I just saw two today. This may not be what you're seeing, JT, but here goes:
What I saw were two broken Sober.X messages that were bounced with the original message (the viral message) truncated. F-Prot didn't trigger on the broken attachment and the bounce didn't trigger my custom filters to weed out junk bounces. The messages made it into my internal mail system, where they were caught by Trend Micro ScanMail for Exchange. When I looked up the details on the virus that was named, the alias matched the Symantec name for the virus. Given that it was broken, I regard this as a spam issue, and not a case of F-Prot failing to detect the damaged Sober virus. If I can get the original, I'll submit to F-Prot anyway in the hope that they will come with a signature. Andrew 8) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of JT > Sent: Thursday, January 05, 2006 10:39 AM > To: [email protected] > Subject: RE: [Declude.Virus] Sober.X Variant > > John, > > Thanks for the help! > > Regards, > JT > > On Thu, 2006-01-05 at 09:31 -0800, John T (Lists) wrote: > > Into the Virus.cfg file: > > > > BANEZIPEXTS ON > > BANZIPEXTS ON > > > > John T > > eServices For You > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > > On Behalf Of JT > > > Sent: Thursday, January 05, 2006 9:20 AM > > > To: [email protected] > > > Subject: RE: [Declude.Virus] Sober.X Variant > > > > > > John, > > > > > > What do I need to do to block banned extensions within zip files > > > > > > Thanks, > > > JT > > > > > > On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote: > > > > That means you are not blocking banned extensions > within zip files? > > > > > > > > John T > > > > eServices For You > > > > > > > > > > > > > -----Original Message----- > > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] > > > > > On Behalf Of JT > > > > > Sent: Thursday, January 05, 2006 8:45 AM > > > > > To: [email protected] > > > > > Subject: RE: [Declude.Virus] Sober.X Variant > > > > > > > > > > What I am experiencing is that the server lets the virus go > > > > > through > > the > > > > > system. It scans and result is clean, the end user gets the > > > > > email and their Symantec Enterprise snags it and tags it as > > > > > [EMAIL PROTECTED] > > > > > > > > > > On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote: > > > > > > Is this what you are seeing? > > > > > > > > > > > > http://www.sophos.com/virusinfo/analyses/w32feebsa.html > > > > > > > > > > > > John T > > > > > > eServices For You > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: [EMAIL PROTECTED] > > > > > > [mailto:[EMAIL PROTECTED] > > > > > > > On Behalf Of JT > > > > > > > Sent: Thursday, January 05, 2006 6:44 AM > > > > > > > To: [email protected] > > > > > > > Subject: [Declude.Virus] Sober.X Variant > > > > > > > > > > > > > > Has anyone seen an influx of this virus come through? I've > > upgraded to > > > > > > > the latest F-Prot and it seems like it still > sneaking through. > > > > Although > > > > > > > the Z variant is being stopped by F-prot. Any light that > > > > > > > could be > > shed > > > > > > > on this would be greatly appreciated. > > > > > > > > > > > > > > Also I've tried setting up ClamAV for Windows on > our imail > > > > > > > server > > as a > > > > > > > scanner. I've got it to scan but it randomly generated an > > > > > > > exit > > code of > > > > > > > 50. Does anyone know what exit code 50 from ClamAV means? > > > > > > > > > > > > > > Thanks, > > > > > > > JT > > > > > > > > > > > > > > --- > > > > > > > [This E-mail was scanned for viruses by Declude EVA > > www.declude.com] > > > > > > > > > > > > > > --- > > > > > > > This E-mail came from the Declude.Virus mailing list. To > > > > > > > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], and > > > > > > > type "unsubscribe Declude.Virus". The archives > can be found > > > > > > > at http://www.mail-archive.com. > > > > > > > > > > > > --- > > > > > > [This E-mail was scanned for viruses by Declude EVA > > > > > > www.declude.com] > > > > > > > > > > > > --- > > > > > > This E-mail came from the Declude.Virus mailing list. To > > > > > > unsubscribe, just send an E-mail to > [EMAIL PROTECTED], and > > > > > > type "unsubscribe Declude.Virus". The archives > can be found > > > > > > at http://www.mail-archive.com. > > > > > > > > > > > > > > > > --- > > > > > [This E-mail was scanned for viruses by Declude EVA > > > > > www.declude.com] > > > > > > > > > > --- > > > > > This E-mail came from the Declude.Virus mailing list. To > > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > > type "unsubscribe Declude.Virus". The archives can be found > > > > > at http://www.mail-archive.com. > > > > > > > > --- > > > > [This E-mail was scanned for viruses by Declude EVA > > > > www.declude.com] > > > > > > > > --- > > > > This E-mail came from the Declude.Virus mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.Virus". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude EVA > www.declude.com] > > > > > > --- > > > This E-mail came from the Declude.Virus mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.Virus". The archives can be found > > > at http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, > > just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > > > --- > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
