Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Matteo Italia
Yay, it worked! Thank you!


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Joel Esler (jesler)
I’ve adjusted some settings. Please try again.

--
Joel Esler | Talos: Manager | jes...@cisco.com

Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Matteo Italia
Ah, the attachment in this case was an encrypted .7z containing the
virus sample; as said above, I tried with a .tar.gz, a .tar.bz2 and the
plain .dll and it didn't change a thing. The text is essentially the
same as in my second email (the one containing the virustotal links).



Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Matteo Italia
Hello Joel,

I receive a page containing this information:

Sorry, you have been blocked

You are unable to access clamav.net

Why have I been blocked?

This website is using a security service to protect itself from
online attacks. The action you just performed triggered the security
solution. There are several actions that could trigger this block
including submitting a certain word or phrase, a SQL command or
malformed data.

Cloudflare Ray ID: 3cb8f72fcc300e5a • Your IP: 79.1.45.152


Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Joel Esler (jesler)
What is the error you are receiving from Cloudflare?  I need some details.

--
Joel Esler | Talos: Manager | jes...@cisco.com

Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Matteo Italia
Hi Al,

thank you for your reply, there it is.

https://www.virustotal.com/#/file/5005acda657bc9b612ce4b7a2369856c737f39855d4923c03289915acdc17075/detection

and another sample (looking at it in IDA, it seems that it adds random
garbage at the end)

https://www.virustotal.com/#/file/2fbfb38768270ccaf041b2a6152f11f2696cd467642fed9f2c4a97f30906baf1/detection

It’s some variant of the usual stuff that infects USB keys, of the “move
everything under an invisible directory and add a link to it that starts
the virus” variety.

The .lnk points to

    c:\Windows\system32 cmd.exe /c start rundll32 (invisible directory name)\ebdbaaedddeeadfbcccfdcacfddcccddbaecbda.ebdbaaedddeeadfbcccfdcacfddcccddbaecbda,NEdcBKdCBWDCwvWb!%SystemRoot%\system32\SHELL32.dll

(where ebdbaaedddeeadfbcccfdcacfddcccddbaecbda.ebdbaaedddeeadfbcccfdcacfddcccddbaecbda
is the particular name the virus dll got renamed to in this instance,
and NEdcBKdCBWDCwvWb its rundll-conforming entrypoint; they both
change at each infection)

This starts the malware itself which infects the machine, and then
starts Windows Explorer on the invisible folder (so the user is shown
his files).

Didn’t really look into what else it does to the machine; surely it gets
infected to spread the virus, as putting another USB key into the
infected machine did infect it as well.

Matteo

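
An added defender-side example, not code from the thread or from ClamAV: heuristics that flag shortcut targets of the shape Matteo quotes above (cmd.exe /c start chaining into rundll32 with a renamed DLL in a hidden directory). HIDDENDIR is a placeholder for the directory name he elided, and the finding threshold and name-length cut-off are assumptions.

```python
import re

# Added example (not from the thread or from ClamAV): heuristics for the .lnk
# target shape Matteo describes, cmd.exe /c start -> rundll32 -> renamed DLL.

# rundll32 takes "<module>,<entrypoint>" as one argument; whatever follows is
# passed through to the entry point unchanged.
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<module>[^,\s]+),(?P<entry>[^\s!]+)", re.IGNORECASE
)

def assess_lnk_target(cmdline: str) -> list:
    """Return the findings for one .lnk target command line (empty if clean)."""
    findings = []
    low = cmdline.lower()
    # A shortcut meant to open a folder has no reason to chain cmd.exe /c start into rundll32.
    if "cmd.exe" in low and "/c" in low and " start " in low and "rundll32" in low:
        findings.append("cmd.exe /c start chain into rundll32")
    m = RUNDLL32_RE.search(cmdline)
    if m:
        module = m.group("module")
        base = module.rsplit("\\", 1)[-1]
        name, _, ext = base.rpartition(".")
        if ext.lower() != "dll":
            findings.append("rundll32 module without .dll extension: " + base)
        if name and name.lower() == ext.lower() and len(name) >= 16:
            findings.append("module name and extension are the same long random string")
        # No drive letter, %VAR% or UNC prefix: the module is resolved against the
        # working directory (here the removable drive), not a system location.
        if "\\" in module and not re.match(r"^(?:[A-Za-z]:|%|\\\\)", module):
            findings.append("module path is relative to the working directory")
    return findings

def is_suspicious(cmdline: str) -> bool:
    """Threshold (assumed): two or more independent findings on one target."""
    return len(assess_lnk_target(cmdline)) >= 2

# Constructed samples. THREAD_TARGET follows the target quoted in the thread, with
# HIDDENDIR standing in for the directory name the poster elided; the path
# separator in cmd.exe's path is assumed.
THREAD_TARGET = (
    r"c:\Windows\system32\cmd.exe /c start rundll32 "
    r"HIDDENDIR\ebdbaaedddeeadfbcccfdcacfddcccddbaecbda.ebdbaaedddeeadfbcccfdcacfddcccddbaecbda,"
    r"NEdcBKdCBWDCwvWb!%SystemRoot%\system32\SHELL32.dll"
)
BENIGN_TARGET = r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"

if __name__ == "__main__":
    for target in (THREAD_TARGET, BENIGN_TARGET):
        print(is_suspicious(target), assess_lnk_target(target))
```

Run stand-alone, the block reports the thread's target as suspicious on four independent findings and a plain Control Panel shortcut as clean.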

Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Al Varnell
While you are waiting for an answer, upload it to VirusTotal and return here
with a link to the analysis, they can pick it up from there if necessary.

-Al-


[clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Matteo Italia
Hello,

I'm trying to submit a virus sample through the web interface
(https://www.clamav.net/reports/malware), but it keeps getting refused
by CloudFlare. I tried several variations of the message text, putting
the virus sample in various archives (not archived, .tar.gz, .7z with
password), but CloudFlare keeps telling me I'm blocked. What should I do?

Matteo

