> Could not find parse string Infection: in report.txt
> 
> Means that it did not find the word infection in the file

Correct, that is what the Declude line means.  Other codes like 8 don't
include the Infection: text, so an f-prot result line like:

dddd.exe  is a security risk named W32/Mitglieder.gen

Won't pick up the name because "Infection:" simply wasn't in the line.

Andrew 8)
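
The behaviour described above, as an added Python sketch that is not part of the original message and not Declude's own code. It assumes the virus name is the first token after the REPORT parse string on a report line; the sample report lines are constructed and the fallback marker is hypothetical.

```python
# Added example, not Declude's code: the REPORT lookup is modelled on the assumption
# that the virus name is the first token after the parse string on a report line.
VIRUS_CODES = {3, 6, 8, 9, 10}  # exit codes from the VIRUSCODE lines quoted in the thread

# Constructed report lines. REPORT_CODE_8 reuses the wording Andrew quotes;
# REPORT_WITH_MARKER is an invented line that does contain "Infection:".
REPORT_WITH_MARKER = r"C:\spool\a.zip->a.exe  Infection: W32/Example.gen"
REPORT_CODE_8 = "dddd.exe  is a security risk named W32/Mitglieder.gen"

# Hypothetical second marker for the code-8 wording (not a Declude setting from the page).
FALLBACK_MARKERS = ("Infection:", "is a security risk named")


def extract_name(report_text, markers):
    """Return the token following the first marker found, or "" if none matches."""
    for line in report_text.splitlines():
        for marker in markers:
            idx = line.find(marker)
            if idx != -1:
                rest = line[idx + len(marker):].split()
                return rest[0] if rest else ""
    return ""


def scan_result(exit_code, report_text, markers=("Infection:",)):
    """Verdict comes from the exit code alone; the name only from the report text."""
    infected = exit_code in VIRUS_CODES
    name = extract_name(report_text, markers) if infected else ""
    return {"infected": infected, "name": name, "unnamed": infected and not name}


if __name__ == "__main__":
    print(scan_result(3, REPORT_WITH_MARKER))
    print(scan_result(8, REPORT_CODE_8))                    # infected, name lost
    print(scan_result(8, REPORT_CODE_8, FALLBACK_MARKERS))  # name recovered
```

The `unnamed` case corresponds to log lines such as `File(s) are INFECTED [: 8]` in the thread, where the verdict is recorded with an empty name.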




> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Goran Jovanovic
> Sent: Friday, June 16, 2006 4:18 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] new virus
> 
> Yup I got it. I think that the message
> 
> Could not find parse string Infection: in report.txt
> 
> Means that it did not find the word infection in the file
> 
> SCANFILE1     C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT
> /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt
> VIRUSCODE1    3
> VIRUSCODE1    6
> VIRUSCODE     8
> VIRUSCODE     9
> VIRUSCODE     10
> REPORT1               Infection:
> 
> Goran Jovanovic
> Omega Network Solutions
> 
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Darrell ([EMAIL PROTECTED])
> > Sent: Friday, June 16, 2006 6:59 PM
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] new virus
> > 
> > 
> > Goran,
> > 
> > Do you have exit code 8 also listed for F-Prot in your virus.cfg?  If
> > not, you should.
> > 
> > Darrell
> >
> > ------------------------------------------------------------------------
> > Check out http://www.invariantsystems.com for utilities for Declude And
> > Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> > MRTG Integration, and Log Parsers.
> > 
> > ----- Original Message -----
> > From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> > To: <declude.virus@declude.com>
> > Sent: Friday, June 16, 2006 6:04 PM
> > Subject: RE: [Declude.Virus] new virus
> > 
> > 
> > My F-Prot is finding it but it does not know what it is. Both the MAIL
> > FROM and the RCPT TO are the same address
> > 
> > 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
> > 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820]
> > 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
> > 06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
> > 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
> > 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
> > 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
> > 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657]
> > 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62]
> > 06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05
> > 
> > Goran Jovanovic
> > Omega Network Solutions
> > Tel: 416 322-0333
> > Cell: 416 805-HELP (4357)
> > [EMAIL PROTECTED]
> > 
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Colbeck, Andrew
> > > Sent: Friday, June 16, 2006 5:31 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] new virus
> > >
> > > This is what I've received recently:
> > >
> > >
> > > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EA&VSect=T
> > >
> > > My F-Prot and Trend Micro do detect it.  When I submit the executable
> > > inside the payload to http://virusscan.jotti.org or
> > > http://www.virustotal.com I get these results:
> > >
> > > AntiVir 6.35.0.13 06.16.2006 Worm/SdBot.32768.26
> > > Authentium 4.93.8 06.16.2006 W32/Brepibot.gen
> > > Avast 4.7.844.0 06.15.2006 no virus found
> > > AVG 386 06.16.2006 IRC/BackDoor.SdBot2.EDN
> > > BitDefender 7.2 06.16.2006 Backdoor.IRCbot.JD
> > > CAT-QuickHeal 8.00 06.16.2006 no virus found
> > > ClamAV devel-20060426 06.16.2006 Trojan.IRCBot-638
> > > DrWeb 4.33 06.16.2006 BackDoor.IRC.Boxer
> > > eTrust-InoculateIT 23.72.40 06.16.2006 no virus found
> > > eTrust-Vet 12.6.2259 06.16.2006 no virus found
> > > Ewido 3.5 06.16.2006 no virus found
> > > Fortinet 2.77.0.0 06.16.2006 W32/Brepibot.AS!tr
> > > F-Prot 3.16f 06.16.2006 W32/Brepibot.gen
> > > Ikarus 0.2.65.0 06.16.2006 photo3.exe
> > > Kaspersky 4.0.2.24 06.16.2006 Backdoor.Win32.Breplibot.ai
> > > McAfee 4786 06.16.2006 W32/Brepibot.gen
> > > Microsoft 1.1441 06.16.2006 no virus found
> > > NOD32v2 1.1605 06.16.2006 Win32/IRCBot.PH
> > > Norman 5.90.21 06.16.2006 W32/Malware
> > > Panda 9.0.0.4 06.16.2006 Suspicious file
> > > Sophos 4.06.0 06.16.2006 Troj/Stinx-W
> > > Symantec 8.0 06.16.2006 Backdoor.Naninf.E
> > > TheHacker 5.9.8.160 06.16.2006 no virus found
> > >
> > >
> > > Andrew 8)
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> > > > Of Colbeck, Andrew
> > > > Sent: Friday, June 16, 2006 2:21 PM
> > > > To: declude.virus@declude.com
> > > > Subject: RE: [Declude.Virus] new virus
> > > >
> > > > It might be this, if my F-Prot is more up to date than yours, as
> > > > mine has identified a few zip files with a plus sign in the name
> > > > as W32/Brepibot.gen
> > > >
> > > > http://www.f-secure.com/weblog/archives/archive-062006.html#00000902
> > > >
> > > > The fake HELO names were CNN.com and TradersWorld.com if that's 
> > > > any use.
> > > >
> > > > Andrew 8)
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > > Ncl Admin
> > > > > Sent: Friday, June 16, 2006 2:03 PM
> > > > > To: declude.virus@declude.com
> > > > > Subject: Re: [Declude.Virus] new virus
> > > > >
> > > > > Yes,
> > > > >
> > > > > 04dotzip just came through here but McAfee stopped it. But F-prot
> > > > > not getting it.
> > > > >
> > > > > At 04:30 PM 6/16/2006 -0400, you wrote:
> > > > > >>>>
> > > > > Is anyone else seeing new virus zip files getting past F-Prot?
> > > > > the last one was just numbers.zip Earlier a few came through 
> > > > > with name.zip
> > > > >
> > > > > Bruce Loughlin
> > > > >
> > > > > ---
> > > > > This E-mail came from the Declude.Virus mailing list. To unsubscribe,
> > > > > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> > > > > Declude.Virus". The archives can be found at
> > > > > http://www.mail-archive.com.
> > > > > <<<<
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ---
> > > > > This E-mail came from the Declude.Virus mailing list.  To
> > > > unsubscribe,
> > > > > just send an E-mail to [EMAIL PROTECTED], and
> > > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > > at http://www.mail-archive.com.
> > > > >
> > > > >
> > > >
> > > >
> > > > ---
> > > > This E-mail came from the Declude.Virus mailing list.  To 
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > type "unsubscribe Declude.Virus".    The archives can be found
> > > > at http://www.mail-archive.com.
> > > >
> > > >
> > >
> > >
> > > ---
> > > This E-mail came from the Declude.Virus mailing list.  To 
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus".    The archives can be found
> > > at http://www.mail-archive.com.
> > 
> > 
> > 
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, 
> > just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".    The archives can be found
> > at http://www.mail-archive.com.
> > 
> > 
> > 
> > 
> > ---
> > This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, 
> > just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus".    The archives can be found
> > at http://www.mail-archive.com.
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
> 
> 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

Reply via email to