RE: [Declude.Virus] Blast of zips coming in
I forced a Fprot update when I saw them coming in and yes, it started picking them up as Mitglieder variants - at least those not held for spam reasons. (I run AVAFTERJM)

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, November 01, 2005 12:01 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Blast of zips coming in

Current F-Prot definitions catch this as a Mitglieder variant, and Trend Micro reports that they are investigating Bagle.AB

The zip files contain a non-password protected executable; I've noticed the following names:

Loader.exe
t_535475.exe

Here is an F-Prot report on one catch:

C:\Temp\Virus\Bagle.New>d:\f-prot\scanonly *.*
Virus scanning report - 1 November 2005 @ 9:49

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 1 November 2005
SIGN2.DEF created 1 November 2005
MACRO.DEF created 25 October 2005

Search: *.*
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=d:\f-prot\ScanReport.txt /NOBOOT /NOMEM /AI
Memory was not scanned.
Hard disk boot sectors were not scanned.

C:\Temp\Virus\Bagle.New\D939EE224010AEFE9.SMD->Business_dealing.zip->Loader.exe is a security risk named W32/Mitglieder.FY

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 3
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

ErrorLevel returned by fpcmd is: [8]
errorlevel 8 = At least one suspicious object was found.

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Blast of zips coming in
Actually didn't get John T's post. As to the payload, think someone else has posted on that. Sorry, just not brave (?) enough to open them (the zips). I just hold, review, and delete.

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: Tuesday, November 01, 2005 11:48 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Blast of zips coming in

on 11/1/05 11:38 AM, John T (Lists) wrote:

> What is the payload inside?

.exe files

John's post about what we all should do with .exe files in zip attachments will follow in 3 ... 2 ... 1 ... :)

Don't let me down John,
Greg
RE: [Declude.Virus] Blast of zips coming in
We have also seen a high rate of zip files today. Our NAV Gateway sees them as [EMAIL PROTECTED]

Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew
> Sent: Tuesday, November 01, 2005 10:01 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Blast of zips coming in
>
>
> Current F-Prot definitions catch this as a Mitglieder variant, and Trend
> Micro reports that they are investigating Bagle.AB
>
> The zip files contain a non-password protected executable; I've noticed
> the following names:
>
> Loader.exe
> t_535475.exe
>
> Here is an F-Prot report on one catch:
>
> C:\Temp\Virus\Bagle.New>d:\f-prot\scanonly *.*
> Virus scanning report - 1 November 2005 @ 9:49
>
> F-PROT ANTIVIRUS
> Program version: 3.16b
> Engine version: 3.16.6
>
> VIRUS SIGNATURE FILES
> SIGN.DEF created 1 November 2005
> SIGN2.DEF created 1 November 2005
> MACRO.DEF created 25 October 2005
>
> Search: *.*
> Action: Report only
> Files: "Dumb" scan of all files
> Switches: /ARCHIVE /PACKED /SERVER /REPORT=d:\f-prot\ScanReport.txt
> /NOBOOT /NOMEM /AI
> Memory was not scanned.
> Hard disk boot sectors were not scanned.
>
> C:\Temp\Virus\Bagle.New\D939EE224010AEFE9.SMD->Business_dealing.zip->Loader.exe is a security risk named W32/Mitglieder.FY
>
> Results of virus scanning:
>
> Files: 1
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 3
> Infected: 0
> Suspicious: 1
> Disinfected: 0
> Deleted: 0
> Renamed: 0
>
> Time: 0:00
>
> ErrorLevel returned by fpcmd is: [8]
> errorlevel 8 = At least one suspicious object was found.

---
[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] Blast of zips coming in
Current F-Prot definitions catch this as a Mitglieder variant, and Trend Micro reports that they are investigating Bagle.AB

The zip files contain a non-password protected executable; I've noticed the following names:

Loader.exe
t_535475.exe

Here is an F-Prot report on one catch:

C:\Temp\Virus\Bagle.New>d:\f-prot\scanonly *.*
Virus scanning report - 1 November 2005 @ 9:49

F-PROT ANTIVIRUS
Program version: 3.16b
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 1 November 2005
SIGN2.DEF created 1 November 2005
MACRO.DEF created 25 October 2005

Search: *.*
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /PACKED /SERVER /REPORT=d:\f-prot\ScanReport.txt /NOBOOT /NOMEM /AI
Memory was not scanned.
Hard disk boot sectors were not scanned.

C:\Temp\Virus\Bagle.New\D939EE224010AEFE9.SMD->Business_dealing.zip->Loader.exe is a security risk named W32/Mitglieder.FY

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 3
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

ErrorLevel returned by fpcmd is: [8]
errorlevel 8 = At least one suspicious object was found.
RE: [Declude.Virus] Blast of zips coming in
Well ... ;-)

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of System Administrator
> Sent: Tuesday, November 01, 2005 9:48 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] Blast of zips coming in
>
> on 11/1/05 11:38 AM, John T (Lists) wrote:
>
> > What is the payload inside?
>
> .exe files
>
> John's post about what we all should do with .exe files in zip attachments
> will follow in 3 ... 2 ... 1 ... :)
>
> Don't let me down John,
> Greg
Re: [Declude.Virus] Blast of zips coming in
on 11/1/05 11:38 AM, John T (Lists) wrote:

> What is the payload inside?

.exe files

John's post about what we all should do with .exe files in zip attachments will follow in 3 ... 2 ... 1 ... :)

Don't let me down John,
Greg
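Andrew's message above describes the wave as zip files carrying a single unencrypted executable (Loader.exe, t_535475.exe), and Greg's reply asks what admins should do with .exe files inside zip attachments. The following is an added example, not code from the thread, from Declude or from any of the posters: a Python check that inspects a zip attachment entirely in memory (nothing is extracted to disk or run), flags members by executable extension, by the MZ header of a Windows PE file (which catches an executable even when its extension was changed), by nesting and by password protection, and returns a hold/pass verdict the way a mail filter would. The extension list and the size guard are my assumptions; the sample zips are constructed inline.

```python
import io
import zipfile

# Extensions treated as directly executable. The thread only mentions .exe;
# the rest is a common Windows list and an assumption of this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Refuse to open members whose declared size is absurd (zip-bomb guard; assumed limit).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def inspect_zip_attachment(data: bytes) -> dict:
    """Return {'verdict': 'hold'|'pass'|'not-a-zip', 'findings': [...]} for a ZIP held as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not-a-zip", "findings": []}
    with zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 of the general-purpose flags
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if ext == ".zip":
                reasons.append("nested zip")
            if encrypted:
                # A scanner cannot see inside; the thread's samples were *not* encrypted,
                # but a gateway should still treat the case explicitly.
                reasons.append("password protected (contents cannot be scanned)")
            elif info.file_size <= MAX_MEMBER_BYTES:
                # Peek at the first two bytes only; a PE file starts with 'MZ'.
                with zf.open(info) as member:
                    head = member.read(2)
                if head == b"MZ":
                    reasons.append("MZ header (PE executable regardless of extension)")
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return {"verdict": "hold" if findings else "pass", "findings": findings}


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a fake 'Loader.exe' with an MZ header,
# mimicking the attachment shape from the thread; a harmless text file; and an
# MZ-headed member with a non-executable extension to show the header check.
SUSPECT_ZIP = build_sample_zip({"Loader.exe": b"MZ" + b"\x00" * 62})
CLEAN_ZIP = build_sample_zip({"notes.txt": b"quarterly figures attached"})
RENAMED_ZIP = build_sample_zip({"t_535475.dat": b"MZ" + b"\x00" * 62})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_ZIP), ("clean", CLEAN_ZIP), ("renamed", RENAMED_ZIP)):
        print(label, inspect_zip_attachment(blob))
```

In a gateway such a check would sit in front of the signature scanners, so a zip whose only content is an executable is held (as John C does by hand) even on the morning before definitions catch up; the verdict is a hold for review, not a delete, because the check is structural and knows nothing about intent.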
RE: [Declude.Virus] Blast of zips coming in
What is the payload inside?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of John Carter
> Sent: Tuesday, November 01, 2005 7:51 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] Blast of zips coming in
>
> We are currently getting hit with a blast of emails with ZIP attachments.
> They are showing clean, at least with F-Prot and ClamAV under Declude, plus
> a manual scan by Trend Micro. They fake our user as sender.
>
> Attachments are among others: info_price.zip, text_sms.zip, max.zip,
> Health_and_knowledge.zip, and others.
>
> John C
Re: [Declude.Virus] Blast of zips coming in
Confirmed on my end. 31 of these hit us in the last hour starting at 10:03 a.m. EST. 80% of these would have passed spam blocking without the extra filtering that we have in place for this sort of thing. It appears to not be seeding, but a real virus spreading in the wild based on the fact that these are mostly clean IPs and they come from all over the place.

Matt

John Carter wrote:

> We are currently getting hit with a blast of emails with ZIP attachments. They are showing clean, at least with F-Prot and ClamAV under Declude, plus a manual scan by Trend Micro. They fake our user as sender.
>
> Attachments are among others: info_price.zip, text_sms.zip, max.zip, Health_and_knowledge.zip, and others.
>
> John C
[Declude.Virus] Blast of zips coming in
We are currently getting hit with a blast of emails with ZIP attachments. They are showing clean, at least with F-Prot and ClamAV under Declude, plus a manual scan by Trend Micro. They fake our user as sender.

Attachments are among others: info_price.zip, text_sms.zip, max.zip, Health_and_knowledge.zip, and others.

John C