Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey
I am seeing it also. I already submitted it to Mcafee... My desktop AV (Trend) is detecting it as a Bagle variant... Don - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 9:59 AM Subject: [Declude.Virus]

Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey
I have seen the following attachments... 1.zip 5.zip 6.zip 7.zip 8.zip price_new.zip be_not_jealous.zip price_new_16_04_05.zip So far... Don - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005 10:22 AM

Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey
I just received an EXTRA.DAT file from Mcafee...to detect this.. I also submitted it to F-Prot I will try attaching the EXTRA.DAT file to this email Don - Original Message - From: Marc Catuogno [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, May 31, 2005

Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Don Hickey
I am having the same problems here. It all started around 12:30 Central time... Don - Original Message - From: Matt To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 12:56 PM Subject: Re: [Declude.Virus] F-Prot and HTML object exploit John,Thanks a bunch

Re: [Declude.Virus] F-Prot and HTML object exploit

2005-05-02 Thread Don Hickey
I have not updated to 3.16b and have this problem... Don - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Monday, May 02, 2005 3:09 PM Subject: RE: [Declude.Virus] F-Prot and HTML object exploit Question: Have you all running the latest

[Declude.Virus] New MyDoom virus

2005-02-16 Thread Don Hickey
We are many of these since about 5pm central time. Mcafee has definition updates to catch this. We were catching it by the blocked extensions before the Mcafee update was installed. http://vil.nai.com/vil/content/v_131856.htm At this time F-prot is not catching these.. Don -- No virus found

Re: [Declude.Virus] New MyDoom Variants

2004-11-09 Thread Don Hickey
FYI - Mcafee is detecting it as a generic Mydoom variant. So far F-prot is not... Don - Original Message - From: Don Hickey To: [EMAIL PROTECTED] Sent: Tuesday, November 09, 2004 8:13 AM Subject: [Declude.Virus] New MyDoom Variants Since these emails

Re: [Declude.Virus] HEADS UP there is something strange out

2004-10-29 Thread Don Hickey
Symantec has 3 new Bagle variants listed at www.sarc.com this morning... Thanks for the Heads Up Don - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 29, 2004 4:30 AM Subject: [Declude.Virus] HEADS UP there is something strange

Re: [Declude.Virus] New Virus?

2004-07-26 Thread Don Hickey
Looks like a new MyDoom Virus going around. We are seeing a lot of them incoming and the latest Mcafee beta definition files detect it as MyDoom.O http://vil.nai.com/vil/content/v_127033.htm Don - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent:

Re: [Declude.Virus] .CPL file blocked

2004-04-26 Thread Don Hickey
I submitted one of these to Mcafee. I am seeing a lot more of these than the new Bagle. Don - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 26, 2004 12:52 PM Subject: [Declude.Virus] .CPL file blocked Could be something new going on:

Re: [Declude.Virus] .CPL file blocked

2004-04-26 Thread Don Hickey
Here is Mcafee's response to the .CPL I have been receiving - Don A.V.E.R.T. Sample Analysis Issue Number: 677272 Virus Research Analyst - Hong Kong: V. Nguyen Identified: W32/[EMAIL PROTECTED] AVERT(tm) Labs, Hong Kong Thank you for submitting your suspicious file. Synopsis - - Original

[Declude.Virus] Bagle.M

2004-03-13 Thread Don Hickey
Look at the added extension that this variant uses Also, the attachment has any of the following extensions: . EXE . PIF . RAR . ZIP I have seen a couple of these so far as .ZIP files, I guess I will have to see what happens when I add .rar to the BANEXT temporarily... Don --- [This

Re: [Declude.Virus] Proxy-Cidra

2004-03-10 Thread Don Hickey
Actually, I think this might be a new variant. I submitted it to Mcafee last night and they sent back an extra.dat file to me. The filename is different than the one in their write-up. Also the ones we were seeing were caught by the banned extension until I copied over the extra.dat file. Ahh

Re: [Declude.Virus] F-Prot version

2004-03-10 Thread Don Hickey
Ok I took up the Guinea Pig slack, and installed the latest version of F-prot.. I have not seen the winmail.dat error since I installed it about 10 minutes ago. I have caught many viruses during that time. So far so good. Don - Original Message - From: Darin Cox [EMAIL PROTECTED] To:

[Declude.Virus] eicar in a .zip file

2004-03-10 Thread Don Hickey
Scott, Using the test virus sender on your website, the eicar plain file gets caught as a virus, where the eicar in a .zip file gets caught as a banned extension. I am running Declude 1.78i14 - I just tried 1.78.i20 also, same results.. Here is a section of the log file.. 03/10/2004 08:42:40

Re: [Declude.Virus] F-Prot version

2004-03-10 Thread Don Hickey
that was released the other day. Don - Original Message - From: Don Hickey [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 10, 2004 8:41 AM Subject: Re: [Declude.Virus] F-Prot version Ok I took up the Guinea Pig slack, and installed the latest version of F-prot.. I have not seen

