[xmail] Re: W32/Bagle.K@mm
I have put virus W32/[EMAIL PROTECTED] in password-protected-zip and unzipped versions here:

http://download.iclub.cz/bagle.zip
http://download.iclub.cz/bagle.exe

Try to run f-prot over these two files manually - F-prot for dos recognizes virus only in unzipped version (that is useless on mailserver). ClamAV detects it in password-protected zip version, too - that is what we need.

Anyway, I have problem with win32 version ( http://www.sosdg.org/clamav-win32/ ) of ClamAV's freshclam.exe (signature files updater) - I'm getting MD5 verification error every time. Has anyone any hint?

Roman

At 18:36 5.3.2004 -0600, you wrote:
> Original Message
> From: Scott [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, March 05, 2004 12:46 PM
> Subject: [xmail] Re: W32/Bagle.K@mm
>
> > Thought I would pass this on for those who don't use Clam AV or anyone not aware of this tool. I only started using it yesterday - due to the bagle virus not being detected by f-prot.
>
> Why do you say it's not detected by f-prot? I use f-prot and it catches them every time. I can send you logs with hundreds of entries where it has caught Bagle.k, Bagle.j. Did I miss something?

-
To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED]
For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: W32/Bagle.K@mm
I created an XMail antivirus filter for my network in C (based on XAV). It uses NavCE to scan for viruses. Detects every virus so long as you keep the definitions up to date. I hope to have it online at my website in the next couple of days. If you're interested, let me know and I'll get it up early.

Regards,
Rodney Beck.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roman Dusek
Sent: Thursday, 4 March 2004 6:13 PM
To: [EMAIL PROTECTED]
Subject: [xmail] W32/Bagle.K@mm

Hi all,

has anyone any XMail antivirus filter that is able to catch W32/[EMAIL PROTECTED] virus (spreading since yesterday)? As virus .exe file is inside password-protected zip, my f-prot for dos isn't able to detect it.

Roman
[xmail] Re: W32/Bagle.K@mm
I'm not sure if this is the same virus, but it said bagle in it... this is clamav scanner with AV filter

    Virus : Worm.Bagle.Gen-1

    - - - Report from virus scanner - --
    Scan started: Sat Mar 6 11:10:57 2004

    /tmp/346377723a105a43.scan//Attach.pif: Worm.Bagle.Gen-1 FOUND

    -- summary --
    Known viruses: 20388
    Scanned directories: 1
    Scanned files: 2
    Infected files: 1
    Data scanned: 0.01 MB
    I/O buffer size: 131072 bytes
    Time: 1.826 sec (0 m 1 s)
    - End report from virus scanner - -

    --- AV Filter 1.8 for XMail (http://www.lindeman.org/filters.html)

- Original Message -
From: RaveRod [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 07, 2004 7:52 AM
Subject: [xmail] Re: W32/Bagle.K@mm

I created an XMail antivirus filter for my network in C (based on XAV). It uses NavCE to scan for viruses. Detects every virus so long as you keep the definitions up to date. I hope to have it online at my website in the next couple of days. If you're interested, let me know and I'll get it up early.

Regards,
Rodney Beck.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roman Dusek
Sent: Thursday, 4 March 2004 6:13 PM
To: [EMAIL PROTECTED]
Subject: [xmail] W32/Bagle.K@mm

Hi all,

has anyone any XMail antivirus filter that is able to catch W32/[EMAIL PROTECTED] virus (spreading since yesterday)? As virus .exe file is inside password-protected zip, my f-prot for dos isn't able to detect it.

Roman
[xmail] Re: W32/Bagle.K@mm
Eric Murphy wrote:
> - --- AV Filter 1.8 for XMail (http://www.lindeman.org/filters.html)

You are supposedly using an old version of the AV filter. This version (and older ones) contains a bug which can slow down your server dramatically, therefore I advise you (and anyone who is using older than 1.9) to upgrade the filter asap.

You can get it here: http://www.lindeman.org/filters.html

--
Regards,
Peter

Error: Keyboard not attached. Press F1 to continue.
- Do you have a Dreambox 7000S? - Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org - ICQ 22383596
- Uptime lindeman.org - 11 days, 20 hours and 43 minutes, 1 user logged in.
[xmail] Re: W32/Bagle.K@mm
Good news!

> Even though I don't know why, my combination of MailFilter ( http://members.chello.at/goesta.smekal/code/ ) and Sophos ( http://www.sophos.com ) got one yesterday. Following the long thread on securityfocus's list I can hardly imagine how, but it seems to work.

Finally found the clue: Sophos detects all encrypted versions of Bagle as 'Win32/Bagle.zip' ... don't ask me how they do it, but your favourite AV vendor will certainly do the same soon.

Goesta

On Thu, Mar 04, 2004 at 09:13:00AM +0100, Roman Dusek wrote:
> Hi all,
>
> has anyone any XMail antivirus filter that is able to catch W32/[EMAIL PROTECTED] virus (spreading since yesterday)? As virus .exe file is inside password-protected zip, my f-prot for dos isn't able to detect it.
>
> Roman

--
Wiener Hilfswerk - EDV
1072 Wien, Schottenfeldgasse 29
Tel: 512 36 61 DW 407 / Fax 512 36 61 33
[xmail] Re: W32/Bagle.K@mm
Thought I would pass this on for those who don't use Clam AV or anyone not aware of this tool. I only started using it yesterday - due to the bagle virus not being detected by f-prot.

As I was reading the manual, I came across this part in section 3.5 Signature Tool. Absolutely wicked! I've never seen this in any other antivirus software. It allows you to take a file suspected of containing a virus and create a new db that will be used to compare files against that file/attachment. A very proactive feature. Hats off to the Clam AV team!

Don Drake wrote:
> I also noticed clamav wasn't detecting the password-protected .zip files yesterday. But it is today (after a freshclam):
>
> Readme.zip: Worm.Bagle.Gen-zippwd FOUND
[xmail] Re: W32/Bagle.K@mm
Original Message
From: Scott [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 05, 2004 12:46 PM
Subject: [xmail] Re: W32/Bagle.K@mm

> Thought I would pass this on for those who don't use Clam AV or anyone not aware of this tool. I only started using it yesterday - due to the bagle virus not being detected by f-prot.

Why do you say it's not detected by f-prot? I use f-prot and it catches them every time. I can send you logs with hundreds of entries where it has caught Bagle.k, Bagle.j. Did I miss something?
[xmail] Re: W32/Bagle.K@mm
Nick Marino wrote:
> Original Message
> From: Scott [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, March 05, 2004 12:46 PM
> Subject: [xmail] Re: W32/Bagle.K@mm
>
> > Thought I would pass this on for those who don't use Clam AV or anyone not aware of this tool. I only started using it yesterday - due to the bagle virus not being detected by f-prot.
>
> Why do you say it's not detected by f-prot? I use f-prot and it catches them every time. I can send you logs with hundreds of entries where it has caught Bagle.k, Bagle.j. Did I miss something?

When the virus started flooding in, f-prot did not detect it. But yes, a day or two? (it's been a long week ;/ ) later a def was available that does detect it. I just meant that with the definition creation tool, I could have stopped it when the first few users started asking about these zip files arriving in the mailboxes.
[xmail] Re: W32/Bagle.K@mm
If you're using Linux I've got a filter that catches all bad attachments whether they're directly in the message or in a zip file. Let me know if you want it.

Adrian Hicks
--
MIS Facilities Manager
Auston Int'l Group Ltd
45 Middle Rd, #01-00 Auston Unicentre
Tel: (65) 6339 4800 ext. 229
Fax: (65) 6339 7600
E-mail: [EMAIL PROTECTED]

On Thursday 04 Mar 2004 4:13 pm, you wrote:
> Hi all,
>
> has anyone any XMail antivirus filter that is able to catch W32/[EMAIL PROTECTED] virus (spreading since yesterday)? As virus .exe file is inside password-protected zip, my f-prot for dos isn't able to detect it.
>
> Roman

---
[This E-mail was scanned for viruses.]
[xmail] Re: W32/Bagle.K@mm
    /tmp/01e1fa7d3bac8e14.scan//Message.zip
    Date: 3.03.2004 Time: 17:21:43 Size: 12422
    ALERT: [Worm/Bagle.J worm] /tmp/01e1fa7d3bac8e14.scan//Message.zip
    Contains signature of the worm Worm/Bagle.J

1.17 + Peter's AV filter + AntiVir gets it fine. Run some updates on the definitions.

-Jim

- Original Message -
From: Roman Dusek [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 2:13 AM
Subject: [xmail] W32/Bagle.K@mm

Hi all,

has anyone any XMail antivirus filter that is able to catch W32/[EMAIL PROTECTED] virus (spreading since yesterday)? As virus .exe file is inside password-protected zip, my f-prot for dos isn't able to detect it.

Roman
[xmail] Re: W32/Bagle.K@mm
I am also running Peter's av filter with f-prot and clamav and none caught it, but luckily on my windows workstation I have nod32 which caught it and deleted it.

I am just wondering: is there maybe an option in Peter's av filter to delete a message if it has a password-protected zip attachment?

--Sasa

Jim Frank wrote:
> /tmp/01e1fa7d3bac8e14.scan//Message.zip
> Date: 3.03.2004 Time: 17:21:43 Size: 12422
> ALERT: [Worm/Bagle.J worm] /tmp/01e1fa7d3bac8e14.scan//Message.zip
> Contains signature of the worm Worm/Bagle.J
>
> 1.17 + Peter's AV filter + AntiVir gets it fine. Run some updates on the definitions.
>
> -Jim
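
The question in the message above, whether a filter can act on any mail carrying a password-protected zip, comes down to a check that needs no virus signature: each zip entry records in bit 0 of its general-purpose flags whether its data is encrypted, and that flag is readable without the password. The sketch below is an added example, not part of the thread and not code from Peter's AV filter; the function names and the sample mail are constructed for illustration, and how a hit maps to rejecting the message is left to the filter that calls it.

```python
import email
import io
import zipfile
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag, bit 0: entry data is encrypted


def encrypted_zip_attachments(raw_message: bytes) -> list:
    """Return names of attachments that are ZIP archives with encrypted entries."""
    hits = []
    for part in email.message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by the declared file name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        name = part.get_filename() or "(unnamed)"
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # Entry names and flags stay readable even when the data is encrypted.
                if any(info.flag_bits & ENCRYPTED for info in zf.infolist()):
                    hits.append(name)
        except zipfile.BadZipFile:
            hits.append(name)  # assumption: fail closed on archives we cannot parse
    return hits


def sample_message(encrypted: bool) -> bytes:
    """Constructed sample: a mail with one ZIP attachment holding a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so mark the entry by setting
        # flag bit 0 in its central directory header (flags are at offset 8).
        data[data.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="Readme.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(encrypted_zip_attachments(sample_message(True)))
    print(encrypted_zip_attachments(sample_message(False)))
```

A policy built on this flag blocks every encrypted archive, including legitimate ones, so it is a stop-gap for the window before signatures arrive rather than a replacement for the scanner.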
[xmail] Re: W32/Bagle.K@mm
I just installed clamav 0.67 and then did freshclam to update. It now detects the virus.

Sasa Stupar wrote:
> I am also running Peter's av filter with f-prot and clamav and none caught it, but luckily on my windows workstation I have nod32 which caught it and deleted it.
>
> I am just wondering: is there maybe an option in Peter's av filter to delete a message if it has a password-protected zip attachment?
[xmail] Re: W32/Bagle.K@mm
I also noticed clamav wasn't detecting the password-protected .zip files yesterday. But it is today (after a freshclam):

    Readme.zip: Worm.Bagle.Gen-zippwd FOUND

    --- SCAN SUMMARY ---
    Known viruses: 20381
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.04 MB
    I/O buffer size: 131072 bytes
    Time: 2.812 sec (0 m 2 s)

-Don

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Sent: Thursday, March 04, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: [xmail] Re: W32/Bagle.K@mm

I just installed clamav 0.67 and then did freshclam to update. It now detects the virus.

Sasa Stupar wrote:
> I am also running Peter's av filter with f-prot and clamav and none caught it, but luckily on my windows workstation I have nod32 which caught it and deleted it.
>
> I am just wondering: is there maybe an option in Peter's av filter to delete a message if it has a password-protected zip attachment?