text.zip
>
> As mentioned before, we keep these in place even after the virus definitions are catching them. That way new variants that use the names are caught before definitions are available.
>
> Darin.
>
>
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, November 15, 2005 11:57 AM
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
>
>
> There are very interesting details in Trend Micro's writeup.
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
>
> i.e. it uses its own SMTP server plus a hardcoded list of accounts and IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious Software Removal Tool.
>
> It may be worth mentioning that the BANNAME list that Darin provided will be useful for those of us using F-Prot only, as they are still not detecting the variant I've been receiving since this thread started.
>
> Andrew 8)
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 6:05 AM
> > To: [email protected]
> > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> >
> > Most of the new Sober variants are expected to be low volume, so I'm not surprised that Netsky.P continues to outstrip them.
> >
> > Security vendors are varying as to what they are detecting with 6 new Sober variants yesterday and today. Best bet is to ban the files at least until virus definition files have caught up. We keep the bans in place for the usual overlap in new variants.
> >
> > Darin.
> >
> >
> > ----- Original Message -----
> > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Tuesday, November 15, 2005 8:44 AM
> > Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> >
> >
> > Thank you Darin.
> >
> > just curious after watching our virus logfiles today
> > Anyone else can confirm that there are only a few of the today new virus and far more netsky (most .p variant) showing up in the logfiles?
> >
> > Today I've had some reports that certain variants of the new virus slipped through while it was definitively catching some others.
> >
> > Markus
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 2:33 PM
> > > To: [email protected]
> > > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> > >
> > > I just went through all of the reports. Here's a list of new filenames to ban:
> > >
> > > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > > BANNAME email_photo.zip
> > > BANNAME excel_table.zip
> > > BANNAME liste.zip
> > > BANNAME reg_text.zip
> > > BANNAME registration.zip
> > > BANNAME tabelle.zip
> > >
> > >
> > > Darin.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > > To: <[email protected]>
> > > Sent: Tuesday, November 15, 2005 8:24 AM
> > > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> > >
> > >
> > > Looks like varying attachment names. I got one that's excel_table.zip
> > >
> > > ----- Original Message -----
> > > From: "David Dodell" <[EMAIL PROTECTED]>
> > > To: "John T (Lists)" <[email protected]>
> > > Sent: Tuesday, November 15, 2005 6:50 AM
> > > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> > >
> > >
> > > > Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
> > > >
> > > >> Sophos is now calling it Sober-R.
> > > >
> > > > Possible variation received this morning ... the text discussed receiving a problem email, and the attachment was email_photo.zip
> > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
> > > >
> > > > [This E-mail scanned for viruses by Declude Virus]
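
The filename bans collected in this thread, shown as an added example (not code from the thread or from Declude): a Python script that parses `BANNAME` lines and reports which attachments in a MIME message carry a banned name. The function names and the case-insensitive exact-match rule are assumptions; the thread does not describe how Declude itself compares names.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Ban list as posted in the thread, plus the name from the latest message.
BAN_CONFIG = """\
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip
BANNAME Mail-Datei.zip
"""

def parse_bannames(config_text):
    """Return the set of banned filenames (lower-cased) from BANNAME lines."""
    banned = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        directive, _, value = line.partition(" ")
        if directive.upper() == "BANNAME" and value.strip():
            banned.add(value.strip().lower())
    return banned

def banned_attachments(raw_message, banned):
    """Return filenames of MIME parts whose name is on the ban list."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # also reads RFC 2231 encoded names
        # Assumed rule: case-insensitive exact match on the filename.
        if name and name.strip().lower() in banned:
            hits.append(name)
    return hits

def build_sample(filename):
    """Constructed test message with one harmless attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(b"not a real archive", maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()
```

Because the match is on the name alone, a message is flagged whether or not scanner definitions recognise the payload, which is the overlap the thread relies on.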
