[Declude.Virus] mabuto virus
Hi,

I have a bounced mail from my postmaster account trying to warn someone about the W32/[EMAIL PROTECTED] virus they sent.

1) Is this a very new virus? Neither f-prot, Sophos nor Symantec even heard of it but the f-prot partner site http://www.authentium.com/ has heard of it, but that's all the information I can find on that site, they have heard of it and are catching it.

2) Is this a forging virus we need to add to the list? If so, does Declude already have it in his forging virus list?

Greetings,
Bonno Bloksma
Re: [Declude.Virus] mabuto virus
> I have a bounced mail from my postmaster account trying to warn someone about the W32/[EMAIL PROTECTED] virus they sent.
> 1) Is this a very new virus? Neither f-prot, Sophos nor Symantec even heard of it but the f-prot partner site http://www.authentium.com/ has heard of it, but that's all the information I can find on that site, they have heard of it and are catching it.

I believe it came out about a week ago.

> 2) Is this a forging virus we need to add to the list? If so, does Declude already have it in his forging virus list?

It appears to be a forging virus, although we do not have enough information yet to determine that for certain (we have, however, added it to the forging virus database to be safe).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] mabuto virus
http://www.gordano.co.uk/kb.htm?q=2297 talks about virus definitions from 28 July 2004 and Mabuto, so it can't be a new one from today.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bonno Bloksma
Sent: Monday, August 09, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] mabuto virus

Hi,

I have a bounced mail from my postmaster account trying to warn someone about the W32/[EMAIL PROTECTED] virus they sent.

1) Is this a very new virus? Neither f-prot, Sophos nor Symantec even heard of it but the f-prot partner site http://www.authentium.com/ has heard of it, but that's all the information I can find on that site, they have heard of it and are catching it.

2) Is this a forging virus we need to add to the list? If so, does Declude already have it in his forging virus list?

Greetings,
Bonno Bloksma
RE: [Declude.Virus] mabuto virus
>> 2) Is this a forging virus we need to add to the list? If so, does Declude already have it in his forging virus list?

> It appears to be a forging virus, although we do not have enough information yet to determine that for certain (we have, however, added it to the forging virus database to be safe).

I've seen 5 Mabutos from 29 July on. Up to now there were no NDRs for our virus warnings, but looking at the mail headers it seems that he's forging with real existing email addresses.

Markus
[Declude.Virus] JS/illWill
I've seen several JS/IllWill messages in the past 20 minutes on our system.

Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus (2001) and I can't remember another one in the past. But now I can see them coming from all different IP addresses. Mailfrom looks like real existing addresses but are definitively forged.

Markus
Re: [Declude.Virus] JS/illWill
Yep, I've seen a bunch of them this morning, as well. Here, only McAfee and BitDefender are currently catching it. I have reported the virus to ClamAV, F-Prot, and TrendMicro.

Bill

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 9:22 AM
Subject: [Declude.Virus] JS/illWill

I've seen several JS/IllWill messages in the past 20 minutes on our system.

Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus (2001) and I can't remember another one in the past. But now I can see them coming from all different IP addresses. Mailfrom looks like real existing addresses but are definitively forged.

Markus
RE: [Declude.Virus] JS/illWill
Interesting in that the virus listed spreads by visiting a website. What is it you are catching?

In the last hour or so I have been getting a lot of banned zip-exe files where the D file is only about 10kb. I sent one to virustrap for diagnosis.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, August 09, 2004 9:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] JS/illWill

Yep, I've seen a bunch of them this morning, as well. Here, only McAfee and BitDefender are currently catching it. I have reported the virus to ClamAV, F-Prot, and TrendMicro.

Bill
RE: [Declude.Virus] Useful antivirus feed from Symantec
I've been using this Trendmicro feed since 2001: (I think they were the first to have it)

http://www.trendmicro.com/syndication/vinfo/default.asp

They also had a code to install their free online virus scanner on your pages and a World map to track virus activity:

http://www.trendmicro.com/syndication/wtc/

Al Dioni

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Friday, August 06, 2004 09:13 p.m.
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Useful antivirus feed from Symantec

Excellent.. thanks...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Friday, August 06, 2004 10:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Useful antivirus feed from Symantec

McAfee/NAI...

http://securityalerts.mcafee.com/mcalerts/?cid=9921

Darin.

----- Original Message -----
From: Panda Consulting S.A. Luis Alberto Arango [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 06, 2004 9:00 PM
Subject: RE: [Declude.Virus] Useful antivirus feed from Symantec

Sophos

http://www.sophos.com/virusinfo/infofeed/

declude has it on their home page

I couldn't find anything similar at mcafee's site.

regards

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Friday, August 06, 2004 6:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Useful antivirus feed from Symantec

And Sophos, etc., etc.

Darin.

----- Original Message -----
From: Glen Harvy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 06, 2004 7:26 PM
Subject: RE: [Declude.Virus] Useful antivirus feed from Symantec

Hi,

Isn't something similar available from McAfee?

_
Glen Harvy
Aquarius Communications
for all your Internet Needs.
Phone 9977 3788 Fax 9977 3844

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Saturday, 7 August 2004 06:45
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Useful antivirus feed from Symantec

For those of you wanting to have a private or public information of latest and top viruses, removal tools and security advisories from Symantec you can use this page

http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

it gives you proper instructions to add a few lines of code in a web page in order to start using it.

I believe it is a cool feed.

Regards
-Luis Arango

__
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]
RE: [Declude.Virus] JS/illWill
We're seeing it too. McAfee on desktop catching as a "trojan". AVG and F-Prot not catching it yet. Declude not stopping, either.

newprice.zip is the attachment name.
RE: [Declude.Virus] JS/illWill
Declude is indeed stopping it if configured correctly. That is how I am stopping them.

BANZIPEXTS
BANEXT EXE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Grosshandler
Sent: Monday, August 09, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

We're seeing it too. McAfee on desktop catching as a trojan. AVG and F-Prot not catching it yet. Declude not stopping, either.

newprice.zip is the attachment name.
RE: [Declude.Virus] JS/illWill
Problem is, I want to get "good" zipped exe's. Oh well. Until the AV programs start catching it, I've made our e-mail less useful by blocking any zips with exe's in them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, August 09, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

Declude is indeed stopping it if configured correctly. That is how I am stopping them.

BANZIPEXTS
BANEXT EXE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.Virus] strange zip file
We just received a strange zip file with the files as follows:

price/price.exe
price.html

price.html installs the .exe

Our scanners didn't pick up anything strange.. but there is no way I would open it.

I sent it to virustrap, Scott could you take a look.

Regards
Luis Arango
RE: [Declude.Virus] JS/illWill
Here is what I instruct my clients and users:

(SAFETY FIRST) This policy is in place for the security and safety of our clients. If you need help or have questions or comments regarding this policy, please contact us at [EMAIL PROTECTED]

PLEASE NOTE! Due to the increase of virus activity using encrypted password protected zip files, we are forced to permanently ban them. Also, normal zip type files containing one or more banned extensions will be banned.

If you need the banned zip file, you will need to follow one of the following options:

1. Compress (zip) the file using WinZip or other such program. You must then rename the resulting file's extension to something else like .moc.

2. Change the extension. You could do this by right-clicking on the file, and rename. A suggestion would be to rename only the extension to something else, like .moc, then in the body of the message, instruct the recipient on what to change the extension to.

3. Reply to this message and we will review and requeue the message for delivery. (This is only available to local users. (Example, if you are sending a banned attachment to a user at mail.eservicesforyou.net, that user would have to request the review and release of the message.)) NOTE: This may take a few hours to occur.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Grosshandler
Sent: Monday, August 09, 2004 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

Problem is, I want to get good zipped exe's. Oh well. Until the AV programs start catching it, I've made our e-mail less useful by blocking any zips with exe's in them.
Re: [Declude.Virus] strange zip file
> We just received a strange zip file with the files as follows
> price/price.exe
> price.html

This is a new virus; apparently, no AV companies are detecting it yet.

You can use "BANNAME price.exe" and similar lines to block it (or "BANEXT EXE" and "BANZIPEXTS ON" with Declude Virus Pro).

-Scott
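The attachment checks discussed in this thread (banned extensions inside zip files, a banned member name such as price.exe, and the ban on encrypted zips in the client policy quoted earlier) can be illustrated with a short Python sketch. This is an added example, not part of any list message and not Declude's implementation; the extension list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy values for this example (not Declude defaults).
BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
BANNED_NAMES = {"price.exe"}   # same idea as a "BANNAME price.exe" line
ENCRYPTED_FLAG = 0x1           # bit 0 of the ZIP general-purpose flags


def inspect_zip(data, banned_exts=BANNED_EXTS, banned_names=BANNED_NAMES):
    """Return (member, reason) findings read from the archive directory.

    Nothing is extracted or executed; only the member list is parsed.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Fail closed: an attachment that cannot be parsed cannot be
        # checked, so it is reported instead of being passed through.
        return [("<archive>", "unreadable archive")]

    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Compare on the final path component, case-insensitively.
            # Backslashes are normalised and trailing dots/spaces dropped,
            # because Windows ignores them when the file is written out.
            path = info.filename.replace("\\", "/")
            base = PurePosixPath(path).name.lower().rstrip(". ")
            ext = PurePosixPath(base).suffix
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append((info.filename, "encrypted member"))
            if base in banned_names:
                findings.append((info.filename, "banned name"))
            if ext in banned_exts:
                findings.append((info.filename, "banned extension " + ext))
    return findings


def should_block(data):
    """True when the archive has at least one finding."""
    return bool(inspect_zip(data))


def build_sample_zip(members):
    """Build an in-memory zip from {member name: payload bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample with the member layout reported in the thread;
    # the payloads are harmless placeholder bytes.
    sample = build_sample_zip({
        "price/price.exe": b"constructed placeholder, not a real binary",
        "price.html": b"<html><body>constructed placeholder</body></html>",
    })
    for member, reason in inspect_zip(sample):
        print(member, "->", reason)
    print("block:", should_block(sample))
```

The check reads only the zip central directory, so it does not look inside nested archives and it trusts the member names the archive declares.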
[Declude.Virus] New Virus!??!
I have received two suspicious emails this morning with the attachment of newprice.zip. Obviously neither AVG on my desktop nor FProt on the server have flagged it as a virus. But since I know neither of the senders it looks like a virus. Anyone know anything about it?

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com
RE: [Declude.Virus] Useful antivirus feed from Symantec
Thanks a lot.. useful

Luis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Alvaro Dioni
Sent: Monday, August 09, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Useful antivirus feed from Symantec

I've been using this Trendmicro feed since 2001: (I think they were the first to have it)

http://www.trendmicro.com/syndication/vinfo/default.asp

They also had a code to install their free online virus scanner on your pages and a World map to track virus activity:

http://www.trendmicro.com/syndication/wtc/

Al Dioni
RE: [Declude.Virus] strange zip file
F-Prot just updated, catches it as HTML/[EMAIL PROTECTED], ClamAV as Trojan.JS.RunMe.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Monday, August 09, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows:

price/price.exe
price.html

price.html installs the .exe

Our scanners didn't pick up anything strange.. but there is no way I would open it.

I sent it to virustrap, Scott could you take a look.

Regards
Luis Arango
[Declude.Virus] suggestion for the Virus Manual
Scott:

Just a suggestion for Declude Virus Manual and sample virus config file.

Could you add a section that explains how the following work:

BANZIPEXTS
BANEZIPEXTS

As far as I have seen the only way to learn how it works is by reading the release notes and the list.

New users and old ones will benefit from it.

Luis Arango
Re: [Declude.Virus] JS/illWill
Want to know what less useful really means, try being like us with only Declude AV Standard. We can't ban certain extensions in zip files. Plus we can only use one scanner with Standard so we constantly get bit having to wait until the AV companies update their signatures.

John Olden - Systems Administrator
Champaign Park District
RE: [Declude.Virus] suggestion for the Virus Manual
They usually update the manual when a released version is out and that has not happened in a long time. I am guessing they are working on a better manual and releasing something before too long.

Grant

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Monday, August 09, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] suggestion for the Virus Manual

Scott:

Just a suggestion for Declude Virus Manual and sample virus config file.

Could you add a section that explains how the following work:

BANZIPEXTS
BANEZIPEXTS

As far as I have seen the only way to learn how it works is by reading the release notes and the list.

New users and old ones will benefit from it.

Luis Arango
RE: [Declude.Virus] strange zip file
Thanks I just did..

Luis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

> We just received a strange zip file with the files as follows
> price/price.exe
> price.html

This is a new virus; apparently, no AV companies are detecting it yet.

You can use "BANNAME price.exe" and similar lines to block it (or "BANEXT EXE" and "BANZIPEXTS ON" with Declude Virus Pro).

-Scott
RE: [Declude.Virus] suggestion for the Virus Manual
I also suggest to dedicate some lines to the BANNAME option as well.

Luis Arango
RE: [Declude.Virus] strange zip file
Have also received price.zip and price_08.zip. I've ended up blocking all zip files until defs are updated (not running Declude Pro).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows
price/price.exe
price.html

This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).

-Scott
RE: [Declude.Virus] strange zip file
FYI: Getting over 200 in the past 30 minutes

Different file names

new__price.zip
new_price.zip
price_new.zip
price__new.zip
price.zip
newprice.zip
08_price.zip
price_08.zip
price2.zip

Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Monday, August 09, 2004 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] strange zip file

Thanks I just did..

Luis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows
price/price.exe
price.html

This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).

-Scott
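As an added illustration (not Declude's code and not posted by anyone in this thread): a Python sketch of the policy being discussed, which decides on the members inside a zip rather than on the outer attachment name that keeps changing. The ban lists, the function names and the in-memory sample archive are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed ban lists for the example; the thread itself names only price.exe and EXE.
BANNED_NAMES = {"price.exe"}
BANNED_EXTS = {"exe", "scr", "pif", "com"}
MAX_NESTED_BYTES = 5 * 1024 * 1024  # do not unpack nested archives larger than this


def build_zip(members):
    """Build an in-memory zip from {path: bytes}. Used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


def classify(path):
    """Return the ban reason for one file path, or None if it is allowed."""
    # Compare on the last path component, lower-cased, without the trailing
    # dots/spaces that Windows drops when the file is written to disk.
    base = PurePosixPath(path.replace("\\", "/")).name.lower().rstrip(". ")
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    if base in BANNED_NAMES:
        return "banned name"
    if ext in BANNED_EXTS:
        return "banned extension"
    return None


def inspect_zip(data, depth=2):
    """List (member_path, reason) for every banned member of a zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A ".zip" that cannot be parsed cannot be cleared either.
        return [("<archive>", "unreadable archive")]
    hits = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify(info.filename)
            if reason:
                hits.append((info.filename, reason))
            elif info.filename.lower().endswith(".zip"):
                # Nested archive: recurse unless too deep, encrypted or too large.
                if depth == 0 or info.flag_bits & 0x1 or info.file_size > MAX_NESTED_BYTES:
                    hits.append((info.filename, "nested archive not inspected"))
                    continue
                for inner_path, inner_reason in inspect_zip(zf.read(info), depth - 1):
                    hits.append((info.filename + "!" + inner_path, inner_reason))
    return hits


def should_block(attachment_name, data):
    """Decide on content, not on the outer attachment name."""
    if attachment_name.lower().endswith(".zip"):
        return bool(inspect_zip(data))
    return classify(attachment_name) is not None


# Constructed sample: same member layout as the archive described in the thread,
# with harmless placeholder bytes instead of any real payload.
SAMPLE = build_zip({"price/price.exe": b"placeholder", "price.html": b"<html></html>"})
# Outer attachment names reported in the thread.
REPORTED_NAMES = ["new__price.zip", "new_price.zip", "price_new.zip", "price__new.zip",
                  "price.zip", "newprice.zip", "08_price.zip", "price_08.zip", "price2.zip"]

if __name__ == "__main__":
    print(inspect_zip(SAMPLE))
    print(all(should_block(n, SAMPLE) for n in REPORTED_NAMES))
```

A list of outer names only covers the variants already seen; the member check gives the same verdict for all nine names above and for any later rename of the same archive.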
RE: [Declude.Virus] JS/illWill
I too run standard, and it's true that I think banned extensions within zips would be a very nice feature. But since it's like this, I live with it. What you should do is keep checking these lists for things such as this new virus. When you see someone say they found a suspicious file, ask them what the filename is and ban the file. If it looks like multiple filenames with a zip ending, then ban all zip files. This is what I'm currently doing. Until I know for certain that the defs have been updated for F-Prot, then I'll turn off the zip banning (F-Prot just downloaded/installed an update).

If clients complain, explain that it's just your security protocols. Ask them if they'd rather have an hour of heartache compared to possible days of heartache or no computer at all (then tell them to switch to Linux; hahaha). They tend to like the earlier than the later.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Olden
Sent: Monday, August 09, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] JS/illWill

Want to know what less useful really means, try being like us with only Declude AV Standard. We can't ban certain extensions in zip files. Plus we can only use one scanner with Standard so we constantly get bit having to wait until the AV companies update their signatures.

John Olden - Systems Administrator
Champaign Park District

----- Original Message -----
From: Robert Grosshandler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 1:02 PM
Subject: RE: [Declude.Virus] JS/illWill

Problem is, I want to get good zipped exe's. Oh well. Until the AV programs start catching it, I've made our e-mail less useful by blocking any zips with exe's in them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, August 09, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

Declude is indeed stopping it if configured correctly. That is how I am stopping them.

BANZIPEXTS
BANEXT EXE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Monday, August 09, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

We're seeing it too. McAfee on desktop catching as a trojan. AVG and F-Prot not catching it yet. Declude not stopping, either. newprice.zip is the attachment name.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Monday, August 09, 2004 11:23 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] JS/illWill

I've seen several JS/IllWill messages in the past 20 minutes on our system. Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus (2001) and I can't remember another one in the past. But now I can see them coming from all different IP-Addresses. Mailfrom looks like real existing addresses but are definitively forged.

Markus
[Declude.Virus] Variable to skip banned extension
Is there a way to skip bannotify.eml for some attachments, such as skipping for the file names of the new virus?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.Virus] strange zip file
Hi:

As far as I can tell, it's been discovered by McAfee for a few hours (as usually is the case, when I see these exchanges on this list)!

08/09/2004 13:30:51 Qb4c66687008ebd6f Scanner 1: Virus= the W32/Bagle.aq!zip Attachment=price2.zip [17] O
08/09/2004 13:30:51 Qb4c66687008ebd6f Test3.3f3b3684.1.zip.5932.4.predef.declude.com the W32/Bagle.aq!zip price2.zip
08/09/2004 13:30:51 Qb4c66687008ebd6f File(s) are INFECTED [ the W32/Bagle.aq!zip: 13]
08/09/2004 13:30:51 Qb4c66687008ebd6f Scanned: CONTAINS A VIRUS [MIME: 2 6058]
08/09/2004 13:30:51 Qb4c66687008ebd6f From: [Forged] To: [EMAIL PROTECTED] [outgoing from 65.118.130.2]

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze
Sent: Monday, August 09, 2004 02:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] strange zip file

Have also received price.zip and price_08.zip. I've ended up blocking all zip files until defs are updated (not running Declude Pro).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows
price/price.exe
price.html

This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).

-Scott
Re: [Declude.Virus] strange zip file
It appears as though frisk is calling it Virus Name: : HTML/[EMAIL PROTECTED]

On Monday, August 9, 2004 1:16 PM, Andy Schmidt [EMAIL PROTECTED] wrote:

Hi:

As far as I can tell, it's been discovered by McAfee for a few hours (as usually is the case, when I see these exchanges on this list)!

08/09/2004 13:30:51 Qb4c66687008ebd6f Scanner 1: Virus= the W32/Bagle.aq!zip Attachment=price2.zip [17] O
08/09/2004 13:30:51 Qb4c66687008ebd6f Test3.3f3b3684.1.zip.5932.4.predef.declude.com the W32/Bagle.aq!zip price2.zip
08/09/2004 13:30:51 Qb4c66687008ebd6f File(s) are INFECTED [ the W32/Bagle.aq!zip: 13]
08/09/2004 13:30:51 Qb4c66687008ebd6f Scanned: CONTAINS A VIRUS [MIME: 2 6058]
08/09/2004 13:30:51 Qb4c66687008ebd6f From: [Forged] To: [EMAIL PROTECTED] [outgoing from 65.118.130.2]

Best Regards
Andy Schmidt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze
Sent: Monday, August 09, 2004 02:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] strange zip file

Have also received price.zip and price_08.zip. I've ended up blocking all zip files until defs are updated (not running Declude Pro).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows
price/price.exe
price.html

This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).

-Scott
Re: [Declude.Virus] Variable to skip banned extension
John,

How about:

SKIPIFVIRUSNAMEHAS Klez

(from example in manual)

David Franco-Rocha
Declude Technical Support

----- Original Message -----
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:12 PM
Subject: [Declude.Virus] Variable to skip banned extension

Is there a way to skip bannotify.eml for some attachments, such as skipping for the file names of the new virus?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] Variable to skip banned extension
I believe John was asking about attachments, not viruses, which is a very good question...and something that I don't believe is available. I would certainly like to do it as well. That way we can avoid notifying users on banned files that are for known viruses where virus definitions have not yet been updated.

Darin.

----- Original Message -----
From: David Franco-Rocha [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:37 PM
Subject: Re: [Declude.Virus] Variable to skip banned extension

John,

How about:

SKIPIFVIRUSNAMEHAS Klez

(from example in manual)

David Franco-Rocha
Declude Technical Support

----- Original Message -----
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:12 PM
Subject: [Declude.Virus] Variable to skip banned extension

Is there a way to skip bannotify.eml for some attachments, such as skipping for the file names of the new virus?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.Virus] strange zip file
Apparently it's another variant of the ubiquitous Bagle worm.

http://www.eweek.com/article2/0,1759,1633739,00.asp

-M

----- Original Message -----
From: Bob McGregor
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:18 PM
Subject: Re: [Declude.Virus] strange zip file

It appears as though frisk is calling it Virus Name: : HTML/[EMAIL PROTECTED]

On Monday, August 9, 2004 1:16 PM, Andy Schmidt [EMAIL PROTECTED] wrote:

Hi:

As far as I can tell, it's been discovered by McAfee for a few hours (as usually is the case, when I see these exchanges on this list)!

08/09/2004 13:30:51 Qb4c66687008ebd6f Scanner 1: Virus= the W32/Bagle.aq!zip Attachment=price2.zip [17] O
08/09/2004 13:30:51 Qb4c66687008ebd6f Test3.3f3b3684.1.zip.5932.4.predef.declude.com the W32/Bagle.aq!zip price2.zip
08/09/2004 13:30:51 Qb4c66687008ebd6f File(s) are INFECTED [ the W32/Bagle.aq!zip: 13]
08/09/2004 13:30:51 Qb4c66687008ebd6f Scanned: CONTAINS A VIRUS [MIME: 2 6058]
08/09/2004 13:30:51 Qb4c66687008ebd6f From: [Forged] To: [EMAIL PROTECTED] [outgoing from 65.118.130.2]

Best Regards
Andy Schmidt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze
Sent: Monday, August 09, 2004 02:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] strange zip file

Have also received price.zip and price_08.zip. I've ended up blocking all zip files until defs are updated (not running Declude Pro).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, August 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] strange zip file

We just received a strange zip file with the files as follows
price/price.exe
price.html

This is a new virus; apparently, no AV companies are detecting it yet. You can use BANNAME price.exe and similar lines to block it (or BANEXT EXE and BANZIPEXTS ON with Declude Virus Pro).

-Scott
RE: [Declude.Virus] JS/illWill
For us, less useful means the inability to receive .exe's as zipped attachments, which is how people are used to sending them. John T. posted a nice set of instructions on how to get around that, but it requires that your sender know that he / she has to go through a couple of extra steps in order to get the zipped .exe to us. So, harder = less useful.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Olden
Sent: Monday, August 09, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] JS/illWill

Want to know what less useful really means, try being like us with only Declude AV Standard. We can't ban certain extensions in zip files. Plus we can only use one scanner with Standard so we constantly get bit having to wait until the AV companies update their signatures.

John Olden - Systems Administrator
Champaign Park District

----- Original Message -----
From: Robert Grosshandler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 1:02 PM
Subject: RE: [Declude.Virus] JS/illWill

Problem is, I want to get good zipped exe's. Oh well. Until the AV programs start catching it, I've made our e-mail less useful by blocking any zips with exe's in them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, August 09, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

Declude is indeed stopping it if configured correctly. That is how I am stopping them.

BANZIPEXTS
BANEXT EXE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Monday, August 09, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] JS/illWill

We're seeing it too. McAfee on desktop catching as a trojan. AVG and F-Prot not catching it yet. Declude not stopping, either. newprice.zip is the attachment name.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Monday, August 09, 2004 11:23 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] JS/illWill

I've seen several JS/IllWill messages in the past 20 minutes on our system. Looking at http://vil.nai.com/vil/content/v_99242.htm it's an old virus (2001) and I can't remember another one in the past. But now I can see them coming from all different IP-Addresses. Mailfrom looks like real existing addresses but are definitively forged.

Markus
RE: [Declude.Virus] Variable to skip banned extension
Not sure if that will work for the banned attached file name, that is why I am asking.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Monday, August 09, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Variable to skip banned extension

John,

How about:

SKIPIFVIRUSNAMEHAS Klez

(from example in manual)

David Franco-Rocha
Declude Technical Support

----- Original Message -----
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:12 PM
Subject: [Declude.Virus] Variable to skip banned extension

Is there a way to skip bannotify.eml for some attachments, such as skipping for the file names of the new virus?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You