RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Marc Catuogno
Um, no making fun here - I opened it.  I thought it was just spam that someone
forwarded to my spam account. I didn't find the Trojan downloader on my
PC.  I'm ASSUMING that you have to hit the check prices macro button, as no
macro seemed to auto-execute...

I just downloaded the intelligent updater for NAV 9 (as the live update
button only gave me definitions of the 21st) and am running a scan now.

Remind me not to make so much fun of other people for opening attachments.

Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 2:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip file as
attachment have passed our virus filters.

It's a zip file containing an MS Word document named my_notebook.doc.

Most virus scanners can't catch it. VirusTotal returned positive results
from only two scanners:

Sophos has found WM97/Kukudro-A 
UNA has found a Macro Virus

No other AV engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
I have added the request to the wish list. We are focusing on replicating
problems and fixing items from the list I had posted earlier last week. We
are looking to do a release Thursday, 8 July; it is currently undergoing
testing. This is all obviously subject to change; just trying to keep you
informed.

Items in next release:

1. Fix - ALLOWVULNERABILITIESFROM - full email address only

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path

3. Add - Error in SM envelope file: if errors are found the mail will be
moved to the error directory

4. Add - If the header files are not found then the data file is moved to
the error directory.

5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
for the end of the headers.

David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, but I can think
of dozens of things that are very largely useful on a much more regular
basis.  In fact, the current functionality provides an appropriate mechanism
for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known bugs
first.  When they catch up, then certainly they should consider feature
requests, but it would make sense to focus on new tests and improving existing
ones, along with refining functionality.  I will personally continue to hold
back from such discussions until it is clear that they are capable of
handling the bugs.

Sorry to make an example of you here; that's not the intention of course.  I
just thought that it would be constructive to point this stuff out for the
benefit of Declude and its customers alike.

Matt



John T (Lists) wrote: 

I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus

As far as I know, yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip archives.

Markus



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word
doc with
Macro-Virus

Is the word document only named that?

John T
eServices For You

Seek, and ye shall find!


RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
Marc, check the contents of your c:\ for 666INSE_1.EXE, as this is the
dropper file that the macro drops.  If it's there, the macro was
executed, and the dropper has probably also downloaded further malware.

Modern versions of Office will, by default, not execute the macro, so you
might be safe.

I don't know if Symantec has signatures for this document, the dropper
or the payload it downloads.  Trend Micro does, so you could use their
web based HouseCall antivirus scanner from here:

http://housecall.trendmicro.com/

Andrew 8)


RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Kami Razvan
Hi John:

I have received 3 of these that are not in zip files:

My_new_comp.doc
About_me.doc
Hp_laptops.doc

All are similar in concept, with the following in the body and different
subjects.  The name after "Hello" is also different.

---
Hello Cristian Asanachescu


Regards, Cristian Asanachescu 


Or
-
Hello Patricia Myrose


Regards, Patricia Myrose 
-

All files are 52 KB attachments.

I am trying to see why it was not caught as a virus.  It does not look right.

Regards,
Kami

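Markus's virus.cfg lines earlier in the thread match only the name of the outer attachment, and his follow-up points out that BANNAME my_notebook.doc does not reach inside a zip archive; Kami's three samples then arrived as bare .doc files whose body repeats the greeting name in the sign-off. The script below is an added example written for this page, not Declude code and not any list member's own tool. It parses one message, applies the thread's ban list to the outer attachment and to every member of a (nested) zip, applies a crude macro heuristic to Word documents, and checks the body pattern Kami described. Three things in it are assumptions rather than facts from the thread: BANNAME matching is treated as case-insensitive on the bare filename, a .doc is called a macro carrier when it is an OLE2 compound file containing a VBA project storage name, and the message it runs on is a constructed sample, not a captured one.

```python
"""Zip-aware attachment screening for the macro-document run in the thread.

Added example, not Declude code. Assumptions (not from the thread):
  - BANNAME matching is case-insensitive on the bare filename;
  - a .doc is flagged as a macro carrier when it is an OLE2 compound file
    that contains a VBA project storage name (a shallow heuristic);
  - the message built by build_sample() is constructed, not captured.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Names from the thread: Markus's virus.cfg entries plus Kami's three bare .doc files.
BANNAME = {
    "prices.zip", "apple_prices.zip", "sony_prices.zip", "hp_prices.zip",
    "dell_prices.zip", "my_notebook.doc",
    "my_new_comp.doc", "about_me.doc", "hp_laptops.doc",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored UTF-16LE; a Word VBA project lives under
# the "Macros"/"VBA" storages and carries a "_VBA_PROJECT" stream.
VBA_MARKERS = tuple(s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT"))

MAX_DEPTH = 3           # how many zip-in-zip levels to descend
MAX_MEMBER = 5_000_000  # refuse to inflate anything larger (zip-bomb guard)


def is_banned(name):
    """Case-insensitive match on the bare filename (assumed behaviour).
    '!' separates an archive from its member in the names this script builds."""
    base = re.split(r"[/\\!]", name)[-1].lower()
    return base in BANNAME


def looks_like_macro_doc(data):
    """OLE2 magic at offset 0 plus any VBA storage name anywhere in the file."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def inspect_blob(name, data, depth=0):
    """Findings for one attachment, descending into zip archives."""
    findings = []
    if is_banned(name):
        findings.append(f"BANNAME {name}")
    if looks_like_macro_doc(data):
        findings.append(f"MACRO {name}")
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER:
                    findings.append(f"OVERSIZE {inner}")
                    continue
                try:
                    member = zf.read(info)
                except RuntimeError:          # password-protected member
                    findings.append(f"ENCRYPTED {inner}")
                    continue
                findings.extend(inspect_blob(inner, member, depth + 1))
    return findings


GREETING = re.compile(r"^\s*Hello\s+(.+?)\s*$", re.M)
SIGNOFF = re.compile(r"^\s*Regards,\s+(.+?)\s*$", re.M)


def body_matches_pattern(text):
    """Kami's observation: the greeting name is repeated verbatim in the sign-off."""
    g, s = GREETING.search(text), SIGNOFF.search(text)
    return bool(g and s and g.group(1) == s.group(1))


def inspect_message(raw):
    """Parse a raw RFC 822 message and return all findings as strings."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body_matches_pattern(body.get_content()):
        findings.append("BODYPATTERN")
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_blob(name, part.get_payload(decode=True)))
    return findings


def build_sample():
    """Constructed sample: a zip holding a fake OLE .doc that carries a VBA marker."""
    fake_doc = OLE_MAGIC + b"\x00" * 504 + "VBA".encode("utf-16-le") + b"\x00" * 64
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("my_notebook.doc", fake_doc)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "hp prices"
    msg.set_content("Hello Patricia Myrose\n\n\nRegards, Patricia Myrose\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="hp_prices.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

Running it prints one line per finding for the constructed sample: the body pattern, the banned outer name, the banned inner name and the macro hit. The OLE check is deliberately shallow: it looks for the UTF-16LE storage names a VBA project leaves behind rather than walking the compound-file FAT, so it misses a document that hides its project and can fire on a document that merely contains those strings; a real mail gate would hand flagged files to a proper OLE parser or a scanner that understands the format.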

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt

David,

I'm just wondering about the issue with the invalid characters in the 
Mail From's that caused massive spam leakage almost a month ago.  Is 
this, too, supposed to be fixed?


I'm also very, very curious about the other bugs, such as long base 64 
encoding causing Declude Virus to fail decoding, WHITELIST IP being 
applied before IPBYPASS, and the issue where Declude's headers are 
inserted at the bottom of the message when the headers don't use proper 
CRLF line breaks.


Thanks,

Matt

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Robert Grosshandler
Matt -

Thanks for keeping track of all of this for the rest of us.

Rob 

---
[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
Matt,

Headers not using proper CRLF line breaks are currently being tested using
the new NONSTANDARDCRLF vulnerability test.

As for these items, they are on the list for engineers to confirm, test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt




David,

The CRLF thing doesn't affect me since I have my own solution; however,
for those that use Subject tagging, adding another test won't help
unless they decide to just simply delete such messages. The header
boundary could be programmatically determined with a great deal of ease
(a simple regexp), and Declude could insert its headers into the
correct place if this was done. Introducing tests to score conditions
that one's software does not handle correctly is not a fix, it's a
work-around.

Regarding the other things, I'm very alarmed that the official position
is still not even recognizing that these bugs surely exist, much less
fixing them at this point. This concerns me greatly since I rely on this
product for my business, and if it takes months to just confirm a bug,
especially one that is widely reported, I can't responsibly rely on
that product. It is pretty much the same thing as having a virus
scanner that takes months to catch a particular virus, or having a Web
browser that is never patched for a critical flaw. I consider both the
Mail From issue and the base 64 encoding issue to be critical flaws
that warrant immediate fixes. I am not alone in this. If you don't
have a lot of people still griping about this stuff, it is because they
are either not aware of the flaws, or they have already given up on
trying to get you guys to fix them, or given up on relying on Declude
altogether. These things should be fixed in hours or days and not
weeks or months when they occur.

I assume that you are not the person making these development
decisions, so this isn't directed at you, but those that make the calls
need to fully understand the critical nature of these flaws, and their
role in making sure that Declude can respond rapidly to such things not
just now, but as they occur in the future.

Thanks,

Matt


Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Ncl Admin
All of these issues are why I am still on version 2.x.x as well.  I have
been waiting for their resolution for some time while patiently paying my
support fees.


RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
Matt,
 
The CRLF problem has more to do with the email server and not Declude;
emails that are so badly broken should be either rejected by the email
server or have their headers standardized by the email server.
Either way, this is a much more complex issue than you make it out to be by
just fixing it with a simple regexp; if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue; it is not an additional spam test. As I clearly stated, we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not in Declude, therefore the message will be
quarantined, as every instance we have seen of this has been invalid email.

The long base 64 encoding is a similar issue, whereby the mail server should
deal with these before they get to Declude, as such emails are clearly in
violation of the RFCs and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level. Have you contacted Imail and asked
for their response and/or fix?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programatically determined with a great deal of ease (a simple regexp), and
Declude could insert it's headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed at
this point.  This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one that
is widely reported, I can't responsibly rely on that product.  It is pretty
much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patch for a critical
flaw.  I consider both the Mail From issue and the base 64 encoding issues
to be critical flaws that warrant immediate fixes.  I am not alone in this.
If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not weeks or
months when they occur.

I assume that you are not the person making these development decisions, so
this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making sure
that Declude can respond rapidly to such things not just now, but as they
occur in the future.

Thanks,

Matt




David Barker wrote: 

Matt,

Headers not using proper CRLF line breaks is currently being tested
using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and
test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in
the Mail
From's that caused massive spam leakage almost a month ago.  Is this
too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base
64
encoding causing Declude Virus to fail decoding, WHITELIST IP being
applied
before IPBYPASS, and the issue where Declude's headers are inserted
at the
bottom of the message when the headers don't use proper CRLF line
breaks?

Thanks,

Matt



David Barker wrote:

  

I have added the request to the wish list. We are focusing on replicating

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Michael Thomas - Mathbox
David,

From my point of view, the problem with that response is that if Imail
handled all the issues presented by abnormal mail messages, we would not need
Declude. Imail handles normal messages just fine. If it were not for viruses
and spammers, we would not see these problems. We got Declude to handle
viruses and spammers.

Mike

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Wednesday, June 28, 2006 3:08 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 
 Matt,
  
 The CRLF problem has more to do with the email server and not Declude,
 emails that are so badly broken should be either rejected by the email
 server or these headers should be standardized by the email server.
 Either way this is a much more complex issue than you make it 
 out to be, by
 just fixing it with a simple regexp, if it was as easy as 
 that, do you not
 think we would have done this already ?
 
 Introducing tests to score conditions that one's software 
 does not handle
 correctly is not a fix, it's a work-around. This is not how 
 we are dealing
 with this issue, it is not an additional Spam test as I 
 clearly stated we
 are dealing with this as a vulnerability because this should 
 be addressed at
 the email server level and not Declude, therefore the message will be
 quarantined - as every instance we have seen of this has been 
 invalid email.
 
 The Long base 64 encoding is a similar issue whereby the mail 
 server should
 deal with these before they get to Declude as such emails are 
 clearly in
 violation of the RFC's and should be treated as suspect from the very
 beginning.
 
 To conclude, we are making every effort to address these 
 issues because it
 is not being done at the server level, have you contacted 
 Imail and asked
 for their response and/or fix ?
 
 David B
 www.declude.com
 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Matt
 Sent: Wednesday, June 28, 2006 2:48 PM
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 
 
 David,
 
 The CRLF thing doesn't affect me since I have my own 
 solution, however for
 those that use Subject tagging, adding another test won't 
 help unless they
 decide to just simply delete such messages.  The header 
 boundary could be
 programmatically determined with a great deal of ease (a 
 simple regexp), and
 Declude could insert its headers into the correct place if 
 this was done.
 Introducing tests to score conditions that one's software 
 does not handle
 correctly is not a fix, it's a work-around.
 
 Regarding the other things, I'm very alarmed that the 
 official position is
 still not even recognizing that these bugs surely exist, much 
 less fixed at
 this point.  This concerns me greatly since I rely on this 
 product for my
 business, and if it takes months to just confirm a bug, 
 especially one that
 is widely reported, I can't responsibly rely on that product. 
  It is pretty
 much the same thing as having a virus scanner that takes 
 months to catch a
 particular virus, or having a Web browser that is never patched 
 for a critical
 flaw.  I consider both the Mail From issue and the base 64 
 encoding issues
 to be critical flaws that warrant immediate fixes.  I am not 
 alone in this.
 If you don't have a lot of people still griping about this 
 stuff, it is
 because they are either not aware of the flaws, or they have 
 already given
 up on trying to get you guys to fix them, or given up on 
 relying on Declude
 altogether.  These things should be fixed in hours or days 
 and not weeks or
 months when they occur.
 
 I assume that you are not the person making these development 
 decisions, so
 this isn't directed at you, but those that make the calls 
 need to fully
 understand the critical nature of these flaws, and their role 
 in making sure
 that Declude can respond rapidly to such things not just now, 
 but as they
 occur in the future.
 
 Thanks,
 
 Matt
 
 
 
 

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Back to the matter indicated in the subject line, how are others dealing
with this?

Are F-Prot and AVG and others catching this now?

Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic.

John T
eServices For You

Seek, and ye shall find!




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt

David,

Mail servers have absolutely no requirement to inspect the contents of 
the data.  This is Declude's job to do.  Additionally, most mail clients 
do support both the CR flaw as well as the long base64  encoding flaw, 
so anything making it past Declude due to the holes created by these 
bugs is a critical flaw.  There are so many things out there that 
violate the RFC's, it's almost not even worth arguing about whose 
responsibility it is since these things definitely exist and need to be 
dealt with appropriately.


The issue with the CR's and Declude is not technically a vulnerability 
for any application out there besides Declude itself.  Vulnerabilities 
in Declude have historically been formatting supported by mail clients 
which could be used to sneak past encoded attachments or scripting which 
could cause auto-execution or bypassing of virus scanners.  The 
vulnerability only exists because Declude's SUBJECT action and header 
appending does not work appropriately, and some people chose to filter 
on such things instead of relying on other actions.


I do in fact receive legitimate E-mails that have only CR's.  Any PHP 
programmer out there can make this mistake just like multiple vendors 
are violating RFC's by including a space in the SMTP commands where they 
don't belong, or adding headers that don't properly bracket IP's, etc.  
If this is introduced as a vulnerability, I want to turn it off.  The 
reason is because I don't want to scan a directory full of Q and D files 
searching for false positives, and I know that they will exist.  Others 
may be less anal about this, or have different traffic patterns that 
isolate them from such issues, or might simply not care.  Ultimately 
however, if you just simply placed the Declude inserted headers in the 
best possible place (before the first CRCR) then this wouldn't be an 
issue.


I find it hard to believe that no one there can figure out how to do that.

Regardless of who is right or wrong, right now every Declude user is 
vulnerable to viruses that may exploit the holes created by the base64 
encoding error and the invalid character in the Mail From error.  There 
is a virus that has been spreading for over a year that bypasses 
Declude's Virus' calling of virus scanners due to the long encoding 
lines, and the only reason why this hasn't become an issue is because he 
only sends EXE's which most of us block by default and only causes 
backscatter.  If someone were to write a virus that was in a zip or a 
DOC though, which most of us don't block, it would bypass our virus 
scanners 100% of the time.  If they wanted to exploit some scripting 
holes in mail clients, all they would have to do is send with a non 
ASCII character in the Mail From and they're good to go right past 
Declude.  This is why these things are critical in nature.


I don't want to continually bring this stuff up, I just want you guys to 
get it.  Pretend for a second that I am right, and then look back at 
what you are doing.  Please.


Matt



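The placement fix Matt argues for, written out as an added Python example (this is not Declude's code and not from anyone in the thread): find the first blank line whatever line terminator the message uses, and put the added header just above it instead of after the body. It also reports whether the separator is standard CRLF, which is the condition David says the NONSTANDARDCRLF test scores. The three sample messages are constructed.

```python
import re

# Constructed samples (not from the thread): the same message written with
# RFC 5322 CRLF line endings, with bare LF, and with bare CR.
SAMPLES = {
    "crlf": "From: a@example.invalid\r\nSubject: t\r\n\r\nbody\r\n",
    "lf":   "From: a@example.invalid\nSubject: t\n\nbody\n",
    "cr":   "From: a@example.invalid\rSubject: t\r\rbody\r",
}

# The header block ends at the first empty line. Accept all three terminator
# styles so the boundary is still found on malformed mail.
_BOUNDARY = re.compile(r"\r\n\r\n|\n\n|\r\r")


def find_header_end(raw):
    """Return (offset, eol): the offset of the blank line that separates
    headers from body, and the line terminator this message uses.
    None when there is no separator at all (headers only)."""
    m = _BOUNDARY.search(raw)
    if m is None:
        return None
    sep = m.group(0)
    return m.start(), sep[: len(sep) // 2]


def uses_standard_crlf(raw):
    """True when the header/body separator is CRLF CRLF; False is the
    condition a non-standard-CRLF scoring test would flag."""
    found = find_header_end(raw)
    return found is not None and found[1] == "\r\n"


def insert_header(raw, name, value):
    """Add 'name: value' as the last header line, using the message's own
    line terminator, so the header lands above the body for CRLF, LF and
    CR mail alike rather than being appended after the body."""
    found = find_header_end(raw)
    if found is None:
        # No blank line at all: treat everything as headers, then open a body.
        eol = "\r\n" if "\r\n" in raw else "\n"
        return raw.rstrip("\r\n") + eol + name + ": " + value + eol + eol
    pos, eol = found
    return raw[:pos] + eol + name + ": " + value + raw[pos:]
```

With this, a Subject-tagging or header-based filter downstream still sees the inserted header on a bare-CR message, and the `uses_standard_crlf` result can be scored or quarantined separately from the placement question.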

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Scott Fisher

as every instance we have seen of this has been invalid email.


I certainly regularly receive incorrectly formatted email. I'm pretty small 
volume, but looking over my logs (I have an external test for this 
condition), it is 111 non-spam messages this month.


My email volume is pretty low. But I'm not looking forward to hand 
correcting 120 of these a month.



- Original Message - 
From: David Barker [EMAIL PROTECTED]

To: declude.virus@declude.com
Sent: Wednesday, June 28, 2006 2:07 PM
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus




RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
I haven't seen any yet; I don't know if F-Prot is catching them.

From the published information at the antivirus vendors' sites, I'm
using the BANNAME feature, e.g.

BANNAME My_Notebook.doc

And further, I catch most of the viruses as junkmail because they
typically come from zombie machines, so they're heavily IP4R listed.

I do use a SKIPATTACH filter (which I've previously shared on the list,
so it's in the web archive if anyone wants it) and I've lowered the
weight of that.

I don't think this virus is spreading well, it's not receiving much
attention, and Trend Micro's statistics graph is flatlined.  I think if
your mailserver is getting them, you'll continue to get them, otherwise,
it's not very likely.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of John T (Lists)
 Sent: Wednesday, June 28, 2006 1:06 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
I don't know where that  character in front of my From sentence came
from.  The first character on that line should have been an F.

It must be some kind of weird auto-quoting software; that character is
not in the email that I sent.

Andrew 8)

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck, Andrew
 Sent: Wednesday, June 28, 2006 2:14 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Sure it is not some form of the Pebcak virus, Andrew? 

Sorry, couldn't resist. I needed the laugh.

;-)

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck,
 Andrew
 Sent: Wednesday, June 28, 2006 2:26 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
 Importance: Low
 



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
McAfee is catching these Trojan.Myno on my systems. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
Actually, it is CLAMAV catching it.  Not sure about McAfee as I stop on 
first virus.  F-Prot is def. not catching it though. 

Darrell 






---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.






RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Colbeck, Andrew
http://www.f-secure.com/weblog/archives/archive-062006.html#0909

The writeup is interesting in the follow-on details but the information
that Markus posted earlier is more helpful to us in keeping the darn
thing out of users' mailboxes.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Tuesday, June 27, 2006 12:08 PM
 To: declude.virus@declude.com
 Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
Is the word document only named that?

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
 Gufler
 Sent: Tuesday, June 27, 2006 11:32 AM
 To: declude.virus@declude.com
 Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
As far as I know, yes, but 

BANNAME my_notebook.doc 

wouldn't work for files within zip-archives.

Markus 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of John T (Lists)
 Sent: Tuesday, June 27, 2006 11:48 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 
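An added Python example (not Declude's code and not from any poster) covering the two gaps the thread identifies: the base64 attachment is encoded on one line far longer than the 76 characters RFC 2045 permits, which Matt says defeats Declude's decoder, and the banned file name sits inside a zip, where Markus notes BANNAME does not look. The sample message and zip are constructed; the ban list is the virus.cfg BANNAME list from the thread, matched case-insensitively (an assumption), and the OLE magic check is there only to show that an archive member can be recognised as a Word container whatever it is called.

```python
import base64
import io
import zipfile
from email import message_from_bytes
from email.policy import default

# Names taken from the virus.cfg BANNAME lines in the thread. Matching is done
# case-insensitively here (an assumption; the thread lists both
# my_notebook.doc and My_Notebook.doc).
BANNED_NAMES = {
    "prices.zip", "apple_prices.zip", "sony_prices.zip", "hp_prices.zip",
    "dell_prices.zip", "my_notebook.doc",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Word/Excel container


def build_sample_message(zip_name, member_name, member_bytes):
    """Constructed sample: one zip attachment, base64 encoded on a single line
    much longer than the 76 characters RFC 2045 allows (the 'long base64'
    case from the thread). The zip member is whatever the caller supplies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    b64 = base64.b64encode(buf.getvalue())  # one line, never folded
    headers = [
        b"From: sender@example.invalid",
        b"To: user@example.invalid",
        b"Subject: prices",
        b"MIME-Version: 1.0",
        b'Content-Type: application/zip; name="' + zip_name.encode() + b'"',
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="' + zip_name.encode() + b'"',
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + b64 + b"\r\n"


def inspect_attachments(raw):
    """Decode each attachment (Python's decoder does not care about base64
    line length) and, for zip archives, check every member's name against
    the ban list and its leading bytes for an OLE container."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        finding = {"name": name, "banned": name.lower() in BANNED_NAMES,
                   "members": [], "unreadable": False}
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        base = info.filename.rsplit("/", 1)[-1]
                        with zf.open(info) as fh:
                            head = fh.read(len(OLE_MAGIC))
                        finding["members"].append({
                            "name": info.filename,
                            "banned": base.lower() in BANNED_NAMES,
                            "ole": head == OLE_MAGIC,
                        })
            except zipfile.BadZipFile:
                # Looks like a zip but cannot be read: worth reporting, since
                # a scanner that silently skips it would pass the message.
                finding["unreadable"] = True
        findings.append(finding)
    return findings


def should_quarantine(raw):
    """Quarantine when the attachment itself or any archive member carries a
    banned name: the archive-aware BANNAME the thread asks for."""
    return any(
        f["banned"] or any(m["banned"] for m in f["members"])
        for f in inspect_attachments(raw)
    )
```

The decision stays on file names, as BANNAME does; the `ole` flag and `unreadable` flag are reported so an operator can see a Word container under an innocuous name, or an archive the scanner could not open, without this example deciding policy for them.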



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
 Gufler
 Sent: Tuesday, June 27, 2006 3:10 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
 
 As far as I know, yes, but
 
 BANNAME my_notebook.doc
 
 wouldn't work for files within zip-archives.
 
 Markus
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
  Behalf Of John T (Lists)
  Sent: Tuesday, June 27, 2006 11:48 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] New Virus: zipped word doc with
  Macro-Virus
 
  Is the word document only named that?
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   Markus Gufler
   Sent: Tuesday, June 27, 2006 11:32 AM
   To: declude.virus@declude.com
   Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
  
   Some of us have noted in the past two hours that messages with a
   zip file as attachment have passed our virus filters
  
   It's a zip file containing an MS Word document named my_notebook.doc
  
   Most virus scanners can't catch it. Virustotal has returned only two
   scanners with positive results
  
   Sophos has found WM97/Kukudro-A
   UNA has found a Macro Virus
  
   No other AV engine has caught the suspicious file.
  
   We've added the following lines to our virus.cfg in order to block as
   much as we can at the moment.
  
   BANNAME prices.zip
   BANNAME apple_prices.zip
   BANNAME sony_prices.zip
   BANNAME hp_prices.zip
   BANNAME dell_prices.zip
   BANNAME My_Notebook.doc
  
   Regards
   Markus
  
  
  



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Colbeck, Andrew
JT: Declude, this is a feature whose time has come.

Hear, hear!  The ability to ban filenames that are contained in archives
would be a good feature, and most of the code must be in place, because
Declude Virus already pulls apart at least the zip file format for
selective file scanning.

It is also well placed in the market.  I checked my up-to-the-minute
ScanMail for Exchange from Trend Micro, and they don't have that
feature.  I also tested it to see whether filename blocking would work
anyway, and no, it didn't.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of John T (Lists)
 Sent: Tuesday, June 27, 2006 3:38 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
 Macro-Virus
 Importance: High
 
 I know. :(
 
 Declude, this is a feature whose time has come.
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Markus Gufler
  Sent: Tuesday, June 27, 2006 3:10 PM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
  Macro-Virus
  
  As far as I know, yes, but
  
  BANNAME my_notebook.doc
  
  wouldn't work for files within zip-archives.
  
  Markus
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of 
   John T (Lists)
   Sent: Tuesday, June 27, 2006 11:48 PM
   To: declude.virus@declude.com
   Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
   Macro-Virus
  
   Is the word document only named that?
  
   John T
   eServices For You
  
   Seek, and ye shall find!
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf 
Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with 
Macro-Virus
   
Some of us have noted in the past two hours that messages with a
zip file as attachment have passed our virus filters
   
It's a zip file containing an MS Word document named my_notebook.doc
   
Most virus scanners can't catch it. Virustotal has returned only two
scanners with positive results
   
Sophos has found WM97/Kukudro-A
UNA has found a Macro Virus
   
No other AV engine has caught the suspicious file.
   
We've added the following lines to our virus.cfg in order to block as
much as we can at the moment.
   
BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc
   
Regards
Markus
   
   
   

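What Andrew and John are asking for, a BANNAME-style match that also looks at the filenames inside a zip attachment, is easy to prototype outside the mail filter. The following Python is an added example written for this page; it is not Declude code and not something any list member posted. It assumes a hypothetical policy set BANNED_NAMES drawn from the "BANNAME My_Notebook.doc" line in Markus's virus.cfg, matches inner base names case-insensitively (the thread spells the file both "My_Notebook.doc" and "my_notebook.doc"), recurses into nested zips up to a fixed depth, refuses to inflate oversized or encrypted members, and additionally flags OLE documents whose directory carries the "Macros" and "_VBA_PROJECT" entry names, which is a cheap (not authoritative) signal that a Word 97-2003 file contains a VBA project. The sample archives are constructed inline; the fake .doc is just an OLE header followed by those marker strings, not a real document.

```python
import io
import zipfile

# Hypothetical policy: inner filenames to reject, lower-cased. Taken from the
# "BANNAME My_Notebook.doc" line in the thread; matched case-insensitively.
BANNED_NAMES = {"my_notebook.doc"}

# Assumption: OLE2 (Word 97-2003) directory entry names are stored as UTF-16LE,
# and a document carrying VBA has a "Macros" storage with a "_VBA_PROJECT" stream.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]

MAX_DEPTH = 3                           # nested-archive limit
MAX_MEMBER_BYTES = 10 * 1024 * 1024     # refuse to inflate larger members (zip-bomb guard)


def has_macro_markers(data: bytes) -> bool:
    """Cheap heuristic: OLE2 header plus the VBA project directory names."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in MACRO_MARKERS)


def inspect_archive(blob: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a zip (recursively) and return the reasons to block it; [] means clean."""
    reasons = []
    if depth > MAX_DEPTH:
        return [f"{prefix}: archive nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [f"{prefix or '<root>'}: not a valid zip file"]
    with zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in BANNED_NAMES:
                reasons.append(f"{path}: banned inner filename")
            if info.flag_bits & 0x1:            # encrypted member: cannot look inside
                reasons.append(f"{path}: encrypted member, contents not inspectable")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{path}: declared size {info.file_size} exceeds limit")
                continue
            data = zf.read(info)
            if base.endswith(".zip"):
                reasons.extend(inspect_archive(data, depth + 1, path))
            elif base.endswith((".doc", ".dot", ".xls", ".ppt")) and has_macro_markers(data):
                reasons.append(f"{path}: OLE document carries VBA project markers")
    return reasons


def _fake_macro_doc() -> bytes:
    """Constructed stand-in for a macro-bearing .doc: OLE header plus marker names only."""
    return (OLE_MAGIC + b"\x00" * 64
            + "Macros".encode("utf-16-le") + b"\x00" * 16
            + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64)


def _zip_of(members: dict) -> bytes:
    """Build an in-memory zip from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed prices.zip as described in the thread: one My_Notebook.doc inside."""
    return _zip_of({"My_Notebook.doc": _fake_macro_doc()})


def build_nested_sample() -> bytes:
    """Constructed outer archive wrapping the sample, to exercise the recursion."""
    return _zip_of({"prices.zip": build_sample()})


def build_clean_sample() -> bytes:
    """Constructed archive with nothing objectionable in it."""
    return _zip_of({"readme.txt": b"nothing to see here"})


if __name__ == "__main__":
    for label, blob in (("clean", build_clean_sample()),
                        ("prices.zip", build_sample()),
                        ("nested", build_nested_sample())):
        print(label, "->", inspect_archive(blob) or "OK")
```

Two caveats a practitioner would want: an encrypted zip member can be listed but not read, so the script reports it rather than silently passing it (the outer BANNAME on "prices.zip" still applies in that case), and the macro heuristic can fire on any OLE file that merely contains those two strings, so treat it as a trigger for quarantine or deeper scanning rather than as proof of infection.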


Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Matt

John,

Not to say that this wouldn't be something that is nice to have, I can
think of dozens of things that are very largely useful on a much more
regular basis. In fact, the current functionality provides an
appropriate mechanism for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known
bugs first. When they catch up, then certainly they should consider
feature requests, but it would make sense to focus on new tests and
improving existing ones, along with refining functionality. I will
personally continue to hold back from such discussions until it is
clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of
course. I just thought that it would be constructive to point this
stuff out for the benefit of Declude and its customers alike.

Matt



John T (Lists) wrote:

I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know, yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a
zip file as attachment have passed our virus filters

It's a zip file containing an MS Word document named
"my_notebook.doc"

Most virus scanners can't catch it. Virustotal has returned
only two scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order
to block as much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus


