[Declude.Virus] RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing
If you upgraded to Declude 4.11.09 to avoid the AVG licence issue, you'll find that it was a bandaid, and that build's usefulness also expired contemporaneously with David and Linda's employee status, on January 31, 2013.

    C:\IMail>strings decludeproc.exe | grep LicBeg
    LicBeg, Ver=1.1, Name=Declude, Exp=2013-01-31, +Av, Sign=blahblahblah

You still received updates for a grace period (the files with zero bytes are normal for the Declude implementation of AVG):

    C:\IMail>dir C:\IMail\declude\scanners\AVG\db
     Volume in drive C has no label.
     Volume Serial Number is 9471-8A74

     Directory of C:\IMail\declude\scanners\AVG\db

    03/22/2013  07:47 AM    <DIR>          .
    03/22/2013  07:47 AM    <DIR>          ..
    03/19/2013  02:44 PM                 0 avi7.avg
    03/19/2013  02:44 PM                 0 microavi.avg
    03/19/2013  02:44 PM                 0 miniavi.avg
    03/22/2013  07:47 AM        71,002,023 incavi.avm
                   4 File(s)     71,002,023 bytes
                   2 Dir(s)  11,036,254,208 bytes free

    C:\IMail>

This might be addressed in the latest (last?) build, which you can obtain through the interim downloads website (log into your client support site for the link). If I remember correctly, that build is from 2013-03-15, v4.12.02, which specifically cites in the change log ReadMe.txt:

    4.12.02
    ==
    Fix: update AVG Key

    4.12.01
    ==
    Fix: AVG Bug

    4.12.00
    ==
    Fix: update AVG Key

Which (I think) also fixes the "ERROR: Failed Initialize AVG 183" being spammed all over your c:\imail\declude\diags.txt.

Andrew.

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 7:33 AM
To: declude.junkm...@declude.com
Subject: Re: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

Thanks Dave, will do.

On Fri, Jan 11, 2013 at 10:25 AM, David Barker <dbar...@declude.com> wrote:

Dean,

There is currently an issue with the AVG that we are currently working on. As far as the backup in the \proc directory and the 0 Kb log, that seems like a different issue. Can you please contact supp...@declude.com for assistance.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 10:18 AM
To: declude.junkm...@declude.com
Subject: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

The subject says it all. This morning, Declude started to have high CPU usage, the log file is 0k and messages are backing up in the proc directory. I looked in the diags.txt and I see this message:

    ERROR: Failed Initialize AVG 183
    Daisy Chain smtp32.exe

I was running 4.11 and upgraded to 4.11.09 and still have the same results. Any thoughts?

--
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t // www.twitter.com/idatatech
Social Marketing | SEO | Design | Internet Development

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
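The two things Andrew checks by hand in the thread above (the LicBeg expiry string inside decludeproc.exe and the age of the AVG definition files) are the sort of thing worth scripting, so an expired licence or stale definitions show up before the queue backs up. The script below is an added example written for this page, not Declude's own code: it parses the output of `strings decludeproc.exe | grep LicBeg` and of `dir` in the shapes shown in the thread; the `health_report` function, the 48-hour staleness threshold and the two sample "now" timestamps are this example's own assumptions, and the sample outputs are constructed copies of the listings quoted above.

```python
import re
from datetime import datetime, date

# The two artefacts the thread inspects: the LicBeg line that
# `strings decludeproc.exe | grep LicBeg` prints, and a Windows `dir` listing.
LICBEG_RE = re.compile(r"\bLicBeg\b.*?\bExp=(\d{4}-\d{2}-\d{2})")
DIR_LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(\S.*)$")

# Constructed samples mirroring the excerpts quoted in the thread.
SAMPLE_STRINGS_OUTPUT = "LicBeg, Ver=1.1, Name=Declude, Exp=2013-01-31, +Av, Sign=blahblahblah\n"
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 9471-8A74

 Directory of C:\\IMail\\declude\\scanners\\AVG\\db

03/22/2013  07:47 AM    <DIR>          .
03/22/2013  07:47 AM    <DIR>          ..
03/19/2013  02:44 PM                 0 avi7.avg
03/19/2013  02:44 PM                 0 microavi.avg
03/19/2013  02:44 PM                 0 miniavi.avg
03/22/2013  07:47 AM        71,002,023 incavi.avm
               4 File(s)     71,002,023 bytes
               2 Dir(s)  11,036,254,208 bytes free
"""
SAMPLE_NOW = datetime(2013, 3, 22, 9, 0)         # constructed: same morning as the listing
SAMPLE_STALE_NOW = datetime(2013, 3, 26, 9, 0)   # constructed: four days later

def license_expiry(strings_output):
    """Return the Exp= date from the first LicBeg line, or None if there is none."""
    for line in strings_output.splitlines():
        m = LICBEG_RE.search(line)
        if m:
            return date.fromisoformat(m.group(1))
    return None

def parse_dir_listing(dir_output):
    """Return [(name, size_bytes, mtime)] for the plain files in a `dir` listing."""
    files = []
    for raw in dir_output.splitlines():
        m = DIR_LINE_RE.match(raw.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        files.append((m.group(4).strip(), int(m.group(3).replace(",", "")), mtime))
    return files

def health_report(strings_output, dir_output, now, max_def_age_hours=48):
    """Combine both checks; `now` is passed in so runs are reproducible."""
    exp = license_expiry(strings_output)
    days_left = (exp - now.date()).days if exp else None
    # Zero-byte files are normal for Declude's AVG layout (see the thread), so
    # freshness is judged on the newest non-empty definition file only.
    defs = [f for f in parse_dir_listing(dir_output) if f[1] > 0]
    newest = max(defs, key=lambda f: f[2]) if defs else None
    age_h = (now - newest[2]).total_seconds() / 3600 if newest else None
    return {
        "license_expiry": exp,
        "license_days_left": days_left,
        "license_ok": days_left is not None and days_left > 0,
        "newest_definition": newest[0] if newest else None,
        "definition_age_hours": age_h,
        "definitions_ok": age_h is not None and age_h <= max_def_age_hours,
    }

if __name__ == "__main__":
    for key, value in health_report(SAMPLE_STRINGS_OUTPUT, SAMPLE_DIR_OUTPUT, SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

On the listing from the thread the report shows the licence 50 days past its Exp date while the definitions are only an hour old, which is exactly the "grace period" situation Andrew describes; the same script run a few days later would flag the definitions as stale as well.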
RE: [Declude.Virus] Test
Too quiet? Problem solved, like a BOSS.

-----Original Message-----
From: johnl...@eservicesforyou.com [mailto:johnl...@eservicesforyou.com]
Sent: Wednesday, January 04, 2012 8:33 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Test

Sorry for the test folks, new email setup and it is a little too quiet.

John T

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
David, this log excerpt seems to indicate that my AVG hasn't been working since May 1st 2009. Is this correct?

    C:\IMail\Spool>grep -c "smd Scanned: Error in virus scanner" vir*.log
    vir0401.log:0
    vir0402.log:0
    vir0403.log:0
    vir0404.log:0
    vir0405.log:0
    vir0406.log:0
    vir0407.log:0
    vir0408.log:0
    vir0409.log:0
    vir0410.log:0
    vir0411.log:0
    vir0412.log:0
    vir0413.log:0
    vir0414.log:0
    vir0415.log:0
    vir0416.log:0
    vir0417.log:0
    vir0418.log:0
    vir0419.log:0
    vir0420.log:0
    vir0421.log:0
    vir0422.log:0
    vir0423.log:0
    vir0424.log:0
    vir0425.log:0
    vir0426.log:0
    vir0427.log:0
    vir0428.log:0
    vir0429.log:0
    vir0430.log:0
    vir0501.log:2722
    vir0502.log:640
    vir0503.log:623
    vir0504.log:3143
    vir0505.log:2885
    vir0506.log:2568
    vir0507.log:2761
    vir0508.log:2554
    vir0509.log:386
    vir0510.log:415
    vir0511.log:3110
    vir0512.log:2920
    vir0513.log:2761
    vir0514.log:2771
    vir0515.log:2429
    vir0516.log:300
    vir0517.log:376
    vir0518.log:857
    vir0519.log:2605
    vir0520.log:2793
    vir0521.log:2574
    vir0522.log:2598
    vir0523.log:279
    vir0524.log:430
    vir0525.log:2630
    vir0526.log:2751
    vir0527.log:3217
    vir0528.log:3026
    vir0529.log:2532
    vir0530.log:336
    vir0531.log:608
    vir0601.log:1894

Andrew.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 01, 2009 12:38 PM
To: declude.junkm...@declude.com; declude.virus@declude.com
Subject: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX

If your AVG is not scanning emails, please upgrade immediately to 4.6.35, which is available from the Declude website. If you are unsure whether this means you, we suggest you upgrade; if you need any assistance in this matter please contact supp...@declude.com.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX
Aha! That was a fishy circumstance. Those errors were red herrings raised by my other virus scanner, not the AVG scanner.

If anybody is interested, this is what the log lines looked like the last time that AVG triggered on a virus, April 3rd, 2009:

    04/03/2009 08:54:05.047 Q003993048.smd Vulnerability flags = 2047
    04/03/2009 08:54:05.047 Q003993048.smd MIME file: [text/html][8bit; Length=2371 Checksum=206516]
    04/03/2009 08:54:05.062 Q003993048.smd MIME file: postcard.zip [base64; Length=449806 Checksum=56953283]
    04/03/2009 08:54:05.062 Q003993048.smd Banning .ZIP file with SCR extension.
    04/03/2009 08:54:07.501 Q003993048.smd AVG Reports VIRUS: Win32/Cryptor
    04/03/2009 08:54:07.501 Q003993048.smd File(s) are INFECTED [Win32/Cryptor: 7]
    04/03/2009 08:54:08.220 Q003993048.smd Virus scanner 1 reports exit code of 0
    04/03/2009 08:54:08.345 Q003993048.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 452321]
    04/03/2009 08:54:08.345 Q003993048.smd From: postca...@hallmark.com To: snip [outgoing from 69.156.243.37]
    04/03/2009 08:54:08.345 Q003993048.smd Subject: You've received A Hallmark E-Card!

There were three of those, and otherwise I had no detections, and no interesting messages from AVG or with "error" in the log line.

After stopping the DecludeProc service, then replacing decludeproc.exe with the IMail version (decludeproc_IM4635.exe, renamed to decludeproc.exe), and then restarting the DecludeProc service, I can send a test email with the EICAR test virus as an attachment, and AVG does pick it up.

    06/01/2009 18:11:11.305 Q000595199.smd Vulnerability flags = 2047
    06/01/2009 18:11:11.305 Q000595199.smd MIME file: eicar.com [base64; Length=68 Checksum=6829]
    06/01/2009 18:11:13.711 Q000595199.smd AVG Reports VIRUS: EICAR_Test
    06/01/2009 18:11:13.711 Q000595199.smd File(s) are INFECTED [EICAR_Test: 7]
    06/01/2009 18:11:13.727 Q000595199.smd Found a bogus .com file
    06/01/2009 18:11:13.727 Q000595199.smd Scanned: CONTAINS A VIRUS [MIME: 2 157]
    06/01/2009 18:11:13.727 Q000595199.smd From: snip To: snip [outgoing from snip]
    06/01/2009 18:11:13.727 Q000595199.smd Subject: test 03

Andrew.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 01, 2009 2:00 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX

Not for everyone, but certainly for your server that would be true, if that is what your logs indicate.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck, Andrew
Sent: Monday, June 01, 2009 4:03 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Upgrade 4.6.35 AVG not scanning - FIX

David, this log excerpt seems to indicate that my AVG hasn't been working since May 1st 2009. Is this correct?

[snip]
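The lesson of this thread is that a per-day count of "Error in virus scanner" lines is not on its own evidence that AVG is broken (those errors came from a different engine), whereas the date of the last "AVG Reports VIRUS" line is. The script below is an added example written for this page, not Declude's own code. It parses vir*.log lines in the format quoted above, counts per day how many messages were scanned, how many ended in a scanner error and how many carried an AVG verdict, and reports how long AVG has been silent. The `summarize`, `suspicious_days` and `avg_silent_days` names are this example's own; the sample log is constructed from the lines Andrew posted plus an invented run of error lines on 05/01.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Declude vir*.log line: date, time with milliseconds, queue file, message.
LOG_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}\.\d{3}) (Q\d+\.smd) (.*)$")

# Constructed sample: the two detections quoted in the thread plus an invented
# 05/01 run of "Error in virus scanner" lines that carry no AVG verdict at all.
SAMPLE_LOG = """\
04/03/2009 08:54:05.047 Q003993048.smd Vulnerability flags = 2047
04/03/2009 08:54:05.062 Q003993048.smd MIME file: postcard.zip [base64; Length=449806 Checksum=56953283]
04/03/2009 08:54:07.501 Q003993048.smd AVG Reports VIRUS: Win32/Cryptor
04/03/2009 08:54:08.220 Q003993048.smd Virus scanner 1 reports exit code of 0
04/03/2009 08:54:08.345 Q003993048.smd Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 2 452321]
05/01/2009 09:00:01.000 Q000000001.smd Vulnerability flags = 2047
05/01/2009 09:00:02.000 Q000000001.smd Scanned: Error in virus scanner [MIME: 1 2048]
05/01/2009 09:05:01.000 Q000000002.smd Vulnerability flags = 2047
05/01/2009 09:05:02.000 Q000000002.smd Scanned: Error in virus scanner [MIME: 1 4096]
05/01/2009 09:10:02.000 Q000000003.smd Scanned: OK [MIME: 1 512]
06/01/2009 18:11:11.305 Q000595199.smd MIME file: eicar.com [base64; Length=68 Checksum=6829]
06/01/2009 18:11:13.711 Q000595199.smd AVG Reports VIRUS: EICAR_Test
06/01/2009 18:11:13.727 Q000595199.smd Scanned: CONTAINS A VIRUS [MIME: 2 157]
"""
SAMPLE_AS_OF = datetime(2009, 6, 1, 12, 0)   # constructed "now" for the report

def parse_line(line):
    """Return (timestamp, queue_id, text), or None for a line that is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S.%f")
    return stamp, m.group(3), m.group(4)

def summarize(log_text):
    """Per-day counts keyed by ISO date, plus the last time AVG itself reported a virus."""
    days = defaultdict(lambda: {"scanned": 0, "scanner_errors": 0, "avg_detections": 0})
    last_avg_hit = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, _qid, text = parsed
        day = days[stamp.date().isoformat()]
        if text.startswith("Scanned:"):          # one per message: the final verdict
            day["scanned"] += 1
            if "Error in virus scanner" in text:
                day["scanner_errors"] += 1
        elif text.startswith("AVG Reports VIRUS:"):
            day["avg_detections"] += 1
            if last_avg_hit is None or stamp > last_avg_hit:
                last_avg_hit = stamp
    return {"days": dict(days), "last_avg_detection": last_avg_hit}

def suspicious_days(summary):
    """Days with scanner errors but not a single AVG verdict: the pattern Andrew grepped for."""
    return sorted(d for d, c in summary["days"].items()
                  if c["scanner_errors"] > 0 and c["avg_detections"] == 0)

def avg_silent_days(summary, as_of):
    """Whole days since AVG last reported anything; None if it never has in this log."""
    last = summary["last_avg_detection"]
    return None if last is None else (as_of.date() - last.date()).days

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for d in sorted(s["days"]):
        print(d, s["days"][d])
    print("suspicious days:", suspicious_days(s))
    print("days since last AVG detection:", avg_silent_days(s, SAMPLE_AS_OF))
```

Run over the full sample the report flags 05/01 as suspicious but shows AVG detected EICAR on 06/01, the outcome Andrew reached after swapping decludeproc.exe; run over only the lines before the EICAR test, the silence counter climbs to 59 days, which is the signal that actually mattered.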
RE: [Declude.Virus] AVG Update
That's very good news, David.

I suggest an entry on the Declude.com website, either public or in the members' account area, that shows the current datestamp for when an update was made available on the Declude.com webserver, and if relevant, the update number that AVG gives it. In this way, those who are out of date can see directly how far out of date they are, and whether the problem is on their end, such as the maintenance agreement being out of date. The update number would only be of interest to users of other AVG software, who are perhaps used to going to the AVG website.

In that area of the website would also be a link to a support article which describes the update cycle (from the point of view of a person maintaining their Declude installation) and the entry in the declude.cfg file.

Andrew.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, December 29, 2008 12:48 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] AVG Update

I have tracked the issue. The process used to be automated, but from what I understand some server changes were made and we are currently running in manual mode, hence the reason for some delays over the holidays. I will have this resolved and on an automated procedure with failover checking asap. (I will have to plan this, but for now I am thinking no later than end of January.) Although we have many to-do's on our list, this is a high priority. If there are any suggestions around this procedure, post them to the list; I cannot promise on suggestions, but there may be something we can do.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.Virus] Force AVG update
The updates are currently 4 days behind...

I believe that fetching and approving the updates from AVG, then publishing them on the Declude server, is a manual process that Declude support staff must perform, and that it's not a reliable process.

I think it best that we consider the AVG scanner to be "ok" at best, and if we want "very good" we need to invest the money and CPU time in at least one other scanner engine.

Andrew.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Saturday, December 27, 2008 9:00 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Force AVG update

Hi,

The general experience has been (as reported by several individuals in two different lists over the past 3 months) that the Declude AVG updates are frequently 48 hours behind - which means they are only effective for old viruses. I even posted the stats for several days where it showed that every few days new viruses were being caught by my secondary scanner (McAfee), which truly does have hourly updates - and would have been passed through to my desktops if I had relied on Declude's AVG scanner.

I have the feeling that changing your poll time from 4 hours to 2 will only mean that you'll be finding out twice as often that they have a 2-day old update.

I'm curious what the answer is - but somewhere in the back of my head I think I had previously read that Declude will occasionally get updates from AVG, which in turn you get from them. If my recollection/understanding is accurate, then the real frequency is controlled by Declude's server, not yours.

Best Regards,
Andy

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Saturday, December 27, 2008 10:00 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Force AVG update

Any way to force Declude to update the AVG files ... my dates run from 12/17 to 12/23 ... are these really current dates?

David
(I have my update frequency set at every 2 hrs)
RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
For what it's worth, I never move messages from HOLD to SPOOL.

When I do move false positives out, I fix the problem in my configuration, so that the same circumstance doesn't happen again, and then I move the files from the HOLD to the PROC folder. By re-scanning them, they get virus scanned and I am sure that I have saved time by getting spam scanned as well; it would cost me more time to repeat the procedure next time than it takes me to override my text filters and re-queue the messages now.

Very few messages get pulled out of the HOLD folder, so not scanning those messages for viruses saves me a lot of processing power.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Monday, June 23, 2008 9:00 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Correct: if you send held email directly to the spool there is a potential for a virus to bypass if running AVAFTERJM; this is why it is important to correct the issue that caused the false positive, then reprocess via Declude. OR alternately, ensure you virus scan your HOLD folders.

If you are asking to only apply AVAFTERJM to Deleted emails, this would reduce its effectiveness, as not every Declude customer uses Delete.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 11:30 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi David,

Could you explain this:

> We have chosen not to do this otherwise your users will end up with viruses in their junkmail folders

By NOT scanning held junkmail the virus WILL end up in a user's mailbox if I have to requeue the mail because it was a FP. Of course you don't have to scan deleted mail.

With kind regards,

Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: David Barker
To: declude.virus@declude.com
Sent: Monday, June 23, 2008 4:28 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Dear Bonno,

It is not that we can't do this. We have chosen not to do this, otherwise your users will end up with viruses in their junkmail folders. AVAFTERJM will skip messages on DELETE and HOLD actions only.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bonno Bloksma
Sent: Monday, June 23, 2008 4:20 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Hi,

(Open mail request)

Dear Declude people. I have asked this before, and with the current spam levels can we PLEASE have this feature now ASAP? We all want to use AVAFTERJM, but could you PLEASE make it scan all mail which is not deleted? If that is too big a step at first because of all the possible copy, routeto, etc. statements, can we at least have it for the HOLD action asap?

With kind regards,

Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

----- Original Message -----
From: Kevin Bilbee
To: declude.virus@declude.com
Sent: Friday, June 13, 2008 5:25 PM
Subject: RE: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

Be careful with this setting. If a message gets held as spam it will not be virus scanned. Make sure you scan any message moved back into the delivery queue for viruses before placing it in the delivery queue folder.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Friday, June 13, 2008 6:10 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG

AVAFTERJM has been around a long time. I don't remember what version, but it was a 1.x version. Are you familiar with the setting? It tells Declude to run Anti-Virus after Junkmail. It then only runs AV after checking to see if the message is spam.
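The point the whole thread turns on (with AVAFTERJM ON a message held as spam is never virus scanned, so releasing it straight to SPOOL delivers it unscanned, while re-queuing it to PROC after fixing the filter re-runs the full pass) is easiest to see in a small model of the queue. The code below is an added example written for this page, not Declude's own code. The folder names and the AVAFTERJM semantics follow what David Barker, Kevin and Andrew describe above; the weight thresholds, the toy scanner (a plain substring match on an EICAR marker, standing in for a real engine) and the function names are this example's assumptions.

```python
from dataclasses import dataclass, field

# Marker the toy scanner looks for: a stand-in for a real engine's signature match (constructed).
EICAR_MARK = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
HOLD_WEIGHT, DELETE_WEIGHT = 10, 30   # constructed thresholds, not Declude defaults

@dataclass
class Message:
    qid: str
    spam_weight: int
    attachment: str = ""
    trail: list = field(default_factory=list)   # folders the message passed through

def junkmail_action(msg):
    """Declude JunkMail's verdict from the accumulated weight (model)."""
    if msg.spam_weight >= DELETE_WEIGHT:
        return "DELETE"
    if msg.spam_weight >= HOLD_WEIGHT:
        return "HOLD"
    return "DELIVER"

def virus_scan(msg):
    """Toy AV engine: does the attachment carry the marker?"""
    return EICAR_MARK in msg.attachment

def process(msg, av_after_jm):
    """One pass through the PROC folder; returns the folder the message ends up in."""
    msg.trail.append("PROC")
    if not av_after_jm and virus_scan(msg):   # AVAFTERJM OFF: AV runs first, on everything
        return "VIRUS"
    action = junkmail_action(msg)
    if action == "DELETE":
        return "DELETED"
    if action == "HOLD":
        return "HOLD"                          # AVAFTERJM ON: AV is skipped for held mail
    if av_after_jm and virus_scan(msg):        # AV only for mail that is going to be delivered
        return "VIRUS"
    msg.trail.append("SPOOL")
    return "SPOOL"

def release_false_positive(msg, target, corrected_weight, av_after_jm=True):
    """Admin pulls a message out of HOLD after fixing the filter that mis-scored it."""
    msg.spam_weight = corrected_weight
    if target == "SPOOL":                      # straight to delivery: nothing looks at it again
        msg.trail.append("SPOOL")
        return "SPOOL"
    return process(msg, av_after_jm)           # PROC: full Declude pass, AV included

if __name__ == "__main__":
    for target in ("SPOOL", "PROC"):
        m = Message("Q1", spam_weight=15, attachment="patch.exe " + EICAR_MARK)
        first = process(m, av_after_jm=True)
        final = release_false_positive(m, target, corrected_weight=0)
        print(f"held to {first}, released to {target}: ends in {final}, trail {m.trail}")
```

The same held message ends in SPOOL (delivered, never scanned) when released directly, and in VIRUS when re-queued through PROC, which is the reason Andrew moves files from HOLD to PROC and never to SPOOL.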
RE: [Declude.Virus] bloodhound exploit 163 - Slipping Through
Try this on for size:

http://www.f-secure.com/weblog/archives/1303.html

"Malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during last hour and the spam run is still continuing."

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Friday, October 26, 2007 1:54 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] bloodhound exploit 163 - Slipping Through

A customer running Norton reports receiving several infected e-mails today. We are only running the built-in AVG scanner at this time, which isn't catching this new virus. The Symantec site is not too helpful about the characteristics, which would better enable writing a filter.

http://www.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99

Our customer reports they show:

From: Lorena Bernal
Subject: Statement of retained earnings

However, no doubt there are other variants. They are caught upon receipt by his Norton anti-virus and quarantined, so he really can't (and I don't want him to) supply more info.

Anyone else noticing this virus slipping through? Any suggestions appreciated.

Thanks,

Don Brown - Dallas, Texas USA
Internet Concepts(r)
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049
RE: [Declude.Virus]
Brief, and to the point.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marc Catuogno
Sent: Thursday, July 12, 2007 11:54 AM
To: Declude Virus
Subject: [Declude.Virus]

Marc Catuogno
MIS Director
Prudential Rand Realty
845-825-8025
[EMAIL PROTECTED]
RE: [Declude.Virus] FYI Storm worm mutates to incorporate Independence Day text
If you care about the previous subject lines listed at the SANS ISC for this worm, you'll be interested in knowing that they've added six more this morning:

http://isc.sans.org/diary.html?storyid=3090

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 03, 2007 1:23 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] FYI Storm worm mutates to incorporate Independence Day text

It has been updated to broadcast text that incorporates 4th of July celebratory text.

See: http://isc.sans.org/diary.html?storyid=3090

Andrew.
RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures
Without offering up the exact how-to, I can point out that the SIZE test and a BODY CONTAINS combination would likely help in Declude JunkMail, and that you would have to stop banning RAR files in Declude EVA.

Judicious use of the SIZE test would help Gary to HOLD only small RAR files, whether encrypted or not. Meanwhile, a strategy of chasing BODY and SUBJECT lines in Declude JunkMail text filters would help to target this worm, as this family heavily recycles their own text.

Using "BODY CONTAINS Subject: yadda" fragments also helps to catch annoying blowback as your users get automatic responses from 3rd party email servers that naively believed the MAILFROM was not a fake.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Wednesday, May 02, 2007 1:07 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

Yes, I apologize. I only realized the next day (Saturday) that this would not work, because the message will be scanned if it is under a HOLD or DELETE threshold.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
Sent: Wednesday, May 02, 2007 4:03 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

I am confused as to how this would work, as BANEXT RAR in EVA will hold those files regardless of the weight. Has anyone worked out a way to ban small RAR files that would contain the virus, and pass large RAR files that most likely would not? I'm trying to find a workaround until Declude figures out how to detect encrypted RAR files. Right now I'm banning all RAR files, then have to go in and manually re-submit the legitimate RAR files that my customers are sending.

Gary

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 5:52 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

You may be able to do something with the MSGSIZE test in conjunction with AVAFTERJM ON, eg.

    SIZE-10MB    msgsize    10240    x    -50    0

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
Sent: Friday, April 27, 2007 4:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

It's not that difficult. The legitimate messages with rar attachments are big (usually 10MB and up), so it's not hard to separate them from the image spam and common viruses being held in the virus directory. As mentioned by Craig in an earlier post, it would be nice if Declude added the capability to skip banning on files of large size.

----- Original Message -----
From: John T (lists) [EMAIL PROTECTED]
Sent: Friday, April 27, 2007 3:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] More info about encrypted RAR virus and Declude failures

> Until Declude resolves the issue with BANEXT EZIP, I've had to ban all rar files. Unfortunately some of my customers regularly send rar attachments, so I've had to check the virus hold directory on a regular basis and manually resubmit any false positives there.
>
> Gary

Instead of manually checking for legit files, use the BANEXT.eml file to send a postmaster message that you get and/or the recipient and/or sender get, and that notice can be reviewed a lot easier than manually checking the hold directory.

John T
[Declude.Virus] Interesting notes on recent virus activity from Kaspersky
http://www.viruslist.com/en/weblog?calendar=2007-04

For example, here is point 8 of 10:

* Most Common Malicious Program in Email Traffic - Email-Worm.Win32.NetSky.q (http://www.viruslist.com/en/viruses/encyclopedia?virusid=22760), which has been around for years, but still managed to account for 14% of all malicious email traffic in March, which just goes to show that the older malware is still going strong.

Andrew.
RE: [Declude.Virus] Interesting notes on recent virus activity from Kaspersky
I think the prevalence of an old email virus is two things:

1) It shows that people who were infected, stayed infected. That's a non-trivial point; there have been several wars by the backdoor gangs as they clean rival infections out to take sole p0wnership of a box.

2) Since those infections send out email, it shows that a sucker is born every minute. There are new infectees, but the message is the same from the old worm; new recipients are falling for an old line.

Andrew 8)

p.s. Check out the link for the NetSky variant; this particular worm packs a lot of features, all it needs is a rootkit to complement the other defense mechanisms.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
Sent: Tuesday, May 01, 2007 10:49 AM
To: declude.virus@declude.com
Subject: re: [Declude.Virus] Interesting notes on recent virus activity from Kaspersky

Or does this show that there are too many people out there who don't have anti-virus software on their computers?

----- Original Message -----
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Tuesday, May 01, 2007 1:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Interesting notes on recent virus activity from Kaspersky

[snip]
RE: [Declude.Virus] new virus with .rar attachment
Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today:

http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 10:31 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of "Virus Activity Detected!", "Spyware Alert!" It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as W32/[EMAIL PROTECTED]. http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?
RE: [Declude.Virus] virus via e-mail getting rare
Virus via email is dwindling, but not dying. I regularly see scams reported where people are asked to open the attachment, which purports to be some purpose but is of course a virus. For example:

http://www.f-secure.com/weblog/#1149

From my own content, I see that old viruses are not dying out; people who are infected tend to stay infected. I suspect this is for multiple reasons, e.g. malware reports to their ISP are ignored, and many families of malware deliberately break the installed antivirus application, so subsequent pattern updates will never catch the malware that is already installed.

I also use AVAFTERMJM in my Declude.Virus config file, because I find that my content is generally spam or ham, and not viral. Most of my inbound viruses are caught as spam. To get more accurate stats, I nightly virus scan my spam HOLD folder for today's spam, then record the counts.

I'm attaching a graph in PNG format of the last 6 months of traffic. No fancy tools here, just manually pasting the daily values into Excel and making a chart.

You can see that almost all of the virus catching is either custom Declude filters to catch outbreaks of certain viruses, e.g. a specific SUBJECT or BODY text, or general spamminess, such as lighting up DYNA blacklists and having BADHEADERS with enough weight to HOLD the message.

I don't use a greylisting or tarpitting front-end MTA like Alligate, but if I did, I suspect that my inbound virus counts would be much lower, as I expect that all of these old virus SMTP libraries will not survive the greylisting or tarpitting, so the actual virus payload will not make it inbound to my Declude software for spam and virus scanning.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, March 26, 2007 5:38 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] virus via e-mail getting rare

Hi,

Is virus via e-mail a dying breed? There are days where I barely get any viruses via e-mail. Most of what gets caught is malformed mail, 99% spam.

I just did a test to see if my virus scanners are still working correctly; eicar is still being caught by both F-prot and Sophos, so all seems to be working. Both scanners are also correctly updating their database.

Kind regards,
Bonno Bloksma
Head of Systems Administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

[Attachment: VirusVolumes.png]
RE: [Declude.Virus] F-Prot Version 6
"F-prot is $50 for 10 licenses per year. $5 per machine per year. Version 6. Why is that not still reasonable?"

Because that is not the correct price.

Following the product link on their home page:

http://www.f-prot.com/products/corporate_users/win/

At the bottom it says:

"To use the F-PROT Antivirus scanner on a Windows Mail Server a F-PROT Antivirus for Windows on Mail Servers license is required. This license category differs from the general F-Prot Antivirus for Windows for corporate users license in that it covers use that the general license does not: F-Prot Antivirus for Windows on Mail Servers applies to mail servers, mail relays and mail gateways, i.e. computers that provide mail services to a network, either for incoming or for outgoing e-mail.

High-quality, efficient virus scanning is essential for any mail server. E-mail is the most common way for viruses and other malware to spread. The most effective way of stopping the spread of malware onto a network and beyond is at the server.

F-PROT Antivirus for Windows on Mail Servers includes a Command Line Scanner (fpcmd.exe) that can be used with third party mail server software such as Declude and MailEnable. Information on how to use the software with such programs can be found on www.declude.com and www.mailenable.com

If you are interested in purchasing F-Prot Antivirus for Windows on Mail Servers, please visit our order form and take a look at our price lists."

Following the price list link to:

http://www.f-prot.com/products/prices/price_win_ms.html

Which has this table:

F-PROT Antivirus for Windows Mail Servers

Number of Users   Annual license fee
1-24              US$ 269
25-49             US$ 359
50-99             US$ 449
100-199           US$ 719
200-299           US$ 989
300-399           US$ 1259
400-499           US$ 1529
500-749           US$ 1799
750-999           US$ 2069
1000-1999         US$ 2519
2000-2999         US$ 2969
3000-3999         US$ 3419
4000-4999         US$ 3869
5000-5999         US$ 4499

How many mailboxes do you have? $50 won't cover it.

Andrew.

p.s. The recently released v6 went to v6.0.6.1 on March 7th 2007.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Cohn
Sent: Tuesday, March 13, 2007 8:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Version 6

F-prot is $50 for 10 licenses per year. $5 per machine per year. Version 6. Why is that not still reasonable?

Please explain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Thursday, February 01, 2007 8:33 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] F-Prot Version 6

Changed when they released the new version. About 3 months back. Check the archives of this list. We were complaining about it. We dumped using their product and just use the AVG built into Declude.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 01, 2007 3:33 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] F-Prot Version 6

When did their licensing change? F-Prot used to be extremely reasonable.

Don

----- Original Message -----
From: Kevin Bilbee [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, January 31, 2007 11:14 PM
Subject: RE: [Declude.Virus] F-Prot Version 6

Read the license. It may be compatible but the licensing is expensive.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Wednesday, January 31, 2007 7:26 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Version 6

Been using F-Prot version 3 for years ... and now getting notices to upgrade to version 6. Anyone done this yet, and is it still compatible with Declude/Imail, etc?

David
RE: [Declude.Virus] Current Version of Clam AV
My two cents (I don't run ClamAV)...

Observations:
- .vir directories are orphaned
- .vir directories are locked by something and can not be deleted without stopping some service(s)
- .vir directories are only created on Scott's system when ClamAV is run as a service and Sandy's runclamscan.exe is invoked by Declude

My guess is that ClamAV is not finishing the processing of these messages, that Declude would then kill after 10 minutes* the only part it knows about, runclamscan.exe, leaving the ClamAV service still processing/locking the directory or files in that directory. The ClamAV service may be trying to contact the dead runclamscan.exe instance, and can't, and thus does not let go of whatever it's locking.

Can anyone affected confirm the "killing the external app" behaviour by examining the name of a .vir directory, and look up the loglines in the appropriate decMMDD.log or virMMDD.log file with find or grep? That won't necessarily help resolve it, but it may help clarify the symptoms.

If the client is being killed, there are at least two causes:

1) the ClamAV service or runclamscan.exe client are not getting enough CPU time because your mailserver is very busy, and are unable to finish within 10 minutes*.

2) the ClamAV service is stalling as it tries to scan or decode a certain email or file, and it is a bug in ClamAV (there have been several, as with other antivirus software). This could be verified by stopping the service, and then trying to scan the same .vir folder again manually, invoking ClamAV directly, as well as the service via runclamscan.exe, and seeing if either method hangs reproducibly, and then reporting the samples as bad to the ClamAV development team.

Andrew.

* I think that 10 minutes is the correct timeout for an external app, after which Declude will kill the external app.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, March 01, 2007 12:05 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

I'm definitely still getting them with Clam .90. They only happen here when I run clamav as a service. When I run it as a non-service (which is CPU foolish), I don't get these. I also use the clamscan wrapper (runclamscan.exe), so that might be in the mix.

----- Original Message -----
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Thursday, March 01, 2007 11:57 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone want to comment on what might be causing the error? Is this a ClamAV problem or a Declude problem? It seems that the normal mechanism for deleting those files is somehow interrupted. Is there a way in Declude to increase the time allocated to each antivirus process? Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any leftover .vir directories.

-----Original Message-----
From: Brian T. [EMAIL PROTECTED]
Sent: Thursday, March 01, 2007 11:53 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

Does anyone know of a way to fix this problem with the leftover .vir directories? I was thinking about switching to ClamAV from F-Prot but don't want to constantly be cleaning up leftover files.

Thanks,
Brian

----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:44 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

In my normal maintenance window (once a week) all services are stopped and I clean out the work, error, proc, spool, and review folders. Since I stop CLAMAV as well I am able to delete those directories.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Stephan
To: declude.virus@declude.com
Sent: Tuesday, February 27, 2007 11:22 AM
Subject: Re: [Declude.Virus] Current Version of Clam AV

Thanks for responding. I can't delete them until I restart the ClamAV service. Do you have a way of automatically deleting them, or do you schedule a task to restart ClamAV and then delete them? I tried using a scheduled task but for some reason they still don't get deleted (but it's possible to do it manually.)

-----Original Message-----
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Sent: 2/27/2007 10:17:46 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Current Version of Clam AV

FWIW - I have always had left over directories from .84 on up.

Darrell
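The check Andrew asks for above (take the name of a leftover .vir directory and find its lines in the day's log) is easy to automate. The Python script below is an added example, not Declude's or ClamAV's code: it lists .vir working directories that have outlived the 10-minute external-scanner timeout the thread mentions, pulls every log line naming each one, and reports whether the log says the scanner client was killed. The work-directory layout, the log-line layout, the "timed out"/"killed" wording and the directory names are all constructed for this example and are not Declude's real formats.

```python
"""Added example for triaging leftover .vir directories; it is not Declude's
or ClamAV's code. It finds .vir working directories that have outlived the
external-scanner timeout and pulls every log line that names them.

Assumptions, none of them from the thread: the work directory layout, the
log line format, the "timed out"/"killed" wording and the directory names
below are all constructed for this example.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# The 10-minute external-app timeout mentioned in the thread.
EXTERNAL_APP_TIMEOUT = 10 * 60  # seconds

# Constructed log lines in a made-up layout: timestamp, message id, text.
SAMPLE_LOG = [
    "03/01/2007 11:40:02 D1234abcd0001 Scanning with CLAMAV (external)",
    "03/01/2007 11:50:03 D1234abcd0001 External app timed out after 600 seconds; process killed",
    "03/01/2007 11:52:10 D1234abcd0002 Scanning with CLAMAV (external)",
    "03/01/2007 11:52:11 D1234abcd0002 Scan completed, no virus found",
]

# Constructed wording that marks the scanner client as having been killed.
KILL_MARKERS = ("timed out", "killed")


def stale_vir_dirs(work_dir, now=None, timeout=EXTERNAL_APP_TIMEOUT):
    """Names of .vir directories whose last modification is older than the timeout.

    A .vir directory younger than the timeout may still be in a legitimate scan,
    so it is left alone; only orphan candidates are returned, sorted by name.
    """
    now = time.time() if now is None else now
    stale = []
    for entry in sorted(Path(work_dir).iterdir()):
        if entry.is_dir() and entry.name.lower().endswith(".vir"):
            if now - entry.stat().st_mtime > timeout:
                stale.append(entry.name)
    return stale


def log_lines_for(dir_name, log_lines):
    """Every log line that mentions the message id a .vir directory is named after."""
    stem = dir_name[:-4] if dir_name.lower().endswith(".vir") else dir_name
    pattern = re.compile(re.escape(stem), re.IGNORECASE)
    return [line for line in log_lines if pattern.search(line)]


def triage(work_dir, log_lines, now=None):
    """Map each stale .vir directory to its log lines and a verdict.

    "external scanner killed" is the symptom described in the thread: Declude
    gave up on runclamscan.exe while the ClamAV service still held the directory.
    """
    report = {}
    for name in stale_vir_dirs(work_dir, now):
        lines = log_lines_for(name, log_lines)
        if not lines:
            verdict = "no log record"
        elif any(marker in line.lower() for line in lines for marker in KILL_MARKERS):
            verdict = "external scanner killed"
        else:
            verdict = "scan logged as finished; something else holds the lock"
        report[name] = {"lines": lines, "verdict": verdict}
    return report


def make_sample_work_dir():
    """Construct a throwaway work directory: one stale .vir, one fresh .vir, one plain file."""
    root = Path(tempfile.mkdtemp(prefix="declude-work-"))
    stale = root / "D1234abcd0001.vir"
    stale.mkdir()
    old = time.time() - 2 * EXTERNAL_APP_TIMEOUT
    os.utime(stale, (old, old))           # backdate it past the timeout
    (root / "D1234abcd0002.vir").mkdir()  # fresh: could still be mid-scan
    (root / "notes.txt").write_text("not a scan directory")
    return root


if __name__ == "__main__":
    root = make_sample_work_dir()
    for name, info in triage(root, SAMPLE_LOG).items():
        print(name, "->", info["verdict"])
        for line in info["lines"]:
            print("   ", line)
```

On a real server you would point `stale_vir_dirs` at the Declude work directory and feed `triage` the lines of that day's decMMDD.log or virMMDD.log; the age filter matters because a .vir directory younger than the timeout is not evidence of anything.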
RE: [Declude.Virus] Any one heard about or seen this one yet?
Yes, and it should be old news by now.

http://isc.sans.org/diary.html?storyid=2071

The end of the page lists the four executables to ban, if you don't trust your antivirus software, i.e.

#Jan-18-2007 AC New fake news clips virus called Small.Dam by F-Secure and W32/Downloader.AYDY by F-Prot
BANNAME Full Clip.exe
BANNAME Read More.exe
BANNAME Full Story.exe
BANNAME Video.exe

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Friday, January 19, 2007 12:02 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] Any one heard about or seen this one yet?

Storm Worm Hits Computers Around the World
By Reuters
January 19, 2007

HELSINKI (Reuters) - Computer virus writers started to use raging European storms on Friday to attack thousands of computers in an unusual real-time assault, the head of research at Finnish data security firm F-Secure told Reuters.

The virus, which the company named Storm Worm, is sent to hundreds of thousands of e-mail addresses globally, with the e-mail's subject line saying "230 dead as storm batters Europe". The attached file contains the so-called malware that can infiltrate computer systems.

"What makes this exceptional is the timely nature of the attack," Mikko Hypponen, head of research at F-Secure, said.

Hypponen said thousands of computers around the world, most in private use, had been affected. He said most users would not notice the malware, or trojan, which creates a back door to the computer that can be exploited later to steal data or to use the computer to post spam.

Regards,
Dennis Curry
System Administrator
SNC-Lavalin GDS
RE: [Declude.Virus] Any one heard about or seen this one yet?
And an alternative writeup from Symantec, with more details on the results of an infection, and with executables nobody else has mentioned.

http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, January 19, 2007 1:01 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Any one heard about or seen this one yet?

[quoted earlier messages omitted]
RE: [Declude.Virus] Any one heard about or seen this one yet?
New variations have arisen... No surprise there, either.

http://isc.sans.org/diary.html?storyid=2071

No word on new explicit filenames, yet.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, January 19, 2007 1:15 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Any one heard about or seen this one yet?

[quoted earlier messages omitted]
[Declude.Virus] Large spam run of malware in Germany?
If you allow .exe in the Declude Virus product, you may want to add:

BANNAME RechnungGEZ.pdf.exe

to your virus.cfg file. See this antivirus company's blog entry:

http://www.f-secure.com/weblog/#1080

"There's a fairly large malware spam run going on in Germany. The emails claim to be from GEZ, the local TV permit authority. The mail contains a bill for 445,99e for unpaid TV watching licenses. The attachment, of course, is an executable: RechnungGEZ.pdf.exe. We now detect this as Trojan-Downloader.Win32.Small.efe. When run, the attachment shows a fake error message to explain why you don't see the real bill after opening the attachment: [fake error message reporting Acrobat 6 - Error Warning 20225]"

Andrew.
RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
I think I received 36 of them.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, January 04, 2007 12:55 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t
Importance: High

Is it me or did everyone get this autoresponder about 300 times?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roconnor
Sent: Thursday, January 04, 2007 9:45 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] I'm currently on a business trip down south and will be returning January 5th, 2007. If t

I'm currently on a business trip down south and will be returning January 5th, 2007. If this is an emergency please call our office at 360.527.9111

Thanks,
Rick
[Declude.Virus] New virus to add to your banned names in virus.cfg
http://isc.sans.org/diary.php?storyid=1988

BANNAME Greeting Card.exe
BANNAME Greeting Postcard.exe
BANNAME GreetingCard.exe

Which may be related to a rash of these that my mailserver received on Dec 28th, as the executables are the same size but contain many differences:

BANNAME postcard.exe

As of this writing, F-Prot detected neither executable, and Trend Micro does not yet, unless you use the CPR version to obtain the beta of the next pattern update.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, December 26, 2006 6:05 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] How to block an IP

Joe,

Just add the IP or CIDR block into the SMTP access control in Imail.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: J Porter [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Monday, December 25, 2006 11:06 PM
Subject: [Declude.Virus] How to block an IP

Is there a way to block an IP address before analysis by Declude's AV (Ver 1.82 - Imail 8.x)? I thought I should be able to do this with rules.ima by looking for a line in the header. So I have a line that says H~xxx\.yyy\.zz\. but it doesn't work. (In case you can't see it, the lines read \. = slash dot per Ipswitch docs) I don't think the H~ (header contains) command reads everything in the header.

~Joe
RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
p.s. No, the conversation thread at the end of my posting was not relevant to the antivirus tip; that was simply poor copy and paste on my part.

Andrew 8)
RE: [Declude.Virus] New virus to add to your banned names in virus.cfg
"Why not block any .exe attachments?"

I don't block .EXE attachments, but that policy may work for others.

In my company, we find it very common to receive executables in email, as well as viruses that are plain executables, therefore we neither silently discard them, nor do we reply to the likely spoofed mailfrom, nor do we annoy the recipient.

I use Declude on a gateway server, and I use Trend Micro ScanMail for Exchange on my internal servers. On those internal servers, I scan for viruses and I ban executable attachments (not the whole message) and notify the recipient and our Help Centre. From the message body, the recipient can determine whether the attachment is valid; the Help Centre could re-send the executable but it would be blocked by Outlook anyway, so the usual case is then for the recipient to ask the sender to re-send the executable in a zip file.

"In our system AVG is detecting it."

Shortly before I sent that first message, F-Prot received a pattern update and was detecting the greeting cards as W32/Tibs.gen4 and the postcard as W32/Tibs.RA ... And submitting the greeting card to the Sunbelt malware sandbox showed a huge amount of activity. I suspect that this will be a real nuisance for those infected.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, December 30, 2006 9:30 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New virus to add to your banned names in virus.cfg

Andrew..

Why not block any .exe attachments? In our system AVG is detecting it.

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Saturday, December 30, 2006 12:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New virus to add to your banned names in virus.cfg

[quoted earlier message omitted]
RE: [Declude.Virus] AUTOFORGE
I suggested adding STRATION a week or more ago. Likewise, the string WAREZOV should be added to the AUTOFORGE database (or your own virus.cfg, e.g. FORGINGVIRUS WAREZOV). There have been many iterations of this virus, and according to F-Secure, the creators are still pumping out new versions.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, October 27, 2006 6:03 AM
To: 'Declude Virus List'
Subject: [Declude.Virus] AUTOFORGE

Hi, is this still being actively maintained? If so, W32/Stration.dldr should be added as forging. Based on bounces that I'm seeing (from inbound-only mailboxes on our domain) it is forging the sender.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.Virus] New Virus?
Sounds like a very popular eBay scam, not a virus. Was there actually a hostile application attached?

Submit the executable to: http://www.virustotal.com/en/indexf.html
Or: http://virusscan.jotti.org/

I believe that both services share unknown executables with the antivirus vendors.

Or you directly submit the executable to your preferred antivirus vendor, usually through a web submission form, e.g.:
http://subwiz.trendmicro.com/SubWiz/Default.asp
Or: http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a competitive advantage (at the expense of the customers of every other antivirus vendor!).

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
Sent: Tuesday, October 10, 2006 10:21 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus?

Hey All

Has anyone seen the email saying that you purchased a Sony VAIO for $2,500? We received a bunch of these this morning in our mailboxes and I am trying to figure out how they made it thru the scanners. What is the place to send them to see if it is being caught?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000
[Declude.Virus] Another forging malware, Scano
Another mass-mailing worm, this time a variant of an .HTA attached worm that was first seen in April 2006. F-Prot users who don't want to be bothered by their alerts for this sender-forging malware can add this to their virus.cfg ...

FORGINGVIRUS VBS/Scano@

Here are the results of my submission of the attachment to http://www.virustotal.com/ if you see your antivirus scanner and wish to adapt the same line, e.g. for ClamAV: FORGINGVIRUS Worm.Scano.

Complete scanning result of "Fotos.hta", received in VirusTotal at 10.05.2006, 21:59:18 (CET).

Antivirus           Version         Update      Result
AntiVir             7.2.0.22        10.05.2006  no virus found
Authentium          4.93.8          10.05.2006  VBS/[EMAIL PROTECTED]
Avast               4.7.892.0       10.05.2006  no virus found
AVG                 386             10.05.2006  I-Worm/Scano
BitDefender         7.2             10.05.2006  [EMAIL PROTECTED]
CAT-QuickHeal       8.00            10.05.2006  VBS/Scano.E
ClamAV              devel-20060426  10.05.2006  Worm.Scano.AH-1
DrWeb               4.33            10.05.2006  Win32.HLLM.Perf
eTrust-InoculateIT  23.73.14        10.05.2006  VBS/Areses!Worm
eTrust-Vet          30.3.3115       10.05.2006  VBS/Areses!generic
Ewido               4.0             10.05.2006  no virus found
Fortinet            2.82.0.0        10.05.2006  no virus found
F-Prot              3.16f           10.04.2006  VBS/[EMAIL PROTECTED]
F-Prot4             4.2.1.29        10.05.2006  VBS/[EMAIL PROTECTED]
Ikarus              0.2.65.0        10.05.2006  no virus found
Kaspersky           4.0.2.24        10.05.2006  Email-Worm.Win32.Scano.gen
McAfee              4867            10.05.2006  W32/Areses.dr
Microsoft           1.1603          10.05.2006  TrojanDropper:VBS/Scano.gen
NOD32v2             1.1791          10.05.2006  Win32/Scano.NBH
Norman              5.80.02         10.05.2006  no virus found
Sophos              4.10.0          10.05.2006  W32/Bagle-GY
Symantec            8.0             10.04.2006  no virus found
TheHacker           6.0.1.092       10.05.2006  no virus found
UNA                 1.83            10.05.2006  no virus found
VBA32               3.11.1          10.05.2006  Email-Worm.Win32.Scano.e#6
VirusBuster         4.3.7:9         10.05.2006  VBS.Scano.AZ

Additional Information
File size: 67370 bytes
MD5: cbbae8aa1a224333a17c3051f9afc9b3
SHA1: 18e50e8fe39e20ee0e567e5dfd8f63609ce49d80

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 5:56 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Exactly, John. I should have stated that better; I supplied both variations because I assume that some people would prefer the specific line (the first in each sample) and some people would prefer the generic line to catch future variations.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Monday, October 02, 2006 5:25 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Andrew, wouldn't the second line include the first, meaning only the second line is needed?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, October 02, 2006 3:49 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] stration work

Those of us still running F-Prot* as a primary virus scanner will want to add one or both of these to their virus.cfg in order to block notifications for detection of the Stration malware:

FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!

The first is the most explicit, and the second is a fragment that will catch future detections that are based on heuristics.

And in the unlikely event that someone is using Trend Micro OfficeScan or SysClean:

FORGINGVIRUS Possible_Strat-2
FORGINGVIRUS Possible_

Andrew 8)

* The "new" price is unjustifiably high for using fpcmd on a mailserver. Plan to switch to a different vendor before you renew this licence.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 7:27 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:

The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED]. that uses its own SMTP engine to send itself to the
RE: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam
.. I hope that Declude will agree with Matt's point that backscatter must be avoided. There is ample precedent, for example in that the BOUNCE action was renamed to BOUNCEONLYIFYOUMUST to prevent backscatter.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, October 02, 2006 5:44 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

Matt,

I agree with every one of your points - My intent was to bring it up that I had reported this issue a long time ago as I also thought that what was happening was undesirable. However, at the time Scott did not feel this was a bug. However, times change and backscatter is a huge issue. Maybe that's enough now to convince for an alteration of behavior. As my preference would be to handle mismatched exe's as its own class, for which I would not send bannotify messages.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 8:24 PM
Subject: Re: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

Darrell,

I'm sure that it is desirable to block (when the detection isn't erroring), however having this handled as if it was an EXE when it comes to the bannotify.eml is problematic. Backscatter can get you blacklisted, not to mention it is annoying to get such things for forged E-mail. I have Virus running after JunkMail and still I have bounced a dozen of these today alone (which excludes messages that reached my DELETE weight). For those that run JunkMail before Virus (the default), that number could be in the hundreds or thousands depending on volume since this comes from a major zombie spammer. I'm guessing that most are bouncing EXE's that aren't detected as viruses. To check this, just search your Virus log for "mismatched.exe". The behavior needs to be changed so that this doesn't trigger bannotify.eml bounces. I am testing using "SKIPIFEXT mismatched.exe" in my bannotify.eml to see if that helps, but this should not bounce such messages by default as if they were EXE's. It makes sense to give it a unique extension for these conditions and let us determine what to do with them instead of lumping it together with actions for EXE's.

Matt

Darrell ([EMAIL PROTECTED]) wrote:

I brought this up to Scott several years ago - and he said this is not a bug but a by design issue. He explained a scenario why this was important and I understood based on the explanation but for the life of me I can't remember the scenario.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt
To: declude.virus@declude.com
Sent: Sunday, October 01, 2006 3:33 PM
Subject: [Declude.Virus] Bug in mismatched extensions causes backscatter on spam

I just found this bug. Essentially, if the MIME headers for an attachment are mismatched, Declude "assumes" that it is an EXE for virus scanning purposes, and this causes EXE triggers such as bannotify.eml to be triggered. This is especially bad since it is happening fairly commonly on zombie spam. For example, here are the MIME headers from the spam sample:

Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]
Content-Disposition: inline; filename="smoky.1.gi"

You will note the Content-Type being image/jpeg and the file extension being "gi". Here is what Declude Virus finds:

10/01/2006 14:03:44.656 q02f8014a9ecc.smd Vulnerability flags = 863
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: [text/html][7bit; Length=590 Checksum=51800]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Found file with mismatched extensions [smoky.1.jpg-smoky.1.gi]; assuming .exe
10/01/2006 14:03:44.671 q02f8014a9ecc.smd MIME file: mismatched.exe [base64; Length=25644 Checksum=3233585]
10/01/2006 14:03:44.671 q02f8014a9ecc.smd Banning file with
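The thread above asks for mismatched attachments to be their own class instead of being lumped in with EXEs, so that the notification policy can treat them differently. The following is an added example written for this page, not Declude's code: it performs the same name-versus-filename comparison Declude logs as "mismatched extensions", but returns a separate class for it and keeps sender notifications off for that class. The sample message is constructed from the MIME headers quoted in Matt's post (the image bytes are a stub), and the banned-extension list and the notification table are assumptions for the example.

```python
"""Classify attachments whose Content-Type name and Content-Disposition
filename disagree, as their own class rather than as an EXE.

Added example, not Declude code.  The mismatch check mirrors what the log
lines above describe; the separate "mismatched" class and the policy table
are this example's own design.
"""
import email
import os

# Constructed sample built from the MIME headers quoted in the thread.
# The base64 body is a stub, not the original spam attachment.
SAMPLE_SPAM = b"""From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>hello</body></html>
--b1
Content-Type: image/jpeg; name="smoky.1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <constructed@example.invalid>
Content-Disposition: inline; filename="smoky.1.gi"

/9j/4AAQSkZJRg==
--b1--
"""

# Extensions that warrant a ban on their own (assumed list for the example).
BANNED_EXTS = {".exe", ".pif", ".scr", ".com", ".bat"}

# Which classes may generate a sender notification.  "mismatched" never
# does: the envelope sender of zombie spam is usually forged, so a bounce
# would only be backscatter.
NOTIFY_SENDER = {"banned-ext": True, "mismatched": False, "ok": False}


def _ext(name):
    """Lower-cased extension of a filename, or '' when there is none."""
    return os.path.splitext(name)[1].lower() if name else ""


def classify_attachments(raw):
    """Return [(content_type_name, disposition_filename, class)] for every
    body part that carries at least one filename."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name = part.get_param("name")                       # Content-Type name=
        cd_name = part.get_param("filename", header="content-disposition")
        if not ct_name and not cd_name:
            continue                                           # inline body text
        if ct_name and cd_name and _ext(ct_name) != _ext(cd_name):
            klass = "mismatched"                               # its own class, not ".exe"
        elif _ext(cd_name or ct_name) in BANNED_EXTS:
            klass = "banned-ext"
        else:
            klass = "ok"
        results.append((ct_name, cd_name, klass))
    return results


def notify_sender(klass):
    """True only for classes where a bannotify-style reply is acceptable."""
    return NOTIFY_SENDER.get(klass, False)


if __name__ == "__main__":
    for ct_name, cd_name, klass in classify_attachments(SAMPLE_SPAM):
        print(f"{ct_name!r} vs {cd_name!r}: {klass}, "
              f"notify sender: {notify_sender(klass)}")
```

The attachment is still held (the classifier only decides the class), but because the class is "mismatched" rather than "banned-ext", no notification goes back to the forged sender, which is the behaviour Matt and Darrell ask for.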
RE: [Declude.Virus] stration work
Those of us still running F-Prot* as a primary virus scanner will want to add one or both of these to their virus.cfg in order to block notifications for detection of the Stration malware:

FORGINGVIRUS W32/Tricky-Malware-based!Maximus
FORGINGVIRUS Tricky-Malware-based!

The first is the most explicit, and the second is a fragment that will catch future detections that are based on heuristics.

And in the unlikely event that someone is using Trend Micro OfficeScan or SysClean:

FORGINGVIRUS Possible_Strat-2
FORGINGVIRUS Possible_

Andrew 8)

* The "new" price is unjustifiably high for using fpcmd on a mailserver. Plan to switch to a different vendor before you renew this licence.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, October 02, 2006 7:27 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] stration work

It looks like the Stration worm is causing backscatter today:

The W32/Stration.dr virus drops the mass mailing worm W32/[EMAIL PROTECTED]. that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. The W32/Stration.dr is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file.

I've added it as a forging virus

FORGINGVIRUS Stration

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.Virus] Oversized.RAR FOUND in ClamAV
Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing here...

It sounds like the max-ratio solution is a red herring.

It sounds like ClamAV returned an error because it couldn't scan the overlarge file (compressed or not).

It sounds like Gary's configuration is quarantining emails based on any non-zero return code from ClamAV and that this is not the behaviour he really wants.

Comments? Flames?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, September 07, 2006 7:02 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV

I used (and probably posted) the --max-ratio 0. The max-ratio defines the maximum compression ratio for scanned files. I kept getting legit text files that were zipped that were over ratio, so that's why I went to the max-ratio 0.

----- Original Message -----
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, September 06, 2006 9:31 PM
Subject: [Declude.Virus] Oversized.RAR FOUND in ClamAV

I have an email that was held as a virus after ClamAV was triggered with the result Oversized.RAR FOUND. I looked for an explanation but couldn't find anything detailed. Apparently this is due to some type of bug in ClamAV that shows up with certain RAR or ZIP files. I found one posting that suggested that the problem could be fixed by adjusting the max-ratio value. The default max-ratio value for ClamAV is 250. The suggested value for running it with Declude is 0. What would be the safest value to run with and why?

Gary
RE: [Declude.Virus] new virus?
My logs tell me that we received more than the usual number of viruses yesterday. These were split into two groups, a version of Bagle that was released back in June, and a new worm which Trend Micro calls WORM_STRATION.BD

In the samples I looked at, the messages were fake bounces with an executable attachment which had a .dat.pif extension.

Here's the writeup on that:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBHVSect=T

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen Mitchell
Sent: Wednesday, August 30, 2006 2:01 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus?

I am seeing lots of .com attachments blocked with Declude. Random two word subject from many different ip addresses. Is anyone else seeing them?

Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc.
385 Science Park Road
State College, PA 16803
814-235-8698
"Get the best weather on the web" - http://www.accuweather.com
RE: [Declude.Virus] new virus?
The Internet Storm Center also notes two items...

That a new-ish botnet has been found:
http://isc.sans.org/diary.php?storyid=1657

Previously, that there is elevated port scanning for 139/TCP:
http://isc.sans.org/diary.php?storyid=1654

In that second link, they note two malwares that are attacking the "Server" service that Microsoft patched most recently in August with MS06-040:
https://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, August 31, 2006 8:59 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus?

My logs tell me that we received more than the usual number of viruses yesterday. These were split into two groups, a version of Bagle that was released back in June, and a new worm which Trend Micro calls WORM_STRATION.BD

In the samples I looked at, the messages were fake bounces with an executable attachment which had a .dat.pif extension.

Here's the writeup on that:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBHVSect=T

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen Mitchell
Sent: Wednesday, August 30, 2006 2:01 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus?

I am seeing lots of .com attachments blocked with Declude. Random two word subject from many different ip addresses. Is anyone else seeing them?

Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc.
385 Science Park Road
State College, PA 16803
814-235-8698
"Get the best weather on the web" - http://www.accuweather.com
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Marc, check the contents of your c:\ for 666INSE_1.EXE as this is the dropper file that the macro drops. If it's there, the macro was executed, and the dropper has probably also downloaded further malware.

Modern versions of Office will, by default, not execute the macro so you might be safe.

I don't know if Symantec has signatures for this document, the dropper or the payload it downloads. Trend Micro does, so you could use their web based HouseCall antivirus scanner from here:
http://housecall.trendmicro.com/

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Wednesday, June 28, 2006 6:03 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Um, no making fun here - I opened it. I thought it was just spam; someone forwarded it to my spam account. I didn't find the Trojan downloader on my PC. I'm ASSUMING that you have to hit the check prices macro button as no macro seemed to auto-execute... I just downloaded the intelligent updater for NAV 9 (as the live update button only gave me definitions of the 21st) and am running a scan now. Remind me not to make so much fun of other people for opening attachments.

Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 2:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters.

It's a zip-file containing a MS Word Document named my_notebook.doc

Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:

Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I haven't seen any yet; I don't know if F-Prot is catching them.

From the published information at the antivirus vendors' sites, I'm using the BANNAME feature, e.g.

BANNAME My_Notebook.doc

And further, I catch most of the viruses as junkmail because they typically come from zombie machines, so they're heavily IP4R listed. I do use a SKIPATTACH filter (which I've previously shared on the list, so it's in the web archive if anyone wants it) and I've lowered the weight of that.

I don't think this virus is spreading well, it's not receiving much attention, and Trend Micro's statistics graph is flatlined. I think if your mailserver is getting them, you'll continue to get them, otherwise, it's not very likely.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, June 28, 2006 1:06 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Back to the matter indicated in the subject line, how are others dealing with this? Is F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relying on users to not open attachments is problematic.

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
I don't know where that character in front of my From sentence came from. The first character on that line should have been an F. It must be some kind of weird auto-quoting software; that character is not in the email that I sent.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, June 28, 2006 2:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

I haven't seen any yet; I don't know if F-Prot is catching them.

From the published information at the antivirus vendors' sites, I'm using the BANNAME feature, e.g.

BANNAME My_Notebook.doc

And further, I catch most of the viruses as junkmail because they typically come from zombie machines, so they're heavily IP4R listed. I do use a SKIPATTACH filter (which I've previously shared on the list, so it's in the web archive if anyone wants it) and I've lowered the weight of that.

I don't think this virus is spreading well, it's not receiving much attention, and Trend Micro's statistics graph is flatlined. I think if your mailserver is getting them, you'll continue to get them, otherwise, it's not very likely.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, June 28, 2006 1:06 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Back to the matter indicated in the subject line, how are others dealing with this? Is F-Prot and AVG and others catching this now? Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions without outright blocking of the file extension? We all know that relying on users to not open attachments is problematic.

John T
eServices For You
"Seek, and ye shall find!"
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
http://www.f-secure.com/weblog/archives/archive-062006.html#0909

The writeup is interesting in the follow-on details but the information that Markus posted earlier is more helpful to us in keeping the darn thing out of users' mailboxes.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 27, 2006 12:08 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Actually, it is CLAMAV catching it. Not sure about McAfee as I stop on first virus. F-Prot is def. not catching it though.

Darrell

Darrell ([EMAIL PROTECTED]) writes:

Mcafee is catching these Trojan.Myno on my systems.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Markus Gufler writes:

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters.

It's a zip-file containing a MS Word Document named my_notebook.doc

Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:

Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
JT: "Declude, this is a feature whose time has come."

Hear, hear!

The ability to ban filenames that are contained in archives would be a good feature, and most of the code must be in place, because Declude Virus already pulls apart at least the zip file format for selective file scanning.

It is also well placed in the market. I checked my up-to-the-minute ScanMail for Exchange from Trend Micro, and they don't have that feature. I also tested it to see whether filename blocking would work anyway, and no, it didn't.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 3:38 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Importance: High

I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know, yes, but BANNAME my_notebook.doc wouldn't work for files within zip-archives.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as attachment have passed our virus filters.

It's a zip-file containing a MS Word Document named my_notebook.doc

Most Virus-Scanners can't catch it. Virustotal has returned only two scanners with positive results:

Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus
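Two things come up repeatedly on this list: BANNAME/BANEXT lines in virus.cfg (including the request above to match names inside zip archives, and the BANEXT EZIP suggestion for password-protected zips in the "another new virus" thread), and FORGINGVIRUS lines that suppress notifications when the scanner's result name matches a fragment (the Stration thread). The following is an added example written for this page, not Declude's code, showing how those directives can be evaluated together. It deliberately goes beyond what the thread says Declude did at the time by looking inside zip attachments. The virus.cfg excerpt is constructed from directives quoted on this list; the parse rules, case-insensitive matching and substring matching for FORGINGVIRUS are assumptions made for the example, as is the EZIP flag-bit check.

```python
"""Evaluate BANNAME / BANEXT / FORGINGVIRUS lines against attachments and
scanner results, looking inside zip archives.

Added example, not Declude code.  Directive semantics beyond what the list
posts state (case folding, substring match, zip recursion) are assumptions.
"""
import io
import os
import zipfile

# Constructed virus.cfg excerpt, assembled from directives quoted on this list.
VIRUS_CFG = """
# constructed excerpt, not a real configuration
BANNAME Greeting Card.exe
BANNAME sony_prices.zip
BANNAME My_Notebook.doc
BANEXT EZIP
FORGINGVIRUS Stration
FORGINGVIRUS Tricky-Malware-based!
FORGINGVIRUS VBS/Scano@
"""


def parse_virus_cfg(text):
    """Parse the three directives this example understands; others are ignored."""
    cfg = {"BANNAME": set(), "BANEXT": set(), "FORGINGVIRUS": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        directive, value = directive.upper(), value.strip()
        if directive == "BANNAME":
            cfg["BANNAME"].add(value.lower())
        elif directive == "BANEXT":
            cfg["BANEXT"].add(value.lower().lstrip("."))
        elif directive == "FORGINGVIRUS":
            cfg["FORGINGVIRUS"].append(value.lower())
    return cfg


def check_attachment(name, data, cfg, depth=0):
    """Return the list of reasons the attachment is banned ([] means allowed)."""
    reasons = []
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    if name.lower() in cfg["BANNAME"]:
        reasons.append(f"BANNAME {name}")
    if ext in cfg["BANEXT"]:
        reasons.append(f"BANEXT {ext.upper()}")
    if data[:4] == b"PK\x03\x04" and depth < 2:        # zip local-file-header signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
                if any(zi.flag_bits & 0x1 for zi in infos):   # bit 0: entry is encrypted
                    if "ezip" in cfg["BANEXT"]:             # EZIP = encrypted zip pseudo-extension
                        reasons.append("BANEXT EZIP")
                    return reasons                          # contents cannot be inspected
                for zi in infos:                            # the feature requested above
                    inner = os.path.basename(zi.filename)
                    for r in check_attachment(inner, zf.read(zi), cfg, depth + 1):
                        reasons.append(f"{r} (inside {name})")
        except zipfile.BadZipFile:
            reasons.append(f"unreadable archive {name}")
    return reasons


def notify_sender(scanner_result, cfg):
    """False when the scanner's result name contains a FORGINGVIRUS fragment:
    the From address is forged, so a notification would only be backscatter."""
    result = scanner_result.lower()
    return not any(frag in result for frag in cfg["FORGINGVIRUS"])


# --- constructed fixtures ----------------------------------------------------
def make_zip(inner_name, body):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, body)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Test fixture: set the 'encrypted' bit (bit 0 of the general-purpose
    flags) in the first local and central headers so zipfile reports the entry
    as password-protected.  The stdlib reads such headers but cannot write them."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        buf[buf.find(sig) + flag_offset] |= 0x01
    return bytes(buf)


PLAIN_ZIP = make_zip("My_Notebook.doc", b"constructed document body")
ENCRYPTED_ZIP = mark_encrypted(make_zip("password.txt", b"constructed"))

if __name__ == "__main__":
    cfg = parse_virus_cfg(VIRUS_CFG)
    for fname, blob in (("photo.jpg", b"\xff\xd8"), ("sony_prices.zip", PLAIN_ZIP),
                        ("account.zip", ENCRYPTED_ZIP)):
        print(fname, check_attachment(fname, blob, cfg) or "allowed")
    for hit in ("W32/Tricky-Malware-based!Maximus", "EICAR_Test_File"):
        print(hit, "notify sender:", notify_sender(hit, cfg))
```

The recursion depth is capped so a zip-inside-a-zip cannot be used to make the check do unbounded work, and an encrypted archive is reported as EZIP and left unopened rather than treated as clean.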
RE: [Declude.Virus] Entry in Event Log
This came up just last Friday, Mark. Here's the end of that thread on the mail archive website:

http://www.mail-archive.com/declude.virus@declude.com/msg13314.html

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Thursday, June 22, 2006 2:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Entry in Event Log

For the past week I have only seen my virus log show "could not find parse string infection: in report.txt" for f-prot. I have not made any changes to anything in weeks. Does f-prot show this when it does not show the name of the virus?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] another new virus
Ditto. F-Prot notices that the zip file is password protected and I can see that there is a very-Bagle-ish gif file of the password.

David Barker's earlier response of using:

BANEXT EZIP

in your virus.cfg will work to catch these.

I received a single copy, and it was from a likely zombie due to the reverse DNS I noted. I submitted my sample to Trend and to ClamAV.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, June 20, 2006 12:42 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] another new virus

I just started receiving copies of a new virus that F-Prot flags, but with the descriptive label of "Unknown" (at least out of Declude). The messages are all around 86k in size, and contain a gif and an encrypted zip file. It pretends to be sending you a password for some unnamed account. Following is what VirusTotal says:

Antivirus           Version         Update      Result
AntiVir             6.35.0.13       06.20.2006  no virus found
Authentium          4.93.8          06.20.2006  Not scanned (encrypted)
Avast               4.7.844.0       06.20.2006  no virus found
AVG                 386             06.20.2006  no virus found
BitDefender         7.2             06.20.2006  no virus found
CAT-QuickHeal       8.00            06.20.2006  no virus found
ClamAV              devel-20060426  06.20.2006  no virus found
DrWeb               4.33            06.20.2006  no virus found
eTrust-InoculateIT  23.72.43        06.20.2006  no virus found
eTrust-Vet          12.6.2265       06.20.2006  no virus found
Ewido               3.5             06.20.2006  no virus found
Fortinet            2.77.0.0        06.20.2006  no virus found
F-Prot              3.16f           06.20.2006  suspicious
Ikarus              0.2.65.0        06.20.2006  no virus found
Kaspersky           4.0.2.24        06.20.2006  no virus found
McAfee              4788            06.20.2006  no virus found
Microsoft           1.1441          06.20.2006  password protected
NOD32v2             1.1611          06.20.2006  error - password-protected file
Norman              5.90.21         06.20.2006  Mitglied.gen
Panda               9.0.0.4         06.20.2006  no virus found
Sophos              4.06.0          06.20.2006  no virus found
Symantec            8.0             06.20.2006  no virus found
TheHacker           5.9.8.162       06.20.2006  no virus found
UNA                 1.83            06.20.2006  no virus found
VBA32               3.11.0          06.20.2006  no virus found
VirusBuster         4.3.7:9         06.20.2006  I-Worm.Bagle.ZIP.Gen
RE: [Declude.Virus] another new virus
... and here's one writeup on that new Bagle:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EFN&VSect=T

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, June 20, 2006 1:17 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] another new virus

Ditto. F-Prot notices that the zip file is password protected and I can see that there is a very-Bagle-ish gif file of the password.

David Barker's earlier response of using:

BANEXT EZIP

in your virus.cfg will work to catch these.

I received a single copy, and it was from a likely zombie due to the reverse DNS I noted. I submitted my sample to Trend and to ClamAV.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, June 20, 2006 12:42 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] another new virus

I just started receiving copies of a new virus that F-Prot flags, but with the descriptive label of "Unknown" (at least out of Declude). The messages are all around 86k in size, and contain a gif and an encrypted zip file. It pretends to be sending you a password for some unnamed account. Following is what VirusTotal says:

Antivirus           Version         Update      Result
AntiVir             6.35.0.13       06.20.2006  no virus found
Authentium          4.93.8          06.20.2006  Not scanned (encrypted)
Avast               4.7.844.0       06.20.2006  no virus found
AVG                 386             06.20.2006  no virus found
BitDefender         7.2             06.20.2006  no virus found
CAT-QuickHeal       8.00            06.20.2006  no virus found
ClamAV              devel-20060426  06.20.2006  no virus found
DrWeb               4.33            06.20.2006  no virus found
eTrust-InoculateIT  23.72.43        06.20.2006  no virus found
eTrust-Vet          12.6.2265       06.20.2006  no virus found
Ewido               3.5             06.20.2006  no virus found
Fortinet            2.77.0.0        06.20.2006  no virus found
F-Prot              3.16f           06.20.2006  suspicious
Ikarus              0.2.65.0        06.20.2006  no virus found
Kaspersky           4.0.2.24        06.20.2006  no virus found
McAfee              4788            06.20.2006  no virus found
Microsoft           1.1441          06.20.2006  password protected
NOD32v2             1.1611          06.20.2006  error - password-protected file
Norman              5.90.21         06.20.2006  Mitglied.gen
Panda               9.0.0.4         06.20.2006  no virus found
Sophos              4.06.0          06.20.2006  no virus found
Symantec            8.0             06.20.2006  no virus found
TheHacker           5.9.8.162       06.20.2006  no virus found
UNA                 1.83            06.20.2006  no virus found
VBA32               3.11.0          06.20.2006  no virus found
VirusBuster         4.3.7:9         06.20.2006  I-Worm.Bagle.ZIP.Gen
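The two threads above make one point from two sides: BANNAME cannot see a filename inside a zip (the my_notebook.doc thread), and a password-protected zip (caught at the attachment level with BANEXT EZIP) cannot be scanned at all. The following Python is an added example, not Declude's or any list member's code, of the header-level inspection an archive-aware banner would do: it walks the zip central directory, reports members whose name is on a BANNAME-style list, flags members with the encryption bit set, and recurses into nested zips up to the same nesting limit as the /ARCHIVE=5 F-Prot switch quoted later on this page. The sample archive is constructed in memory by a minimal zip writer; the member names other than my_notebook.doc and prices.zip are made up, and the "encrypted" member only carries the flag and a dummy header, so nothing here decrypts anything.

```python
"""Archive-aware attachment checks: banned inner filenames, password-protected
members and nested archives.  Added illustration; not Declude code."""
import io
import struct
import zipfile
import zlib

# Constructed BANNAME-style list; the inner filename from the thread.
BANNED_NAMES = frozenset({"my_notebook.doc"})
MAX_DEPTH = 5          # mirrors the /ARCHIVE=5 nesting limit used with F-Prot
FLAG_ENCRYPTED = 0x1   # general-purpose bit 0 in the zip headers


def build_zip(members):
    """Build a minimal stored (uncompressed) zip in memory from
    (name, data, flags) tuples.  When FLAG_ENCRYPTED is set we only prepend a
    12-byte dummy header and set the flag, which is enough for header-level
    inspection; this is a constructed sample, not real ZipCrypto."""
    buf, central = io.BytesIO(), []
    for name, data, flags in members:
        payload = (b"\x00" * 12 + data) if flags & FLAG_ENCRYPTED else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        name_b, offset = name.encode("ascii"), buf.tell()
        # local file header: sig, version, flags, method, time, date(1980-01-01),
        # crc, compressed size, uncompressed size, name length, extra length
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                              crc, len(payload), len(data), len(name_b), 0)
                  + name_b + payload)
        # central directory record for the same entry (46 fixed bytes + name)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                   0, 0, 0x21, crc, len(payload), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset, cd = buf.tell(), b"".join(central)
    buf.write(cd)
    # end of central directory record
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                          len(cd), cd_offset, 0))
    return buf.getvalue()


def inspect_zip(blob, banned=BANNED_NAMES, depth=1, prefix=""):
    """Walk every member (recursing into nested zips) and return (path, verdict)
    pairs.  Verdicts: 'banned-name' for an inner filename on the ban list
    (matched case-insensitively here), 'encrypted' for a password-protected
    member that no scanner can open, 'too-deep' when the nesting limit is hit,
    otherwise 'scannable'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in banned:
                findings.append((path, "banned-name"))
            elif info.flag_bits & FLAG_ENCRYPTED:
                findings.append((path, "encrypted"))
            elif base.endswith(".zip"):
                if depth >= MAX_DEPTH:
                    findings.append((path, "too-deep"))
                else:
                    findings.extend(inspect_zip(zf.read(info), banned, depth + 1, path + "/"))
            else:
                findings.append((path, "scannable"))
    return findings


def should_block(findings):
    """A message is held if any member is banned, unscannable or nested too deep."""
    return any(verdict != "scannable" for _, verdict in findings)


# Constructed sample: an inner zip that hides the banned document, carried inside
# an outer zip next to a harmless note and a password-protected member.
INNER = build_zip([("my_notebook.doc", b"constructed document bytes", 0)])
SAMPLE = build_zip([("notes.txt", b"constructed plain text", 0),
                    ("prices.zip", INNER, 0),
                    ("protected.txt", b"constructed hidden bytes", FLAG_ENCRYPTED)])

if __name__ == "__main__":
    for path, verdict in inspect_zip(SAMPLE):
        print(f"{verdict:12} {path}")
    print("block message:", should_block(inspect_zip(SAMPLE)))
```

Whether Declude's BANNAME compares names case-insensitively is not stated in the thread; the example lower-cases both sides, which is why Markus's `BANNAME My_Notebook.doc` would still match `my_notebook.doc` here. The nesting limit matters because a banner that recurses without one can be made to chew CPU on deliberately deep archives, which is the same reason F-Prot takes an /ARCHIVE= depth.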
RE: [Declude.Virus] new virus
It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen

http://www.f-secure.com/weblog/archives/archive-062006.html#0902

The fake HELO names were CNN.com and TradersWorld.com if that's any use.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Friday, June 16, 2006 2:03 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus

Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it.

At 04:30 PM 6/16/2006 -0400, you wrote:
> Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip
>
> Bruce Loughlin
RE: [Declude.Virus] new virus
This is what I've received recently:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EAV&VSect=T

My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results:

Antivirus           Version         Update      Result
AntiVir             6.35.0.13       06.16.2006  Worm/SdBot.32768.26
Authentium          4.93.8          06.16.2006  W32/Brepibot.gen
Avast               4.7.844.0       06.15.2006  no virus found
AVG                 386             06.16.2006  IRC/BackDoor.SdBot2.EDN
BitDefender         7.2             06.16.2006  Backdoor.IRCbot.JD
CAT-QuickHeal       8.00            06.16.2006  no virus found
ClamAV              devel-20060426  06.16.2006  Trojan.IRCBot-638
DrWeb               4.33            06.16.2006  BackDoor.IRC.Boxer
eTrust-InoculateIT  23.72.40        06.16.2006  no virus found
eTrust-Vet          12.6.2259       06.16.2006  no virus found
Ewido               3.5             06.16.2006  no virus found
Fortinet            2.77.0.0        06.16.2006  W32/Brepibot.AS!tr
F-Prot              3.16f           06.16.2006  W32/Brepibot.gen
Ikarus              0.2.65.0        06.16.2006  photo3.exe
Kaspersky           4.0.2.24        06.16.2006  Backdoor.Win32.Breplibot.ai
McAfee              4786            06.16.2006  W32/Brepibot.gen
Microsoft           1.1441          06.16.2006  no virus found
NOD32v2             1.1605          06.16.2006  Win32/IRCBot.PH
Norman              5.90.21         06.16.2006  W32/Malware
Panda               9.0.0.4         06.16.2006  Suspicious file
Sophos              4.06.0          06.16.2006  Troj/Stinx-W
Symantec            8.0             06.16.2006  Backdoor.Naninf.E
TheHacker           5.9.8.160       06.16.2006  no virus found

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 2:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

It might be this, if my F-Prot is more up to date than yours, as mine has identified a few zip files with a plus sign in the name as W32/Brepibot.gen

http://www.f-secure.com/weblog/archives/archive-062006.html#0902

The fake HELO names were CNN.com and TradersWorld.com if that's any use.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Friday, June 16, 2006 2:03 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus

Yes, 04dotzip just came through here but McAfee stopped it. But F-prot not getting it.

At 04:30 PM 6/16/2006 -0400, you wrote:
> Is anyone else seeing new virus zip files getting past F-Prot? the last one was just numbers.zip Earlier a few came through with name.zip
>
> Bruce Loughlin
RE: [Declude.Virus] new virus
> Could not find parse string Infection: in report.txt
> Means that it did not find the word infection in the file

Correct, that is what the Declude line means. Other codes like 8 don't include the Infection: text, so an f-prot result line like:

.exe is a security risk named W32/Mitglieder.gen

won't pick up the name because Infection: simply wasn't in the line.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, June 16, 2006 4:18 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

Yup I got it. I think that the message

Could not find parse string Infection: in report.txt

Means that it did not find the word infection in the file

SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt
VIRUSCODE 13
VIRUSCODE 16
VIRUSCODE 8
VIRUSCODE 9
VIRUSCODE 10
REPORT1 Infection:

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, June 16, 2006 6:59 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus

Goran,

Do you have exit code 8 also listed for F-Prot in your virus.cfg? If not you should.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 16, 2006 6:04 PM
Subject: RE: [Declude.Virus] new virus

My F-Prot is finding it but it does not know what it is. Both the MAIL FROM and the RCPT TO are the same address

06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: [text/html][7bit; Length=43 Checksum=2820]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64; Length=10548 Checksum=1347367]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe extension.
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports exit code of 8
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse string Infection: in report.txt
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS [MIME: 2 10657]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 209.239.24.62]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333
Cell: 416 805-HELP (4357)
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 5:31 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus

This is what I've received recently:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EAV&VSect=T

My F-Prot and Trend Micro do detect it. When I submit the executable inside the payload to http://virusscan.jotti.org or http://www.virustotal.com I get these results:

Antivirus           Version         Update      Result
AntiVir             6.35.0.13       06.16.2006  Worm/SdBot.32768.26
Authentium          4.93.8          06.16.2006  W32/Brepibot.gen
Avast               4.7.844.0       06.15.2006  no virus found
AVG                 386             06.16.2006  IRC/BackDoor.SdBot2.EDN
BitDefender         7.2             06.16.2006  Backdoor.IRCbot.JD
CAT-QuickHeal       8.00            06.16.2006  no virus found
ClamAV              devel-20060426  06.16.2006  Trojan.IRCBot-638
DrWeb               4.33            06.16.2006  BackDoor.IRC.Boxer
eTrust-InoculateIT  23.72.40        06.16.2006  no virus found
eTrust-Vet          12.6.2259       06.16.2006  no virus found
Ewido               3.5             06.16.2006  no virus found
Fortinet            2.77.0.0        06.16.2006  W32/Brepibot.AS!tr
F-Prot              3.16f           06.16.2006  W32/Brepibot.gen
Ikarus              0.2.65.0        06.16.2006  photo3.exe
Kaspersky           4.0.2.24        06.16.2006  Backdoor.Win32.Breplibot.ai
McAfee              4786            06.16.2006  W32/Brepibot.gen
Microsoft           1.1441          06.16.2006  no virus found
NOD32v2             1.1605          06.16.2006  Win32/IRCBot.PH
Norman              5.90.21         06.16.2006  W32/Malware
Panda               9.0.0.4         06.16.2006  Suspicious file
Sophos              4.06.0          06.16.2006  Troj/Stinx-W
Symantec            8.0             06.16.2006  Backdoor.Naninf.E
TheHacker           5.9.8.160       06.16.2006  no virus found

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 16, 2006 2:21 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus
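Why Declude logged "Could not find parse string Infection: in report.txt" and then "File(s) are INFECTED [: 8]" in Goran's log above, as an added Python example (not Declude's or F-Prot's code): the REPORT line only knows the "Infection:" parse string, so an exit-code-8 result such as the "is a security risk named W32/Mitglieder.gen" line Andrew quotes yields no name. The example reproduces that behaviour, then shows a fallback pattern for the security-risk wording that recovers the name. The VIRUSCODE set is the one in Goran's virus.cfg; the report.txt contents (file paths, the clean-scan wording) are constructed, and the fallback is this example's suggestion, not something Declude does.

```python
"""Parse an F-Prot (fpcmd) report.txt the way a Declude REPORT line does, with
an optional fallback for exit-code-8 results that carry no "Infection:" text.
Added illustration; not Declude's or F-Prot's own code."""
import re

# VIRUSCODE values from the virus.cfg quoted in the thread: any of these exit
# codes means F-Prot found something worth acting on.
VIRUSCODES = frozenset({8, 9, 10, 13, 16})
PARSE_STRING = "Infection:"     # the REPORT parse string from the thread

# Exit-code-8 lines do not contain the parse string; this pattern follows the
# "is a security risk named W32/Mitglieder.gen" line quoted in the thread.
SECURITY_RISK = re.compile(r"is a security risk named (\S+)")


def parse_report(exit_code, report_text, fallback=True):
    """Return (infected, name).  name is None when the scanner flagged the file
    but no name could be extracted from the report, which is exactly the case
    that produced "File(s) are INFECTED [: 8]" in the thread."""
    if exit_code not in VIRUSCODES:
        return False, None
    for line in report_text.splitlines():
        idx = line.find(PARSE_STRING)
        if idx != -1:                       # what Declude's REPORT line matches
            return True, line[idx + len(PARSE_STRING):].strip() or None
    if fallback:                            # assumed extension, not Declude behaviour
        match = SECURITY_RISK.search(report_text)
        if match:
            return True, match.group(1)
    return True, None


def declude_log_lines(exit_code, report_text, fallback=True):
    """Render the outcome in the format of the Declude log quoted in the thread."""
    lines = [f"Virus scanner 1 reports exit code of {exit_code}"]
    infected, name = parse_report(exit_code, report_text, fallback)
    if infected and name is None:
        lines.append(f"Could not find parse string {PARSE_STRING} in report.txt")
    if infected:
        lines.append(f"File(s) are INFECTED [{name or ''}: {exit_code}]")
    return lines


# Constructed report.txt contents; the paths and the clean-scan wording are
# assumptions, the two result phrasings come from the thread.
REPORT_INFECTION = "D:\\work\\06.zip->photo3.exe  Infection: W32/Brepibot.gen\n"
REPORT_RISK = "D:\\work\\06.zip->sample.exe is a security risk named W32/Mitglieder.gen\n"
REPORT_CLEAN = "Results of virus scanning:\nNo suspicious files found.\n"

if __name__ == "__main__":
    for code, text in ((13, REPORT_INFECTION), (8, REPORT_RISK), (0, REPORT_CLEAN)):
        print("--- as Declude parses it")
        print("\n".join(declude_log_lines(code, text, fallback=False)))
        print("--- with the security-risk fallback")
        print("\n".join(declude_log_lines(code, text, fallback=True)))
```

The practical lesson from the thread is the first branch: a scanner exit code that is listed as a VIRUSCODE still blocks the message even when the name cannot be parsed, so an empty name in the log is a reporting gap, not a missed detection. Darrell's question about exit code 8 is the other half: a code missing from VIRUSCODES is treated as clean regardless of what report.txt says.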
RE: [Declude.Virus] the ebay spoof spam stuff
Bob, drop an email to the handler on duty at http://isc.sans.org/ for some general advice. They may also have some specific reference to point you to regarding a vulnerability or they may recognize the modus operandi of what you saw. I don't recognize it, myself.

Generally speaking, your best bet is to take that machine offline and rebuild it from known good sources.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McGregor
Sent: Wednesday, June 14, 2006 11:37 AM
To: Declude-List
Subject: [Declude.Virus] the ebay spoof spam stuff

This is a bit off-topic but we had one of our servers last night have the ebay spoof page loaded on it. Anyone have info as to how this gets loaded and, more importantly, how to keep it from happening? The only things I found were the htm page that was referenced in the spam e-mail and a folder on the desktop named "sign in_files" with the images associated with the page. I want to keep it from happening again.

thanks,
bob
RE: [Declude.Virus] Built in virus detector
(Another country heard from)

Release announcements? Why, that's why I subscribed to Declude.Releases on May-11-2005 ... The only message I've kept (the only one received!?) was from Barry on Sep-26-2005 and had the subject: Declude 3.0 Availability

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Wednesday, May 03, 2006 1:43 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Built in virus detector

Besides your question, why can't Declude notify the list when there is a new release??? New releases seem to magically appear. From 4.1 to 4.2.3 with only two release notes??? Seems a waste of everyone's time to release a version with two ADD release notes, no fixes and no documentation; the last manual placed online is for 4.0.8.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Carter
Sent: Wednesday, May 03, 2006 1:17 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Built in virus detector

Just noticed yesterday's 4.2.3 release notes:

EVA ADD BUILTINSCANNER OFF Located in Virus.cfg. Will disable the internal AVG scanner.
EVA ADD Integrated AVG Scanner into Decludeproc no configuration required.

Can someone supply info on this? I must have missed the discussion, if there was one.

Thanks,
John
RE: [Declude.Virus] Possible virus?
It's been years, but I do remember that there were several viruses that would take random MS Office documents off the infected user's computer as "cover" when it sent itself out. Their names, though, I don't remember.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Tuesday, April 04, 2006 9:01 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Possible virus?

Anyone seen or heard of a virus that is sending out random power point attachments? One of the attachments is called House_of_Golf.pps

Thanks,
Sharyn
RE: [Declude.Virus] F-Prot Switches
# Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options
# are not listed when you ask fpcmd.exe for help, but they are definitely in the logs.
SCANFILE D:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Tuesday, March 28, 2006 8:46 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot Switches

After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

---
[This E-mail has been scanned for viruses]
RE: [Declude.Virus] ClamAV sanesecurity definitions
Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV sanesecurity definitions

As a follow-up on last week's discussions on the SaneSecurity phish definitions for ClamAv:

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days).
SaneSecurity definitions caught 178 phish for me in the last 8 days of February.
McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.Virus] language specific messages
You can write it in French and Spanish in the same recip.eml; I have seen a lot of this technique in Canada, but it's in English and French.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 11:12 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA? I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
RE: [Declude.Virus] language specific messages
Goran, I actually avoid any bounce and alerts to recipients and senders. I only use alerting to send virus alerts inbound to our postmaster account.

I do this because I know firsthand how hard it is to keep junk alerts from the Internet from coming in to my users' mailboxes. Likewise, I recommend NOT sending user notifications regarding viruses.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 11:43 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Andrew,

Do you do anything to decrease the chance of the alert message going out to real spammers or forged addresses? This would get sent out to e-mail that failed REVDNS and were not deleted as SPAM?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, February 23, 2006 2:35 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Example attached (sorry, German/English in this case).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 02:12 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA? I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner
RE: [Declude.Virus] language specific messages
Hmm, this would still not work out well in the real world. I've no problem with the construction of this test, but with the concept.

For example, Microsoft often fails REVDNS with their Hotmail/MSN service and you would be informing Aunt Minnie about something technical over which she has no control and no interest. And you'd be effectively spamming her every time she sends a message to one of your users.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 1:13 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Andrew,

I do not send any outbound alerts/bounces etc. The only ones I send are for banned files and that goes to the recipient(s).

Having said that, I kind of like the idea of sending a REVDNS alert to legitimate senders in the hope that they will act to clean up their system. Question is how do you tell if they are a legitimate mail rather than spam?

Perhaps with a filter like this run as the last one in global.cfg

SKIPIFWEIGHT 10
TESTFAILED 0 CONTAINS REVDNS

Then do an alert in the $default$.junkmail file for this test. I tag at 10 and delete at 30 so this would only trigger on legit messages.

Just a thought

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, February 23, 2006 3:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Goran, I actually avoid any bounce and alerts to recipients and senders. I only use alerting to send virus alerts inbound to our postmaster account.

I do this because I know firsthand how hard it is to keep junk alerts from the Internet from coming in to my users' mailboxes. Likewise, I recommend NOT sending user notifications regarding viruses.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 11:43 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Andrew,

Do you do anything to decrease the chance of the alert message going out to real spammers or forged addresses? This would get sent out to e-mail that failed REVDNS and were not deleted as SPAM?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, February 23, 2006 2:35 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

Example attached (sorry, German/English in this case).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 02:12 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] language specific messages

You could always put the English and Spanish messages into the same recip.eml file. I see a lot of that type of thing up here in Canada except it is English and French.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, February 23, 2006 2:04 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] language specific messages

Can the following be done in Declude EVA? I have customers who are English speakers, and customers who are Spanish speakers. When a customer is sent a virus, they receive a message telling them about the virus (recip.eml). I want to be able to have a different message sent to each of my domains depending on the language of the customer (recip-en.eml and recip-es.eml). I believe this can be done in Junkmail, but can it be done in EVA?

Thanks,
Gary Steiner
RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
My raw speculation:

1) It is missed because the virus.cfg is using the "PRESCAN ON" switch (the default, I believe) and the declude.exe application does not decode the MIME or other coding as flexibly as a mail client would, or makes an uninformed decision about what is an object worth scanning.

ANSWER: use PRESCAN OFF instead. This will incur more CPU time as the selected antivirus scanner(s) will be scanning all objects.

2) For F-Prot specifically, the /server switch is not being used and therefore F-Prot is not doing the message format decoding. If Declude did a perfect job, this setting would be irrelevant.

ANSWER: use the /server switch in your SCANFILE definition. This would cause more CPU time on the few messages that appear as nested message encoding; it is intended for scanning servers with multiple mailbox formats and nested messages.

I follow my own advice on these two points and do not have a problem with F-Prot under Declude EVA missing known viruses.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, February 02, 2006 1:47 PM
To: Imail_Forum@list.ipswitch.com; Declude.Virus@declude.com
Subject: Re: [Declude.Virus] [IMail Forum] Realistic virus threat?

I reported this issue quite some time ago, when Scott was still running the show, and never got a satisfactory answer. You can scan the raw d*.smd file with f-prot and it will detect the virus, but run it through Declude Virus, and the virus goes through undetected. After pestering and prodding for several days, I finally gave up on getting a response that made sense. But it must have something to do with the way Declude Virus is stripping off the mime encapsulation before calling f-prot to scan the message. I have copied this to the Declude Virus list, as well, since it really belongs there rather than on the IMail list.

Bill

----- Original Message -----
From: Michael Graveen
To: Imail_Forum@list.ipswitch.com
Sent: Thursday, February 02, 2006 1:15 PM
Subject: RE: [IMail Forum] Realistic virus threat?

I've had F-Prot miss this virus on the mail server (being called from Declude). But it's caught coming to my desktop, with the same virus scanner. Is anyone else seeing this?

Mike

At 02:25 PM 2/2/2006, you wrote:

I believe F-Prot calls it W32/[EMAIL PROTECTED]

From: Stephen Guluk [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 02, 2006 2:19 PM
To: Imail_Forum@list.ipswitch.com
Subject: [IMail Forum] Realistic virus threat?

Off topic but still related to email... Had a couple clients that called concerned about this virus that is said to open and do its damage tomorrow: [EMAIL PROTECTED] Win32.Nyxem.e

I run F-prot on my mail server and their list of virus definitions shows nothing pertaining to this virus name. I wrote them but expect that they are sleeping since they are in Iceland. Anyone else running F-prot and know any more info on it? Is this a real threat?

Regards,
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
3) On a very busy server, Declude may be aborting the scan because it is taking too long. The default is 60 seconds.

ANSWER: Use SCANNERTIMEOUT 90 in the virus.cfg, or some other time value of your choosing.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, February 02, 2006 2:10 PM
To: Declude.Virus@declude.com
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] [IMail Forum] Realistic virus threat?
RE: [Declude.Virus] Encoded viruses...worried
Don: I don't know about the best, but the de facto standard works great. Get a bunch of *nix tools that have been ported to W32 here: http://unxutils.sourceforge.net/

And get the up-to-date version of wget here: http://xoomer.virgilio.it/hherold/#Files

With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him. I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows.

John T: Sorry, you were probably viewing the output with NotePad. I use a different editor that accommodates CR or CR/LF as the end-of-line sequence. Good old edit and WordPad will do the trick. So will using less.exe instead of piping to more.

Markus: Great tip, I just might make that part of my standard commands anyway.

Matt: No problem, the .UU part of the search will also find all the lines that mention the .UUE format.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 7:24 AM
To: Markus Gufler
Subject: Re: [Declude.Virus] Encoded viruses...worried

Off list - what grep do you use or which is the best for a W32 box?

Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler [EMAIL PROTECTED] wrote:

MG> I've grep'ed through the logfiles for the last 7 days on my servers
MG>
MG> 2981 lines has sources of \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME
MG> (ignoring double counts for the second av scanner)
MG>
MG> After filtering out all lines containing Kapser and Mywife there remains the following 4 lines
MG>
MG> 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG> 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
MG> 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG> 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
MG>
MG> This looks very promising that declude is already handling it in order to catch malicious code inside such attachments.
MG>
MG> Note: the 4th line is listed due to the MIME
MG>
MG> Markus
MG>
MG> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
MG> Sent: Wednesday, February 01, 2006 3:19 PM
MG> To: Declude.Virus@declude.com
MG> Subject: Re: [Declude.Virus] Encoded viruses...worried
MG>
MG> You know, I was going to ask if you would do a search, but I figured you might do it anyway :) You did leave out the .uue extension, but I doubt that would have changed your results. I suppose that if these extensions aren't hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic to become widespread and then take action. I do have a fair number of Mac users and probably more overseas traffic than you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them.
MG>
MG> Matt
MG>
MG> Colbeck, Andrew wrote:
RE: [Declude.Virus] Encoded viruses...worried
John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant.

Blocking messages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives.

Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning. I've been watching for copies of Blackworm that might be caught on my system so that I can check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats).

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:44 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Actually, I am already blocking hqz and uue so I went and added the others and will see what happens.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, January 31, 2006 5:37 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried

Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now?

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 31, 2006 4:50 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Encoded viruses...worried

Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links:

http://isc.sans.org/diary.php?storyid=1067
http://vil.nai.com/vil/content/v_138027.htm

This started hitting my system on the 17th, possibly seeded through Yahoo! Groups. The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside. For instance, I found that some BHX files that clearly contained an executable payload showed up in my Virus logs like so:

01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]

There was no mention about the payload inside of it, and there almost definitely was. The same attachment name with the same length was repeatedly detected as a virus later on that day. This likely was a PIF file inside, though it could also have been a JPG according to the notes on this virus. I, like most of us here, don't allow PIFs to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection.

Here's the conundrum. This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings. I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already. I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common. This particular virus is so destructive that a single copy could cause severe damage to one's enterprise. I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe.

Matt
RE: [Declude.Virus] Encoded viruses...worried
On the plus side, there are mitigating circumstances...

First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping.

For many years, the bad guys have been using encoding methods and 3rd party applications to obfuscate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away.

PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves.

The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow).

If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this:

egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log

(if you don't want the filename, stick a -h parameter and a space before that first quotation mark)

By doing this against my virMMDD.log, I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs, I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base.

And that's a wrap for tonight.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 31, 2006 6:04 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Encoded viruses...worried
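The log search Andrew and Markus describe, as an added example that is not from the thread or from Declude: a POSIX shell script that runs the same egrep pattern over constructed virMMDD.log lines and then goes one step further than the thread by correlating each hit with its queue ID, so that messages already named as a known virus (Markus's Kapser/Mywife filter) are separated from the unexplained ones an administrator would want to inspect. The sample log lines, the "Found virus" detection line format, and the assumption that the queue ID is the third space-separated field are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Declude list thread: search Declude virMMDD.log
# files for the legacy attachment encodings discussed (BHX/HQX/B64/UU/UUE/MIM/MME)
# and report which queue IDs carried one WITHOUT a line naming a known virus.

# Same pattern as the thread's egrep; note that "\.UU" also matches ".UUE".
LEGACY_ENCODINGS='\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME'

# Virus family names that Markus filtered out as "already caught".
KNOWN_VIRUS_NAMES='Kapser|Mywife'

# Constructed sample log in the "date time queue-id message" layout the thread
# shows. The "Found virus" line is a constructed placeholder for whatever the
# scanner's real detection line looks like; only its virus name matters here.
make_sample_log() {
  cat > "$1" <<'EOF'
01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 09:12:02 Q7741EFB6011C4FA0 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 09:12:03 Q7741EFB6011C4FA0 Found virus W32/Kapser.A (constructed detection line)
01/17/2006 10:01:44 Q7741EFB6011C4FB3 MIME file: report.UUE [7bit; Length=8812 Checksum=111]
01/17/2006 11:20:10 Q7741EFB6011C4FC1 MIME file: photo.jpg [base64; Length=50211 Checksum=222]
01/18/2006 14:05:00 Q7741EFB6011C4FD7 MIME file: Attachments00.HQX [base64; Length=134042 Checksum=8624521]
EOF
}

# All log lines that mention a legacy-encoded attachment: the thread's egrep,
# with -h so file names are not prefixed and -i so lowercase extensions count too.
legacy_encoding_lines() {
  grep -h -i -E "$LEGACY_ENCODINGS" "$@"
}

count_legacy_encoding_lines() {
  legacy_encoding_lines "$@" | wc -l | tr -d ' '
}

# Queue IDs (assumed to be the third field of each log line) that carried a
# legacy-encoded attachment but have no line for that queue ID naming a known
# virus. These are the messages worth looking at by hand.
unexplained_legacy_queues() {
  legacy_encoding_lines "$@" | cut -d' ' -f3 | sort -u | while read -r qid; do
    if ! grep -h -F "$qid" "$@" | grep -q -i -E "$KNOWN_VIRUS_NAMES"; then
      echo "$qid"
    fi
  done
}

count_unexplained_legacy_queues() {
  unexplained_legacy_queues "$@" | wc -l | tr -d ' '
}

# Demonstration run against the constructed sample.
SAMPLE_LOG=$(mktemp)
make_sample_log "$SAMPLE_LOG"
echo "lines with a legacy-encoded attachment: $(count_legacy_encoding_lines "$SAMPLE_LOG")"
echo "queue IDs with a legacy encoding but no named virus:"
unexplained_legacy_queues "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On a real server the functions take one or more log files as arguments (for example vir01??.log), exactly like the egrep in the message above.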
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
We've all made good points [except Matt, he's apparently high on life... ;) ] and that is precisely the value of the debating club we've formed here. Excellent features have been put into Declude precisely because of the debating club. When Scott was the sole developer, this debate and feedback was a great way for him to gauge the relative importance of new and enhanced feature requests.

Although I don't need it, I thought it was worth offering up a possible automagic feature that would be a good addition to Declude. I certainly wasn't going to take offense if anybody shot at the flag I just ran up the flagpole! As it turns out, there were a few salutes.

I'm still on Declude v2.x and am comfortable there; as Don points out, many of us are waiting for the v3.x to be utterly stable and to have desired new features before going to it. As the software is maturing, so is much of the userbase; there used to be a lot of early adopters when the releases were coming out fast and furious.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Saturday, January 28, 2006 1:13 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

Ok, you're right, exactly as you were when HOP was introduced. Such a little feature request was not worth even half of all the messages in this topic. Additionally the entire Declude staff seems to be on holidays. So I have to write my own post-solution another time.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Saturday, January 28, 2006 5:32 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

A single piece of software can't possibly be all things to all people. I think the best that can be expected is that it reasonably addresses all, or most, of those objectives which the user community shares.

It is easy to say that it only costs $xx when it's not your money, the same as it is to say that it will only take 30 lines of code when you don't have to write it, test it, maintain it and fix it when it breaks. I was the culprit who introduced the HOP feature in Declude a long time ago. It was effective back then in combating dynamic servers in the delivery chain. As intimate as Scott was with his code and with the challenges we all faced, we debated it on and off the list for a long time, before he was convinced it would be a good thing for the entire user community. IOW, he had to see the beef - the evidence, that there was an issue and that it was one which Declude could address effectively.

Scott is gone and Imail has changed, requiring a major overhaul in Declude. Many of the old timers on this list are still NOT running the most current release, due to certain challenges and anomalies. I'm not trying to be a horse's tail or beat you up and there is nothing personal involved. I just think that unless a feature request can be justified with facts, which you admit that yours cannot, that we refrain from distracting the community and particularly the people at Declude. I'd rather see Declude keep pumping the water out of the bilge to the point they can fix the hull, rather than taking the time to hang a new pennant from the mast. Wouldn't you?

Thanks,

Friday, January 27, 2006, 6:05:46 PM, Markus Gufler [EMAIL PROTECTED] wrote:

MG> I have no stats or numbers.
MG> Only the fact that AV-Engines have introduced a suspicious category that is catching more and more new outbreaks. Additionally it seems that the scanning process is becoming more and more complex. Each variant (we have up to two-letter versions!) seems to need complete new definitions. Another, more alarming: certain virus-signatures seem to catch only a part of one single but polymorphic and encrypted virus variant.
MG> Try to send a vb-script containing one single call of the filesystem-object, even if zipped or with renamed file extension, through some av-engines.
MG> DELETEVIRUS ON will delete the entire message and you will have to tell some fairy story to the customer who calls you because he misses some messages.
MG> Not deleting messages immediately, as many of us do, is one way.
MG> Adding 5 DELETEVIRUSNAME lines in the global.cfg would be a very simple possibility to keep the virus folder clean and small. And I repeat: it should be something very very simple to implement. Anyone who doesn't want or need it could simply not turn it on.
MG> Regarding the already existing FORGINGVIRUS DNS lookup feature and a possible enhancement like AUTODELETEKNOWNWORMS.
MG> I wouldn't say that I don't trust declude's FORGINGVIRUS list. But first of
[Declude.Virus] Feature request: DELETEVIRUSNAME automagic
Markus would find this handy (as would other die-hards who are often seen to post in this forum) and would be willing to maintain a small list of entries for which he would like this behaviour.

However, in addition to the FORGINGVIRUS DNS lookup feature that Declude already implements*, perhaps they would be interested in also implementing a DNS lookup feature for known virus names that customers could just delete out of hand. This would of course require ongoing maintenance on their part, and trust from their customers.

Declude would provide a new switch to govern this behaviour, which would default to OFF, e.g.

AUTODELETEKNOWNWORMS ON

Thus, Markus would be satisfied with being able to manually pick and choose which virus families to delete, and administrators who want less hands-on involvement could turn ON this feature to save disk space.

*The existing feature exists to skip email notification when the scanner engine returns the name of a known virus/worm that Declude knows forges the MAILFROM. The FORGINGVIRUS x feature is a manual version of this feature that lets the Declude customer add in more viruses. As far as I know, Declude.com does not keep a public list of the virus names that they test for via DNS. Please correct me if I'm wrong on any of this.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 2:37 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Feature request: DELETEVIRUSNAME

Maybe someone has already requested it: Why not allow commands like

DELETEVIRUSNAME Netsky
DELETEVIRUSNAME Bagle
...

in the virus.cfg file? I won't and can't delete all viruses on our server because there is always the possibility that a scanner is catching something as "suspicious" or "generic". But commands to delete certain virus names should be very easy to implement and allow us to eliminate 95% of all held viruses on our servers.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic
No Matt, it wouldn't be a complete solution for you or me. We don't trust DELETE actions at all. Markus however is ok with a DELETE action, as are many others, so I'm pretty confident that they would be ok with an autodelete as well, while trusting that Declude.com isn't going to make a mistake with a bad keyword listing such as "suspicious" or "virus" (as opposed to desired behaviour like "nyxem", "netsky", "bagle", "mytob", "sober").

For you and me, I think we'd want a "HOLD [Path[\]][%DATE%]" action in the Declude EVA product that let us specify a different HOLD folder. Any add-on web scripts that those ISPs or Gatewaying companies have developed so that the end-user can self-service their spam/virus folder would not include this secondary HOLD folder, and the ISP could take timed and scripted actions on these folders as they see fit.

To make that work, we would then want a mechanism to distinguish the detected viruses and move the *.smd files to the correct HOLD folder accordingly. But that's a different thread, eh?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 27, 2006 10:09 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME automagic

I thought that AV false positives can occur with definitions for known virus names. In other words, if a message gets tagged as Bagle, it might be legit 0.1% of the time. So would this really be a complete solution?

Matt

Colbeck, Andrew wrote:
[Declude.Virus] My quick and dirty virus stats
Just because it's easy to produce... This is from the viruses that get caught as spam from Dec 01 2005 through yesterday:

13 Suspicious program in Archive
1 Suspicious program
5 Unknown Virus
57 W32/Bagle
1 W32/Banker
13 W32/Brepibot
28 W32/Kapser
33 W32/Klez
108 W32/Mitglieder
13 W32/Mydoom
665 W32/Mytob
1,124 W32/Netsky
5,607 W32/Sober
1 W32/Torvil
5 W32/Zafi

Andrew 8)
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
IIRC, the HOLD action was where the risk came in. Messages that are held by Declude using AVAFTERJM and then manually re-queued (via, say, the old SpamReview app) would NOT be scanned for viruses at all, since re-queued messages bypass Declude altogether.

snip

At the very least, Declude should add a warning to the manual around AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the same configuration.

--DH

Dan, this is all implementation dependent. Your observed behaviour is not universal to Declude deployments.

Specifically, re-queued messages on IMail systems do indeed get scanned by Declude JunkMail and EVA when the Q*.SMD is moved to the overflow folder (as opposed to being moved to the spool folder with the D*.SMD file).

Given this re-queuing method, I disagree with your conclusion.

I do agree that there is a gap in the functionality and/or the manual on how re-queuing is accomplished and what the wrinkles are.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Friday, January 27, 2006 11:12 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD is the only 'semi-final' action. All other actions either deliver the email to an mbox (in which case it is scanned by EVA), or remove the message completely (which is where the saved cycles come in). IMO, AVAFTERJM should be changed so that only deleted emails, not held ones, bypass the AV scan. In other words, all messages should be first scanned for spam, then the ones that are not DELETED should all be scanned for viruses. This would close the security risk from re-queued messages. The AVAFTERJM option would then only be useful for those that use the DELETE action, but with the huge security risk involved in requeueing unscanned messages I think that it is ALREADY only useful for those that use the DELETE action. Unfortunately the manual isn't clear on this point.

At the very least, Declude should add a warning to the manual around AVAFTERJM that says that AVAFTERJM and HOLD should not be used in the same configuration.

--DH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, January 27, 2006 1:54 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Feature request: DELETEVIRUSNAME

HOLD, DELETE, ETC - Does not get virus scanned with AVAFTERJM
ROUTETO, SUBJECT, Etc - Does get virus scanned.

Think of it this way: anything that ends up being delivered somewhere (i.e. mailbox etc) gets scanned.

Darrell

Matt writes:

This is the crux of the issue that I would like to figure out. I am however under the impression that if you DELETE a message, Declude Virus never gets it. I suspect that HOLD and MAILBOX are also that way. I am unsure about ROUTETO, and that is what really matters to me.

As far as savings of resources, it is apparently huge, especially for those running multiple virus scanners. Virus scanning takes more CPU than all but the biggest JunkMail configs (things like custom filters with thousands of lines of BODY or ANYWHERE searches). I know that on my system I Delete about 70% of all messages, ROUTETO about 10%, and deliver about 20%. I would like to save on scanning what I would otherwise be deleting with JunkMail.

Matt

Keith Johnson wrote:

Markus,

However, Darrell mentioned that the AV scanner still runs once action is taken against the SPAM message (i.e. routeto, subject, etc.). Is this not true?

Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 27, 2006 12:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

So, with or without AVAFTERJM, it looks like each message is scanned by the virus scanner (which makes sense to me).

Wrong... if you block the messages on the servers: As we know usually 50% of all incoming messages are spam. We know too that resource usage of one or two scan-engines is way above the entire spam filtering even if you use 5-6 external applications like sniffer, inv-uribl, spamchk, ... So if your spam filters are set up properly they will filter out at least 50% of all incoming messages before they will reach the av-engines.

Markus
RE: [Declude.Virus] Feature request: DELETEVIRUSNAME
Do you mean this script on my disk who creates one hour each day with 100% CPU usage?

Markus, I found that a pretty fun bit of sarcasm. But I have a dry sense of humour.

It sounds like you're not using AVAFTERJM so that you catch viruses as viruses and spam as spam. In this scenario I'm pretty confident that you could automate grepping your virMMDD.log file hourly, look for a pre-set list of virus names, cut up the Q* column to derive the filename, and delete the Q*.SMD and D*.SMD file. For example, this line:

01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]

is quite easy to parse.

Let me share something similar I've done. I've remarked on it vaguely before...

I wanted to nail down some of my statistics, and as that evolved, I wanted to know how much of the inbound mail that is blocked as spam was actually viral. It turned out that I block a lot of viruses as spam because they have the same IP source characteristics, malformed headers, fake source domains and so forth as zombie spam (no surprise, they're much the same machines).

Like you, I have a system that blocks a ton of mail, so I run AVAFTERJM to cut down on the work, and this definitely leaves a gap in my statistics. Similarly, it follows that I wouldn't want to scan my whole SPAM folder. Even reading the directory of the filenames is a disk workout.

During our slow period (nightly) I do a scheduled run of a .cmd script that uses the GNU utilities to check my Declude logs for the held spam for that day only. I weed out ones that triggered SNIFFERMALWARE or my own Declude filter tests for viruses, then from that subset I have a list of Q* names. From that Q* column, I can form the filename. I then grep each one of those files for strings that would indicate that there is a possibly viral attachment (it's not perfect), and then on the remainder of the filenames, I invoke my F-Prot scanner and check the result code for each file.

This isn't ideal, but I found that invoking it every time with specific filenames was far, far faster than scanning a folder. Windows certainly caches the fpcmd and pattern files, so that definitely helps.

How much am I saving? Well, I am scanning all the files in some fashion, but I'm doing grep for some spam and grep plus antivirus for the minority of it, and I'm doing it outside of our busy hours. It takes *two hours*, and produces results like this in a day:

Viruses caught by Declude Virus after using AVAFTERJM: 1
Messages caught by filters or Sniffer: 349
Messages scanned after hours: 25,000
Viruses found after hours: 378

So, I time-shifted away from normal hours the CPU and disk hit of doing the scanning, and I still get my virus statistics without causing a performance problem at night. The resulting logs are easily grepped for virus names and counts if I want. I use another set of scripts to compile the stats at the end of the month, with little to no maintenance.

It's awful code, but if a non-programmer like me can do this, your virMMDD.log can be used to delete the messages for viruses you don't want to keep on disk.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, January 25, 2006 10:13 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Feature request: DELETEVIRUSNAME

As a work around until and if Declude adds the requested feature, you could write a script to search the files on a timed based for a phrase (virus name) and have it delete them.

Do you mean this script on my disk who creates one hour each day with 100% CPU usage?

Markus
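The hourly job Andrew describes above (grep virMMDD.log for a pre-set list of virus names, cut up the Q* column, delete the Q*.SMD and D*.SMD files) done as a small Python script, as an added example that is not part of the thread or of Declude. It deliberately matches only the virus families the administrator lists, so "suspicious" or "generic" detections of the kind Markus worries about are never touched. The log regex, the assumption that the D*.SMD file shares the hex id of its Q*.SMD file, the "@mm" suffix on the sample names and the sample log itself are all constructed.

```python
"""Purge held spool files for named virus families from a Declude virMMDD.log.

Added example for the thread above, not Declude's own code. Assumptions
(constructed, not from the product documentation): the INFECTED log line
has the shape quoted in the thread, the D*.SMD file shares the hex id of
its Q*.SMD file, and scanner names may carry an "@mm" mass-mailer suffix.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# 01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/Netsky.P@mm: 3]
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9A-Fa-f]+) File\(s\) are INFECTED "
    r"\[ (?P<name>.+?): (?P<count>\d+)\]\s*$"
)

# Constructed sample log; the names are typical of what an F-Prot based
# setup like the ones in the thread would report, not taken from a real server.
SAMPLE_LOG = """\
01/24/2006 18:54:38 QE867AAFA0144EA71 File(s) are INFECTED [ W32/Netsky.P@mm: 3]
01/24/2006 18:55:02 QE867AAFA0144EA72 File(s) are INFECTED [ W32/Bagle.AI@mm: 1]
01/24/2006 18:55:40 QE867AAFA0144EA73 File(s) are INFECTED [ Suspicious program in Archive: 1]
01/24/2006 18:56:11 QE867AAFA0144EA74 File(s) are INFECTED [ W32/Sober.Z@mm: 2]
01/24/2006 18:56:30 QE867AAFA0144EA75 Scanning 2 files
"""


@dataclass(frozen=True)
class Infection:
    qid: str    # queue id as logged, e.g. QE867AAFA0144EA71
    virus: str  # name the scanner engine returned
    count: int  # number of infected files in that message


def parse_virus_log(lines: Iterable[str]) -> List[Infection]:
    """Return one Infection per INFECTED line; every other line is skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\r\n"))
        if m:
            hits.append(Infection(m["qid"], m["name"], int(m["count"])))
    return hits


def family_of(virus: str) -> str:
    """Reduce a scanner name to its family: 'W32/Netsky.P@mm' -> 'netsky'.

    Platform prefix (W32/), variant suffix (.P) and mass-mailer tag (@mm)
    all vary between engines and variants; the family is what the admin
    lists, mirroring the DELETEVIRUSNAME Netsky form requested in the thread.
    """
    name = virus.rsplit("/", 1)[-1]
    name = name.split("@", 1)[0]
    name = name.split(".", 1)[0]
    return name.strip().lower()


def select_for_deletion(hits: Iterable[Infection], families: Set[str]) -> List[Infection]:
    """Keep only hits whose family is explicitly listed. Heuristic names such as
    'Suspicious program in Archive' never match, so those messages stay held."""
    wanted = {f.lower() for f in families}
    return [h for h in hits if family_of(h.virus) in wanted]


def spool_files(spool_dir: str, qid: str) -> List[str]:
    """Both IMail spool files for one queue entry: Q<id>.SMD and D<id>.SMD."""
    return [os.path.join(spool_dir, qid + ".SMD"),
            os.path.join(spool_dir, "D" + qid[1:] + ".SMD")]


def purge_held_viruses(spool_dir: str, log_lines: Iterable[str],
                       families: Set[str], dry_run: bool = True) -> List[str]:
    """Return the spool paths selected for removal; delete them unless dry_run.

    A path that is already gone (message re-queued or cleaned by hand since
    the log line was written) is still reported but is not an error.
    """
    paths = []
    for hit in select_for_deletion(parse_virus_log(log_lines), families):
        for path in spool_files(spool_dir, hit.qid):
            paths.append(path)
            if not dry_run:
                try:
                    os.remove(path)
                except FileNotFoundError:
                    pass
    return paths


if __name__ == "__main__":
    # Dry run over the constructed sample: shows what an hourly job would remove.
    for p in purge_held_viruses("held", SAMPLE_LOG.splitlines(), {"Netsky", "Bagle"}):
        print("would delete", p)
```

Run it with dry_run=True first against a real virMMDD.log and the held-mail folder, and compare the printed list with what the scanner actually named before switching deletion on.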
RE: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?
You've caught an instance of the "Feebs" worm.

HTA in email should automatically be suspect. I won't go as far as to say it should be banned, but it's not a bad idea. Myself, I've never seen an "HTML help file" sent in email.

There is an old vulnerability in Internet Explorer (dating back to 2003) for which HTA is the vector; it's mostly abused by malicious websites to install software (toolbars, spyware, adware). Despite its age, it's a very popular exploit.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Thursday, January 19, 2006 11:51 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Mail.zip from AOL Encrypted Messaging Service?

Hello,

I got a mail.zip from "AOL Encrypted Messaging Service", including a .hta file with encrypted content. Doesn't look good to me :) Has anyone else seen this mail? Does anyone know DadaMail?

---
Received: from thbafiqcm.com [217.198.112.101] by siller.de with ESMTP (SMTPD-8.22) id A9DB33088; Thu, 19 Jan 2006 19:26:35 +0100
Date: Thu, 19 Jan 2006 19:28:38 +0100
From: [EMAIL PROTECTED]
X-Mailer: DadaMail 2.1
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Suspect Mail]Encrypted Message Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABCD6E90"
X-Antivirus: avast! (VPS 0603-3, 18.01.2006), Outbound message
X-Antivirus-Status: Clean
X-OriginalArrivalTime: 19 Jan 2006 18:36:26.0852 (UTC) FILETIME=[419F3240:01C61D27]

--ABCD6E90
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--ABCD6E90
Content-Type: application/x-zip-compressed; name="mail.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mail.zip"

--ABCD6E90--
---

Alex
RE: [Declude.Virus] New Virus?
No, you shouldn't block .mim attachments.

The .mim attachment means that it was MIME formatted, which is an encoding that converts binary attachments and non-ASCII text to nice and safe 7 bit ASCII encoding to make SMTP servers happy. You are most likely to see this when an entire message is inserted as an attachment, for example, to preserve the headers.

Your antivirus solution will decode that attachment and find a virus inside. F-Prot and Trend Micro offerings certainly do.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Wednesday, January 18, 2006 1:43 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

Should we be blocking .mim file types? One of the new viruses that was blocked was a .mim file type. What is it used for?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, January 18, 2006 1:39 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

That's exactly how I use the notifications.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, January 18, 2006 12:48 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see.

Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachment, the message was internally re-queued for the user.

I can barely remember the incident before that. The notifications always turn out to be flagging a new worm.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 3:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus?

Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.

Matt

Colbeck, Andrew wrote:

A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest.

I also scanned it with my TrendMicro which detects it by a different name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To:
RE: [Declude.Virus] New Virus?
A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest.

I also scanned it with my TrendMicro which detects it by a different name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] New Virus?
I agree completely. I use the postmaster notification only, so only internal notifications happen. I use the FORGINGVIRUS statements to limit what we have to see.

Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL. F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified. After vetting the attachment, the message was internally re-queued for the user.

I can barely remember the incident before that. The notifications always turn out to be flagging a new worm.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 3:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus?

Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things. Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly. From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses. These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail. I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.

Matt

Colbeck, Andrew wrote:

A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest.

I also scanned it with my TrendMicro which detects it by a different name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] New Virus?
A virus by any other name would stink just as much:

http://isc.sans.org/diary.php?rssstoryid=1051

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, January 17, 2006 2:54 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I've seen many of this Kapser.A today. I've added it to the forging virus list and (oops) forgot to write it on the Declude.Virus list.

As we can see more and more that AV-Companies have forgotten how to call one Virus using one name, we should maybe begin to enhance their naming convention by an initial name of the av-company. Something like: F-ProtW32/[EMAIL PROTECTED]

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, January 17, 2006 11:21 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

A kapser was detected on my F-Prot based system today. I'm attaching the output of the scan from virustotal.com for your interest.

I also scanned it with my TrendMicro which detects it by a different name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

To your virus.cfg to cover the various naming conventions in the various engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right way to do that; they're the only big name that doesn't detect this malware.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] New Virus?
I haven't seen it. It's also not unusual for F-Prot to have a signature for a virus, but no write up on their website.

If the virus was caught, you could submit the attachment to one of the free websites that will check an executable against multiple virus engines and give you a summary of which engines detect it, and what they call it, e.g.

http://www.virustotal.com/
http://virusscan.jotti.org/

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I think this started happening after I updated my F-prot virus defs to 16th. Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?

I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.Virus] F-Prot 3.16f
Another buffer overflow has been found in ClamAV and ClamWin, this time in decompressing UPX packed executables, which is fairly common for virus and spyware variants.

See: http://blogs.washingtonpost.com/securityfix/2006/01/clam_antivirus_.html

The current ClamWin version is 0.88 here: http://www.clamwin.com/download/

Andrew 8)
RE: [Declude.Virus] Sober.z
I haven't checked today's results with fpcmd 3.16f, but here are yesterday's quick stats with fpcmd 3.16e:

8 W32/[EMAIL PROTECTED]
3 W32/[EMAIL PROTECTED]
27 W32/[EMAIL PROTECTED]
1 W32/[EMAIL PROTECTED]
10 W32/[EMAIL PROTECTED]
9 W32/[EMAIL PROTECTED]
81 W32/[EMAIL PROTECTED]

So, yes, Sober is detected by at least 3.16f ... and going the extra mile, I've just looked up a few samples from yesterday's log and scanned those manually with fpcmd, and sure enough, 3.16f also detects them and produces the same output.

Perhaps you are not seeing Sober hits in Declude Virus because you're using the AVAFTERJM setting and your Declude JunkMail is doing a fantastic job of catching them as spam before your Declude Virus would get called.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Friday, January 06, 2006 7:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught. I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot??

~Joe

- Original Message -
From: Bruce Loughlin [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z

Has any one else noticed that sober.z just stopped today? I was getting hundreds a day and now I have 0. Wasn't this the day it was to morph?

Bruce L.
AFM

---
[This E-mail scanned for viruses at HNB.com]
RE: [Declude.Virus] Sober.z
Easy way to check if your Declude JunkMail is catching your viruses. Check for the subject lines and see if you held those messages (or whatever you do with your spam).

I just sorted out the subject lines for the sober.z only messages, and here are the ones I received:

Paris Hilton Nicole Richie
You visit illegal websites
You_visit_illegal_websites
Your IP was logged
Your_IP_was_logged

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, January 06, 2006 8:53 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.z

I haven't checked today's results with fpcmd 3.16f, but here are yesterday's quick stats with fpcmd 3.16e:

8 W32/[EMAIL PROTECTED]
3 W32/[EMAIL PROTECTED]
27 W32/[EMAIL PROTECTED]
1 W32/[EMAIL PROTECTED]
10 W32/[EMAIL PROTECTED]
9 W32/[EMAIL PROTECTED]
81 W32/[EMAIL PROTECTED]

So, yes, Sober is detected by at least 3.16f ... and going the extra mile, I've just looked up a few samples from yesterday's log and scanned those manually with fpcmd, and sure enough, 3.16f also detects them and produces the same output.

Perhaps you are not seeing Sober hits in Declude Virus because you're using the AVAFTERJM setting and your Declude JunkMail is doing a fantastic job of catching them as spam before your Declude Virus would get called.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter
Sent: Friday, January 06, 2006 7:53 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sober.z

Yep... I upgraded to FProt 3.16e and noticed the slowdown. I thought it was a problem with that version, so I upgraded to the 3.16f which was released today. Still no Sober viruses caught. I'm still wondering if I should go back to 3.16d. Anyone seeing Sober caught with these last 2 updates of F-Prot??

~Joe

- Original Message -
From: Bruce Loughlin [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, January 06, 2006 10:03 AM
Subject: [Declude.Virus] Sober.z

Has any one else noticed that sober.z just stopped today? I was getting hundreds a day and now I have 0. Wasn't this the day it was to morph?

Bruce L.
AFM
RE: [Declude.Virus] Sober.X Variant
I just saw two today. This may not be what you're seeing, JT, but here goes:

What I saw were two broken Sober.X messages that were bounced with the original message (the viral message) truncated. F-Prot didn't trigger on the broken attachment and the bounce didn't trigger my custom filters to weed out junk bounces. The messages made it into my internal mail system, where they were caught by Trend Micro ScanMail for Exchange. When I looked up the details on the virus that was named, the alias matched the Symantec name for the virus.

Given that it was broken, I regard this as a spam issue, and not a case of F-Prot failing to detect the damaged Sober virus. If I can get the original, I'll submit it to F-Prot anyway in the hope that they will come up with a signature.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JT
Sent: Thursday, January 05, 2006 10:39 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.X Variant

John,

Thanks for the help!

Regards,
JT

On Thu, 2006-01-05 at 09:31 -0800, John T (Lists) wrote:

Into the Virus.cfg file:

BANEZIPEXTS ON
BANZIPEXTS ON

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JT
Sent: Thursday, January 05, 2006 9:20 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.X Variant

John,

What do I need to do to block banned extensions within zip files?

Thanks,
JT

On Thu, 2006-01-05 at 09:14 -0800, John T (Lists) wrote:

That means you are not blocking banned extensions within zip files?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JT
Sent: Thursday, January 05, 2006 8:45 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sober.X Variant

What I am experiencing is that the server lets the virus go through the system. It scans and the result is clean, the end user gets the email and their Symantec Enterprise snags it and tags it as [EMAIL PROTECTED]

On Thu, 2006-01-05 at 08:25 -0800, John T (Lists) wrote:

Is this what you are seeing? http://www.sophos.com/virusinfo/analyses/w32feebsa.html

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JT
Sent: Thursday, January 05, 2006 6:44 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] Sober.X Variant

Has anyone seen an influx of this virus come through? I've upgraded to the latest F-Prot and it seems like it's still sneaking through, although the Z variant is being stopped by F-Prot. Any light that could be shed on this would be greatly appreciated.

Also I've tried setting up ClamAV for Windows on our imail server as a scanner. I've got it to scan but it randomly generated an exit code of 50. Does anyone know what exit code 50 from ClamAV means?

Thanks,
JT
[Declude.Virus] F-Prot and WMF
For what it's worth, I just tested the 3.16d and 3.16e versions of fpcmd.exe and they behaved identically on the single sample I had. They return errorlevel = 8 (suspicious file found) and here is the text when run manually (as opposed to within Declude):

c:\virus-quarantine\wmf\bg.wmf  Contains the exploit named CVE-2005-4560

Then I copied the bg.wmf to bg.tiff and compared them.

For those who haven't been absorbed by the news of the WMF exploit, Windows uses the magic bytes in the header of graphics files to determine their true file type so that it does not need to rely on a correct extension on the filename. The bad guys can then use this to fool users, antivirus software, and various filters that trust the name, e.g. by sending an email or linking to a virus.gif instead of virus.wmf ...

Version 3.16d:

c:\temp\virus\wmf\bg.tiff  is a security risk or a backdoor program

With errorlevel = 8

Version 3.16e:

c:\temp\virus\WMF\bg.tiff  Contains the exploit named CVE-2005-4560

Also with errorlevel = 8

I tried a few other extensions with the same results. In this very limited testing, the new version is more accurate, but the result is the same.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, January 05, 2006 11:48 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot 3.16e

I found this blurb on their site saying what is new for version 3.16e:

http://www.f-prot.com/news/gen_news/060104_release_win316e_exchange123.html

FRISK Software has released version 3.16e of F-Prot Antivirus for Windows and version 1.2.3 of F-Prot Antivirus for Exchange. These newest versions of F-Prot Antivirus for Windows and F-Prot Antivirus for Exchange include a number of important bugfixes as well as providing enhanced scanning of Windows Metafile images (WMF) for embedded malware. WMF files disguised, among other things, as JPG images have increasingly been taking advantage of a recently discovered yet serious vulnerability in Windows in order to run malicious code on susceptible machines. Successful exploitation of this vulnerability can allow an attacker to gain complete control over an affected computer, who can then use it to send out spam e-mail or spread viruses and other malware further. A number of different exploits have appeared over recent days and these newest versions of F-Prot Antivirus for Windows and F-Prot Antivirus for Exchange detect and delete all known exploits as well as detecting previously unknown malware attempting to take advantage of this WMF vulnerability.

I have not found any other release notes except for one that comes up talking about 3.16c:

http://www.f-prot.com/version_release_dates.html

3.16d and e do not have release notes on the web page. Are there any other release notes?

Thanx

Goran Jovanovic
Omega Network Solutions
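Andrew's point above, that the true type of a graphics file is in its magic bytes and not in its extension, can be checked at the gateway before a scanner is even called. The following is an added example, not code from the list, from Declude or from F-Prot: it sniffs the leading bytes of an image attachment, compares the type implied by the content with the filename extension, and flags Windows Metafile content whatever the name says. The signature table, the ALLOW/REVIEW/BLOCK verdicts and the sample inputs are constructed for the example; the WMF header layout follows the public metafile format.

```python
"""Extension-vs-content check for image attachments (added example)."""
import struct

# Leading magic bytes for common image types (constructed table).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "tiff": (b"II*\x00", b"MM\x00*"),
    "bmp": (b"BM",),
}
# Extension spellings normalised to the keys above.
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "tif": "tiff"}

# Placeable WMF header key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"


def looks_like_wmf(data: bytes) -> bool:
    """True if data starts with a placeable or a standard WMF header."""
    if len(data) < 18:
        return False
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    # Standard METAHEADER: Type (1=memory, 2=disk), HeaderSize (always 9
    # words), Version (0x0100 or 0x0300); all little-endian WORDs.
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_image_type(data: bytes):
    """Return the type implied by the content, or None if unrecognised."""
    if looks_like_wmf(data):
        return "wmf"
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None


def extension_of(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ALIASES.get(ext, ext)


def check_image_attachment(filename: str, data: bytes):
    """Classify one attachment as ALLOW, REVIEW or BLOCK with a reason."""
    ext = extension_of(filename)
    kind = sniff_image_type(data)
    if kind == "wmf":
        # Content is a metafile regardless of what the name claims.
        return "BLOCK", f"{filename}: Windows Metafile content behind .{ext}"
    if kind is None:
        return "REVIEW", f"{filename}: unrecognised content for an image attachment"
    if kind != ext:
        return "REVIEW", f"{filename}: extension .{ext} but content is {kind}"
    return "ALLOW", f"{filename}: {kind} content matches extension"


# Constructed samples: a placeable WMF header renamed to .tiff (as in the
# test above), a standard WMF header renamed to .gif, a real GIF header,
# and a GIF header carrying a .jpg name.
SAMPLES = {
    "bg.tiff": PLACEABLE_WMF_KEY + bytes(14),
    "virus.gif": struct.pack("<HHH", 1, 9, 0x0300) + bytes(12),
    "photo.gif": b"GIF89a" + bytes(12),
    "photo.jpg": b"GIF89a" + bytes(12),
}


def scan_samples():
    """Verdict per constructed sample."""
    return {name: check_image_attachment(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(*check_image_attachment(name, data))
```

A mismatch alone proves little (a real JPEG saved as .gif is common), so the example returns REVIEW for those and reserves BLOCK for metafile content; the metafile is what you would then hand to fpcmd, which as shown above names the exploit regardless of the extension.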
[Declude.Virus] OT: Microsoft will release the WMF patch today instead of next Tuesday
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Andrew 8)
[Declude.Virus] Another vulnerability in antivirus software exposed
Ouch. Not in the wild yet (most of these vulnerabilities don't get to be in the wild), but serious nonetheless due to its potential. If you're not keeping your Symantec up to date with a subscription, you should:

http://blogs.washingtonpost.com/securityfix/2005/12/symantec_antivi.html

Andrew.
RE: [Declude.Virus] Where to send exe's to check if they are a virus?
You can upload it to this website where it will be scanned by all the leading virus vendors that haven't sent them a cease-and-desist order:

http://www.virustotal.com/flash/index_en.html

And you can also upload it here to have their 'bot run the application in a sandbox and report back to you what it does, which may be obviously viral:

http://sandbox.norman.no/live.html

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, December 15, 2005 7:26 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Where to send exe's to check if they are a virus?

Hi,

I am getting a bunch of exe in zip files being banned right now. I have grabbed one of them; it is called marie.zip and has a single exe in it called s3700020.exe, and when you put it on your desktop it has the standard jpeg icon associated with it. My F-Prot, McAfee and Symantec scanners are not finding a virus.

Where is the place that you can send it to and have it checked out by a ton of virus scanners?

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.Virus] New Sober to be released, possible variation?
There are very interesting details in Trend Micro's writeup.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EADVSect=T

i.e. it uses its own SMTP server plus a hardcoded list of accounts and IDs at 27 ISPs, and that it terminates the Microsoft Windows Malicious Software Removal Tool.

It may be worth mentioning that the BANNAME list that Darin provided will be useful for those of us using F-Prot only, as they are still not detecting the variant I've been receiving since this thread started.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 6:05 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Most of the new Sober variants are expected to be low volume, so I'm not surprised that Netsky.P continues to outstrip them. Security vendors are varying as to what they are detecting with 6 new Sober variants yesterday and today. Best bet is to ban the files at least until virus definition files have caught up. We keep the bans in place for the usual overlap in new variants.

Darin.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:44 AM
Subject: RE: [Declude.Virus] New Sober to be released, possible variation?

Thank you Darin.

Just curious after watching our virus logfiles today: can anyone else confirm that there are only a few of today's new virus and far more Netsky (mostly the .P variant) showing up in the logfiles? Today I've had some reports that certain variants of the new virus slipped through while it was definitively catching some others.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 2:33 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

I just went through all of the reports. Here's a list of new filenames to ban:

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip

Darin.

- Original Message -
From: Doug Anderson [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 8:24 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Looks like varying attachment names. I got one that's excel_table.zip

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: John T (Lists) Declude.Virus@declude.com
Sent: Tuesday, November 15, 2005 6:50 AM
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:

Sophos is now calling it Sober-R.

Possible variation received this morning ... the text discussed receiving a problem email, and the attachment was email_photo.zip

[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] New Sober to be released, possible variation?
And another one:

BANNAME Mail-Datei.zip

http://vil.nai.com/vil/content/v_136970.htm

I found this latest one after noticing that F-Secure identified 4 versions on Nov-14 and a new one today.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, November 15, 2005 10:16 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Sober to be released, possible variation?

Another one to block...

BANNAME Accept_e-Text.zip

The list so far is

# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME Accept_e-Text.zip
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME foto.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
BANNAME word-text.zip

As mentioned before, we keep these in place even after the virus definitions are catching them. That way new variants that use the names are caught before definitions are available.

Darin.
[Declude.Virus] New Sober to be released Nov-15-2005 ?
Hmmm, now that's interesting.

http://www.f-secure.com/weblog/#0705

Andrew.
[Declude.Virus] OT: From Phisher to just a fish
A 20 year old man goes from abusing phish to being abused as a fish:

http://www.wired.com/news/print/0,1294,69480,00.html

Andrew 8)
[Declude.Virus] F-Prot zip vulnerability reported
Ouch. F-Prot is very popular on this group. This vulnerability may never turn into an exploit, but it's better that we keep abreast of issues like this.

F-Prot Antivirus Lets Remote Users Bypass the Scanning Engine with Specially Crafted ZIP Files
http://isc.sans.org/diary.php?storyid=820

The article mentions several other security products that have had recent issues.

I just made a trip to the f-prot website and don't see any update. Not much of a surprise given that they were notified only a week ago.

Andrew 8)
RE: [Declude.Virus] Blast of zips coming in
Current F-Prot definitions catch this as a Mitglieder variant, and Trend Micro reports that they are investigating Bagle.AB

The zip files contain a non-password protected executable; I've noticed the following names:

Loader.exe
t_535475.exe

Here is an F-Prot report on one catch:

C:\Temp\Virus\Bagle.Newd:\f-prot\scanonly *.*

Virus scanning report - 1 November 2005 @ 9:49

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 1 November 2005
SIGN2.DEF created 1 November 2005
MACRO.DEF created 25 October 2005

Search: *.*
Action: Report only
Files: Dumb scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=d:\f-prot\ScanReport.txt /NOBOOT /NOMEM /AI

Memory was not scanned.
Hard disk boot sectors were not scanned.

C:\Temp\Virus\Bagle.New\D939EE224010AEFE9.SMD-Business_dealing.zip-Loader.exe is a security risk named W32/Mitglieder.FY

Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 3
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00

ErrorLevel returned by fpcmd is: [8]
errorlevel 8 = At least one suspicious object was found.
[Declude.Virus] Another virus seeding run
Forewarned is fore-armed. Blogged by F-Secure here:

http://www.f-secure.com/weblog/#0682

With a writeup on the virus itself here:

http://www.f-secure.com/v-descs/rbot.shtml

The email seeding run doesn't contain a virus, just a scam plus a URL. I haven't seen any yet, so I can't comment on the source IP addresses or host types.

Andrew 8)
RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content
How about cock of the walk jokes?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, October 11, 2005 2:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

Please no talk about sharp objects - I just had a vasectomy a couple of hours ago - oh the pain...

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 5:00 PM
Subject: RE: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

What is wrong with sharp objects? They make nice clean cuts. Now, it's the blunt ones that I worry about.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, October 11, 2005 1:44 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

I block all encrypted zips based on the fact that I can't virus scan them. But then again I'm slightly paranoid and should not be trusted with sharp objects.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 3:08 PM
Subject: Re: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

So it's this forum's consensus that if I have PRO I should not block all EZIPs - I should just block the other extensions even if they are found within ZIP files? I do send out notices when a file gets blocked, but I don't have a requeue script in place. I'll search for one and see what I can do.

Thanks.

Darin Cox wrote:

If you have Declude Virus/EVA Pro you can switch to banning extensions within zips. With Standard, you may want to continue to ban encrypted zips.

In either case, you will probably want to send out notices for banned files, notifying the intended recipient that a file sent to them was blocked. Include a link in the notification for them to requeue the message if it was legit and they want to receive it. Scripts to requeue messages have been posted to the list in the past, but they are very simple to create by just moving the Q and D files back to the spool directory... possibly going as far as launching the SMTP32 process to immediately send the message if you don't want your user to wait for the next queue run.

Darin.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, October 11, 2005 1:26 AM
Subject: [Declude.Virus] Slightly OT: Encrypting or Securing Email Content

We're looking for a simple way to opportunistically allow our users to encrypt or password-protect certain emails and/or their attachments that contain sensitive data. We're running Declude Pro and have banned EZIP extensions (the highly recommended suggestion from several people on this forum), so that kinda rules out PKZIP and any kind of ZIP program (because as soon as you password-protect a ZIP file, it becomes an EZIP file). We looked at PGP, but it seems very complex and seems to require a hardware proxy in between our mail server and the Net.

Is there a simple and effective way to encrypt or password protect documents for email transmission that doesn't cause problems with Imail or Declude and doesn't require software to be installed on the recipient's end?

Thanks.

Kevin
---
[This E-mail was scanned for viruses.]
RE: [Declude.Virus] New variant as of 15 minutes ago
#New Sober.R aka CME-151 per http://cme.mitre.org... expect German right-wing propaganda in a few days Oct-05-2005 AC
BANNAME pword_change.zip
BANNAME screen_photo.zip
BANNAME KlassenFoto.zip
BANNAME Regis.info.zip
BANNAME Privat-Foto.zip
BANNAME Brief.zip

banned extensions for both flavours as per:
http://www.f-secure.com/v-descs/sober_s.shtml

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, October 06, 2005 10:55 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New variant as of 15 minutes ago

John,

It was an EXE file. Pretty much all zip viruses are these days. I only received 8 of these in a 15 minute period and then it was over with for at least that one variant. I am guessing that gmx.de is aware of the issue and taking steps to prevent it. Shame on them for being exploitable as a relay (plenty of others like Yahoo and HotMail also should share some blame for lax procedures).

I have one thing to add however. This one came from gmx.net as well as gmx.de.

Matt

John T (Lists) wrote:

Matt, what is the payload inside the zip?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, October 06, 2005 9:32 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New variant as of 15 minutes ago

Same servers, but this time it has a Regis.info.zip attachment and the subject is "Registration Confirmation".

Basically I converted to blocking any zips below 200 KB that come from these providers with some filtering and it seems to be working.

Matt
RE: [Declude.Virus] PING
PONG

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 29, 2005 8:15 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] PING

PING
RE: [Declude.Virus] Seemingly bad virus this morning
FYI, Kaspersky reports that they're now up to something like 20 new variants of Bagle between Monday and Tuesday. Andrew 8)
RE: [Declude.Virus] Seemingly bad virus this morning
... and F-Secure notes that they've hit a record of publishing 12 pattern updates in one day.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, September 20, 2005 11:28 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Oops, McAfee just slipped. Since 1:09 p.m. EST on my system we received 52 undetected zips (just over an hour). We caught these all with a custom filter.

Matt

Colbeck, Andrew wrote:

FYI, Kaspersky reports that they're now up to something like 20 new variants of Bagle between Monday and Tuesday.

Andrew 8)
RE: [Declude.Virus] McAfee DailyDAT download location change.
Mr. Obvious says: You would have to change the URL plus the name of the file you're unzipping!

So that I didn't have to change my script much, I changed my wget line to:

wget http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip -O dailyscan.zip

The -O parameter tells wget to save the requested file with that particular filename.

I think that NAI/McAfee changed the path as part of the web interface change to funnel people through their EULA. When I follow it through, the web interface takes you to filenames that now have a dynamic instead of a static name. If they change the URL again, we may need a smarter script that can scrape out the correct name from the webpage. Hopefully, they'll bring the static name back, perhaps parallel to the Stinger download.

Andrew 8)

p.s. I only use McAfee as a backup, standalone scanner. Not part of my Declude at all.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 12:58 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] McAfee DailyDAT download location change.

I changed the subject so that people can be alerted to this. Announcements of things like this would be useful to the entire Declude customer base. I am afraid that we are a little over a month behind. Those with a single scanner would be screwed.

I adjusted my scripts to use the link that you provided and it does in fact work just great...so far :)

Thanks,
Matt

Scott Fisher wrote:
Great catch Matt. Mine's gone too since August 2
Thank you Declude for multiple virus scanner option.
Try: http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From: http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=st&q=dailydat&rnum=1&hl=en#61f1bcbcc4e71848

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 2:26 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

This is a new Bagle variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

Thanks,
Matt

John Tolmachoff (Lists) wrote:
OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?
John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?
John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price

Matt

---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
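As an added example that is not code from the thread or from Declude, here is a small Python evaluator for the four filter lines Matt posted above, run over constructed messages. The END/weight semantics and the case-insensitive, whitespace-collapsing match are assumptions of this example, not a description of Declude's engine.

```python
"""Added example, not code from the thread or from Declude: a toy evaluator for
the four filter lines Matt posted, run against constructed messages. The
semantics modelled here (END stops the filter when its test is true, weights
accumulate otherwise, matching is case-insensitive with whitespace collapsed)
are assumptions of this example, not a description of Declude's engine."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matt's filter from the thread, with the field spacing restored.
FILTER_TEXT = """\
HEADERS END NOTCONTAINS boundary="
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price
"""


@dataclass
class Rule:
    where: str              # "HEADERS" or "BODY"
    weight: Optional[int]   # None stands for END
    negate: bool            # True for NOTCONTAINS
    needle: str


def parse_filter(text: str) -> List[Rule]:
    """Parse 'WHERE WEIGHT OP STRING' lines; the string may contain spaces."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        where, weight, op, needle = line.split(None, 3)
        rules.append(Rule(where.upper(),
                          None if weight.upper() == "END" else int(weight),
                          op.upper() == "NOTCONTAINS",
                          needle))
    return rules


def _norm(text: str) -> str:
    # Collapse line breaks and runs of spaces so a needle such as
    # '.zip" Content-Transfer-Encoding' can span a MIME header line break.
    return re.sub(r"\s+", " ", text).lower()


def evaluate(rules: List[Rule], raw_message: str) -> int:
    """Return the weight the filter assigns to one RFC 822 message."""
    headers, _, body = raw_message.partition("\n\n")
    haystack = {"HEADERS": _norm(headers), "BODY": _norm(body)}
    total = 0
    for rule in rules:
        hit = _norm(rule.needle) in haystack[rule.where]
        if rule.negate:
            hit = not hit
        if not hit:
            continue
        if rule.weight is None:     # END line fired: stop, keep what we have
            break
        total += rule.weight
    return total


# Constructed sample messages (not real mail from the thread).
ZIP_MESSAGE = """\
From: sender@example.invalid
To: postmaster@example.invalid
Subject: price
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_1"

------=_Part_1
Content-Type: text/plain

see attached
------=_Part_1
Content-Type: application/zip; name="price.zip"
Content-Disposition: attachment; filename="price.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_Part_1--
"""

PLAIN_MESSAGE = """\
From: sender@example.invalid
To: postmaster@example.invalid
Subject: price list
Content-Type: text/plain

Our price list is unchanged this quarter.
"""


def weight_for(raw_message: str) -> int:
    """Weight of one message under Matt's filter (15 for the zip sample, 0 otherwise)."""
    return evaluate(parse_filter(FILTER_TEXT), raw_message)


if __name__ == "__main__":
    print(weight_for(ZIP_MESSAGE), weight_for(PLAIN_MESSAGE))
```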
RE: [Declude.Virus] Seemingly bad virus this morning
Hmm, yes. Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems like re-inventing the wheel. The readme.txt talks about a SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI downloader.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt -

Matt wrote:
I was wrong about what was detecting it first...it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works - ftp.nai.com/pub/antivirus/datfiles/4.x
-Nick

Thanks,
Matt
RE: [Declude.Virus] Seemingly bad virus this morning
Scott, in various older versions of wget, the -N parameter as well as the --header=Accept-Encoding:gzip parameter plain old didn't work.

Pick up the current version here: http://xoomer.virgilio.it/hherold/#Files and it should be fine.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, September 12, 2005 2:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

-Matt, Does the wget -N command work for you with Mcafee. I also use the -N and get the full download every time.

- Original Message -
From: Matt
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Nice script, but the executables don't change regularly, and many of us are using the command line version of McAfee that requires an unvalidated download. This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line add-on (requires a registered WinZip). It is easy enough to replace that with any other command line unzipping tool. Personally I find WinZip to be perfectly reliable so I'm sticking with it.

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END
C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
:END
ENDLOCAL

Matt

Markus Gufler wrote:
attached you can find a script (I'm not the creator of this script but can't remember who's the genius) that will download the superdats and also the dailydat-files, extract all necessary virus definitions and also engine updates, write any action to a logfile and keep the downloaded superdats so that you can't revert manually if it would be necessary.
You need some command line tools like unzip and wget and adapt the path information in the script for your needs. This script works on my server now for years and I hope it will do so also if now a lot of people will run it on their servers.

Markus
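As an added example that is not code from the thread or from NAI/McAfee, this Python sketch does in plain code what Andrew's update.ini idea and the wget-plus-unzip batch scripts quoted above do: derive the DAT filename and URL from update.ini, skip the download when the installed version is current, and check the archive before it is extracted over the live DAT directory. The [ZIP] section name, the sample ini values and the installed version are constructed assumptions; only FileName, DATVersion and the ftp.nai.com path come from the thread.

```python
"""Added example, not code from the thread or from NAI/McAfee: build the DAT
filename from update.ini the way Andrew sketched, decide whether a download is
needed, and sanity-check the archive before it is unpacked over the live DAT
directory (the batch scripts in the thread only check that wget printed 100%).
The ini text and versions below are constructed samples; the [ZIP] section name
is an assumption, only FileName and DATVersion are quoted in the thread."""
import configparser
import io
import re
import zipfile
from typing import Optional, Tuple

BASE_URL = "ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"   # path quoted by Andrew

# Constructed sample of an update.ini (section name and FileSize are assumed).
SAMPLE_INI = """\
[ZIP]
DATVersion=4579
FileName=dat-4579.zip
FileSize=2345678
"""


def parse_update_ini(text: str) -> Tuple[int, str]:
    """Return (version, filename); either key alone is enough to derive the other."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    version: Optional[int] = None
    filename: Optional[str] = None
    for section in cp.sections():
        sec = cp[section]          # key lookup is case-insensitive in configparser
        if version is None and "DATVersion" in sec:
            version = int(sec["DATVersion"])
        if filename is None and "FileName" in sec:
            filename = sec["FileName"]
    if version is None and filename is not None:
        m = re.fullmatch(r"dat-(\d+)\.zip", filename)
        if m:
            version = int(m.group(1))
    if filename is None and version is not None:
        filename = f"dat-{version}.zip"
    if version is None or filename is None:
        raise ValueError("update.ini has neither FileName nor DATVersion")
    return version, filename


def plan_update(ini_text: str, installed_version: int) -> Optional[Tuple[int, str]]:
    """None when the installed DATs are current, else (new_version, download_url)."""
    version, filename = parse_update_ini(ini_text)
    if version <= installed_version:
        return None
    return version, BASE_URL + filename


def archive_is_sane(data: bytes) -> bool:
    """Accept only an intact ZIP with plain relative member names. A redirect
    to an HTML EULA page, a truncated transfer or a crafted archive all fail."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:        # CRC failure somewhere
                return False
            names = zf.namelist()
            if not names:
                return False
            for name in names:
                parts = name.replace("\\", "/").split("/")
                if name.startswith("/") or ".." in parts or ":" in parts[0]:
                    return False
            return True
    except zipfile.BadZipFile:
        return False


def constructed_archive(member: str = "scan.dat") -> bytes:
    """Build a small in-memory ZIP so the checks can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"constructed sample DAT content")
    return buf.getvalue()


if __name__ == "__main__":
    print(plan_update(SAMPLE_INI, installed_version=4578))
    print(archive_is_sane(constructed_archive()), archive_is_sane(b"<html>EULA</html>"))
```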
RE: [Declude.Virus] Seemingly bad virus this morning
which is all well and good, but... It worked fine for the update.ini, but not for the .zip file. The current stable version of wget does download a full file every time.

Andrew 8)
RE: [Declude.Virus] Seemingly bad virus this morning
A very basic:

wget -N http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

was not working when Scott (and then I) tried it. But it does now, including with the -O parameter. I'd hazard a guess that they have some kind of front-end webcache or cluster, and things weren't perfectly synched.

I'm using 1.10-something.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, September 12, 2005 3:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Scott and Andrew,

It does in fact work on my system. I'm using Wget 1.8.1+cvs. The beta definitions do change very frequently, so this might throw you off. Try executing a derivative of the following command twice and see what happens (remove the line break and adjust the paths):

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

Matt

Scott Fisher wrote:
-Matt, Does the wget -N command work for you with Mcafee. I also use the -N and get the full download every time.
RE: [Declude.Virus] Sudden Internet Slowdown
According to this: http://loadrunner.uits.iu.edu/weathermaps/abilene/

Most of the major links on the Internet are very busy. Interestingly, the Houston-Atlanta link is back up, and was hard down due to Katrina for a week.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Friday, September 09, 2005 8:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Sudden Internet Slowdown

Hello all!

This may be off topic, but has anyone else experienced a sudden Internet slowdown this morning starting about 11:00 EST? We have locations across the country and are experiencing problems in about half our locations, most using SBC DSL for Internet service. Our primary Telnet app is DOA in these locations and e-mail and web surfing is slow everywhere.

Thanks,
Rodney Bertsch
RE: [Declude.Virus] Sudden Internet Slowdown
No problem, Darin. We'll have Newfoundland reboot it. They're half an hour off of everybody else.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, September 09, 2005 10:55 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sudden Internet Slowdown

You mean 4AM ET... We do have some sickos over here that get up to go to work then perhaps we could just send them over to you to solve this whole problem. If not, perhaps we could just insert an hour between 1am PT/4am ET and 1:00:01am PT/4:00:01am ET. That would fix it.

Darin.

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, September 09, 2005 1:42 PM
Subject: RE: [Declude.Virus] Sudden Internet Slowdown

Nope, we here on the West coast protested loudly. We clearly stated it could not be done before 1 AM. However, 1 AM here is 5 AM in the Atlantic time zone, and those people stated it must be done before 5 AM. Therefore the normal reboot of the Internet has been on hold for a long time until this dispute can be resolved.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, September 09, 2005 10:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sudden Internet Slowdown

I thought it was rebooted every night around 3 am ET...

Darin.

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, September 09, 2005 12:01 PM
Subject: Re: [Declude.Virus] Sudden Internet Slowdown

You can't do an internet reboot on a Friday. You need to wait until the weekend.

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, September 09, 2005 10:48 AM
Subject: Re: [Declude.Virus] Sudden Internet Slowdown

Maybe someone should reboot the Internet.

Matt

Keith Johnson wrote:
I am seeing this as we are attempting to get to certain websites and they can't be displayed.
Keith
RE: [Declude.Virus] Sudden Internet Slowdown
Them: When can we have it?
Me: Tomorrow.
Them: No, if we wanted it tomorrow, we'd ask for it tomorrow!

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, September 09, 2005 12:39 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Sudden Internet Slowdown

NO NO NO NO

Then all of our clients will be asking us how come we have not done the work yesterday that they asked us to do tomorrow.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, September 09, 2005 11:39 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Sudden Internet Slowdown

Hmmm... that gets me thinking... maybe all offices should be located straddling the international date line. Then if someone wants something done on a particular day, and you missed it, you could just walk over to the other side of the building, finish it, and tell them it's done.

Darin.
RE: [Declude.Virus] IP list of reported virus infections
Hmmm. I don't specifically remember that, John.

But this is a handy place to check: http://www.dshield.org/warning_explanation.php

DShield is fed by volunteers who run whatever firewall or IDS they like and submit the logs to DShield. It's an offshoot of the SANS Internet Storm Center.

A site of similar vintage is free for personal use, but I don't know if you have the ability to query for an arbitrary IP: http://www.mynetwatchman.com/

Meanwhile, Norton/Symantec have a similar site, but I'm pretty sure that you have to sign up to query their database. It's free to use but is subscription based for full support on alerts and fancy reports: http://analyzer.securityfocus.com/

McAfee runs a similar site but it's informational only: http://www.hackerwatch.org/

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, August 16, 2005 6:20 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] IP list of reported virus infections

About a year ago, Scott quietly introduced a web page where we could go to enter the IP of, say, our server to check to see if any viruses had been reported coming from that IP. Does anyone know if that site is still available, and if so, what is the URL for it?

John T
eServices For You
RE: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???
David, with your version of Declude Virus, you'd have to turn off all 10 of the CR vulnerability checks at one go. I'm at the same or similar version, and that's what I've decided to do.

This directive goes in your virus.cfg:

BANCRVIRUSES OFF

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Thursday, August 11, 2005 10:11 PM
To: Matt
Subject: Re[2]: [Declude.Virus] Outlook 'CR' Vulnerability from Thunderbird ???

Thursday, August 11, 2005, 8:50:32 PM, Matt wrote:
With 2.0.6.16, which is available from the Declude site, you can turn off the Outlook CR Vulnerability. I have turned off all but a couple of these because of numerous false positive issues.

Unfortunately, I'm still at 1.82 due to budget limitations ... our new budget kicks in December, and I'm still debating if I should upgrade Imail and Declude or switch to Smartmail and Declude (definitely will be staying with Declude virus/spam) ... I thought there was a way to turn off the testing with 1.82 too, but couldn't find it in the control file ??

Matt wrote:
If there was ever an exploit spreading actively in the wild, I would rethink my position. I believe that Microsoft has long since patched the flaw, though it can certainly cause parsing issues in virus scanners that could lead to missing the payloads due to a message that was improperly formatted.

My experience is similar, but 99% of the stuff caught has been spam anyway, so I haven't worried about it ... when I realized today it had caught a legitimate email, I was worried. Anyone know if there is a way to turn this off in 1.82??

-
Internet Dental Forum www.internetdentalforum.net
Dentalcast Podcast www.dentalcast.net
RE: [Declude.Virus] Expect new Bagle variants
I hadn't until last night, Markus. But now I've got 35 copies from different sources, all flagged by F-Prot as suspicious files.

F-Prot detects the executable inside a zip file as a Mitglieder variant, and submitting it to http://www.VirusTotal.com shows that all the big name vendors there are detecting it as either a Bagle variant or Mitglieder. Notably absent is Trend Micro, which I tested on my desktop. Nope, TrendMicro doesn't detect it at all.

[pause]

Actually I'm seeing multiple versions, at least two of which TrendMicro doesn't catch, but F-Prot caught all of them as 'suspicious'.

Also, it's pretty clear that the text of the message is a template, and that template was used to send the nuisance message I reported in the Sniffer forum a week ago.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, August 11, 2005 11:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Expect new Bagle variants

It looks as though the Bagle author is back from his vacation. Today we've detected several new variants (actually old variants which have been repacked) and they are still coming in. I can see some unknown virus detections in the last 24 hours.

Markus