RE: [Declude.Virus] Sober.z
Just looking at my server stats for yesterday, there were only two Sobers caught by EVA as viruses. All the rest were caught by Junkmail as spam.

Original Message
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Saturday, January 07, 2006 12:11 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Sober.z
>
> Easy way to check if your Declude JunkMail is catching your viruses.
> Check for the subject lines and see if you held those messages (or
> whatever you do with your spam).
>
> I just sorted out the subject lines for the sober.z only messages, and
> here are the ones I received:
>
> Paris Hilton & Nicole Richie
> You visit illegal websites
> You_visit_illegal_websites
> Your IP was logged
> Your_IP_was_logged
>
> Andrew 8)
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> > Sent: Friday, January 06, 2006 8:53 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] Sober.z
> >
> > I haven't checked today's results with fpcmd 3.16f, but here
> > are yesterday's quick stats with fpcmd 3.16e
> >
> > 8 W32/[EMAIL PROTECTED]
> > 3 W32/[EMAIL PROTECTED]
> > 27 W32/[EMAIL PROTECTED]
> > 1 W32/[EMAIL PROTECTED]
> > 10 W32/[EMAIL PROTECTED]
> > 9 W32/[EMAIL PROTECTED]
> > 81 W32/[EMAIL PROTECTED]
> >
> > So, yes, Sober is detected by at least 3.16f ... and going
> > the extra mile, I've just looked up a few samples from
> > yesterday's log and scanned those manually with fpcmd, and
> > sure enough, 3.16f also detects them and produces the same output.
> >
> > Perhaps you are not seeing Sober hits in Declude virus
> > because you're using the AVAFTERJM setting and your Declude
> > JunkMail is doing a fantastic job of catching them as spam
> > before your Declude Virus would get called.
> >
> > Andrew.
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
> > > Sent: Friday, January 06, 2006 7:53 PM
> > > To: Declude.Virus@declude.com
> > > Subject: Re: [Declude.Virus] Sober.z
> > >
> > > Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought
> > > it was a problem with that version, so I upgraded to the 3.16f which
> > > was released today. Still no Sober viruses caught.
> > >
> > > I'm still wondering if I should go back to 3.16d. Anyone seeing Sober
> > > caught with these last 2 updates of F-Prot??
> > >
> > > ~Joe
> > >
> > > - Original Message -
> > > From: "Bruce Loughlin" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Friday, January 06, 2006 10:03 AM
> > > Subject: [Declude.Virus] Sober.z
> > >
> > > > Has any one else noticed that sober.z just stopped today?
> > > >
> > > > I was getting hundreds a day and now I have 0.
> > > > Wasn't this the day it was to morph?
> > > >
> > > > Bruce L.
> > > > AFM

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
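The subject-line check suggested in the quoted message above, as an added example that is not part of the original thread: it tallies messages carrying the listed Sober.z subjects by which filter stopped them, per day, to separate "the AV never saw them" from "nothing arrived". The tab-separated record layout and the `virus` / `junkmail` / `delivered` labels are constructed for illustration and are not Declude's log format.

```python
from collections import Counter

# Subject lines listed in the thread for Sober.z, folded to one canonical form.
SOBER_SUBJECTS = {
    "paris hilton & nicole richie",
    "you visit illegal websites",
    "your ip was logged",
}

def normalize(subject):
    """Fold underscores, case and extra whitespace so both variants match."""
    return " ".join(subject.replace("_", " ").lower().split())

def tally(records):
    """Count Sober-subject messages per (date, filter that stopped them)."""
    counts = Counter()
    for line in records:
        date, caught_by, subject = line.split("\t", 2)
        if normalize(subject) in SOBER_SUBJECTS:
            counts[(date, caught_by)] += 1
    return counts

def summarize(records):
    """Label each day: AV hits, spam-filter-only hits, or no Sober subjects."""
    counts = tally(records)
    result = {}
    for date in sorted({line.split("\t", 1)[0] for line in records}):
        av = counts[(date, "virus")]
        jm = counts[(date, "junkmail")]
        if av:
            result[date] = "seen by AV"
        elif jm:
            # Matches the AVAFTERJM explanation: spam filter held them first.
            result[date] = "held as spam only"
        else:
            result[date] = "no Sober subjects"
    return result

# Constructed sample records: date <TAB> disposition <TAB> subject.
SAMPLE = [
    "2006-01-05\tvirus\tYour IP was logged",
    "2006-01-05\tjunkmail\tYou_visit_illegal_websites",
    "2006-01-05\tjunkmail\tParis Hilton & Nicole Richie",
    "2006-01-06\tjunkmail\tYour_IP_was_logged",
    "2006-01-06\tjunkmail\tYou visit illegal websites",
    "2006-01-06\tdelivered\tQuarterly report",
    "2006-01-07\tdelivered\tRe: lunch",
]

if __name__ == "__main__":
    for day, verdict in summarize(SAMPLE).items():
        print(day, verdict)
```
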
RE: [Declude.Virus] Sober.z
I see the same results as Bruce. On Jan 5th I had 450 hits of Sober.z. On Jan 6th I had ZERO. I'm using Fprot and have not upgraded recently... Nothing to do with the version. Maybe the calm before the storm?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Friday, January 06, 2006 9:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught.

I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot??

~Joe

- Original Message -
From: "Bruce Loughlin" <[EMAIL PROTECTED]>
To:
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z

> Has any one else noticed that sober.z just stopped today?
>
> I was getting hundreds a day and now I have 0.
> Wasn't this the day it was to morph?
>
> Bruce L.
> AFM
>
> ---
> [This E-mail scanned for viruses at HNB.com]
Re: [Declude.Virus] Sober.z
These subjects pretty much ended on the 5th with only a few hitting on the 6th and none so far today.

Curiously I was still running the b version, but it was detecting these. I'm not sure why I wasn't prompted for a download or notified before yesterday's E-mail from Frisk. Another good reason for using two scanners.

Matt

Colbeck, Andrew wrote:

Easy way to check if your Declude JunkMail is catching your viruses. Check for the subject lines and see if you held those messages (or whatever you do with your spam).

I just sorted out the subject lines for the sober.z only messages, and here are the ones I received:

Paris Hilton & Nicole Richie
You visit illegal websites
You_visit_illegal_websites
Your IP was logged
Your_IP_was_logged

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Friday, January 06, 2006 8:53 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.z

I haven't checked today's results with fpcmd 3.16f, but here are yesterday's quick stats with fpcmd 3.16e

8 W32/[EMAIL PROTECTED]
3 W32/[EMAIL PROTECTED]
27 W32/[EMAIL PROTECTED]
1 W32/[EMAIL PROTECTED]
10 W32/[EMAIL PROTECTED]
9 W32/[EMAIL PROTECTED]
81 W32/[EMAIL PROTECTED]

So, yes, Sober is detected by at least 3.16f ... and going the extra mile, I've just looked up a few samples from yesterday's log and scanned those manually with fpcmd, and sure enough, 3.16f also detects them and produces the same output.

Perhaps you are not seeing Sober hits in Declude virus because you're using the AVAFTERJM setting and your Declude JunkMail is doing a fantastic job of catching them as spam before your Declude Virus would get called.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J Porter
Sent: Friday, January 06, 2006 7:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught.

I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot??

~Joe

- Original Message -
From: "Bruce Loughlin" <[EMAIL PROTECTED]>
To:
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z

Has any one else noticed that sober.z just stopped today?

I was getting hundreds a day and now I have 0.
Wasn't this the day it was to morph?

Bruce L.
AFM
Re: [Declude.Virus] Sober.z
I've seen a graph of this on another mail server: Sober actually morphed around January 4-6 and changed patterns. It's still not clear exactly what all has been going on, but one consistent pattern is ceasing propagation (at least temporarily).

http://www.f-secure.com/weblog/archives/archive-122005.html

"This variant is programmed to activate on January 6th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever."

- Original Message -
From: "J Porter" <[EMAIL PROTECTED]>
To:
Sent: Friday, January 06, 2006 10:53 PM
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught.

I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot??