[Declude.Virus] New, fast-spreading virus

2004-01-26 Thread R. Scott Perry
FYI, there is a new fast-spreading virus out there, that is too new to be 
caught by AV programs yet.

So far we have seen filenames of body, data, document, file, 
glszfj, message, readme, test, text, vgsu042a, and vncexdl, 
with extensions of .pif, .scr, .zip.

It may be a wise idea to temporarily ban .pif and .scr files (and possibly 
.zip as well), if you do not already.  You can use BANEXT PIF and BANEXT 
SCR in the virus.cfg file to do this.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread Andy Schmidt
Yep - just got one.  The readme.zip contains a readme.scr screen saver.
No doubt a virus.



RE: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread Andy Schmidt
Hm - just got this mail with an attached README.ZIP (which I didn't open):


  From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
  Sent: Monday, January 26, 2004 04:32 PM
  Subject: 

  The message contains Unicode characters and has been sent as a binary
attachment.




RE: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread John Tolmachoff (Lists)
This is going to be a bad one. The file I got was fssgf.zip with a fssgf.scr
inside of it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread John Tolmachoff (Lists)
FYI, I just received a suspicious email with a zipped SCR in it. Sent to
virus trap for verification. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



Re: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread Matt
I've trapped three of these in the last half hour (we always ban SCR and 
PIF files).  I've seen three different subjects (it must be a Bagel 
variant):

Hi
Hello
MAIL DELIVERY SYSTEM

The bodies all have that one line in them that you quoted. The only 
other notable sign that I can see is a Message ID that uses MMDDhhmm 
and then three numbers, i.e.:

Message-Id: [EMAIL PROTECTED]

ID also uses the wrong capitalization, but I don't think we can 
filter for that.

Matt




--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Jim Matuska
F-prot just had an update too, waiting to see if we catch any.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 2:06 PM
Subject: RE: [Declude.Virus] New, fast-spreading virus: MyDoom


Hi,

I just got my hourly update - it's now detected by McAfee as:

w32/[EMAIL PROTECTED]


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/




Re: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread Matt
Well, that's a good sign then that JunkMail will at least add a few 
points to it.  If I'm correct, that error also causes BADHEADERS to trip 
as well, and if you have LOSSENSPAMHEADERS ON, it will skip this test.

These messages will also fail CMDSPACE.

Matt



R. Scott Perry wrote:


The bodies all have that one line in them that you quoted. The only 
other notable sign that I can see is a Message ID that uses 
MMDDhhmm and then three numbers, i.e.:

Message-Id: [EMAIL PROTECTED]


Actually, that's an IMail Message-ID: header -- it's coming in with no 
Message-ID: header (triggering SPAMHEADERS in Declude JunkMail), and 
IMail is then adding the header.

   -Scott


Re: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Jim Matuska
So much for the latest update from F-Prot, it does not pick up the new
virus, I just received one a few seconds ago, failed spam headers but made
it right through virus.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]



Re: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Jim Matuska
F-Prot just released new Definitions that pick up W32/[EMAIL PROTECTED] as well.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


Re: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Jim Matuska
This brings up one additional thought for blocking this sort of virus in the
future: would there be any way to have Declude be able to detect that a zip
file includes a .scr file inside and block it when you use the :banext
scr option in the virus.cfg file?  Is this possible, perhaps in a future
release?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
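
The check asked about in the message above, as an added example that is not part of the original thread and is not Declude's code: a Python scan that walks a message's attachments, opens zip archives (including nested ones and zips sent under another extension) and reports members whose extension is on the ban list. The sample messages, addresses, size and depth limits, and reason strings are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED_EXT = {"pif", "scr"}           # the extensions the thread bans with BANEXT
MAX_DEPTH = 3                         # assumption: how many zip levels to open
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumption: skip nested zips declared larger


def _ext(name):
    """Lower-cased final extension; trailing dots/spaces are ignored as Windows does."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def _scan_zip(data, path, depth, hits):
    """Append (member path, reason) for every problem found inside one zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        hits.append((path, "unreadable-zip"))
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}!{info.filename}"
            ext = _ext(info.filename)
            if ext in BANNED_EXT:
                # With classic zip encryption the member names stay readable,
                # so this check works even when the data itself is encrypted.
                hits.append((member, "banned-ext"))
            elif ext == "zip":
                if info.flag_bits & 0x1:
                    hits.append((member, "encrypted-nested-zip"))
                elif depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    hits.append((member, "nested-zip-not-scanned"))
                else:
                    try:
                        inner = zf.read(info)
                    except Exception:
                        hits.append((member, "unreadable-zip"))
                        continue
                    _scan_zip(inner, member, depth + 1, hits)


def scan_message(raw):
    """Return a list of (attachment or member path, reason) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in BANNED_EXT:
            hits.append((name, "banned-ext"))
        elif ext == "zip" or data[:4] == b"PK\x03\x04":
            # Also open zips that arrive under another extension.
            _scan_zip(data, name, 1, hits)
    return hits


def _zip_bytes(members):
    """Build a zip in memory from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(filename, payload):
    """Constructed sample message with one attachment (harmless placeholder data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("constructed sample body")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("readme.zip", _zip_bytes({"readme.scr": b"placeholder"}))
    for path, reason in scan_message(sample):
        print(f"{reason}: {path}")
```
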


RE: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Jim Nitterauer
We have been stopping them since about 2:30 CST. F-Prot updates 4 times
daily.


Jim Nitterauer
President
Creative Data Concepts Limited, Inc.
3 W. Garden Street
Suite 326
Pensacola, FL 32502
http://www.creativedata.net
850-434-7645
800-607-6168

-
[This E-mail scanned for viruses courtesy of Creative Data Concepts
http://www.creativedata.net]


Re: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread R. Scott Perry

Well, that's a good sign then that JunkMail will at least add a few points 
to it.  If I'm correct, that error also causes BADHEADERS to trip as well...

No (this is important).

If an E-mail has headers that are [1] common in spam, and [2] rare in 
legitimate E-mail, it will fail either the SPAMHEADERS *or* BADHEADERS 
test.  If the headers are legal, it fails the SPAMHEADERS test; otherwise, 
it fails the BADHEADERS test.  An E-mail will only fail both if there are 2 
or more problems (one legal, one not).

   -Scott


Re: [Declude.Virus] New, fast-spreading virus

2004-01-26 Thread Matt
I forgot that this was due to a combination of issues that can occur 
when IMail inserts a header if it receives a message with an IP for the 
HELO and replied as if that was always the case.  You've been through 
this before with me, and I do understand.

Thanks,

Matt



R. Scott Perry wrote:


Well, that's a good sign then that JunkMail will at least add a few 
points to it.  If I'm correct, that error also causes BADHEADERS to 
trip as well...


No (this is important).

If an E-mail has headers that are [1] common in spam, and [2] rare in 
legitimate E-mail, it will fail either the SPAMHEADERS *or* BADHEADERS 
test.  If the headers are legal, it fails the SPAMHEADERS test; 
otherwise, it fails the BADHEADERS test.  An E-mail will only fail 
both if there are 2 or more problems (one legal, one not).

   -Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread John Tolmachoff \(Lists\)
Just MyDoom.

 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
 

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of
Keith Johnson
Sent: Monday, January 26, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New, fast-spreading virus: MyDoom

 

John,

Did you add: Mydoom  or Mydoom.A or the full W32/[EMAIL PROTECTED] to your
SKIP...

 

Keith

-Original Message- 
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Mon 1/26/2004 6:32 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.Virus] New, fast-spreading virus: MyDoom

I have now added this to the list of forging viruses in the virus.cfg and
added SKIPIFVIRUSNAMEHAS in the recip.eml file.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Monday, January 26, 2004 3:19 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] New, fast-spreading virus: MyDoom

 Confirmed here that F-Prot is now catching.

 01/26/2004 15:16:56 Q9fe7039901d8f7c9 MIME file: readme.scr [base64; Length=22528 Checksum=2535504]
 01/26/2004 15:16:56 Q9fe7039901d8f7c9 Banning file with scr extension [application/octet-stream].
 01/26/2004 15:16:56 Q9fe7039901d8f7c9 Scanner 1: Virus=: W32/[EMAIL PROTECTED] Attachment=readme.scr [11] O
 01/26/2004 15:16:56 Q9fe7039901d8f7c9 File(s) are INFECTED [: W32/[EMAIL PROTECTED]: 3]
 01/26/2004 15:16:57 Q9fe7039901d8f7c9 Scanned: CONTAINS A VIRUS [MIME: 2 22775]
 01/26/2004 15:16:57 Q9fe7039901d8f7c9 From: x To: yy[outgoing from 12.124.150.50]
 01/26/2004 15:16:57 Q9fe7039901d8f7c9 Subject: TEST

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.Virus-
  [EMAIL PROTECTED] On Behalf Of Andy Schmidt
  Sent: Monday, January 26, 2004 2:57 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.Virus] New, fast-spreading virus: MyDoom
 
  Hi,
 
   would there be any way to have declude be able to detect that a zip file
  includes a .scr file inside and block it when you use the :banext scr
  option in the virus.cfg file? 
 
  Well - this warrants further discussions.
 
  So far, we have been instructing/educating users that they SHOULD zip their
  SCR EXE and other banned file extensions into ZIP files.  If we now ban ZIP
  files because they contain the very files that we told customers to ZIP,
  then we have customers in a catch-22.
 
  Best Regards
  Andy Schmidt
 
  HM Systems Software, Inc.
  600 East Crescent Avenue, Suite 203
  Upper Saddle River, NJ 07458-1846
 
  Phone:  +1 201 934-3414 x20 (Business)
  Fax:+1 201 934-9206
 
  http://www.HM-Software.com/
 
 

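The check asked about in the quoted message above (does a .zip attachment contain a file with a banned extension?), as an added Python example that is not part of the thread and is not Declude's code. The function names and the sample message are constructed for illustration; only the PIF/SCR ban list comes from the thread.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED_EXT = {"pif", "scr"}  # mirrors BANEXT PIF / BANEXT SCR from the thread


def ext(name):
    """Final extension, lower-cased; trailing dots and spaces are stripped first."""
    name = name.rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def banned_in_zip(data, banned=BANNED_EXT):
    """Names of archive members with a banned extension (directory read only)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if ext(n) in banned]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # cannot inspect: surface it for a policy decision


def scan_message(raw, banned=BANNED_EXT):
    """Return (attachment name, offending name) pairs for one raw message."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if ext(fname) in banned:
            hits.append((fname, fname))
        elif ext(fname) == "zip":
            payload = part.get_payload(decode=True) or b""
            hits += [(fname, inner) for inner in banned_in_zip(payload, banned)]
    return hits


def sample_message(inner_name):
    """Constructed test mail: readme.zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "TEST"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="readme.zip")
    return msg.as_bytes()
```

Only the archive's directory is read, so nothing is extracted or run, and nested archives are not opened. Whether a hit is blocked or merely held is the policy question the quoted message raises.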
RE: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread John Tolmachoff \(Lists\)
You know, for how fast spreading this appears to be, I am wondering if it is
not being propagated by all those zombies out there.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Joshua Levitsky
My F-Prot caught one already. Make sure you have the 1/26 application defs 
and not just the macro defs. When I updated earlier I only got 1/26 macro 
virus defs. Then I got the application defs when I tried a little later.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
- Original Message - 
From: Jim Matuska [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 5:18 PM
Subject: Re: [Declude.Virus] New, fast-spreading virus: MyDoom


So much for the latest update from F-Prot, it does not pick up the new
virus, I just received one a few seconds ago, failed spam headers but made
it right through virus.
Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


RE: [Declude.Virus] New, fast-spreading virus: MyDoom

2004-01-26 Thread Todd Holt
ROFLOL!!

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV  USA
www.xidix.com
702.319.4349



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.Virus-
 [EMAIL PROTECTED] On Behalf Of Matt
 Sent: Monday, January 26, 2004 5:19 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.Virus] New, fast-spreading virus: MyDoom
 
 You mean as opposed to being propagated by lonely housewives?
 
 :)
 
 
 
 John Tolmachoff (Lists) wrote:
 
 You know, for how fast spreading this appears to be, I am wondering if it
 is not being propagated by all those zombies out there.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 