RE: [Declude.Virus] Virus Config Update
If you have avgscan.exe use that, otherwise avg.exe

SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC /REPORT=report.txt
VIRUSCODE 4
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
VIRUSCODE 9
REPORT identified

or

SCANFILE C:\Progra~1\Grisoft\AVG7\avgscan.exe /NOMEM /NOSELF /ARC /REPORT=report.txt
VIRUSCODE 4
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
VIRUSCODE 9
REPORT identified

David Barker
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Wednesday, November 23, 2005 10:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Virus Config Update

Wednesday, November 23, 2005, 2:55:34 PM, David Barker <[EMAIL PROTECTED]> wrote:

Snip

DB> The complete SCANFILE config would be something like this:
DB> SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC

Is it avgscan.exe or avg.exe in the above for the 32 bit scanner?

Snip

DB> David B
DB> www.declude.com
DB> ---
DB> This E-mail came from the Declude.Virus mailing list. To
DB> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DB> type "unsubscribe Declude.Virus". The archives can be found
DB> at http://www.mail-archive.com.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] Virus Config Update
Wednesday, November 23, 2005, 2:55:34 PM, David Barker <[EMAIL PROTECTED]> wrote:

Snip

DB> The complete SCANFILE config would be something like this:
DB> SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC

Is it avgscan.exe or avg.exe in the above for the 32 bit scanner?

Snip

DB> David B
DB> www.declude.com

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
Re: [Declude.Virus] New Virus Strain Pounding my systems
The second part of that list has been updated

BANNAME Alice.zip
BANNAME Androw.zip
BANNAME Ann.zip
BANNAME Christian.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Ellen.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Isabell.zip
BANNAME James.zip
BANNAME Josias.zip
BANNAME Judeth.zip
BANNAME Katheryne.zip
BANNAME Margerye.zip
BANNAME Marie.zip
BANNAME Martha.zip
BANNAME Marye.zip
BANNAME Nathaniel.zip
BANNAME Nathanyell.zip

Darin.

- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 3:56 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip

BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip

Darin.

- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Darin,
Would you add these to virus.cfg? Similar to BANEXT?

Thanks,
Dan

- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

> For those of us poor saps who don't have Pro, here's a compiled list from a
> couple of sources of zip filenames to ban.
>
> Due to the variation in filenames, it would be useful to have BANNAME allow
> some minimal pattern matching. That would have made this list a bit shorter.
>
> # Added 11/21/2005 to handle new Sober.X/Z variants
> BANNAME downloadm.zip
> BANNAME Ebay.zip
> BANNAME Ebay-User_RegC.zip
> BANNAME Email.zip
> BANNAME Email_text.zip
> BANNAME injection.zip
> BANNAME mail.zip
> BANNAME mailtext.zip
> BANNAME reg_pass.zip
> BANNAME reg_pass-data.zip
>
> BANNAME Service.zip
> BANNAME Webmaster.zip
> BANNAME Postman.zip
> BANNAME Info.zip
> BANNAME Hostmaster.zip
> BANNAME Postmaster.zip
> BANNAME Admin.zip
>
> BANNAME Service-TextInfo.zip
> BANNAME Webmaster-TextInfo.zip
> BANNAME Postman-TextInfo.zip
> BANNAME Info-TextInfo.zip
> BANNAME Hostmaster-TextInfo.zip
> BANNAME Postmaster-TextInfo.zip
> BANNAME Admin-TextInfo.zip
>
> BANNAME Downloads.zip
> BANNAME BKA.zip
> BANNAME Internet.zip
> BANNAME Post.zip
> BANNAME Anzeige.zip
> BANNAME BKA.Bund.zip
>
> BANNAME AkteDownloads.zip
> BANNAME AkteBKA.zip
> BANNAME AkteInternet.zip
> BANNAME AktePost.zip
> BANNAME AkteAnzeige.zip
> BANNAME AkteBKA.Bund.zip
>
> BANNAME Kandidat.zip
> BANNAME WWM.zip
> BANNAME Auslosung.zip
> BANNAME Casting.zip
> BANNAME Gewinn.zip
> BANNAME Info.zip
> BANNAME RTL-Admin.zip
> BANNAME RTL.zip
> BANNAME Webmaster.zip
> BANNAME RTL-TV.zip
>
> BANNAME Kandidat_Text.zip
> BANNAME WWM_Text.zip
> BANNAME Auslosung_Text.zip
> BANNAME Casting_Text.zip
> BANNAME Gewinn_Text.zip
> BANNAME Info_Text.zip
> BANNAME RTL-Admin_Text.zip
> BANNAME RTL_Text.zip
> BANNAME Webmaster_Text.zip
> BANNAME RTL-TV_Text.zip
>
> Darin.
>
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
> If you have Pro version you should be always blocking using "BANZIPEXTS ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> On Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 12:12 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> It is coming in with a lot of different zip file names and body names now, I
>> blocked all zip files and submitted samples
>>
>> I am really getting hit hard
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -
>> - Original Message -
>> From: "Matt" <[EMAIL PROTECTED]>
>> To:
>> Sent: Monday, November 21, 2005 2:51 PM
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
Re: [Declude.Virus] OT: Virus Backscatter
Sorry... didn't realize that's what you were asking...

Darin.

- Original Message -
From: "marc catuogno" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 11:27 AM
Subject: Re: [Declude.Virus] OT: Virus Backscatter

Actually I was talking about the notices from other postmasters - I have almost no bounce messages, I don't notify on banned files and so on for just that very reason.

-- Original Message --
From: "Darin Cox" <[EMAIL PROTECTED]>
Reply-To: Declude.Virus@declude.com
Date: Wed, 23 Nov 2005 10:02:38 -0500

>We went with AVAFTERJM ON to minimize this. That way most get held as spam
>instead of being detected by Virus as a banned files, and don't generate
>banned file notifications. Others may have better ways to handle filtering
>these out, but that worked well for us.
>
>Darin.
>
>- Original Message -
>From: "Marc Catuogno" <[EMAIL PROTECTED]>
>To:
>Sent: Wednesday, November 23, 2005 9:12 AM
>Subject: [Declude.Virus] OT: Virus Backscatter
>
>The latest outbreak has caused me a great deal of backscatter. You sent a
>banned file, virus in an attachment sent by you, undeliverables and so. I
>am very hesitant to try to create rules in JM to stop all notices like this
>because some of them are necessary. I've pretty much told the users to
>ignore them unless it looks like something they may have sent, but some
>people are getting really flooded.
>What is everyone else doing?
>
>---
>[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.Virus] New Virus Strain Pounding my systems
Yep. I've added several more today, but haven't had time to research all of the Bagle, MyTob, and Sober variants to see if this is an exhaustive list of attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip

BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip

Darin.

- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

Darin,
Would you add these to virus.cfg? Similar to BANEXT?

Thanks,
Dan

- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

> For those of us poor saps who don't have Pro, here's a compiled list from a
> couple of sources of zip filenames to ban.
>
> Due to the variation in filenames, it would be useful to have BANNAME allow
> some minimal pattern matching. That would have made this list a bit shorter.
>
> # Added 11/21/2005 to handle new Sober.X/Z variants
> BANNAME downloadm.zip
> BANNAME Ebay.zip
> BANNAME Ebay-User_RegC.zip
> BANNAME Email.zip
> BANNAME Email_text.zip
> BANNAME injection.zip
> BANNAME mail.zip
> BANNAME mailtext.zip
> BANNAME reg_pass.zip
> BANNAME reg_pass-data.zip
>
> BANNAME Service.zip
> BANNAME Webmaster.zip
> BANNAME Postman.zip
> BANNAME Info.zip
> BANNAME Hostmaster.zip
> BANNAME Postmaster.zip
> BANNAME Admin.zip
>
> BANNAME Service-TextInfo.zip
> BANNAME Webmaster-TextInfo.zip
> BANNAME Postman-TextInfo.zip
> BANNAME Info-TextInfo.zip
> BANNAME Hostmaster-TextInfo.zip
> BANNAME Postmaster-TextInfo.zip
> BANNAME Admin-TextInfo.zip
>
> BANNAME Downloads.zip
> BANNAME BKA.zip
> BANNAME Internet.zip
> BANNAME Post.zip
> BANNAME Anzeige.zip
> BANNAME BKA.Bund.zip
>
> BANNAME AkteDownloads.zip
> BANNAME AkteBKA.zip
> BANNAME AkteInternet.zip
> BANNAME AktePost.zip
> BANNAME AkteAnzeige.zip
> BANNAME AkteBKA.Bund.zip
>
> BANNAME Kandidat.zip
> BANNAME WWM.zip
> BANNAME Auslosung.zip
> BANNAME Casting.zip
> BANNAME Gewinn.zip
> BANNAME Info.zip
> BANNAME RTL-Admin.zip
> BANNAME RTL.zip
> BANNAME Webmaster.zip
> BANNAME RTL-TV.zip
>
> BANNAME Kandidat_Text.zip
> BANNAME WWM_Text.zip
> BANNAME Auslosung_Text.zip
> BANNAME Casting_Text.zip
> BANNAME Gewinn_Text.zip
> BANNAME Info_Text.zip
> BANNAME RTL-Admin_Text.zip
> BANNAME RTL_Text.zip
> BANNAME Webmaster_Text.zip
> BANNAME RTL-TV_Text.zip
>
> Darin.
>
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
> If you have Pro version you should be always blocking using "BANZIPEXTS ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> On Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 12:12 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> It is coming in with a lot of different zip file names and body names now, I
>> blocked all zip files and submitted samples
>>
>> I am really getting hit hard
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -
>> - Original Message -
>> From: "Matt" <[EMAIL PROTECTED]>
>> To:
>> Sent: Monday, November 21, 2005 2:51 PM
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> > McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
>> > missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
>> > McAfee seems to have had this one tagged prior to the outbreak starting
>> > since none have slipped through yet.
>> >
>> > Matt
>> >
>> > Rick Davidson wrote:
>> >
>> >> heads up folks, I am stopping a new zip virus with the following junkmail
>> >> rules, this is all I have seen so far. Contains an executable payload
>> >> called File-packed_dataInfo.exe
>> >>
>> >> Rick Davidson
>> >> National Systems Manager
>> >> North American Title Group
>> >> 440-639-060
[Declude.Virus] Virus Config Update
1. I have noticed that a new virus exit code is being reported on AVG

Exit Code 9 - Double extension

If you are running AVG and want to block double extensions eg. Password.doc .exe

Add the following line to your virus.cfg

VIRUSCODE 9

Other additional codes are:

4 - suspicion detected by heuristic analysis
5 - virus found by heuristic analysis
6 - specific virus detected
7 - active virus in memory detected

The complete SCANFILE config would be something like this:

SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC /REPORT=report.txt
VIRUSCODE 4
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
VIRUSCODE 9
REPORT identified

2. If you are running F-PROT ensure that you do NOT have a switch in your SCANFILE

/NOFLOPPY

This has been reported as not supported in the latest versions of F-Prot and causes viruses to get through

David B
www.declude.com
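The two checks from the post above, written as a small lint over virus.cfg text. This is an added example, not Declude's code: it assumes one directive per line as in the thread's snippets and that only exit codes listed as VIRUSCODE count as detections; the scanner path in the third sample is a placeholder.

```python
import re

# Exit codes the post lists for AVG 7.
AVG_VIRUS_CODES = {4, 5, 6, 7, 9}

# Constructed sample: the post's AVG config as it would look without VIRUSCODE 9.
CFG_BEFORE = r"""
SCANFILE C:\Progra~1\Grisoft\AVG7\avg.exe /NOBOOT /NOMEM /NOSELF /ARC /REPORT=report.txt
VIRUSCODE 4
VIRUSCODE 5
VIRUSCODE 6
VIRUSCODE 7
REPORT identified
"""

# The complete config from the post.
CFG_AFTER = CFG_BEFORE.replace("VIRUSCODE 7\n", "VIRUSCODE 7\nVIRUSCODE 9\n")

# Constructed sample: placeholder scanner path and code, with the switch the post warns about.
CFG_NOFLOPPY = r"""
SCANFILE C:\path\to\scanner.exe /NOFLOPPY /REPORT=report.txt
VIRUSCODE 3
"""


def parse_virus_cfg(text):
    """Return (scanfile_command, set_of_viruscodes) from config text.

    Assumed layout: keyword first, value after whitespace, '#' for comments.
    """
    scanfile, codes = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SCANFILE":
            scanfile = value
        elif key == "VIRUSCODE" and value.isdigit():
            codes.add(int(value))
    return scanfile, codes


def treated_as_virus(exit_code, text):
    """True if the scanner exit code is registered as a detection (assumed semantics)."""
    return exit_code in parse_virus_cfg(text)[1]


def lint_virus_cfg(text):
    """Return a list of findings for the two issues raised in the post."""
    scanfile, codes = parse_virus_cfg(text)
    if scanfile is None:
        return ["no SCANFILE line found"]
    findings = []
    # AVG command line (avg.exe or avgscan.exe): every listed code should be registered.
    if re.search(r"\\avg(scan)?\.exe(\s|$)", scanfile, re.IGNORECASE):
        missing = sorted(AVG_VIRUS_CODES - codes)
        if missing:
            findings.append("AVG exit codes not registered as VIRUSCODE: %s" % missing)
    # The check does not try to identify the scanner; it flags the switch wherever it appears.
    if "/NOFLOPPY" in scanfile.upper().split():
        findings.append("/NOFLOPPY in SCANFILE: reported as unsupported by recent F-Prot")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CFG_BEFORE), ("after", CFG_AFTER), ("noflopppy", CFG_NOFLOPPY)):
        print(name, lint_virus_cfg(cfg))
```

With the "before" sample, a double-extension result (exit code 9) is not counted as a detection, which is the gap the added VIRUSCODE line closes.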
Re: [Declude.Virus] Declude virus notification
So the implication is that Declude knows about this and it will be fixed in the next release, whenever that may be.

 Original Message
> From: "Bill Landry" <[EMAIL PROTECTED]>
> Sent: Tuesday, November 22, 2005 5:36 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Declude virus notification
>
> We had the same problem, at least with v3.0.5.20, which was not sending
> notification for all virus caught. We are running a patched version of
> v3.0.5.20 now (v3.0.5.20.DF3) and that has resolved the issue. Don't know
> when Declude plans to make its next release, but you might request the
> pre-release if you need to have the notifications.
>
> Bill
> - Original Message -
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, November 22, 2005 2:14 PM
> Subject: [Declude.Virus] Declude virus notification
>
> I've been running with 3.x for over a month, but I just now realized that
> since I upgraded I am no longer receiving the "Declude Virus caught a virus"
> messages. Declude is catching viruses, I'm just not receiving email
> notification. I don't believe I changed anything in the virus.cfg file that
> would account for this. What other possible causes could there be?
>
> Gary
Re: [Declude.Virus] New Virus Strain Pounding my systems
Darin,
Would you add these to virus.cfg? Similar to BANEXT?

Thanks,
Dan

- Original Message -
From: "Darin Cox" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

For those of us poor saps who don't have Pro, here's a compiled list from a couple of sources of zip filenames to ban.

Due to the variation in filenames, it would be useful to have BANNAME allow some minimal pattern matching. That would have made this list a bit shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip

BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip

BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip

BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip

BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip

BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip

BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip

Darin.

- Original Message -
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems

If you have Pro version you should be always blocking using "BANZIPEXTS ON" and "BANEZIPEXTS ON".

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I blocked all zip files and submitted samples

I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

> McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
> missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> McAfee seems to have had this one tagged prior to the outbreak starting
> since none have slipped through yet.
>
> Matt
>
> Rick Davidson wrote:
>
>> heads up folks, I am stopping a new zip virus with the following junkmail
>> rules, this is all I have seen so far. Contains an executable payload
>> called File-packed_dataInfo.exe
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -

---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
[Declude.Virus] New Bagle variant Update
There seems to be another Variant with the same description as in my message before but the exe in the zip-file is named 12.exe

This is not detected by F-Prot and Mcafee.

Virustotal says:

Antivirus      Version         Update      Result
AntiVir        6.32.0.6        11.23.2005  TR/Bagle.EC
Avast          4.6.695.0       11.23.2005  Win32:Beagle-FR
AVG            718             11.23.2005  I-Worm/Bagle
Avira          6.32.0.6        11.23.2005  TR/Bagle.EC
BitDefender    7.2             11.23.2005  Trojan.Bagle.BK
CAT-QuickHeal  8.00            11.23.2005  (Suspicious) - DNAScan
ClamAV         devel-20051108  11.23.2005  no virus found
DrWeb          4.33            11.23.2005  no virus found
eTrust-Iris    7.1.194.0       11.23.2005  no virus found
eTrust-Vet     11.9.1.0        11.23.2005  no virus found
Fortinet       2.48.0.0        11.23.2005  suspicious
F-Prot         3.16c           11.23.2005  no virus found
Ikarus         0.2.59.0        11.23.2005  no virus found
Kaspersky      4.0.2.24        11.23.2005  no virus found
McAfee         4634            11.22.2005  no virus found
NOD32v2        1.1300          11.23.2005  probably unknown NewHeur_PE virus
Norman         5.70.10         11.23.2005  no virus found
Panda          8.02.00         11.23.2005  no virus found
Sophos         3.99.0          11.23.2005  no virus found
Symantec       8.0             11.22.2005  no virus found
TheHacker      5.9.1.043       11.23.2005  no virus found
VBA32          3.10.5          11.23.2005  suspected of Email-Worm.Bagle.22

For all who can't simply block exe inside zips as suggested by John, it's maybe a good idea to temporarily add

BANEXT EXE

and

BANEZIPS ON

to your config and try to update virus signatures.

Markus
[Declude.Virus] New Bagle variant
In the last 2 hours I can see something new.
F-Prot is catching it with result code 8 as unknown virus

Looking at the first examples:

Subject: a random name like Alice, Emanuel, Martha, Cybil, Ester,
Body: empty html
Attachment: ZIP-file with another random name like them in the subject line
Inside the ZIP is an exe-file 1.exe
The entire message has around 10 kByte

Virustotal result says

This is a report processed by VirusTotal on 11/23/2005 at 18:40:34 (CET) after scanning the file "Emanuel.zip" file.

Antivirus      Version         Update      Result
AntiVir        6.32.0.6        11.23.2005  TR/Bagle.EC
Avast          4.6.695.0       11.23.2005  Win32:Beagle-FR
AVG            718             11.23.2005  I-Worm/Bagle
Avira          6.32.0.6        11.23.2005  TR/Bagle.EC
BitDefender    7.2             11.23.2005  Trojan.Downloader.Bagle.F
CAT-QuickHeal  8.00            11.23.2005  (Suspicious) - DNAScan
ClamAV         devel-20051108  11.23.2005  Worm.Bagle.Gen-9
DrWeb          4.33            11.23.2005  Win32.HLLM.Beagle.9219
eTrust-Iris    7.1.194.0       11.23.2005  no virus found
eTrust-Vet     11.9.1.0        11.23.2005  no virus found
Fortinet       2.48.0.0        11.23.2005  suspicious
F-Prot         3.16c           11.23.2005  security risk named W32/Mitglieder.GH
Ikarus         0.2.59.0        11.23.2005  no virus found
Kaspersky      4.0.2.24        11.23.2005  Trojan-Downloader.Win32.Bagle.f
McAfee         4634            11.22.2005  no virus found
NOD32v2        1.1300          11.23.2005  Win32/Bagle.DR
Norman         5.70.10         11.23.2005  W32/[EMAIL PROTECTED]
Panda          8.02.00         11.23.2005  no virus found
Sophos         3.99.0          11.23.2005  no virus found
Symantec       8.0             11.22.2005  no virus found
TheHacker      5.9.1.043       11.23.2005  Trojan/Downloader.Bagle.f
VBA32          3.10.5          11.23.2005  suspected of Email-Worm.Bagle.22
Re: [Declude.Virus] OT: Virus Backscatter
Actually I was talking about the notices from other postmasters - I have almost no bounce messages, I don't notify on banned files and so on for just that very reason.

-- Original Message --
From: "Darin Cox" <[EMAIL PROTECTED]>
Reply-To: Declude.Virus@declude.com
Date: Wed, 23 Nov 2005 10:02:38 -0500

>We went with AVAFTERJM ON to minimize this. That way most get held as spam
>instead of being detected by Virus as a banned files, and don't generate
>banned file notifications. Others may have better ways to handle filtering
>these out, but that worked well for us.
>
>Darin.
>
>- Original Message -
>From: "Marc Catuogno" <[EMAIL PROTECTED]>
>To:
>Sent: Wednesday, November 23, 2005 9:12 AM
>Subject: [Declude.Virus] OT: Virus Backscatter
>
>The latest outbreak has caused me a great deal of backscatter. You sent a
>banned file, virus in an attachment sent by you, undeliverables and so. I
>am very hesitant to try to create rules in JM to stop all notices like this
>because some of them are necessary. I've pretty much told the users to
>ignore them unless it looks like something they may have sent, but some
>people are getting really flooded.
>What is everyone else doing?
RE: [Declude.Virus] Declude virus notification
Gary:

I got to looking and I don't see notices going out (with 3.0.5.20). Testing by sending EICAR to myself, I found if I removed the SKIPIFFORGING line in the recip.eml, the notice would go out -- but wouldn't if it was in place.

I don't think EICAR, being a test "virus", is considered a forging virus. It should have come through anyway.

Anyone else having problems?

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, November 22, 2005 4:14 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Declude virus notification

I've been running with 3.x for over a month, but I just now realized that since I upgraded I am no longer receiving the "Declude Virus caught a virus" messages. Declude is catching viruses, I'm just not receiving email notification. I don't believe I changed anything in the virus.cfg file that would account for this. What other possible causes could there be?

Gary
RE: [Declude.Virus] Blocking PIF Files
They came from the default list in Symantec Anti-Virus Gateway. It just seemed to be a rather complete list (although by default Symantec blocked *.mdb) so I adopted it.

I suppose you could argue that you send out an infected DLL and get the user to drop it somewhere then something else can hook it and then you get hit. Perhaps a bit of a longer shot

Goran Jovanovic
Omega Network Solutions

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Wednesday, November 23, 2005 10:32 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Blocking PIF Files
>
> Well, those are files which of themselves are not executable, rather they
> are files which require something else been do to use them.
>
> I am not sure of the value of blocking those.
>
> John T
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Goran Jovanovic
> > Sent: Wednesday, November 23, 2005 7:15 AM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Blocking PIF Files
> >
> > I also ban some more
> >
> > BANEXT bin
> > BANEXT class
> > BANEXT dll
> > BANEXT jsc
> > BANEXT ocx
> > BANEXT sys
> > BANEXT vxd
> >
> > Goran Jovanovic
> > Omega Network Solutions
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Darin Cox
> > > Sent: Wednesday, November 23, 2005 10:00 AM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] Blocking PIF Files
> > >
> > > Here's a list compiled over the years of extensions we ban. The top two you
> > > will want to consider your userbase before banning, the rest should be fine.
> > > Note that we couple this with a banned file notification to the intended
> > > recipient, which includes a link to requeue the file for delivery if it is
> > > legitimate.
> > >
> > > BANEXT EZIP
> > > BANEXT rar
> > >
> > > BANEXT bas
> > > BANEXT bat
> > > BANEXT ceo
> > > BANEXT chm
> > > BANEXT cmd
> > > BANEXT com
> > > BANEXT cpl
> > > BANEXT exe
> > > BANEXT hta
> > > BANEXT inf
> > > BANEXT ins
> > > BANEXT isp
> > > BANEXT js
> > > BANEXT jse
> > > BANEXT lnk
> > > BANEXT msi
> > > BANEXT msp
> > > BANEXT mst
> > > BANEXT pcd
> > > BANEXT pif
> > > BANEXT reg
> > > BANEXT scr
> > > BANEXT sct
> > > BANEXT shb
> > > BANEXT shs
> > > BANEXT vb
> > > BANEXT vbe
> > > BANEXT vbs
> > >
> > > BANEXT ws
> > > BANEXT wsc
> > > BANEXT wsf
> > > BANEXT wsh
> > >
> > > Darin.
> > >
> > > - Original Message -
> > > From: "Dan Geiser" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Wednesday, November 23, 2005 9:26 AM
> > > Subject: [Declude.Virus] Blocking PIF Files
> > >
> > > Hello, All,
> > > I don't know whether this would be more appropriate for the virus list or
> > > the junkmail list so please point me towards junkmail if appropriate.
> > >
> > > What is the proper technique for blocking messages that have an attachment
> > > that ends in a "pif" extension like "your_letter.pif"?
> > >
> > > We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.
> > >
> > > Thanks In Advance!
> > > Dan Geiser
> > > [EMAIL PROTECTED]
RE: [Declude.Virus] Blocking PIF Files
Well, those are files which of themselves are not executable, rather they are files which require something else to be done to use them.

I am not sure of the value of blocking those.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Wednesday, November 23, 2005 7:15 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Blocking PIF Files
>
> I also ban some more
>
> BANEXT bin
> BANEXT class
> BANEXT dll
> BANEXT jsc
> BANEXT ocx
> BANEXT sys
> BANEXT vxd
>
> Goran Jovanovic
> Omega Network Solutions
Re: [Declude.Virus] Blocking PIF Files
Dan,

sorry, my information was perhaps not correct. BANEXT PIF should run in Standard and Pro version. Darin is more experienced with this and he mailed that the BANZIPEXTS/BANEZIPEXTS only run in the pro version.

Uwe

- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 3:52 PM
Subject: Re: [Declude.Virus] Blocking PIF Files

Thanks, Uwe. Do you know if both of the below techniques work with Declude Virus Standard?

Thanks,
Dan

- Original Message -
From: "Info Wind" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:47 AM
Subject: Re: [Declude.Virus] Blocking PIF Files

virus.cfg:
BANEXT PIF

If you also want to block them in zips and encrypted zip:
BANZIPEXTS ON
BANEZIPEXTS ON

Uwe
RE: [Declude.Virus] Blocking PIF Files
I also ban some more

BANEXT bin
BANEXT class
BANEXT dll
BANEXT jsc
BANEXT ocx
BANEXT sys
BANEXT vxd

Goran Jovanovic
Omega Network Solutions

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Wednesday, November 23, 2005 10:00 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blocking PIF Files
>
> Here's a list compiled over the years of extensions we ban. The top two you
> will want to consider your userbase before banning, the rest should be fine.
> Note that we couple this with a banned file notification to the intended
> recipient, which includes a link to requeue the file for delivery if it is
> legitimate.
>
> BANEXT EZIP
> BANEXT rar
>
> BANEXT bas
> BANEXT bat
> BANEXT ceo
> BANEXT chm
> BANEXT cmd
> BANEXT com
> BANEXT cpl
> BANEXT exe
> BANEXT hta
> BANEXT inf
> BANEXT ins
> BANEXT isp
> BANEXT js
> BANEXT jse
> BANEXT lnk
> BANEXT msi
> BANEXT msp
> BANEXT mst
> BANEXT pcd
> BANEXT pif
> BANEXT reg
> BANEXT scr
> BANEXT sct
> BANEXT shb
> BANEXT shs
> BANEXT vb
> BANEXT vbe
> BANEXT vbs
>
> BANEXT ws
> BANEXT wsc
> BANEXT wsf
> BANEXT wsh
>
> Darin.
Re: [Declude.Virus] OT: Virus Backscatter
We went with AVAFTERJM ON to minimize this. That way most get held as spam instead of being detected by Virus as banned files, and don't generate banned file notifications.

Others may have better ways to handle filtering these out, but that worked well for us.

Darin.

- Original Message -
From: "Marc Catuogno" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:12 AM
Subject: [Declude.Virus] OT: Virus Backscatter

The latest outbreak has caused me a great deal of backscatter. You sent a banned file, virus in an attachment sent by you, undeliverables and so. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?
Re: [Declude.Virus] Blocking PIF Files
Here's a list compiled over the years of extensions we ban. The top two you will want to consider your userbase before banning, the rest should be fine. Note that we couple this with a banned file notification to the intended recipient, which includes a link to requeue the file for delivery if it is legitimate.

BANEXT EZIP
BANEXT rar

BANEXT bas
BANEXT bat
BANEXT ceo
BANEXT chm
BANEXT cmd
BANEXT com
BANEXT cpl
BANEXT exe
BANEXT hta
BANEXT inf
BANEXT ins
BANEXT isp
BANEXT js
BANEXT jse
BANEXT lnk
BANEXT msi
BANEXT msp
BANEXT mst
BANEXT pcd
BANEXT pif
BANEXT reg
BANEXT scr
BANEXT sct
BANEXT shb
BANEXT shs
BANEXT vb
BANEXT vbe
BANEXT vbs

BANEXT ws
BANEXT wsc
BANEXT wsf
BANEXT wsh

Darin.

- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:26 AM
Subject: [Declude.Virus] Blocking PIF Files

Hello, All,
I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate.

What is the proper technique for blocking messages that have an attachment that ends in a "pif" extension like "your_letter.pif"?

We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser
[EMAIL PROTECTED]
Re: [Declude.Virus] Blocking PIF Files
> If you also want to block them in zips and encrypted zip:
> BANZIPEXTS ON
> BANEZIPEXTS ON

Only works in Virus Pro. He said he has Virus Standard.

Darin.

- Original Message -
From: "Info Wind" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:47 AM
Subject: Re: [Declude.Virus] Blocking PIF Files

virus.cfg:
BANEXT PIF

If you also want to block them in zips and encrypted zip:
BANZIPEXTS ON
BANEZIPEXTS ON

Uwe
Re: [Declude.Virus] Blocking PIF Files
Thanks, Uwe. Do you know if both of the below techniques work with Declude Virus Standard?

Thanks,
Dan

- Original Message -
From: "Info Wind" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 9:47 AM
Subject: Re: [Declude.Virus] Blocking PIF Files

virus.cfg:
BANEXT PIF

If you also want to block them in zips and encrypted zip:
BANZIPEXTS ON
BANEZIPEXTS ON

Uwe
Re: [Declude.Virus] Blocking PIF Files
virus.cfg:
BANEXT PIF

If you also want to block them in zips and encrypted zip:
BANZIPEXTS ON
BANEZIPEXTS ON

Uwe

- Original Message -
From: "Dan Geiser" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 3:26 PM
Subject: [Declude.Virus] Blocking PIF Files

Hello, All,
I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate.

What is the proper technique for blocking messages that have an attachment that ends in a "pif" extension like "your_letter.pif"?

We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser
[EMAIL PROTECTED]
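The BANEXT and BANZIPEXTS lines discussed in this thread, applied to a parsed message as an added Python illustration; it is not Declude's code and does not claim to reproduce Declude's matching rules. The function names, the sample config and the sample message are constructed, and treating every BANEXT value as a plain file-name extension is an assumption.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Constructed sample in the virus.cfg syntax quoted in the thread.
SAMPLE_CFG = "BANEXT PIF\nBANEXT scr\nBANEXT exe\nBANZIPEXTS ON\n"

def parse_cfg(text):
    """Return (banned extensions, scan-inside-zips flag) from config text."""
    banned, scan_zip = set(), False
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1]
        if key == "BANEXT":
            banned.add(value.lower().lstrip("."))
        elif key == "BANZIPEXTS":
            scan_zip = value.upper() == "ON"
    return banned, scan_zip

def final_ext(name):
    """Lower-cased text after the last dot of the file name part."""
    # Windows drops trailing dots and spaces on save, so "x.pif." lands as "x.pif".
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def check(cfg_text, msg):
    """Return (attachment name, offending name) pairs for one parsed message."""
    banned, scan_zip = parse_cfg(cfg_text)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if final_ext(name) in banned:
            hits.append((name, name))
            continue
        data = part.get_payload(decode=True) or b""
        # Detect zips by content, not by name, so a renamed archive is opened too.
        if scan_zip and zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                hits.append((name, "<unreadable zip>"))  # example policy: fail closed
                continue
            hits.extend((name, m) for m in members if final_ext(m) in banned)
    return hits

def build_sample():
    """Constructed message: double-extension file, zip, harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/invoice.SCR", "placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="your_letter.txt.pif")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return email.message_from_bytes(msg.as_bytes())

if __name__ == "__main__":
    for attachment, offender in check(SAMPLE_CFG, build_sample()):
        print(f"BANNED {attachment}: {offender}")
```

With the zip switch left out of the config text, only the directly attached .pif is reported, which mirrors the Standard versus Pro difference raised in the thread.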
RE: [Declude.Virus] OT: Virus Backscatter
Not OT, or?

Some months ago there was a similar situation. I've set up a combination of 3 junkmail text filters.

The first to identify such warning messages by looking for strings like found, identified, removed...
The second one looks for items like virus, worm, attach, file ...
The last one looks for virus names like Sober, Netsky, ...

Then there is one additional text filter that looks for certain combinations of the 3 other filters.

The filter files are for my needs here in English, German, Italian and some in Spanish too. If you need them I can send it to you directly or on the junkmail list.

BTW: these days I can't notice such a wide backscatter like some months ago. At the moment I've disabled these filters.

Markus
Re: [Declude.Virus] OT: Virus Backscatter
I use a customized version of Mailpure's antiav filter. I then combo this with a mailfrom-postmaster filter to add points when the bounce comes from a postmaster.

- Original Message -
From: "Marc Catuogno" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 23, 2005 8:12 AM
Subject: [Declude.Virus] OT: Virus Backscatter

The latest outbreak has caused me a great deal of backscatter. You sent a banned file, virus in an attachment sent by you, undeliverables and so. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?
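Markus's three keyword filters and their combination, with the postmaster weighting from the reply above, sketched as an added Python example; it is not the posters' filter files and not Declude JunkMail syntax. The word lists are the English examples from Markus's post, while the weights, the threshold, the combination rules and the sample messages are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The three word lists use only the English examples named in the post.
ACTION = ("found", "identified", "removed")    # filter 1: what was done
OBJECT = ("virus", "worm", "attach", "file")   # filter 2: what it was done to
NAMES = ("sober", "netsky")                    # filter 3: virus names
HOLD_AT = 10  # assumed threshold, not from the thread

def matched(words, text):
    """Words that begin a token in text, so "attach" also matches "attachment"."""
    return [w for w in words if re.search(r"\b" + re.escape(w), text, re.IGNORECASE)]

def score(raw):
    """Score one raw message; weights and combinations are assumptions."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body
    action, obj, name = (matched(w, text) for w in (ACTION, OBJECT, NAMES))
    points = 0
    if action and obj:             # "virus found", "file removed", ...
        points += 5
    if name and (action or obj):   # a named virus next to either of the above
        points += 5
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if points and local_part == "postmaster":  # extra weight only on top of a hit
        points += 3
    return points

def verdict(raw):
    """Hold only when the combined score reaches the assumed threshold."""
    return "hold" if score(raw) >= HOLD_AT else "deliver"

# Constructed sample messages (addresses and wording are made up).
SAMPLES = {
    "av_notice": "From: postmaster@mail.example.net\n"
                 "Subject: Virus found in a message sent by you\n\n"
                 "The file your_letter.pif was identified as Sober and removed.\n",
    "user_mail": "From: alice@example.org\n"
                 "Subject: Re: quarterly report\n\n"
                 "I found the file you asked about, it is attached.\n",
    "newsletter": "From: news@example.org\n"
                  "Subject: Netsky worm still spreading\n\n"
                  "Patch your mail servers this week.\n",
    "real_bounce": "From: postmaster@example.com\n"
                   "Subject: Undeliverable: meeting notes\n\n"
                   "The recipient's mailbox is full.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: score={score(raw)} -> {verdict(raw)}")
```

Only the constructed antivirus notice reaches the threshold; the ordinary user mail and the genuine mailbox-full bounce are delivered, which is the concern Marc raises about notices that are necessary.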
[Declude.Virus] Blocking PIF Files
Hello, All,
I don't know whether this would be more appropriate for the virus list or the junkmail list so please point me towards junkmail if appropriate.

What is the proper technique for blocking messages that have an attachment that ends in a "pif" extension like "your_letter.pif"?

We are currently using Declude 2.0.6 JunkMail Pro and Virus Standard.

Thanks In Advance!
Dan Geiser
[EMAIL PROTECTED]

---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
[Declude.Virus] OT: Virus Backscatter
The latest outbreak has caused me a great deal of backscatter. You sent a banned file, virus in an attachment sent by you, undeliverables and so. I am very hesitant to try to create rules in JM to stop all notices like this because some of them are necessary. I've pretty much told the users to ignore them unless it looks like something they may have sent, but some people are getting really flooded. What is everyone else doing?

---
[This E-mail scanned for viruses by Declude Virus]