RE: [Declude.Virus] [OT:] SoBig.E

2003-08-19 Thread George Kulman
I use Declude so that I can send an explanatory e-mail to the sender who can then zip legitimate attachments and resend them George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt Sent: Tuesday, August 19, 2003 10:51 AM To: [EMAIL

RE: [Declude.Virus] SoBig.F

2003-08-19 Thread Andy Schmidt
Hi Scott: I used McAfee and it started blocking it since 8:31 EDT (I pull in their daily updates hourly). 08/19/2003 08:31:18 Q1893028b01baf614 Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=details.pif [11] I 08/19/2003 08:31:18 Q1893028b01baf614 Found a bogus .pif file

[Declude.Virus] Vulnerability messages

2003-08-19 Thread John Tolmachoff (Lists)
I have the following in my vulnerability.eml file: SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability ONLYSENDIFREMOTESENDER SKIPIFRECIP [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: %ALLRECIPS%,[EMAIL PROTECTED] Subject: We blocked an e-mail sent to you! The notice is still being sent to [EMAIL

[Declude.Virus] SoBig F

2003-08-19 Thread Darrell LaRock
FYI: McAfee's Extra Dat is not catching all instances of this virus... However, it is still being dropped by the banned pif extension. Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To

Re: [Declude.Virus] Vulnerability messages

2003-08-19 Thread R. Scott Perry
I have the following in my vulnerability.eml file: SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability ONLYSENDIFREMOTESENDER SKIPIFRECIP [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: %ALLRECIPS%,[EMAIL PROTECTED] Subject: We blocked an e-mail sent to you! The notice is still being sent to [EMAIL

RE: [Declude.Virus] SoBig.F?

2003-08-19 Thread Karen D. Oland
Are you seeing this as a pif inside an attached .eml? Although not caught by anything, I had a very strange undeliverable mail message in my box today that fit this criteria. The Sender and rDNS were both blank in the message. Received: from is3.auto-trol.com [143.198.15.20] by staffingtech.com

RE: [Declude.Virus] SoBig.F

2003-08-19 Thread Adolfo Justiniano
Hello Andy, I used McAfee and it started blocking it since 8:31 EDT (I pull in their daily updates hourly). How do you pull the updates hourly? I use the Instant Updater but it looks that it does the updates just once per day. Adolfo Justiniano Santa Cruz BBS e-mail: [EMAIL PROTECTED]

RE: [Declude.Virus] SoBig F

2003-08-19 Thread Andy Schmidt
Hm - I've seen a few messages go through that were generated by the virus - but that did NOT include any attachment. They were scanned and cleaned by an outbound virus scanner on the other side. I have yet to actually see any infected virus making it to my inbox - yet I've seen hundreds being

RE: [Declude.Virus] How to Get McAfee Daily Updates

2003-08-19 Thread Andy Schmidt
I created a batch file that runs hourly - it usually finds updated files several times a day. (The curl.exe is a shareware utility to automate HTTP downloads). kill curl -f curl http://download.nai.com/products/mcafee-avert/daily_dats/SDATDAILY.EXE -o SDATDAILYrun.EXE -s -S -R -z SDATDAILY.EXE

Re: [Declude.Virus] SoBig F

2003-08-19 Thread paul
FYI: McAfee's Extra Dat is not catching all instances of this virus... However, it is still being dropped by the banned pif extension. Wow! I've noted over 200 hits of this virus today so far. sheesh. Paul - Glad I have Fprot checking for updates every 2 hours to be safe.

[Declude.Virus] Turing off .pif notifications? (sobig.F)

2003-08-19 Thread Marc Catuogno
I have BANEXT active, and as a courtesy I have a notification through Declude going out in case someone is legitimately trying to send an .exe file. Is there any way to turn this off for the .pif extension? The SOBIG.F Virus is sending this to all my users with fake e-mail addresses and then the

RE: [Declude.Virus] Vulnerability messages

2003-08-19 Thread John Tolmachoff (Lists)
Is there just one space or tab in there? Have you double-checked to make sure that the E-mail address is correct (no typos)? Hanging Head in Shame 2 Tabs. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

[Declude.Virus] Sobig.F

2003-08-19 Thread Bill Newberg
F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks like a reversal of last week's problem with F-Prot not catching the virus and McAfee catching it. I'm glad I'm running dual scanners.

Re: [Declude.Virus] Turing off .pif notifications? (sobig.F)

2003-08-19 Thread R. Scott Perry
I have BANEXT active, and as a courtesy I have a notification through Declude going out in case someone is legitimately trying to send an .exe file. Is there any way to turn this off for the .pif extension? The SOBIG.F Virus is sending this to all my users with fake e-mail addresses and then the

RE: [Declude.Virus] OT Virus scanner for...

