RE: [Declude.Virus] .EML file syntax

2005-05-31 Thread Andy Schmidt



Hi Goran:

The "cc:" information is part of the (spoofable) SMTP header - the "bcc:" is not ANYWHERE.

The only entity that knows about the "bcc"s is the sending mail server, it will simply distribute the message to anyone in the bcc and cc header. To each BCC or CC recipient's server it will look like a message that was addressed from one third party to another third party - they will not see the BCC information.

While the "cc:" (but not bcc) information can be found in the SMTP header in the receiving server (and thus Declude) there is no way to say whether that header is "true" or spoofed (although there is little motivation to spoof that header, that I can think of).

There simply is no way on earth for anything beyond the sending mail server to do anything with BCCs since the information simply is omitted and thus not available. Therefore, there is no reason to believe that it will (or could) ever be added to a future Declude version.

Best Regards
Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 09:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe


RE: [Declude.Virus] .EML file syntax

2005-05-31 Thread Goran Jovanovic








Darin,

Not sure if you understood what I was looking for. I want to take an EML file say for a banned file notification and send it

TO: %ALLRECIPS%

And

BCC: me (or a monitor account).

This is the functionality that does not exist.

Goran Jovanovic
The LAN Shoppe

 



 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, May 31, 2005 10:43 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] .EML file syntax

I asked about this about a month ago. From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info.

Darin.





 





 





- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:27 PM
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe












Re: [Declude.Virus] .EML file syntax

2005-05-31 Thread Darin Cox



I asked about this about a month ago.  From what I was told, Declude cannot determine who is on the CC or BCC list due to where they look for that info.

Darin.
 
 
- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:27 PM
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe


RE: [Declude.Virus] .EML file syntax

2005-05-31 Thread Goran Jovanovic








Urgh. I tried CC: but that did not work. It would be nice to be able to do this.

Thanx

Goran Jovanovic
The LAN Shoppe

 



 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, May 31, 2005 10:09 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] .EML file syntax

Not unless it has been introduced as a feature in 2.x.

John T
eServices For You



 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe














RE: [Declude.Virus] .EML file syntax

2005-05-31 Thread John Tolmachoff \(Lists\)








Not unless it has been introduced as a feature in 2.x.

John T
eServices For You



 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] .EML file syntax

Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe












Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Darrell \([EMAIL PROTECTED])
a mass-mailing virus.  Declude defaults to BANCSLID ON which may or may 
not protect from such an attack.  Some CSLID calls are entire valid and 
normal for Outlook/Office generated E-mails, and I'm not totally sure 


Plus the other question is does Declude look for the CSLID calls in files in zips.

Darrell 


--
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus.  Try it 
today - http://www.invariantsystems.com

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


[Declude.Virus] .EML file syntax

2005-05-31 Thread Goran Jovanovic








Hi,

I know that in an .EML file you can have a TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better yet a BCC? I have not found anything in the 2.0.6 manual.

Thanx

Goran Jovanovic
The LAN Shoppe










RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread John Tolmachoff \(Lists\)









Putting in 2 new drives was the easy part.

Recreating 43 websites in IIS because the backup drive on the backup server departed for parts unknown the week before and proceeded with the tape drive (Onstream) finally giving out a month ago leaving my backup solution in shambles is what has been fun. Fortunately, both the actual website data drives and their separate backups on zip disks are fine.

When it rains it pours. I must be in Southern California.

Needless to say, I am revamping my backup and disaster recovery solutions.

John T
eServices For You



 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 31, 2005 2:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] MS05-16 Exploit

Ok, John, get back to fixing that mirrored drive set.

Andrew 8)



 










RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Dave Marchette



Perhaps a new feature in Declude that can be implemented during an outbreak (before the slow AV guys create defs) which reverses the logic of the BAN module, making it an ALLOW module.

For instance, ban all extensions except those specifically allowed - this creates its own problems such as forcing users to conform to renaming files in a specific way to get them through, but may solve part of the CLSID issue.

 
 
 
 
 

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of NIck Hayer
Sent: Tuesday, May 31, 2005 2:55 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] MS05-16 Exploit

Hi Andy,

Colbeck, Andrew wrote:

  Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID vulnerability detector.

  They are entirely different animals, which happen to have CLSID at their heart.

You are sure up to date with this stuff!

  The only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus scanner up to date,

This is good news. That can be easily accomplished -

  and/or b) to watch for virus news and ban extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of .doc

Well this won't be effective because folks now rename extensions as a matter of course to get clean files through eg - .exe > .e_x_e :)

  Leave it up to your antivirus scanner.

Perfect and thanks for the insight.

-Nick


Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread NIck Hayer




Hi Andy,

Colbeck, Andrew wrote:

  Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID vulnerability detector.

  They are entirely different animals, which happen to have CLSID at their heart.

You are sure up to date with this stuff!

  The only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus scanner up to date,

This is good news. That can be easily accomplished -

  and/or b) to watch for virus news and ban extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of .doc

Well this won't be effective because folks now rename extensions as a matter of course to get clean files through eg - .exe > .e_x_e :)

  Leave it up to your antivirus scanner.

Perfect and thanks for the insight.

-Nick




RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Colbeck, Andrew



Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID vulnerability detector.

They are entirely different animals, which happen to have CLSID at their heart.

The only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus scanner up to date, and/or b) to watch for virus news and ban extensions that are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of .doc

The only way to attack MS05-16 abuse with Declude JunkMail is to dream up ways to tell apart MIME filename lines that are valid from the ones that are bogus.  Given that Macintoshes will send files to PC users without a file extension, and given the lack of regular expressions and fine control over substring matching, I think this is a fool's errand.  Leave it up to your antivirus scanner.

Ok, John, get back to fixing that mirrored drive set.

Andrew 8)

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 31, 2005 2:21 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] MS05-16 Exploit

This is the one that Andy pointed out:

Microsoft Windows Shell Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/13132/discussion/
Microsoft Windows is prone to a vulnerability that may allow remote attackers to execute code through the Windows Shell. The cause of the vulnerability is related to how the operating system handles unregistered file types. The specific issue is that files with an unknown extension may be opened with the application specified in the embedded CLSID.

The victim of the attack would be required to open a malicious file, possibly hosted on a Web site or sent through email. Social engineering would generally be required to entice the victim into opening the file.

I can't say whether or not it is a broad enough threat to be exploited in a mass-mailing virus.  Declude defaults to BANCSLID ON which may or may not protect from such an attack.  Some CSLID calls are entirely valid and normal for Outlook/Office generated E-mails, and I'm not totally sure what Declude considers to be good to ban with this switch.  Andrew previously indicated that he had never seen it triggered.

Anyway, these things pop up about once a month and most are never exploited in E-mail viruses, so there is probably no reason to not treat all of them the same.  I see no reason why virus scanners wouldn't detect the infected attachments once they were updated with definitions for known threats.

Matt

John Tolmachoff (Lists) wrote:
  Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MS05-16 Exploit

Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities - no
matter how seldom one might actually occur.  Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of "vulnerability" of a potential virus
to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).

- I do agree that there is little reason (other than statistics) to run the
second scanner after the first scanner already found a virus.

- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than "isolate" them in the Virus
folder.

- I do NOT agree that Declude should NOT detect certain vulnerabilities, just
because they only occur very rarely.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



-Original Message-
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 29, 2005 9:31 AM
To: Bugtraq@securityfocus.com
Subject: Spam exploiting MS05-016

Yesterday at least two of my spam-traps received the following message
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
   boundary="[...]"

   [...]
   Content-Type: text/plain;
   charset="Windows-1252"
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regard

RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Dave Marchette
Good point.  What version of Declude introduced the 'BANCSLID ON'
feature?




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 31, 2005 2:21 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] MS05-16 Exploit


This is the one that Andy pointed out:

Microsoft Windows Shell Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/13132/discussion/
Microsoft Windows is prone to a vulnerability that may allow remote
attackers to execute code through the Windows Shell. The cause of the
vulnerability is related to how the operating system handles
unregistered file types. The specific issue is that files with an
unknown extension may be opened with the application specified in the
embedded CLSID.

The victim of the attack would be required to open a malicious file,
possibly hosted on a Web site or sent through email. Social engineering
would generally be required to entice the victim into opening the file. 

I can't say whether or not it is a broad enough threat to be exploited
in a mass-mailing virus.  Declude defaults to BANCSLID ON which may or
may not protect from such an attack.  Some CSLID calls are entirely valid
and normal for Outlook/Office generated E-mails, and I'm not totally
sure what Declude considers to be good to ban with this switch.  Andrew
previously indicated that he had never seen it triggered.

Anyway, these things pop up about once a month and most are never
exploited in E-mail viruses, so there is probably no reason to not treat
all of them the same.  I see no reason why virus scanners wouldn't
detect the infected attachments once they were updated with definitions
for known threats.

Matt




John Tolmachoff (Lists) wrote: 
Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MS05-16 Exploit

Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities - no
matter how seldom one might actually occur.  Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of "vulnerability" of a potential virus
to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).

- I do agree that there is little reason (other than statistics) to run the
second scanner after the first scanner already found a virus.

- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than "isolate" them in the Virus
folder.

- I do NOT agree that Declude should NOT detect certain vulnerabilities, just
because they only occur very rarely.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



-Original Message-
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 29, 2005 9:31 AM
To: Bugtraq@securityfocus.com
Subject: Spam exploiting MS05-016

Yesterday at least two of my spam-traps received the following message
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
   boundary="[...]"

   [...]
   Content-Type: text/plain;
   charset="Windows-1252"
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regards, Keith

   [...]
   Content-type: application/octet-stream;
   name="agreement.zip"
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
   filename="agreement.zip"

   <>

There are a few trivial differences between the messages to the
different addresses I checked, so don't anyone try to turn the above
into a totally literal filtering rule...

Anyway, the "agreement.zip" attachment held only one file, apparently
called "agreement.txt", but on closer inspection it turned out the file
was called "agreement.txt " where the apparent trailing space was
actually a 0xFF character.  This "pseudo-TXT" file was, in fact, an
OLE2 format file (originally a Word document file) with the OLE2 Root
Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
This was all done as per the description in the iDEFENSE advisory
announcing this vulnerability:

   http://www.idefense.com/app

Re: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Matt




This is the one that Andy pointed out:
Microsoft Windows Shell Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/13132/discussion/
Microsoft Windows is prone to a vulnerability that may allow remote
attackers to execute code through the Windows Shell. The cause of the
vulnerability is related to how the operating system handles
unregistered file types. The specific issue is that files with an
unknown extension may be opened with the application specified in the
embedded CLSID.
  
The victim of the attack would be required to open a malicious file,
possibly hosted on a Web site or sent through email. Social engineering
would generally be required to entice the victim into opening the file.
  

I can't say whether or not it is a broad enough threat to be exploited
in a mass-mailing virus.  Declude defaults to BANCSLID ON which may or
may not protect from such an attack.  Some CSLID calls are entirely valid
and normal for Outlook/Office generated E-mails, and I'm not totally
sure what Declude considers to be good to ban with this switch.  Andrew
previously indicated that he had never seen it triggered.

Anyway, these things pop up about once a month and most are never
exploited in E-mail viruses, so there is probably no reason to not
treat all of them the same.  I see no reason why virus scanners
wouldn't detect the infected attachments once they were updated with
definitions for known threats.

Matt




John Tolmachoff (Lists) wrote:

  Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] MS05-16 Exploit

Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities - no
matter how seldom one might actually occur.  Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of "vulnerability" of a potential virus
to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).

- I do agree that there is little reason (other than statistics) to run the
second scanner after the first scanner already found a virus.

- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than "isolate" them in the Virus
folder.

- I do NOT agree that Declude should NOT detect certain vulnerabilities, just
because they only occur very rarely.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206




-Original Message-
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 29, 2005 9:31 AM
To: Bugtraq@securityfocus.com
Subject: Spam exploiting MS05-016

Yesterday at least two of my spam-traps received the following message
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
   boundary="[...]"

   [...]
   Content-Type: text/plain;
   charset="Windows-1252"
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regards, Keith

   [...]
   Content-type: application/octet-stream;
   name="agreement.zip"
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
   filename="agreement.zip"

   <>

There are a few trivial differences between the messages to the
different addresses I checked, so don't anyone try to turn the above
into a totally literal filtering rule...

Anyway, the "agreement.zip" attachment held only one file, apparently
called "agreement.txt", but on closer inspection it turned out the file
was called "agreement.txt " where the apparent trailing space was
actually a 0xFF character.  This "pseudo-TXT" file was, in fact, an
OLE2 format file (originally a Word document file) with the OLE2 Root
Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
This was all done as per the description in the iDEFENSE advisory
announcing this vulnerability:

   http://www.idefense.com/application/poi/display?id=231&type=vulns

This "pseudo-TXT" file is an example of what is produced by the PoC
generator posted to Bugtraq.  Oddly, that message is not archived in
SecurityFocu

RE: [Declude.Virus] MS05-16 Exploit

2005-05-31 Thread John Tolmachoff \(Lists\)
Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Andy Schmidt
> Sent: Tuesday, May 31, 2005 11:30 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] MS05-16 Exploit
> 
> Hi,
> 
> Enclosed a notice for the MS05-16 Exploit.
> 
> For the record:
> I'm actually in favor of using STRICT interpretation of vulnerabilities - no
> matter how seldom one might actually occur.  Whether a violation of
> standards is due to an actual virus - or just a poor mass-mailer
> application, I gladly use the reason of "vulnerability" of a potential virus
> to reject these messages early.
> 
> As far as some features suggested here:
> 
> - I do agree that it might be helpful for some people not to scan for
> viruses, if a vulnerability is found (to conserve CPU).
> 
> - I do agree that there is little reason (other than statistics) to run the
> second scanner after the first scanner already found a virus.
> 
> - I do agree that it is desirable for some people, if there was an option
> that would delete vulnerabilities rather than "isolate" them in the Virus
> folder.
> 
> - I do NOT agree that Declude should NOT detect certain vulnerabilities, just
> because they only occur very rarely.
> 
> 
> Best Regards
> Andy Schmidt
> 
> Phone:  +1 201 934-3414 x20 (Business)
> Fax:+1 201 934-9206
> 
> 
> > -Original Message-
> > From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, May 29, 2005 9:31 AM
> > To: Bugtraq@securityfocus.com
> > Subject: Spam exploiting MS05-016
> >
> 
> Yesterday at least two of my spam-traps received the following message
> (I've elided the MIME boundary values just in case...):
> 
>Subject: We make a business offer to you
>MIME-Version: 1.0
>Content-type: multipart/mixed;
>boundary="[...]"
> 
>[...]
>Content-Type: text/plain;
>charset="Windows-1252"
>Content-Transfer-Encoding: 8bit
> 
>Hello!  It is not spam, so don't delete this message.
>We have a business offer to you.
>Read our offer.
>You can increase the business in 1,5 times.
>We hope you do not miss this information.
> 
> 
>Best regards, Keith
> 
>[...]
>Content-type: application/octet-stream;
>name="agreement.zip"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment;
>filename="agreement.zip"
> 
><>
> 
> There are a few trivial differences between the messages to the
> different addresses I checked, so don't anyone try to turn the above
> into a totally literal filtering rule...
> 
> Anyway, the "agreement.zip" attachment held only one file, apparently
> called "agreement.txt", but on closer inspection it turned out the file
> was called "agreement.txt " where the apparent trailing space was
> actually a 0xFF character.  This "pseudo-TXT" file was, in fact, an
> OLE2 format file (originally a Word document file) with the OLE2 Root
> Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
> This was all done as per the description in the iDEFENSE advisory
> announcing this vulnerability:
> 
>http://www.idefense.com/application/poi/display?id=231&type=vulns
> 
> This "pseudo-TXT" file is an example of what is produced by the PoC
> generator posted to Bugtraq.  Oddly, that message is not archived in
> SecurityFocus' own mailing list archives, but its PoC code is listed
> with the vulnerability's BID entry:
> 
>http://www.securityfocus.com/bid/13132/info/
> 
> That PoC may be identified from the comment at the top of its code:
> 
>MS05-016 POC
>Made By ZwelL
>[EMAIL PROTECTED]
>2005.4.13
> 
> Anyway, the "agreement.txt " file contained a script to write a text
> file with commands and responses for use with the Windows ftp client
> via its "-s" option and further commands to run ftp with those scripted
> commands and then to run the executable that ftp script would cause to
> be downloaded from a Russian web site.  At the time of writing, that
> site is still up and the executable that is downloaded (a backdoor) is
> the same one that was there when the spam was first seen.
> 
> If you haven't installed the MS05-016 Windows Shell patch yet:
> 
>http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx
> 
> or at least taken reasonable precautions to defang possible
> exploitation of this vulnerability (particularly through MSHTA), it
> would be  advisable to do so now.  When initially discovered, only two
> of more than 20 tested virus scanning engines detected the exploit in
> "agreement.txt ".  Since alerting the antivirus developer community of
> the field discovery of this exploit, a couple more "big name" scanners
> have added a degree of detection for this exploit, 

[Declude.Virus] MS05-16 Exploit

2005-05-31 Thread Andy Schmidt
Hi,

Enclosed a notice for the MS05-16 Exploit.

For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities - no
matter how seldom one might actually occur.  Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of "vulnerability" of a potential virus
to reject these messages early.

As far as some features suggested here:

- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).

- I do agree that there is little reason (other than statistics) to run the
second scanner after the first scanner already found a virus. 

- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than "isolate" them in the Virus
folder.

- I do NOT agree that Declude should NOT detect certain vulnerabilities, just
because they only occur very rarely.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: Sunday, May 29, 2005 9:31 AM
> To: Bugtraq@securityfocus.com
> Subject: Spam exploiting MS05-016
> 

Yesterday at least two of my spam-traps received the following message 
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
   boundary="[...]"

   [...]
   Content-Type: text/plain;
   charset="Windows-1252"
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regards, Keith

   [...]
   Content-type: application/octet-stream;
   name="agreement.zip"
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
   filename="agreement.zip"

   <>

There are a few trivial differences between the messages to the 
different addresses I checked, so don't anyone try to turn the above 
into a totally literal filtering rule...

Anyway, the "agreement.zip" attachment held only one file, apparently 
called "agreement.txt", but on closer inspection it turned out the file 
was called "agreement.txt " where the apparent trailing space was 
actually a 0xFF character.  This "pseudo-TXT" file was, in fact, an 
OLE2 format file (originally a Word document file) with the OLE2 Root 
Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA). 
This was all done as per the description in the iDEFENSE advisory 
announcing this vulnerability:

   http://www.idefense.com/application/poi/display?id=231&type=vulns

This "pseudo-TXT" file is an example of what is produced by the PoC 
generator posted to Bugtraq.  Oddly, that message is not archived in 
SecurityFocus' own mailing list archives, but its PoC code is listed 
with the vulnerability's BID entry:

   http://www.securityfocus.com/bid/13132/info/

That PoC may be identified from the comment at the top of its code:

   MS05-016 POC
   Made By ZwelL
   [EMAIL PROTECTED]
   2005.4.13

Anyway, the "agreement.txt " file contained a script to write a text 
file with commands and responses for use with the Windows ftp client 
via its "-s" option and further commands to run ftp with those scripted 
commands and then to run the executable that ftp script would cause to 
be downloaded from a Russian web site.  At the time of writing, that 
site is still up and the executable that is downloaded (a backdoor) is 
the same one that was there when the spam was first seen.

If you haven't installed the MS05-016 Windows Shell patch yet:

   http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx

or at least taken reasonable precautions to defang possible 
exploitation of this vulnerability (particularly through MSHTA), it 
would be advisable to do so now.  When initially discovered, only two 
of more than 20 tested virus scanning engines detected the exploit in 
"agreement.txt ".  Since alerting the antivirus developer community of 
the field discovery of this exploit, a couple more "big name" scanners 
have added a degree of detection for this exploit, and I expect that 
number to grow as the new week dawns and new updates are pushed to 
customers.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
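To make Nick's description of the lure concrete, here is an added example written for this page; it is not Nick's code, not the Bugtraq PoC, and not part of Declude. It opens a zip attachment, flags member names that carry hidden bytes after the apparent extension (the trailing 0xFF trick), sniffs OLE2 content hiding behind a non-Office name, and reads the OLE2 Root Entry CLSID so it can be compared with the MSHTA CLSID. The MSHTA CLSID constant, the extension list, and the minimal OLE2 blob and zip it builds are assumptions constructed for the demo; the CLSID value in particular should be confirmed against a reference Windows box before it is used in a filter.

```python
import io
import struct
import uuid
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID of the "HTML Application" host (MSHTA). Assumed value; confirm against
# HKCR\CLSID on a reference Windows system before relying on it in production.
MSHTA_CLSID = uuid.UUID("3050f4d8-98b5-11cf-bb82-00aa00bdce0b")
# Extensions under which an OLE2 compound file is unremarkable (assumed list).
OFFICE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pps", "msi", "msg"}


def ole2_root_clsid(data: bytes):
    """Return the Root Entry CLSID of an OLE2/CFB file, or None if data is not OLE2.

    Only the header and the first directory sector are read: the Root Entry is
    always the first 128-byte directory entry, and its CLSID sits at offset 80.
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir_sector = struct.unpack_from("<I", data, 48)[0]
    # Sector n starts at (n + 1) * sector_size; the header occupies sector -1.
    dir_offset = (first_dir_sector + 1) * sector_size
    root = data[dir_offset:dir_offset + 128]
    if len(root) < 128:
        return None
    return uuid.UUID(bytes_le=root[80:96])


def visible_name(name: str) -> str:
    """Drop what a user would not see: non-printable/non-ASCII bytes and trailing blanks."""
    return "".join(c for c in name if 32 <= ord(c) <= 126).rstrip()


def check_member(name: str, content: bytes):
    """Return the reasons this archive member looks like the MS05-016 lure (empty if clean)."""
    reasons = []
    shown = visible_name(name)
    if shown != name:
        reasons.append("filename carries hidden bytes after the apparent extension")
    ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    clsid = ole2_root_clsid(content)
    if clsid is not None and ext not in OFFICE_EXTS:
        reasons.append(f"OLE2 compound file disguised as .{ext or '(none)'}")
    if clsid == MSHTA_CLSID:
        reasons.append("Root Entry CLSID is MSHTA (MS05-016 shell-handler abuse)")
    return reasons


def scan_zip_attachment(zip_bytes: bytes):
    """Return [(member_name, reasons)] for every member that trips a check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = check_member(info.filename, zf.read(info))
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_ole2(clsid: uuid.UUID) -> bytes:
    """Constructed minimal OLE2 file: a header plus one directory sector holding Root Entry."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, 9)   # sector shift 9 -> 512-byte sectors
    struct.pack_into("<I", header, 48, 0)   # directory chain starts at sector 0
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    struct.pack_into("<H", root, 64, len(name))
    root[66] = 5                            # object type 5 = root storage
    root[80:96] = clsid.bytes_le            # CLSID is stored little-endian, as in COM
    return bytes(header) + bytes(root).ljust(512, b"\x00")


def build_sample_zip() -> bytes:
    """Constructed stand-in for agreement.zip: a 'txt' with a trailing 0xFF and MSHTA CLSID."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The real lure stored a raw 0xFF byte; Python's zipfile writes this name
        # as UTF-8, which visible_name() catches just the same (so would the
        # cp437 decode of a raw 0xFF, which yields a non-breaking space).
        zf.writestr("agreement.txt\xff", build_sample_ole2(MSHTA_CLSID))
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()):
        print(repr(member))
        for reason in reasons:
            print("  -", reason)
```

Two design points: the name check works on what the user would see rather than on the raw bytes, so it catches 0xFF, NBSP, trailing spaces and the like with one rule; and the OLE2 check does not depend on the extension at all, so a renamed "pseudo-TXT" is caught by its magic bytes before the CLSID is even compared.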


RE: [Declude.Virus] New virus out?

2005-05-31 Thread Colbeck, Andrew
On my "8.zip" sample, McAfee finds W32/[EMAIL PROTECTED] so VirusTotal
probably has an older McAfee update.

VirusTotal doesn't use Trend Micro, but they don't think it warrants a
new signature.  They already catch it as TROJ_BAGLE.GEN

Andrew 8)



Re: [Declude.Virus] New virus out?

2005-05-31 Thread Gianbattista Toffetti Carughi
This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET)
after scanning the file "8.zip".

  Antivirus    Version         Update      Result
  AntiVir      6.30.0.15       05.31.2005  TR/Dldr.Bagle.BR
  AVG          718             05.31.2005  no virus found
  Avira        6.30.0.15       05.31.2005  TR/Dldr.Bagle.BR
  BitDefender  7.0             05.31.2005  [EMAIL PROTECTED]
  ClamAV       devel-20050501  05.31.2005  Worm.Bagle.BB-gen
  DrWeb        4.32b           05.31.2005  Win32.HLLM.Beagle.36352
  eTrust-Iris  7.1.194.0       05.31.2005  no virus found
  eTrust-Vet   11.9.1.0        05.31.2005  no virus found
  Fortinet     2.27.0.0        05.31.2005  W32/Mitglieder.CD.gen-tr
  Ikarus       2.32            05.31.2005  no virus found
  Kaspersky    4.0.2.24        05.31.2005  Email-Worm.Win32.Bagle.bo
  McAfee       4502            05.30.2005  no virus found
  NOD32v2      1.1116          05.31.2005  probably unknown NewHeur_PE virus
  Norman       5.70.10         05.30.2005  W32/Downloader
  Panda        8.02.00         05.31.2005  Suspect File
  Sybari       7.5.1314        05.31.2005  Email-Worm.Win32.Bagle.bo
  Symantec     8.0             05.30.2005  Trojan.Tooso.B
  VBA32        3.10.3          05.31.2005  suspected of Worm.Bagle.3




RE: [Declude.Virus] New virus out?

2005-05-31 Thread Colbeck, Andrew
Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.

I haven't seen any of the new MyTob yet, but for more detailed info:

WORM_MyTob.BI

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EBI&VSect=P


Andrew 8)




Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey

I just received an EXTRA.DAT file from Mcafee...to detect this..

I also submitted it to F-Prot

I will try attaching the EXTRA.DAT file to this email

Don





EXTRA.DAT
Description: Binary data


Re: [Declude.Virus] EXITSCANONVIRUS

2005-05-31 Thread Jim Matuska




I personally would not go with 2 different brands 
of drives since the 2 different brands would be slightly different in design and 
could vary in performance and in my opinion could cause issues with array 
stability.  On the other hand I have had drives in Raid1 Fail, but I have 
never had the whole array fail, 1 drive just goes down and I replace it.  
Perhaps for the best performance and to avoid a bad lot you would be better off 
buying 2 drives of the same model and brand but buy them from 2 different 
vendors so you get 2 different lots.  
 
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Marc Catuogno 
  To: Declude.Virus@declude.com 
  Sent: Monday, May 30, 2005 8:40 AM
  Subject: RE: [Declude.Virus] EXITSCANONVIRUS
  
  John,
   
  Sorry to hear about that – it sucks.
  There was something I heard once about having identical drives mirrored.
  That if they were from the same vendor and the same model and lot number
  they can fail at the same time.  The IBM Deskstar was apparently notorious
  for this.  If I’m building a server I try to use two different HDs on the
  mirror – one IBM and one Maxtor or something.  It is tough to get my host
  to do this for me.
   
  Good luck man~ 
   
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
  Sent: Monday, May 30, 2005 3:31 AM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] EXITSCANONVIRUS
   
  Off the topic, but it interrupted my work on my mail server.
   
  Anyone ever lose both mirrored OS drives at the same time?
   
  FUN FUN FUN
   
  NOT!
   
  At least Ghost is able to read the master.
   
  John T
  eServices For You
   


RE: [Declude.Virus] New virus out?

2005-05-31 Thread Marc Catuogno
I've gotten a few:

26KB files named 1.zip, 7.zip and work.zip so far



RE: [Declude.Virus] New virus out?

2005-05-31 Thread John Tolmachoff (Lists)
Various named zip files. The D*.smd file is 26KB in length. No subject line.
Varying IP addresses and apparent forged from address. Blank HTML body.

John T
eServices For You




Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey

I have seen the following attachments...

1.zip
5.zip
6.zip
7.zip
8.zip
price_new.zip
be_not_jealous.zip
price_new_16_04_05.zip

So far...

Don
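The traits reported in this thread (varying zip names, often just a number, no subject line, a blank HTML body, and an exe inside the zip that Declude's banned-extension rule catches) can be checked per message with Python's email module. The script below is an added example for this page; it is not Declude's code and was not posted by any list member. It goes a step beyond the extension check by also sniffing the MZ header of each archive member, so a renamed executable is still reported. The message it builds, the addresses in it, and the stub "executable" are constructed stand-ins, not captured samples.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Declude-style banned-file rules usually cover (assumed list).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def is_mz(head: bytes) -> bool:
    """DOS/PE executables start with 'MZ' whatever the file is called."""
    return head[:2] == b"MZ"


def executables_in_zip(zip_bytes: bytes):
    """Names of archive members that are executables by extension or by MZ header."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits                     # not a zip at all: nothing to inspect here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            with zf.open(info) as fh:
                head = fh.read(2)       # only the first two bytes are needed for MZ
            if ext in EXEC_EXTS or is_mz(head):
                hits.append(info.filename)
    return hits


def assess_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the traits reported in the thread."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if not (msg["Subject"] or "").strip():
        findings.append("empty subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        is_html = body.get_content_type() == "text/html"
        text = body.get_content()
        if is_html:
            text = re.sub(r"<[^>]+>", "", text)   # crude tag strip: enough to test for blank
        if not text.strip():
            findings.append("blank HTML body" if is_html else "blank body")
    banned = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if re.fullmatch(r"\d+\.zip", name):
            findings.append(f"numeric zip name {name}")
        members = executables_in_zip(part.get_payload(decode=True))
        if members:
            banned.append((name, members))
    return {"findings": findings, "banned": banned,
            "verdict": "hold" if banned else "pass"}


def build_sample_message() -> bytes:
    """Constructed message modelled on the reported traits; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price_new.exe", b"MZ" + bytes(62))   # MZ header only, not a program
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.invalid"        # assumed, forged-looking address
    msg["To"] = "postmaster@example.invalid"
    # No Subject header at all, as reported.
    msg.set_content("<html><body></body></html>", subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="8.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = assess_message(build_sample_message())
    print(result["verdict"], result["findings"], result["banned"])
```

The "hold" verdict rests only on the archive contents; the subject, body and name findings are weak signals worth logging for triage but too easy to share with legitimate mail to block on by themselves.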


Re: [Declude.Virus] New virus out?

2005-05-31 Thread Darrell \([EMAIL PROTECTED])
John, 

What do the filenames appear to be - any pattern either filename, subject, 
body content etc? 

Darrell 






Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers. 





Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey

I am seeing it also. I already submitted it to Mcafee...

My desktop AV (Trend) is detecting it as a Bagle variant...


Don



[Declude.Virus] New virus out?

2005-05-31 Thread John Tolmachoff (Lists)
One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.

They are coming from different IPs

John T
eServices For You

