RE: [Declude.JunkMail] Need help - mail server sending out stock reports email - process found ssm

2007-02-07 Thread Howard Smith (N.O.R.A.D.)
Hello All,

Justin Moose hit it on the nail: it was a worm process, ssm. For info,
it bypasses Imail completely, thus it was not in any logs, so Declude could
not help. We do not know how it got there, but it showed up on 1/28/7, then
went dormant until 2/5/7.

Please explain how blackice will help, and has anyone ever used winshark by
advances inc.?

 

 

 

Howard Smith

N.O.R.A.D. Inc.

P.O. Box 680116

Miami, Florida 33168  

http://www.norad.com/

[EMAIL PROTECTED]

Office - (305) NETWORK (638-9675)

Sales - (786) 206-0045

Fax 1 - (305) 359-5144

 



Confidentiality Notice: This email message, including any Attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact  [EMAIL PROTECTED] by email and destroy all copies of the original
message. 

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin
Moose
Sent: Wednesday, February 07, 2007 6:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need hep - mail server sending out stock
reports email

 

I called Howard on this, but for everyone else's info, if you are seeing
this, look for ssm.exe to be a running process.  I found this on an Imail
server that I administer for another company this morning.  The file was
showing processing time in the task manager and showed up on the Services
list as Security Systems Manager, but the file had a modified date of 2/5/07
and no updates had been done on that server for over a week. Stopping this
service stopped the junk messages from going out.

Neither F-prot nor Symantec showed this file as a virus; however, I did submit
it to Symantec for analysis.

 

Justin Moose
Information Technology Manager
Sioux Valley Energy
DID: (605) 256-1644
Fax: (605) 256-1690
Toll Free: (800) 234 1960

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard
Smith (N.O.R.A.D.)
Sent: Wednesday, February 07, 2007 4:24 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Need hep - mail server sending out stock reports
email

 

Running Imail 8.15, sniffer and Declude. Starting on 2/6/7 my mail
server started sending out the stock reports email, even when I stop the
Imail SMTP process; nothing is in the Imail logs indicating problems. I
have run full scans with F-prot and Symantec.

Need help please, I have already made the SpamCop blacklist.

 

 

Howard Smith


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 

RE: [Declude.JunkMail] Need help - mail server sending out stock reports email - process found ssm

2007-02-07 Thread Dave Beckstrom
Our black ice display has been showing:

 

[Suspicious Activity] This signature detects PE/COFF executable files that
have been packed using the UPX tool.  While the presence of a UPX packed
executable does not in itself represent an attack, it can be considered an
anomaly.  The UPX tool is commonly used to pack trojans and malware, while
it is somewhat uncommon for the tool to be used to distribute legitimate

 

 

We started seeing hundreds of these being caught by blackice server,
starting about a week ago.  

 

 
