And another: BANNAME packed-password_text.zip
John T
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 10:16 AM
> To: [email protected]
> Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
>
> Another one to block...
>
> BANNAME Accept_e-Text.zip
>
> The list so far is
>
> # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> BANNAME Accept_e-Text.zip
> BANNAME email_photo.zip
> BANNAME excel_table.zip
> BANNAME foto.zip
> BANNAME liste.zip
> BANNAME reg_text.zip
> BANNAME registration.zip
> BANNAME tabelle.zip
> BANNAME word-text.zip
>
> As mentioned before, we keep these in place even after the virus definitions
> are catching them. That way new variants that use the names are caught
> before definitions are available.
>
> Darin.
>
>
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, November 15, 2005 11:57 AM
> Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
>
>
> There are very interesting details in Trend Micro's writeup.
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T
>
> i.e. it uses its own SMTP server plus a hardcoded list of accounts and
> IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious
> Software Removal Tool.
>
> It may be worth mentioning that the BANNAME list that Darin provided
> will be useful for those of us using F-Prot only, as they are still not
> detecting the variant I've been receiving since this thread started.
>
> Andrew 8)
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 6:05 AM
> > To: [email protected]
> > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> >
> > Most of the new Sober variants are expected to be low volume, so
> > I'm not surprised that Netsky.P continues to outstrip them.
> >
> > Security vendors are varying as to what they are detecting
> > with 6 new Sober variants yesterday and today. Best bet is
> > to ban the files at least until virus definition files have
> > caught up. We keep the bans in place for the usual overlap
> > in new variants.
> >
> > Darin.
> >
> >
> > ----- Original Message -----
> > From: "Markus Gufler" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Tuesday, November 15, 2005 8:44 AM
> > Subject: RE: [Declude.Virus] New Sober to be released, possible variation?
> >
> >
> > Thank you Darin.
> >
> > Just curious after watching our virus logfiles today.
> > Can anyone else confirm that there are only a few of today's new virus and
> > far more Netsky (mostly the .p variant) showing up in the logfiles?
> >
> > Today I've had some reports that certain variants of the new virus slipped
> > through while it was definitively catching some others.
> >
> > Markus
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Tuesday, November 15, 2005 2:33 PM
> > > To: [email protected]
> > > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> > >
> > > I just went through all of the reports. Here's a list of new
> > > filenames to ban:
> > >
> > > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > > BANNAME email_photo.zip
> > > BANNAME excel_table.zip
> > > BANNAME liste.zip
> > > BANNAME reg_text.zip
> > > BANNAME registration.zip
> > > BANNAME tabelle.zip
> > >
> > >
> > > Darin.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > > To: <[email protected]>
> > > Sent: Tuesday, November 15, 2005 8:24 AM
> > > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> > >
> > >
> > > Looks like varying attachment names. I got one that's excel_table.zip
> > >
> > > ----- Original Message -----
> > > From: "David Dodell" <[EMAIL PROTECTED]>
> > > To: "John T (Lists)" <[email protected]>
> > > Sent: Tuesday, November 15, 2005 6:50 AM
> > > Subject: Re: [Declude.Virus] New Sober to be released, possible variation?
> > >
> > >
> > > > Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
> > > >
> > > >> Sophos is now calling it Sober-R.
> > > >
> > > > Possible variation received this morning ... the text discussed
> > > > receiving a problem email, and the attachment was email_photo.zip
> > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list. To
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > type "unsubscribe Declude.Virus". The archives can be found
> > > > at http://www.mail-archive.com.
> > > >
> > > > [This E-mail scanned for viruses by Declude Virus]
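
A Python illustration of the filename-ban stopgap discussed in this thread, added here and not part of the original messages or Declude's own code. It parses the BANNAME lines as posted and checks a constructed message's attachment names against them; the case-insensitive base-name matching and all function names are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# BANNAME lines as posted in the thread.
BAN_CONFIG = """\
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip
BANNAME packed-password_text.zip
"""

def parse_bannames(text):
    """Collect BANNAME entries; comment and blank lines fall through."""
    names = set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            # Assumption: names are compared case-insensitively.
            names.add(parts[1].strip().lower())
    return names

def banned_attachments(raw_message, banned):
    """Return attachment filenames in a raw message that hit the ban list."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Compare the base name only, so a path prefix does not dodge the match.
            base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
            if base in banned:
                hits.append(name)
    return hits

def build_sample(filename):
    """Constructed test message carrying one harmless attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"not a real archive", maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()
```

Because the match is on the name alone, it fires regardless of whether any scanner signature exists for the payload, which is the overlap the thread relies on.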