Re: [Declude.Virus] F-Prot version

2004-03-10 Thread Don Hickey
I have moved back to F-Prot 3.14b as more of these errors started showing up. Don - Original Message - From: Don Hickey [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 10, 2004 8:58 AM Subject: Re: [Declude.Virus] F-Prot version Spoke too Soon!! 03/10/2004 08:46:35

Re: [Declude.Virus] what is p_usb.zip

2004-03-10 Thread Don Hickey
I am not sure about F-prot, but Mcafee updated their definition files last night to catch this. Mcafee calls it Proxy-Cidra http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=100939 Don - Original Message - From: Bennie [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent:

Re: [Declude.Virus] BANEXT question

2004-03-07 Thread Don Hickey
Scott, posted this last week: With the latest interim release, you can use: BANEXT EZIP - This line will ban all .ZIP files with an encrypted file in them BANZIPEXTS ON - This line (Pro version only) will ban all file extensions listed in BANEXT lines, if they appear in

Re: [Declude.Virus] New interim Declude Virus Pro to block bogus .bat, .com, .pif, and .scr files

2004-03-03 Thread Don Hickey
I tried this with 1,2,3 spaces and tabs between the BANZIPEXTS, BANZIPEXTS and the ON. Then I sent myself a compressed .pif file both pw protected and not pw protected and every single one was caught (eight total) (as banned extensions ZIP-PIF). All my BANEXT lines have one space between it and the

Re: [Declude.Virus] New virus Tanx

2004-02-17 Thread Don Hickey
I will second this once again, I submitted this to Mcafee and the extra.dat file I got mentioned W32/[EMAIL PROTECTED] I haven't received anything back from them since about 1/2 hour ago. So for the .exe name has changed on the ones we have seen. Here is an example from one of the messages we

Re: [Declude.Virus] New virus Tanx

2004-02-17 Thread Don Hickey
Mcafee's write up on it... http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=101030 Don - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 17, 2004 9:01 AM Subject: [Declude.Virus] New virus Tanx FYI, there is a

Re: [Declude.Virus] Incredible.. W32/Mydoom.A@mm

2004-01-27 Thread Don Hickey
) and your message to the list shortly after that. That gave me time to add the .zip extension and contain this quickly. I know some made it through, but it would have been much worse without the features you keep adding and making things more easier on us. Thanks, Don Hickey Knox College

Re: [Declude.Virus] new forging worm: Bagle

2004-01-19 Thread Don Hickey
We have seen about 35 so far this morning. Mcafee says it is a Forging virus... Don - Original Message - From: Fritz Squib [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, January 19, 2004 7:38 AM Subject: RE: [Declude.Virus] new forging worm: Bagle F-Prot reports it as [EMAIL

[Declude.Virus] New Virus - MiMail.C - spreading fast

2003-10-31 Thread Don Hickey
: photos.zip I added BANNAME PHOTOS.zip to my virus.cfg file until the av software updates Don Hickey --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus

Re: [Declude.Virus] W32.Mimail.A@mm Virus Fprot Definitions??

2003-08-14 Thread Don Hickey
I wonder what the heck has happened to F-prot...I have lost all my confidence in them.. Four days is way too long to take to solve this problem. Their website hasn't been updated for a while now... Don - Original Message - From: Bill Landry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent:

Re: [Declude.Virus] New interim release of Declude Virus to block Mimail's message.zip

2003-08-14 Thread Don Hickey
This is an awesome feature to add. This will also help with future virus outbreaks that have us waiting for definition files to be updated from our antivirus vendors... Thanks Don Hickey - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday

Re: [Declude.Virus] Two scanners?

2003-08-04 Thread Don Hickey
Take a look at the log file and you can see what scanner detected the virus... Scanner 2: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=message.zip [2] This is from this morning and F-Prot is still not catching it... Don Hickey - Original Message - From: Hirthe, Alexander

[Declude.Virus] SoBig.E

2003-06-25 Thread Don Hickey
Another variant is making its rounds. This time it comes in a .zip file named your_details.zip. We have received 5 of these in the last twenty minutes. F-Prot catches it with today's signatures. Don

[Declude.Virus] DSN:Conflicting Encoding Vulnerability

2002-11-27 Thread Don Hickey
(that was from one of our lists) to another user saying let's go to this. Pretty uneventful message, but Declude caught this and stopped it Thanks Don Hickey --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com

[Declude.Virus] BANEXT notify

2002-06-12 Thread Don Hickey
I have the BANEXT and the notify working fine. My question is there a way to send the notify email to the postmaster (me) also to let me know that someone tried to send a banned extension? Thanks Don Hickey --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com

Re: [Declude.Virus] Declude and InoculateIt 6.0

2002-06-12 Thread Don Hickey
don't know if it will work with InoculateIT 6.0, though one of these days I intend to find out. Stan Buck - Original Message - From: Don Hickey To: [EMAIL PROTECTED] Sent: Wednesday, June 12, 2002 2:29 PM Subject: [Declude.Virus] Declude and Inocu