[Declude.Virus] Log entries
08/22/2003 09:01:15 Q221e106 Could not find parse string "Found" in report.txt
08/22/2003 08:58:07 Q211910e WARNING: Couldn't remove .vir directory d:\IMail\spool\D211910e.vir\: EXTRA FILES THERE.
08/22/2003 08:58:07 Q211910e Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.

Can someone please explain what these two entries mean? I am blocking the usual list of extensions, but a client emailed this morning saying he received a .pif and a .scr. Running 1.72i.

Thanks,
Doug McKee

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Log entries
> 08/22/2003 09:01:15 Q221e106 Could not find parse string "Found" in report.txt

This will happen if the virus scanner detects a virus, but the report.txt file that it creates does not include the virus name where Declude Virus expects it (more specifically, in this case, the word "Found" was not in the report.txt file). This can happen if the virus scanner detects a suspicious file (in which case it won't know the name of the virus).

> 08/22/2003 08:58:07 Q211910e WARNING: Couldn't remove .vir directory d:\IMail\spool\D211910e.vir\: EXTRA FILES THERE.
> 08/22/2003 08:58:07 Q211910e Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.

In this case, you can look at the d:\IMail\spool\D211910e.vir\ directory to see what file(s) are in there. If there is a report.txt file in there, it may be that a bug in Declude Virus prevented it from being deleted, since the word "Found" wasn't in there.

> I am blocking the usual list of extensions but a client emailed this morning saying he received a .pif and a .scr.

The best thing to do here is look at the Declude Virus log file entries to see if there were any errors/warnings for that specific E-mail.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
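As an added illustration (this is not Declude's code and was not posted in the thread), the Python below models the two conditions Scott describes: a scanner report.txt that does not contain the configured parse string, so no virus name can be extracted, and a .vir directory that is still non-empty when Declude tries to remove it. The parse string "Found", the report layouts, the file names and every function name here are constructed for the demo; they are not Declude's internals or any scanner's real output format.

```python
# Added example (not Declude's code): model the two log conditions above.
# The scanner writes report.txt into the per-message .vir directory; the
# mail scanner then looks for a configured parse string (assumed here to be
# "Found") to pull the virus name out of it, and afterwards expects the
# directory to be empty so it can be removed.
import os
import re
import tempfile
from pathlib import Path

PARSE_STRING = "Found"   # assumed parse string, as in the log entry above


def extract_virus_name(report_text, parse_string=PARSE_STRING):
    """Return the token following the parse string on the first line that
    contains it, or None when the parse string is absent (the
    'Could not find parse string' condition)."""
    for line in report_text.splitlines():
        if parse_string not in line:
            continue
        after = line.split(parse_string, 1)[1].strip(" :\t")
        tokens = after.split()
        if tokens and tokens[0].lower() == "the":   # "Found the X virus" style
            tokens = tokens[1:]
        if tokens:
            return tokens[0]
    return None


def classify_report(report_text):
    """Map a report to what the log would show: a named virus, a scanner
    'suspicious file' verdict that carries no name, or a clean result."""
    name = extract_virus_name(report_text)
    if name:
        return ("virus", name)
    if re.search(r"suspicious", report_text, re.IGNORECASE):
        return ("suspicious", None)   # detected, but there is no name to parse
    return ("clean", None)


def leftover_files(vir_dir):
    """Names of whatever is still inside the .vir directory; a non-empty
    list is the 'EXTRA FILES THERE' condition."""
    return sorted(p.name for p in Path(vir_dir).iterdir())


def simulate_vir_dir(files):
    """Build a throwaway .vir directory holding the given files (constructed),
    report what would block its removal, then clean up."""
    vir_dir = tempfile.mkdtemp(prefix="D211910e.vir-")
    try:
        for name, content in files.items():
            Path(vir_dir, name).write_text(content)
        return leftover_files(vir_dir)
    finally:
        for p in Path(vir_dir).iterdir():
            p.unlink()
        os.rmdir(vir_dir)


# Constructed sample reports in a McAfee-like style (not real scanner output).
REPORT_NAMED = "details.pif ... Found the W32/Sobig.f@MM virus !!!\n"
REPORT_SUSPICIOUS = "readme.scr ... is a suspicious file (no signature match)\n"
REPORT_CLEAN = "Scan complete. No infected files.\n"

if __name__ == "__main__":
    for report in (REPORT_NAMED, REPORT_SUSPICIOUS, REPORT_CLEAN):
        print(classify_report(report))
    print(simulate_vir_dir({"report.txt": REPORT_SUSPICIOUS, "scan.tmp": ""}))
```

The "suspicious" branch is the case Scott mentions: the scanner has flagged the file, so the message should still be treated as infected, but there is no name after the parse string to log.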
[Declude.Virus] Postmaster Email Alert
Is there a way to make Declude email postmaster at the originating IP address reverse DNS domain and not the domain in the FROM field, which is usually spoofed?

-- Dan
Re: [Declude.Virus] Postmaster Email Alert
> Is there a way to make Declude email postmaster at the originating IP address reverse DNS domain and not the domain in the FROM field which is usually spoofed?

No. The SKIPIFVIRUSNAMEHAS option is used for cases like this. We have considered using reverse DNS, IPWHOIS, [EMAIL PROTECTED], etc., but none seem to work well most of the time.

-Scott
[Declude.Virus] Using FORGINGVIRUS with more than one virus
In my virus_cfg.txt file, I have:

FORGINGVIRUS Klez

To add the Sobig virus, do I add another line? Like this?

FORGINGVIRUS Klez
FORGINGVIRUS Sobig

[EMAIL PROTECTED]
RE: [Declude.Virus] Using FORGINGVIRUS with more than one virus
Yep.. Exactly... you got it. Have a great day.

-----Original Message-----
From: Paul Fuhrmeister [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 22, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Using FORGINGVIRUS with more than one virus

In my virus_cfg.txt file, I have:

FORGINGVIRUS Klez

To add the Sobig virus, do I add another line? Like this?

FORGINGVIRUS Klez
FORGINGVIRUS Sobig

[EMAIL PROTECTED]
Re: [Declude.Virus] Using FORGINGVIRUS with more than one virus
> In my virus_cfg.txt file, I have:
>
> FORGINGVIRUS Klez
>
> To add the Sobig virus, do I add another line? Like this?
>
> FORGINGVIRUS Klez
> FORGINGVIRUS Sobig

That is correct. You may want to take a look at the default files at http://www.declude.com/virus/manual.htm to see what other viruses we recommend including.

-Scott
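An added example, written for this archive and not taken from Declude or from either thread, that covers both the FORGINGVIRUS question above and the SKIPIFVIRUSNAMEHAS answer in the "Postmaster Email Alert" thread: a small parser that reads virus_cfg.txt lines and shows that each repeated FORGINGVIRUS line adds one more entry, then decides whether the (usually forged) sender should get a notification. The config sample is constructed, the "#" comment convention, the case-insensitive substring match and the decision function are assumptions for the demo, not Declude's documented behaviour.

```python
# Added example (not Declude's code): parse repeated FORGINGVIRUS /
# SKIPIFVIRUSNAMEHAS lines and apply them to a scanner's virus name.

# Constructed config fragment; a tab separates keyword and value.
SAMPLE_CONFIG = """\
# virus_cfg.txt (constructed sample; '#' comment lines are an assumption)
FORGINGVIRUS\tKlez
FORGINGVIRUS\tSobig
SKIPIFVIRUSNAMEHAS\tBugbear
"""


def parse_virus_cfg(text):
    """Collect repeated keywords into lists; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(key, []).append(value)
    return cfg


def suppression_reason(virus_name, cfg):
    """Return (keyword, pattern) of the first entry that matches the virus
    name, or None.  Matching is an assumed case-insensitive substring test,
    so 'Sobig' covers 'W32/Sobig.f@MM' and 'W32/Sobig.e@MM' alike."""
    for keyword in ("SKIPIFVIRUSNAMEHAS", "FORGINGVIRUS"):
        for pattern in cfg.get(keyword, []):
            if pattern and pattern.lower() in virus_name.lower():
                return (keyword, pattern)
    return None


def should_notify_sender(virus_name, cfg):
    """Assumed rule: a virus known to forge its From address, or one listed
    under SKIPIFVIRUSNAMEHAS, gets no sender notification (it would only hit
    an innocent third party)."""
    return suppression_reason(virus_name, cfg) is None


CONFIG = parse_virus_cfg(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(CONFIG)
    for name in ("W32/Sobig.f@MM", "W32/Klez.h@MM", "W32/Bugbear@MM", "EICAR-Test-File"):
        print(name, suppression_reason(name, CONFIG), should_notify_sender(name, CONFIG))
```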
RE: [Declude.Virus] Postmaster Email Alert
And the reason being is that many if not most mail servers are not configured to accept messages to the IP address. Also, in the case of Sobig, that would not work anyway, as the IP address is of the workstation infected, which could be anywhere.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Friday, August 22, 2003 7:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Postmaster Email Alert

> Is there a way to make Declude email postmaster at the originating IP address reverse DNS domain and not the domain in the FROM field which is usually spoofed?

No. The SKIPIFVIRUSNAMEHAS option is used for cases like this. We have considered using reverse DNS, IPWHOIS, [EMAIL PROTECTED], etc., but none seem to work well most of the time.

-Scott
Re[2]: [Declude.Virus] McAfee Enterprise 7.0 not picking up Sobig.F
Hello R.,

Thursday, August 21, 2003, 2:59:18 PM, you wrote:

>> I did that with eicar and the On-Demand Scanner picked it up. However, when I did it with Sobig.F, there was no attachment. Then I noticed that it was a bounced message from another server (not using SKIPIFVIRUSNAMEHAS). I'm now wondering if that is why McAfee On-Demand/Declude is not picking it up, because the virus is part of the bounced message and it appears to not be executable. However, F-Prot and McAfee On-Access both detect Sobig.F in the SMD file. ??

RSP> Most AV programs will not detect corrupt, non-viable variants, which often
RSP> includes bounce messages (because those bounce messages are usually truncated).

RSP> -Scott

We started seeing something similar about 2:00 a.m. I started getting warnings from Trend that it was picking up viruses in my /spam folder. Don't know how many are going through because I can't scan the /spool with Trend. Trying to figure out if they're non-viable. Even if they are, Declude/F-prot should be stopping them, though, because we had a similar problem a few weeks ago and added VIRUSCODE 8 in order to stop suspicious files.

-David

-- 
Best regards,
David                          mailto:[EMAIL PROTECTED]
RE: [Declude.Virus] Sobig- Phase II bombardment
> Not only that - but what's this web address that will be updated? If it's an IP - then it should be easy to contact the upstream provider. If it's a FQDN - then it should be easy for the registrar to lock this particular domain against updates. I don't see why this is supposedly so difficult to accomplish?

Because it is happening at *exactly* the same time. The timing is based on precise clocks, and even if the web site gets shut down in 1 minute, that's potentially many thousands of computers that may have downloaded the file.

-Scott
[Declude.Virus] Pentagon
The Pentagon would never buy Declude. It's not pricey enough, it's too straightforward and easy to use, you don't have to hire a consultant to study it for several million dollars, and its name is not Pentagon proper. Perhaps Scott can rename it to "Declude Electronic Communication Attack Software Defense System" and become a consultant for the government.

Sorry, I couldn't resist.
RE: [Declude.Virus] Sobig- Phase II bombardment
According to this NBC news report, it will occur every Friday and Sunday.

http://www.nbc4.tv/technology/2426381/detail.html?treets=latml=la_natlbreak ts=Ttmi=la_natlbreak_15913_01270008222003

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.Virus] Sobig- Phase II bombardment
See http://isc.sans.org/diary.html?date=2003-08-22

> Sobig Update Cycle
>
> SoBig-F, the most recent incarnation in the family of Sobig mass mailing viruses, will be entering its update cycle today at 19:00 UTC. Between 19:00 and 22:00 UTC, the virus will attempt to contact a predefined set of hosts to download updates. At this point, it is not known what the update will do. The list of master servers can be updated remotely by using signed UDP packets to port 995-999.

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net
RE: [Declude.Virus] Sobig- Phase II bombardment
Exactly, if the servers are known, why don't the upstream providers be pro-active and block those IPs from being accessed?

-- Original Message --
From: Andy Schmidt [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Aug 2003 14:20:53 -0400

> Not only that - but what's this web address that will be updated? If it's an IP - then it should be easy to contact the upstream provider. If it's a FQDN - then it should be easy for the registrar to lock this particular domain against updates. I don't see why this is supposedly so difficult to accomplish?
>
> Best Regards
> Andy Schmidt
>
> HM Systems Software, Inc.
> 600 East Crescent Avenue, Suite 203
> Upper Saddle River, NJ 07458-1846
>
> Phone: +1 201 934-3414 x20 (Business)
> Fax: +1 201 934-9206
> http://www.HM-Software.com/
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
> Sent: Friday, August 22, 2003 01:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Sobig- Phase II bombardment
>
> The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address - and run it. At this moment
>
> snipped

--
Avolve Support
Get High Speed Internet - Go Wireless!
http://www.avolvewireless.net
--
[Declude.Virus] SoBig - Narrowing down on source
http://www.washingtonpost.com/wp-dyn/articles/A32161-2003Aug22.html
Re: [Declude.Virus] Sobig- Phase II bombardment
Thanks for the heads-up, Kris. We have applied filter rules to all of our Internet routers to block all outbound IP access to the IP addresses listed below and to block all outbound UDP access to port 8998.

Bill

----- Original Message -----
From: Kris Rickerson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 10:33 AM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment

> It would seem to me that someone's decoded this encrypted list and if we knew what it was we could set up access lists to block connections to the 20 machines.

Ask, and you shall receive.

--
Subject: ISS Security Brief: Sobig.F Second Phase Action

-----BEGIN PGP SIGNED MESSAGE-----

Computers infected with the Sobig.F worm are programmed to automatically download an executable of unknown function from a hard-coded list of servers at 19:00 UTC (3:00pm EDT). X-Force is recommending wholesale outbound filtering of the following IP addresses:

67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96

The request method uses UDP port 8998. X-Force also recommends that this port be filtered outbound.

Kris Rickerson
Server Administrator
Middle Georgia College - Cochran, GA 31014
[EMAIL PROTECTED]

---
"This is the material, by the way, that has kept me virtually anonymous in America. Meanwhile, they're draining the Pacific and putting up bench seats for Carrot Top's next Showtime special. Carrot Top -- for people who didn't get Gallagher. Gallagher -- the comedian who made his name by destroying good food with a sledge hammer at the end of his show. Gee, I wonder why we're hated the world over?" - Bill Hicks (1961-1994)
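As an added example (written for this archive, not taken from the ISS brief or from Bill's or Kris's posts), the Python below turns the published server list and UDP port into the outbound deny rules Bill describes, and then scans firewall log lines for internal hosts that attempted the contact, which is the fastest way to find the infected workstations behind your own border. The IP list and port 8998 are the ones quoted in the brief above; the log lines are a constructed iptables/syslog-style sample, and the Cisco ACL number (110) and where it is applied are assumptions for the demo.

```python
# Added example (not from the ISS brief): build the outbound filter and
# detect infected hosts from constructed firewall log lines.
import re
from collections import defaultdict

# IP list and UDP port exactly as published in the X-Force brief quoted above.
SOBIG_UPDATE_SERVERS = {
    "67.73.21.6", "68.38.159.161", "67.9.241.67", "66.131.207.81",
    "65.177.240.194", "65.93.81.59", "65.95.193.138", "65.92.186.145",
    "63.250.82.87", "65.92.80.218", "61.38.187.59", "24.210.182.156",
    "24.202.91.43", "24.206.75.137", "24.197.143.132", "12.158.102.205",
    "24.33.66.38", "218.147.164.29", "12.232.104.221", "68.50.208.96",
}
SOBIG_UPDATE_PORT = 8998   # UDP, per the brief


def build_cisco_acl(acl_number=110):
    """Extended ACL lines: deny any IP traffic to the listed servers and any
    UDP to 8998, then permit everything else.  Intended to be applied
    outbound on the Internet-facing interface (assumed deployment)."""
    lines = [f"access-list {acl_number} deny ip any host {ip}"
             for ip in sorted(SOBIG_UPDATE_SERVERS)]
    lines.append(f"access-list {acl_number} deny udp any any eq {SOBIG_UPDATE_PORT}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


# Fields of an iptables-style LOG line (constructed format for this demo).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def find_suspect_hosts(log_lines):
    """Map each internal source address to the reasons it looks infected:
    it reached one of the update servers, or it sent UDP to port 8998 to
    any destination (the list could be updated remotely, so the port matters
    even when the destination is new)."""
    suspects = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["dst"] in SOBIG_UPDATE_SERVERS:
            suspects[m["src"]].add("contacted update server " + m["dst"])
        if m["proto"].upper() == "UDP" and int(m["dpt"]) == SOBIG_UPDATE_PORT:
            suspects[m["src"]].add("udp/8998 request")
    return dict(suspects)


# Constructed firewall log lines (iptables LOG style), not real traffic.
SAMPLE_LOG = [
    "Aug 22 19:01:12 fw1 kernel: OUT=eth1 SRC=192.168.1.57 DST=67.73.21.6 PROTO=UDP SPT=4100 DPT=8998",
    "Aug 22 19:01:13 fw1 kernel: OUT=eth1 SRC=192.168.1.12 DST=198.51.100.7 PROTO=TCP SPT=3345 DPT=80",
    "Aug 22 19:01:20 fw1 kernel: OUT=eth1 SRC=192.168.1.203 DST=203.0.113.9 PROTO=UDP SPT=4101 DPT=8998",
    "Aug 22 19:02:02 fw1 kernel: OUT=eth1 SRC=192.168.1.12 DST=24.33.66.38 PROTO=TCP SPT=3350 DPT=80",
    "Aug 22 19:02:40 fw1 kernel: OUT=eth1 SRC=192.168.1.99 DST=198.51.100.25 PROTO=UDP SPT=53 DPT=53",
]

if __name__ == "__main__":
    print("\n".join(build_cisco_acl()))
    for host, reasons in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host, sorted(reasons))
```

The deny rules stop the download; the log scan is what tells you which machines to clean, since a blocked attempt is still a symptom of an infected host.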
Re: [Declude.Virus] Sobig- Phase II bombardment
> It makes me really wonder how many stupid people are not able to patch their own system (or at least Outlook).

Exactly!

> They can't do more. (Except write a worm that installs automatically all available patches from MS.)

What they (M$) really need to do is make Windows Update integrated into Windows. The problem is they tell you "Stay current with updates" in a little box above the taskbar when you install Windows (XP at least), so you can elect to have them downloaded, or you have to download the critical notification tool. Instead, it should already be set to retrieve critical updates, and the notification should be a big window that says:

YOU HAVE CRITICAL PATCHES FOR YOUR SYSTEM AVAILABLE TO INSTALL! PLEASE CONSULT KB ARTICLE X TO ENSURE VALIDITY AND UPDATE ASAP. FAILURE TO UPDATE LEAVES YOUR SYSTEM VULNERABLE TO HACKERS, WORMS, VIRUSES, ETC.

To which you click some acknowledge button, but it will come back if you don't update. People need to know they need to keep software like this updated. Plus M$ releasing a patch that doesn't cause more problems is nice too.

Paul
RE: [Declude.Virus] Sobig- Phase II bombardment
> What they (M$) really need to do is make Windows Update integrated into Windows. The problem is they tell you "Stay current with updates" in a little box above the taskbar when

There are huge debates about this. It's amazing that people are against this. Look at the newsgroups, etc...
Re: [Declude.Virus] Sobig- Phase II bombardment
If it was easy, and if every computer user was computer literate and responsible, we wouldn't have jobs...

Andy

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 3:17 PM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment

> Sobig.G will have a line "X-MailScanner: The Sobig.G virus is in the attachment, you will be infected if you open it..." and Sobig.G will spread just as fast as Sobig.F.

It makes me really wonder how many stupid people are not able to patch their own system (or at least Outlook).

I swear I will light 100 candles the day when a new Outlook-vulnerability worm will spread and remove any text, number and picture from any DOC, XLS and PPT files it can find. Another 100 candles if the worm places a "You're really stupid! Patch your system or turn your computer off - immediately!" in any DOC file. (Maybe also in other international languages.)

If the worms continue with the actual destructive functionality, most people will never patch their own system. They will only say: "Ouch, how slow is the Internet today!"

What I will say: Not Sobig.F is frustrating, but all these ignorant people that are not able to patch their own system.

Culpability of MS? As I know, they offer patches for all these vulnerabilities for a long time now. They can't do more. (Except write a worm that installs automatically all available patches from MS.)

Maybe the worm I wait for shouldn't delete anything, but change only some numbers in MS documents. I think that's enough to cause the attention of the end user - and not make technicians like us work day and night.

Markus
RE: [Declude.Virus] Sobig- Phase II bombardment
Anyone seeing or hearing of any happenings on this?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.Virus] Sobig- Phase II bombardment
> Anyone seeing or hearing of any happenings on this?

F-Secure has reported that 1 of the 20 servers appears to be up, but it is so overwhelmed that viruses aren't getting anything from it. But that does mean that some could be getting through.

All we've seen is what seems to be a precautionary measure from one ISP blocking home users from sending any ICMP or UDP packets, but it appears to just be a precautionary measure.

-Scott
RE: [Declude.Virus] VirusScan Enterprise 7.0 not detecting Sobig.F
What is sick is their scanner loaded on Dell computers is NOT picking up Sobig.F either. I just ran a complete scan on a client computer with the installed McAfee, and it came back clean. This was using their online scanner as installed on computers. Sick. I wonder how many home users out there think they are protected, but are not?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Bill Newberg
Sent: Friday, August 22, 2003 9:21 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] VirusScan Enterprise 7.0 not detecting Sobig.F

I received the following from McAfee. Apparently, there is an EXTRA.DAT file to stop damaged Sobig.F. I attached it for anyone interested. I have not had a chance to install and test it yet.

Bill Newberg

> Bill,
>
> There is an extra.dat I can give you which will help detect sobig.f.dam. This is a damaged version of sobig which gets missed intermittently by different scanners and sounds like what you are dealing with. The extra.dat will reside alongside the normal dat files in \program files\common files\network associates\engine
>
> --
> Lance