2003-08-19 Thread John Tolmachoff (Lists)
No computer on any network I support will be without its own AV software. The reason is, just because you can scan another workstation's c drive from across the network does not mean that it is clean. Plus, RTFP does not work well that way. John Tolmachoff MCSE CSSA Engineer/Consultant eServices

Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Bill Landry
McAfee is catching it fine here. Make sure your virus definitions are at least at 4.0.4287. Bill - Original Message - From: Bill Newberg [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 10:29 AM Subject: [Declude.Virus] Sobig.F F-Prot is catching Sobig.F, but

RE: [Declude.Virus] Turing off .pif notifications? (sobig.F)

2003-08-19 Thread GlobalWeb.net Webmaster
We're getting pounded today also with pif's and scr's from SoBig... How much of a risk would it be to temporarily rem this setting in the BanExt area, allow Declude to filter and quarantine the message and then use the SKIP option to not send out a message to sender ??? Sincerely, Randy

RE: [Declude.Virus] Sobig.F

2003-08-19 Thread Andy Schmidt
McAfee was blocking Sobig.f as of 8:31 AM Eastern Time on my server according to my Declude Log files before I read the first reports on this list. Are your virus signatures up to date/hour? Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle

RE: [Declude.Virus] Turing off .pif notifications? (sobig.F)

2003-08-19 Thread John Tolmachoff (Lists)
Big Huge risk. If it is being caught by banned extension, the AV scanner is not catching it. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of

[Declude.Virus] Sobig.F [OT]

2003-08-19 Thread Jeff Maze - Hostmaster
By the looks of things, this virus is going to be worse than the Klez. It's amazing the number of e-mail received.

RE: [Declude.Virus] Sobig.F [OT]

2003-08-19 Thread Darrell LaRock
I have to concur on this, we are seeing our traffic levels increased by a factor of 7 due to this virus.. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster Sent: Tuesday, August 19, 2003 3:25 PM To: [EMAIL PROTECTED] Subject:

RE: [Declude.Virus] Turing off .pif notifications? (sobig.F)

2003-08-19 Thread GlobalWeb.net Webmaster
But if the AV scanner is catching it (FPROT updates every 2 hours), how much of an increase in system resources will be utilized in actually performing scanning... this is the question I was weighing... Sincerely, Randy Armbrecht Global Web Solutions®, Inc. 804-346-5300 ext. 1

RE: [Declude.Virus] Sobig.F [OT]

2003-08-19 Thread Jeff Maze - Hostmaster
And now I've noticed that there are more and more coming from DSL lines and the private sector instead of universities (as a majority of the first infections on my end were coming from).. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock

[Declude.Virus] Virtualsis.com

2003-08-19 Thread John Tolmachoff (Lists)
Will the admin for this domain contact me off list ASAP. Your notification configuration needs adjusting. You are sending notices to forged addresses. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

[Declude.Virus] sobig.f rules added to Message Sniffer

2003-08-19 Thread Pete (Madscientist)
For those of you evaluating Message Sniffer, we highly recommend that you download the latest rulebase file from the web site. We have added a collection of rules to capture viable and non-viable forms of the sobig.f worm. You can get this file (sniffer2.snf) from the Try-It page on our site:

Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Dan Geiser
Can anyone share the McAfee definition files for this? Ours is currently at 4286 and I can't get in manually or automatically to download the current definition files. Thanks, Dan - Original Message - From: Bill Landry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19,

Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Bill Landry
Go to www.nai.com and select the Downloads link. Grab the latest engine update (SuperDat File (Engine + DAT)) which will upgrade your engine to 4.2.60 and the virus definitions to 4.0.4287. Bill - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday,

Re: [Declude.Virus] Sobig.F

2003-08-19 Thread Dan Geiser
Forget it. I finally got through to McAfee's web site. Sorry for bothering y'all!!! - Original Message - From: Dan Geiser [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 5:12 PM Subject: Re: [Declude.Virus] Sobig.F Can anyone share the McAfee definition files

[Declude.Virus] Sobig - Easy to Detect?

2003-08-19 Thread Andy Schmidt
Hi, Is it just me, or is Sobig.F always adding the fake header: X-MailScanner: Found to be clean Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206

Re: [Declude.Virus] Sobig - Easy to Detect?

2003-08-19 Thread Eje Gustafsson
As far as I can tell yes. Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 - Your Full Time Professionals - Mikrotik OEM dealer - Online

RE: [Declude.Virus] Sobig.f

2003-08-19 Thread Andy Schmidt
I just checked - we caught 4,700 occurrences of this virus so far since this morning at 8:31 AM EDT. This is by a huge margin the most aggressive virus that I've ever observed. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206