Re: [Declude.Virus] VBE attachments

2005-09-23 Thread Greg Little

Wasn't, but I am now.

Thanks
Greg

John Tolmachoff (Lists) wrote:


Everyone is banning vbe attachments, correct?
 




---
[This E-mail scanned for viruses by Findlay Internet]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Many New Bagle Variants, Spammed today

2005-09-19 Thread Greg Little

McAfee just did a 2nd DAT for today.
With this note.


Notice
Due to the number of Bagle variants that have been spammed out today, AVERT 
will be releasing the 4585 DAT Files early.  Though we consider all of the 
variants to be Low risk we are releasing the dat files solely due to the amount 
of spam seen around the seeding of these threats.


So whatever your favorite AV . . . Keep It CURRENT.

Looks like McAfee was blocking many (all?) of this batch as an unknown 
virus (New Poly Win32).


Greg Little


Colbeck, Andrew wrote:


Bagle usually comes in several waves of slight variations, so this is
likely to be happening again.

Banning the zip names is prudent.

Andrew 8)


 






Re: [Declude.Virus] Zip Vulnerability?

2005-08-09 Thread Greg Little

For a work around,
What about changing the extension?
If it is not *.ZIP, will it still fail the test?

Greg

Grant Griffith wrote:


Have a customer trying to send an message and it is being caught saying
Invalid ZIP Vulnerability.  Anyone know what this is?  Nothing in the
Declude manual on this one.
 






Re: [Declude.Virus] OT: Online file check?

2005-07-26 Thread Greg Little




Good work killing it.
I'll be adding this program to my "tool kit". The site also looks like
a winner.

Look2me, I remember it well.
That's the one I had here. KillBox is hard to run, but it worked. You
have to feed it a list of the DLLs to delete on the next boot.
Although it may have morphed again, when I fought it a month ago (June
22) there were no tools or how-tos for the new version (lots for the
version from about a year ago), and the AV companies were doing a so-so
job of finding it and a worse job of killing it.

The version I was fighting appeared to hook into the windows login so
it was active in Safe Mode with Explorer off. It recreated itself as
fast as I could kill it.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"DllName"="C:\\WINDOWS\\system32\\mtiseq.dll"


On DNS
I've got a list a about 100 web addresses that I've entered into the
Corp DNS over the last couple of years. We refer all the sites to a
simple in house error page.
(What you were trying to reach, your IP, who to call if you want me to
restore access to a page.)
I collect most of them from the IE history pages on infected PCs and
from adware and virus write-ups. I look for phrases like, "then the
adware will go to EvilSite.NET and download ads or updates". Part of
the hassle is it's an always-moving target, they just keep using new
site names. But if you can save a few PCs (or a whole building) from
getting infected, it's well worth the effort. I also use it to block
XXX pages.

Greg Little


Re: [Declude.Virus] OT: Online file check?

2005-07-25 Thread Greg Little

Keep it off the network as much as possible.
Also a software firewall (like Zone Alarm) will help control the phone 
home for updates.


Another tool I used for those really hard to remove stains, is 
KillBox. You can give it a list of files to be deleted at the start of 
the next boot.


I've had one that was still locked in memory (and recreating itself to 
new file names and restoring reg keys) in safe mode with explorer exited.
(You have to start a Dos Window before killing the Explorer process. 
Then explorer to start it again.)
It hooked into login, but KillBox got it on bootup before it could 
install its memory resident program.


SysInternals has some great tools for Watching processes, Controlling 
startups, etc.

http://www.sysinternals.com/SystemInformationUtilities.html

Greg Little

PS Does this pest have a name?



Re: [Declude.Virus] Move from Vscan 4.5 to Enterprise 8

2005-07-14 Thread Greg Little
Although McAfee has been trying hard to kill off 4.5 for a while, I 
have not seen it yet.

It is the only version to use if you have Win 98/ME.
We still have a few desktops using 98. (They were updating fine last 
time I checked)


But for a mail server I'd expect that you are on a more current O/S and 
would suggest you move to at least Enterprise 7.x


Greg

Timothy Bohen wrote:


From what I can tell Mcafee has quit allowing updates to Vscan 4.5.


First question, am I wrong on this?

Second question.

Any issues upgrading to Viruscan Enterprise 8 with declude?

Thanks


 






Re: [Declude.Virus] EXE in a Zip File

2005-06-03 Thread Greg Little




It's a game of "catch me if you can".

Mytob has been changed frequently (often several times per day) and then
sent (seeded) to 000's of addresses, before the AV companies have a
chance to react.
(I've been getting a few reports each week on these.)
It makes for about a 1 day window on many of these.
For details see
http://vil.nai.com/vil/content/v_134084.htm

Your AV program should be catching this one soon.
(McAfee calls it W32/[EMAIL PROTECTED] . DAT
4506, due out in the next couple of hours, should stop it.)

While I expect some good Declude blocking suggestion based on Subject
line, File name, Sender, etc. the next version of this pest is as much
a target and it's hard to guess what that will look like.

Greg Little


Kevin Shimwell wrote:

Good morning

I'm getting a lot of calls from yesterday on customers getting an attached
zip with an exe file.
X-Virus-Scan-Result: Repaired 5542 [EMAIL PROTECTED].
Subject: Your Email Account is Suspended For Security Reasons
What do I need to do to stop this?
I saw this one time before.
I'm running declude virus with Fprot as the scanner.

Kevin Shimwell







Re: [Declude.Virus] Windows Update!

2005-04-11 Thread Greg Little




Here's some background info on this pest (from another list).

	Greg Little

 Original Message 

Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
Date: Fri, 08 Apr 2005 09:27:43 -0700
From: Angus Scott-Fleming [EMAIL PROTECTED]
Reply-To: Network Security Managers List [EMAIL PROTECTED]
Organization: GeoApps
To: [EMAIL PROTECTED]



--- Forwarded message follows ---
From:   	[EMAIL PROTECTED]
Date sent:  	Fri, 8 Apr 2005 02:28:14 UT
To: 	[EMAIL PROTECTED]
Subject:	[NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email
Send reply to:  	[EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

===
AUSCERT ALERT

   AL-2005.007 -- AUSCERT ALERT
  'Update your windows machine' fraudulent email
   8 April 2005

===

OVERVIEW

  AusCERT would like to advise that a fraudulent email with a subject line of
 'Update your windows machine' is currently circulating, with a claimed sender
  of [EMAIL PROTECTED].  This email links to a site which fraudulently
  presents itself as the Microsoft Windows Update web site.  When clicking on
  links on the site claiming to apply an 'Express Install' or 'Custom
  Install', a malicious executable will attempt to run on the user's machine. 
  This executable will attempt to connect to an IRC chat server, allowing a
  malicious user to take control of the user's machine and potentially involve
  it in other malicious activity.

VULNERABILITY

  The web site involved in this instance does not exploit any software
  vulnerabilities.  Instead, it uses a social engineering trick to entice a
  user to run malicious code.

MITIGATION

  This exploit requires user interaction - deleting these emails as they
  arrive and not clicking on any links they contain is a safe mitigation
  strategy.

  Users should, as ever, remain aware of the danger of clicking on links in
  unsolicited emails.

EXPLOIT DETAILS

  The current email used to entice people to visit the malicious site looks
  like:

---
Subject: Update your windows machine
From: Windows Update [EMAIL PROTECTED]
To: Auscert [EMAIL PROTECTED]


Welcome to Windows Update

Get the latest updates available for your computer's operating system,
software, and hardware.

Windows Update scans your computer and provides you with a
selection of updates tailored just for you.

Express Install : High Priority Updates for Your Computer


  This includes links to go to one of the following IP addresses:

  64.71.77.76
  221.151.249.236

  Other IP addresses or domain names may be used in future variants of this
  email.

  If the malicious code is downloaded and run, the malware will install itself
  on the user's system as MFC42.exe, and will configure itself to run on
  startup.  It will then attempt to connect to an IRC chat server, which
  allows an attacker to execute commands on infected hosts.  This may include
  involving infected hosts in Distributed Denial of Service (DDOS) attacks on
  other Internet hosts.  This collection of attacker-controlled machines is
  also known as a 'botnet'.

  This is detected by the following anti-virus products as:

  Kaspersky: Backdoor.Win32.DSNX.05.a
  Panda: Bck/DSNX.05


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===
Australian Computer Emergency Response Team The University of Queensland
Brisbane Qld 4072

Internet Email: [EMAIL PROTECTED]
Facsimile:  (07) 3365 7031
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST). On call after hours

Re: [Declude.Virus] Your mail server sent us a virus ;(

2005-01-12 Thread Greg Little




If their mail server had a better Admin, 
they would know to be very careful about sending ANY "you have a virus"
messages.

Greg

Markus Gufler wrote:

  
This notice is sent as a courtesy so that you have the option of contacting
your user and helping them get rid of the virus.  This message was sent by
Declude Virus.

If your mail server had better virus protection, it would have caused less
work for our server and could have prevented one of your users from getting
a virus.
  






---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



Re: [Declude.Virus] hlp attachments

2004-12-29 Thread Greg Little
http://msmvps.com/trafton/
Just added HLP to my block list.
(anyone want to vote, we just shut down the internet)
	Greg 



Re: [Declude.Virus] BanExt / Scan CC Ban Attachment

2004-12-16 Thread Greg Little
I think I understand the question.
I only get banned extension notices when there is no known virus.
I route these banned notices to a folder in my mail program for special 
attention (the virus name is in the subject).
The banned e-mails get checked by hand.
If it looks legit, I send a form letter to the source and destination. 
(... for your protection we are blocking .
The others are assumed to be either a new virus (first few hours) or a 
broken scrap returned by another mail system.

Greg
PS I'll revive a long term request.
When I try to guess if a banned e-mail is legit, the FULL file name and 
not just the extension would be a BIG help.



Re: [Declude.Virus] Server Virus Scanners

2004-11-12 Thread Greg Little
I use McAfee Enterprise 7.1 for Command line and on-access scanning.
Remember to exclude most of your mail/spool folders from on access scanning.
Greg


Re: [Declude.Virus] Server Virus Scanners

2004-11-12 Thread Greg Little
I work through CDW.
As I recall it is 5 or more copies for the Corporate version, so it may 
not be your best price (unless you have a use for the other 4 copies).

Here's contact info from my salesman.
==
Once again, thank you for choosing CDW. We stand ready to serve you.
If you find any discrepancies or I can be of further assistance,
please feel free to contact me.
MARK GRAY
Direct line: 8773256654
Fax Number:  3127056512
E-Mail:  [EMAIL PROTECTED]
==
Greg
PS As I recall, several of McAfee's recent RETAIL (home user) versions 
(including the current?) won't let you exclude directories.
But at least you can buy online and get only one copy.

Dean Lawrence wrote:
Thanks Greg,
Do you know if you can buy that online? I was looking at McAfee's site
and it that product was not listed for their online purchase. Do you
have to go through a reseller or distributor?
Thanks,
Dean

 

--
Greg Little
Programmer/Analyst
The Findlay Publishing Co.  (or The Courier)
701 W. Sandusky St.
Findlay, OH  45840

419-427-8448 voice
419-422-2937 fax
[EMAIL PROTECTED]


Re: [Declude.Virus] New virus with unusual deployment

2004-11-10 Thread Greg Little




McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml

http://vil.nai.com/vil/content/v_129633.htm

Virus Characteristics:
This is a generic detection covering email messages sent by
W32/[EMAIL PROTECTED] and W32/[EMAIL PROTECTED]. These messages do not
contain an attachment.

But without any real violations (virus or vulnerability) in the e-mail
it will be hard for the AV companies to tell good from bad. It will be
even harder to write good generic detections that catch future versions
of this virus, because the virus writer can change almost everything
about the e-mail and the only thing that really counts is "does the
link work".
I do not expect Declude's checking to catch this one.

I've been wondering what took the virus writers so long to use this
model of distribution: host the virus on each infected PC. It is much
harder to stop at the mail server than an attachment. (And there is no
central server to be shut down.) Given enough variation in the virus
generated e-mail, I'm not sure the AV companies will be able to catch
future versions of this virus at the mail server.

So far the volume is low (I have yet to get one here).
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AHVSect=SPeriod=1d
But this one or another member of its family is going to get very wide
spread.

Greg Little

PS Anybody know how the other AV companies are doing on catching the
virus generated e-mails?


Rick Davidson wrote:

Don't the newer versions of Declude Virus catch the IFRAME vulnerability?

The problem with the current virus strains is that they do not contain
any vulnerability at all.

The IFRAME vulnerability exists on the site contained in the body link.
  







Re: [Declude.Virus] ClamWin

2004-11-10 Thread Greg Little
We are on exactly the same track.
If this kind of attack catches on, and the e-mail can look like almost 
anything, passing everything to the more CPU consuming AV engine may be 
needed.
This attack will work just fine in a plain text (non-HTML) e-mail. (Will 
the link work easy?)

Greg
Matt wrote:
Maybe the new MyDoom virus suggests a change in the way that PRESCAN 
qualifies messages?




Re: [Declude.Virus] W32/Bofra-A (aka MyDoom.AG and .AH)

2004-11-09 Thread Greg Little
According to this page, the link will vary, because it is pointing back 
to the infected PC.
http://www.sophos.com/virusinfo/articles/howbofrawork.html

PS This also means that the usual way to fix one of these (send only 
the link, no attachment) is to shut down the few hosting web sites world 
wide and bang, the pest is dead.
But not this time. We can hope that at least some of the PC's are 
protected by Firewalls or Cable routers that will prevent this kind of 
connection. Also some ISPs stop home accounts from hosting websites (by 
blocking some protocols), this might help also. But I expect we will 
hear a lot more on these in the coming weeks.

Greg Little
John Tolmachoff (Lists) wrote:
Any one know what the link in the body is so we can add filters for it?
 




Re: [Declude.Virus] Making or buying a MAIL SERVER proposal

2004-10-27 Thread Greg Little




While we are on wish list.
Conversion to a next product is HUGE, for those of us with
000's of mail boxes, spread across 100+ organizations, transition
effort to any new product can be a bigger expense than the purchase
price.
(Why do you think so many people who sound like they don't really like
I-Mail are still running it?)

Set up the Domains, Users, etc. Then coordinate the switch over, if you
don't receive mail to the local PC just before you switch, you might
lose unreceived e-mail when the users are pointed to the new server.

Greg

PS The Idea of buying the old I-Mail source code sounds like something
worth the chase.
I-mail gets cash (which appears to be their short term goal) and we get
ONE vendor who can integrate all the functions closely (and no huge
conversion).






Re: [Declude.Virus] New ZIP exploit confuses some AV products

2004-10-20 Thread Greg Little




Some (Most?) of the AV vendors have patches already. Looks like it was
quietly announced to the AV vendors about 2 to 3 weeks ago.

This mostly impacts e-mail scanning. It's worth the effort to check, if
you have one of these vendors. (Some require upgraded software).
This vulnerability affects multiple anti-virus
vendors including McAfee, Computer Associates, Kaspersky, Sophos,
Eset and RAV.

For McAfee you just need the week old 4398 DATs.
It is not in the wild yet, but does not look hard to do. (So while we
have some time, ...)

The problem specifically exists in the parsing
of .zip archive headers.
The .zip file format stores information about compressed files in two
locations - a local header and a global header. The local header exists
just before the compressed data of each file, and the global header
exists at the end of the .zip archive. It is possible to modify the
uncompressed size of archived files in both the local and global header
without affecting functionality. This has been confirmed with both
WinZip and Microsoft Compressed Folders. An attacker can compress a
malicious payload and evade detection by some anti-virus software by
modifying the uncompressed size within the local and global headers
to
zero.


Scott,
Since this is a deliberately corrupt ZIP header, can you add an exploit
check?

Greg


Tito Macapinlac wrote:

  Hi,

Here is a bulletin re: new vulnerability regarding zip files.  Maybe another good
reason to ban zip files if your AV is vulnerable.

http://www.idefense.com/application/poi/display?id=153type=vulnerabilitiesflashstatus=true


Tito

  





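The structural check below is an added example written for this archive page; it is not Declude's exploit check nor iDefense's code. It parses the local and global (central directory) headers that the bulletin quoted above describes, inflates each member, and reports any header whose stored uncompressed size or CRC disagrees with the real payload, so a zeroed size field is caught instead of trusted. The archive contents and the helper that zeroes the size fields are constructed test fixtures.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def central_directory(data):
    """Parse the global header (central directory); return one dict per member."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD fields after the signature: disk, cd_disk, n_here, n_total (2 bytes each),
    # cd_size, cd_offset (4 bytes each), comment length (2 bytes)
    _, _, _, n_total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    members, pos = [], cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory entry at offset %d" % pos)
        # fields after the signature: ver_made, ver_need, flags, method, time, date (2 each),
        # crc, csize, usize (4 each), nlen, elen, clen, disk, iattr (2 each), eattr, local_off (4 each)
        (_, _, _, method, _, _, crc, csize, usize, nlen, elen, clen,
         _, _, _, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("latin-1")
        members.append({"name": name, "method": method, "crc": crc, "csize": csize,
                        "usize": usize, "local_off": local_off, "central_off": pos})
        pos += 46 + nlen + elen + clen
    return members


def local_header(data, off):
    """Parse the local file header at `off`; return (crc, csize, usize, payload offset)."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("central directory points at a non-header offset %d" % off)
    # fields after the signature: ver, flags, method, time, date (2 each),
    # crc, csize, usize (4 each), nlen, elen (2 each)
    _, _, _, _, _, crc, csize, usize, nlen, elen = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
    return crc, csize, usize, off + 30 + nlen + elen


def audit_zip(data):
    """Inflate every member and report headers whose sizes or CRC disagree with the payload."""
    findings = []
    for m in central_directory(data):
        l_crc, l_csize, l_usize, payload_off = local_header(data, m["local_off"])
        raw = data[payload_off:payload_off + l_csize]
        if m["method"] == 8:                      # deflate: raw stream, no zlib header
            d = zlib.decompressobj(-15)
            payload = d.decompress(raw) + d.flush()
        elif m["method"] == 0:                    # stored
            payload = raw
        else:
            findings.append("%s: compression method %d not inspected" % (m["name"], m["method"]))
            continue
        actual = len(payload)
        for where, claimed in (("local", l_usize), ("global", m["usize"])):
            if claimed != actual:
                findings.append("%s: %s header claims %d uncompressed bytes, inflated %d"
                                % (m["name"], where, claimed, actual))
        if (zlib.crc32(payload) & 0xFFFFFFFF) != m["crc"]:
            findings.append("%s: CRC in global header does not match payload" % m["name"])
    return findings


def build_sample_zip():
    """Constructed fixture: a well-formed two-member archive written by the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "nothing to see here " * 4)
        z.writestr("invoice.exe", b"MZ" + b"\x90" * 60)   # placeholder bytes, not a real program
    return buf.getvalue()


def zero_uncompressed_sizes(data):
    """Constructed fixture: the malformed headers the bulletin describes (usize = 0 in both places)."""
    buf = bytearray(data)
    for m in central_directory(data):
        struct.pack_into("<I", buf, m["local_off"] + 22, 0)     # local header usize field
        struct.pack_into("<I", buf, m["central_off"] + 24, 0)   # central directory usize field
    return bytes(buf)


if __name__ == "__main__":
    print("clean archive:", audit_zip(build_sample_zip()) or "no findings")
    for line in audit_zip(zero_uncompressed_sizes(build_sample_zip())):
        print("tampered archive:", line)
```

The check deliberately inflates the member rather than reading the size field, since the bulletin's whole point is that the field can lie while WinZip and Compressed Folders still extract the file.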


Re: [Declude.Virus] JPEG Vulnerability

2004-09-30 Thread Greg Little




Doug,

The fault is in the detection test not the JPG. 
And in the fact that this Vulnerability is so new that there has not
been the usual time for careful testing before this test was released.
(This is also why the test is found in an interim not a fully tested
release.) Scott got us a quick fix based what was known at the time. He
is also
well aware of the "1% problem" and will keep us posted ASAP when a
better test is
available. 

For sites that need safety above all else, a broken test is better than
nothing. 
For us (and you?) we just can't have 1% of good files called bad
(unless there is a virus outbreak by e-mail that's not caught by normal
AV programs).

If you need to pass the files and can rely on AV to catch bugs,
switching back to 1.79-i?? will remove the over active test.

I'm guessing (the detail doesn't make much difference) that it is based
around a couple of simple string matches.
If I find this string of bytes here and another string of bytes
somewhere else, then bingo, a "bad" jpeg.
But the test is too simple and is catching files that are not broken.

Greg


Doug Anderson wrote:

Ok, maybe it's just me but something seems funky. Given that 99% of the
jpg's will go through no problem and the other 1% will be caught, that means
the 1% are unique in some way, shape or form. They are detectable which
declude virus does and other virus packages do if you scan all files.

In being unique, it was created or saved differently than other jpg's. What
seems funky is that an update to the creation software/process should put it
within the 99% group.

The GDI+ tools, virus detection tools are trying to catch at the
receiver/viewer which is good, but it's the creation tools that need
updating.

What I'm trying to figure here is how to tell users to fix the problems and
minimize false positives since we use so many different graphics formats in
our business. If they upgrade their software to the highest sp/rev, they
have the needed patches from MS, can they open the graphic without being hit
and re-save it in a jpg format that will be safe?

Did that make any sense?

  





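The segment walk below is an added example, not Declude's test (the thread does not say how Scott's check works). Instead of matching byte strings, it follows the JPEG marker structure and flags only a segment whose 16-bit length field is smaller than the two bytes the field itself occupies, which is the publicly documented trigger (a comment segment with length 0 or 1) of the GDI+ JPEG bug discussed here; that detail is my addition, not the page's. The three JPEG byte strings are constructed fixtures, and naive_string_match is my guess at the kind of simple test Greg describes, included to show where it misfires.

```python
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
NO_LENGTH = {0xFF01} | {0xFFD0 + i for i in range(8)}   # TEM and RST0-7 carry no length field


def segment(marker, payload):
    """Build one marker segment; the length field counts itself plus the payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def walk_segments(data):
    """Return [(marker, offset, length_field)] for every segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no SOI marker")
    pos, out = 2, []
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            break
        marker, start = 0xFF00 | data[pos], pos - 1
        pos += 1
        if marker == EOI or marker in NO_LENGTH:
            out.append((marker, start, None))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field at offset %d" % pos)
        length = struct.unpack_from(">H", data, pos)[0]
        out.append((marker, start, length))
        if marker == SOS or length < 2:
            break     # entropy-coded data follows, or a malformed length we must not follow
        pos += length # the length counts its own two bytes, so this lands on the next marker
    return out


def audit_jpeg(data):
    """Flag length fields smaller than the 2 bytes they occupy, and segments past end of file."""
    findings = []
    for marker, off, length in walk_segments(data):
        if length is None:
            continue
        if length < 2:
            findings.append("marker 0x%04X at offset %d: length field %d is below 2"
                            % (marker, off, length))
        elif off + 2 + length > len(data):
            findings.append("marker 0x%04X at offset %d: segment runs past end of file"
                            % (marker, off))
    return findings


def naive_string_match(data):
    """Guess at a 'simple string match' test: COM marker followed by a length of 0 or 1, anywhere."""
    return b"\xff\xfe\x00\x00" in data or b"\xff\xfe\x00\x01" in data


# Constructed samples (headers only; no image data is needed to exercise the checks)
APP0_JFIF = segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN = b"\xff\xd8" + APP0_JFIF + segment(COM, b"made with a normal encoder") + b"\xff\xd9"
# a comment segment whose length field says 1: the structural check flags it
MALFORMED = b"\xff\xd8" + APP0_JFIF + struct.pack(">HH", COM, 1) + b"\xff\xd9"
# an APP13 (Photoshop-style) segment whose binary payload happens to contain FF FE 00 01:
# the byte-string match fires, while the segment walk sees a correctly delimited segment
MAC_LIKE = (b"\xff\xd8" + APP0_JFIF
            + segment(0xFFED, b"Photoshop 3.0\x008BIM\x04\x04\x00\x00\xff\xfe\x00\x01\x00")
            + b"\xff\xd9")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("malformed", MALFORMED), ("mac-like", MAC_LIKE)):
        print(label, "structural:", audit_jpeg(sample) or "ok", "| naive:", naive_string_match(sample))
```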


Re: [Declude.Virus] Lines in the virus.cfg file

2004-09-30 Thread Greg Little




I should eliminate (comment out) at least the JPG line right away.

The new test (when it's fully ready) provides a great safety net to
backup the AV programs. The new test will ignore these lines and bad
JPEGs will be caught.
The test is available by installing a new interim version of Declude. (The
test in the current interim 1.80 has some problems so wait until they
are resolved or check the other messages for details.)

The best advice I've seen is to eliminate at least the JPG line,
because these lines will prevent the AV programs from being called.
Until last week, you could safely save some CPU time on your e-mail
server by not scanning JPEGs.

Greg


Sharyn Schmidt wrote:

I was looking through my virus.cfg and I noticed the following:

# The SKIPEXT option will let you skip scanning of certain file extensions. For
# example, a GIF file can't contain a virus, so there is no need to scan it.
#
SKIPEXT  GIF
SKIPEXT  TXT
SKIPEXT  JPG
SKIPEXT  MPG

Should I now allow declude to scan jpg and gif files or is this totally
different than the new jpeg vulnerability?

Thanks,

Sharyn
  







Re: [Declude.Virus] New release

2004-09-29 Thread Greg Little




To keep it brief.
Scott has a new JPEG test in Ver. 1.80, but it appears to still have a
flaw.
(Stopping a FEW normal JPEGs, mostly from MACs.)

So, for the next few hours (days?), you can err on the side of
caution or risk.
But when it's fully ready, it's a must have update.

Greg

R. Scott Perry wrote:
The problem is that Microsoft decided not to give out any information
on how to detect the exploit. The person that discovered the exploit,
however, provided details on how the exploit could be detected. There
was, unfortunately, a flaw in the detection method, causing
occasional false positives (in our tests, about 1 in 1,000
legitimate JPEG files was getting caught as a result). We are planning
to change the detection code to use our own (more complex) method.

   -Scott

Sharyn Schmidt wrote:

New release

Can someone please tell me when the newest release was available for download?

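Scott's note about a detection method that produced occasional false positives, and Greg's report of normal Mac JPEGs being stopped, are both about how an "invalid JPEG" check is written. The following is added example code, not Declude's test: a structural validator that walks the JPEG marker segments and reports a segment whose length field is smaller than 2 (the malformed-comment condition behind the GDI+ flaw under discussion), with a plain byte-pattern search shown for contrast because such a search can fire on the same bytes inside a legitimate APP1 payload. The sample files are constructed here, and the idea that the flawed method was a pattern search is my assumption about one plausible cause.

```python
"""Structural 'invalid JPEG' check, in the spirit of the Declude 1.80 test.

Added example code, not Declude's implementation.  It walks the JPEG
marker segments instead of searching the file for a byte pattern, so a
suspicious length field is only reported when it sits in a real segment
header.
"""
import struct

SOI, EOI, SOS, COM, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0, 0xE1
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def check_jpeg(data: bytes):
    """Return (verdict, detail); verdict is 'ok', 'malformed' or 'not-jpeg'."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return "not-jpeg", "missing SOI marker"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return "malformed", f"expected a marker at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            return "malformed", "file ends inside a marker"
        marker, pos = data[pos], pos + 1
        if marker in STANDALONE:
            if marker == EOI:
                return "ok", "reached EOI"
            continue
        if pos + 2 > len(data):
            return "malformed", f"segment 0x{marker:02X} truncated before its length"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length counts its own two bytes, so 0 or 1 is impossible in a
            # valid file and underflows a naive (length - 2) computation.  This
            # is the malformed-comment condition the thread's JPEG test targets.
            return "malformed", f"segment 0x{marker:02X} at offset {pos - 2} has length {length}"
        if pos + length > len(data):
            return "malformed", f"segment 0x{marker:02X} length {length} runs past end of file"
        if marker == SOS:
            return "ok", "headers well-formed up to SOS"  # entropy-coded data follows
        pos += length
    return "malformed", "no EOI marker"


def naive_scan(data: bytes) -> bool:
    """Byte-pattern search for a COM marker with length 0 or 1 (for contrast)."""
    return b"\xff\xfe\x00\x00" in data or b"\xff\xfe\x00\x01" in data


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


JFIF = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")

# Constructed samples (headers only, no image data).
GOOD_JPEG = bytes([0xFF, SOI]) + JFIF + _segment(COM, b"legit comment") + bytes([0xFF, EOI])
# A COM segment whose length field says 1: the malformed case.
BAD_JPEG = bytes([0xFF, SOI]) + JFIF + bytes([0xFF, COM, 0x00, 0x01]) + bytes([0xFF, EOI])
# Well-formed file whose APP1 payload happens to contain the same byte pattern
# (as opaque metadata such as an embedded thumbnail might): the false-positive case.
FP_JPEG = (bytes([0xFF, SOI]) + JFIF
           + _segment(APP1, b"Exif\x00\x00" + b"\xff\xfe\x00\x01" + b"\x00" * 8)
           + bytes([0xFF, EOI]))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG), ("fp", FP_JPEG)):
        print(name, check_jpeg(blob), "naive:", naive_scan(blob))
```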


Re: [Declude.Virus] Fprot GDI Scanner lines.

2004-09-28 Thread Greg Little
As I recall, IF a virus scanner calls it bad, there is no further checking.
(So, if your AV vendor is doing their job right, you would have to
disable the AV scanner(s) to test.)

Greg
Keith Johnson wrote:
I too am seeing this same behavior.  I am running HIGH logging and 1.80 version.  All
I see is my scanners detecting it, no extra lines from Declude that it stopped it,
same behavior under 1.79.  I also wanted to see if there would be any additional aid
with F-prot not being able to report the virus correctly due to it yielding an Error
#8.  Seems there was discussion that the Report line changed in the latest 3.15b,
where it also reports:
REPORTInfection:
REPORTContains the exploit named
As I understand it, we can only have 1 report line per scanner, is this true?

Thanks for the aid,




Re: [Declude.Virus] Fprot GDI Scanner lines. - slight change of topic multiple scanners

2004-09-28 Thread Greg Little

Good catch.
ALL AV scanners will run.
If one or several scanners finds a virus, then I believe the new JPEG
tests in 1.80 will be ignored.
(This would complicate confirmation testing for the new JPEG test)

Greg

Nick wrote:

On 28 Sep 2004 at 10:43, Greg Little wrote:

Greg,

As I recall, IF a virus scanner calls it bad, there is no further
checking.

Is this for an individual scanner or multiple scanners?

All the scanners run (sic) even if the one before discovers a virus
on my system.

-Nick



Re: [Declude.Virus] F-Prot/GDI+ FYI

2004-09-24 Thread Greg Little
The most positive step for now is to patch, patch, patch. (At least get
the big holes)
Windows, IE, Office, lots of other current MS products.
Lots of 3rd party products (some of the manufacturers will be out of
business)
Who knows about old MS products.
I have not seen a good tool yet for finding ALL the places to patch.

Part of the reason everyone is so agitated on this hole (that's not
quite a full virus/worm YET) is that there are LOTS of ways for it to
sneak in.
It can use many (any?) extension. It can come as just a link to a web
site in an e-mail, in the e-mail, maybe a pop-up ad or across the LAN.
Basically any way that you can move files.

Greg
Dave Marchette wrote:
Odd.  My experience with the BANEXT command is that it caused the entire
email to be deleted, not just the banned extension.





[Declude.Virus] Another GDI detection tool

2004-09-24 Thread Greg Little

in addition to the one from MS updates.

http://isc.sans.org/gdiscan.php

The notes say to

  Ignore files in directories like Windows\$NtUniinstallKBx\ and
  Windows\WinSxS. These are old versions left behind for uninstall
  purposes.


I included the results from my PC. It looks like most (all?) of the Vulnerable version messages are from things
that don't normally run. I think the I386 is used for installs (like
the old Win 98 *.CABs).
So it looks like I'm clear for now. Even though it may try to sneak
back in from an uninstall or install.

Greg

Scanning Drive C:...
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
   Version: 5.1.3097.0 -- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
   Version: 10.0.6714.0
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
   Version: 11.0.6360.0
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
   Version: 6.0.3264.0
C:\WINNT\$NtServicePackUninstall$\sxs.dll
   Version: 5.1.2600.0 -- Vulnerable version
C:\WINNT\$NtUninstallKB833998$\sxs.dll
   Version: 5.1.2600.1106 -- Vulnerable version
C:\WINNT\$NtUninstallKB839645$\sxs.dll
   Version: 5.1.2600.1336 -- Vulnerable version
C:\WINNT\LastGood\System32\sxs.dll
   Version: 5.1.2600.1106 -- Vulnerable version
C:\WINNT\ServicePackFiles\i386\sxs.dll
   Version: 5.1.2600.1106 -- Vulnerable version
C:\WINNT\system32\sxs.dll
   Version: 5.1.2600.1515
C:\WINNT\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
   Version: 5.1.3097.0 -- Vulnerable version
C:\WINNT\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.1_x-ww_8d353f14\GdiPlus.dll
   Version: 5.1.3100.0 -- Vulnerable version
C:\WINNT\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
   Version: 5.1.3101.0 -- Vulnerable version
C:\WINNT\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
   Version: 5.1.3102.1360
Scan Complete.




Re: [Declude.Virus] F-Prot/GDI+ FYI

2004-09-24 Thread Greg Little
We've got too many threads tracking this.
(And way too many nightmare ideas.) As simple as, a Word or WordPad 
Document with an infected JPG (or link) that infects PCs with all their 
Windows updates (but not their Office updates).
I'm with you. I've got that gut feeling this one is going to get very messy.
Too much to patch and too little time.

Greg
PS Everybody, keep (get) your desktop AV up to date.
R. Scott Perry wrote:
The Microsoft GDIPlus.DLL JPEG Vulnerability detection will occur 
whether or not SKIPEXT is enabled.  So no config file changes would be 
necessary after upgrading the Declude.exe file, once it is ready.

   -Scott



Re: [Declude.Virus] JS/Zerolin

2004-08-11 Thread Greg Little

Brand NEW version of a year old virus.
McAfee just released BRIEF info on it, dated today.

http://vil.nai.com/vil/content/v_127464.htm

3 here also. All three different IPs.
The VBS version is a year old trojan, it would have been very unusual
for that to be waking up.

An odd file name. All my "froms" are random names also, so forging is
likely.

Greg Little

Declude Virus Ver. 1.79 caught the  the JS/Zerolin trojan !!! virus in [Unknown: Err]
from [EMAIL PROTECTED] to:  [EMAIL PROTECTED], [EMAIL PROTECTED].

from [EMAIL PROTECTED] to:

from [EMAIL PROTECTED] to:


Markus Gufler wrote:

In the last hour I've seen some JS/Zerolin Virus warnings are coming back as NDR's

Mailfrom looks random or at least forged.

Markus



[Declude.Virus] Watch for New virus JS/Zerolin

2004-08-11 Thread Greg Little

Brand NEW version of a year old virus.
McAfee just released BRIEF info on it, dated today.

http://vil.nai.com/vil/content/v_127464.htm
Covered by the just released 4385 DATs.

Only 3 here so far. All three different IPs.
The VBS version is a year old trojan, it would have been very unusual
for that to be waking up.

An odd file name. All my "froms" are random names also, so forging is
likely.

Greg Little

Declude Virus Ver. 1.79 caught the  the JS/Zerolin trojan !!! virus in [Unknown: Err]
from [EMAIL PROTECTED] to:  [EMAIL PROTECTED], [EMAIL PROTECTED].

from [EMAIL PROTECTED] to:

from [EMAIL PROTECTED] to:

PS Reported on another list also.

Markus Gufler wrote:

In the last hour I've seen some JS/Zerolin Virus warnings are coming back as NDR's

Mailfrom looks random or at least forged.

Markus



Re: [Declude.Virus] Blocking the files in mydoom

2004-07-26 Thread Greg Little
I know this is a busy day to bug about this but . . .
Will we be getting separate extension lists for normal files and inside 
zips soon?

For Example:
Block EXE but allow EXE inside Zips (I'd like to block them but I'd get 
hung)
Block COM and SRC in both places.

Currently I block extensions outside of Zips but let all the Zips 
(except password protected) through.

Greg Little
R. Scott Perry wrote:
BANZIPEXTS ON is in v1.79.  For any file extension that you ban with 
the BANEXT option, it will then be blocked if it is in a .ZIP file as 
well.

   -Scott



Re: [Declude.Virus] Has McAfee fixed Virus Definition Corruptions Yet?

2004-06-18 Thread Greg Little
Also the older Engines will NOT catch all the viruses.
Current engine is almost as important as current DATs (virus definition
files).

At least one of the sites having trouble has been trying the current engine.
(I would double check and do a re-boot to make sure the new engine is used.)
Greg Little
R. Lee Heath wrote:
http://www.sss.ca/sensible/home.nsf/docbyid/16DB651DF6279C1F85256EB7004AEF5F?OpenDocument
McAfee  has  announced  that the 4160 scan engine and earlier versions
contained  in  McAfee Anti-virus products will cease to work correctly
after  applying the 4367 DAT files or later. The 4.1.60 scan engine is
no  longer supported and due to internal architecture limitations will
generate errors. Should you be experiencing any issues with the 4.1.60
engine  and  the 4367 DAT files, please upgrade your anti-virus engine
to  the  currently supported 4320 version. For more information please
see:
 




Re: [Declude.Virus] McAfee 4160 engine is toooo old

2004-06-18 Thread Greg Little
More info on problems with the old engine. Also sometimes (esp on Win 
98) it may take some extra procedures to fully update the engine.
http://forums.mcafeehelp.com/viewtopic.php?t=27957

PS For any McAfee question this forum is a GREAT resource.
(Focused on Retail customers, but there is a small corner for Corp 
questions also.)
http://forums.mcafeehelp.com

Greg Little


Re: [Declude.Virus] Virus notifications

2004-06-15 Thread Greg Little
I send to everybody on NON-forging viruses (very few)
I assume that most vulnerables and exploits are just spam and skip them 
with the forging viruses.
If someone with Kak or a word macro virus tries to send a real file,
then if everyone knows something can get figured out. Otherwise, it just
falls into a hole and neither sender nor receiver knows.

I get the Full load, viruses, blocks, vulnerable, etc. to sort through 
if anything else needs to be done. (and see trends)
Like on blocked files. Some are real users and some are New viruses.

Greg Little


Re: [Declude.Virus] .vbs 1 byte files

2004-05-27 Thread Greg Little

No one has found a way to write a program that fits in 1 byte yet, so
I'm guessing leftovers from a previous virus clean up.
Greg

Jim Matuska (by way of R. Scott Perry) wrote:

I have been seeing a few 1 byte .vbs files being delivered to user accounts,
some of them are forged too. None are being picked up by declude
w/Fprot. I have banned .vbs files now, has anyone seen these coming in
and if so are they dangerous or just corrupted? Also what are the
current recommended file extension to ban.



Re: [Declude.Virus] Correct me if I am wrong

2004-05-20 Thread Greg Little

You can use recip.eml to send a note that says "you were sent a virus",
but none of the current active viruses and only about half of the
older ones have a valid sender. So, sending "an unknown person", who is
claiming to be somebody else, is infected and knows your e-mail address
is worse than useless. It generates questions and confusion.

In our business (a newspaper) we have lots of different people sending
us info, that we need. For example a school coach sending scores and
stats from a game. While we try to have them sent "plain text", we
still receive a lot of info in Word, Excel, etc.

IF (and it's getting rare) a Word Macro virus or signature virus like
KAK is found, then sending both sender and receiver a notice, allows
the users to know about the problem and work out a solution.

I identify about 20 virus families as forging, then check at the top
of recip, sender and sender Postmaster for a forged sender.
Also Scott recently added an automated way to block these and not have
to update the configs with every new pest manually.
(We can get you syntax and examples, if needed)

Greg


Goran Jovanovic wrote:

If a virus in an attachment is detected then the whole message will be held and the recip.eml notification will be sent out.

Is there a way to allow the e-mail to go through to the user with a notification that the attachment was stripped?



[Declude.Virus] Recent unpatched Windows hole

2004-05-20 Thread Greg Little
Scott,
If I read this right, a *.BMP can be used in an e-mail (or website) to 
run attack code. But MS has not yet released a patch.
Also, it's not hitting English versions of Windows yet.

Just calling attention to it so that it can be investigated for an
invalid BMP test like the recently added SCR and Com tests.

http://msmvps.com/trafton/archive/05182004.aspx
http://www.kaspersky.com/news.html?id=148515536
http://xforce.iss.net/xforce/xfdb/15210
It looks like that the major AV vendors have added this to their DAT 
files, but an extra layer of protection would be helpful.
http://vil.nai.com/vil/content/v_125302.htm
http://vil.nai.com/vil/content/v_125303.htm
http://vil.nai.com/vil/content/v_100992.htm

--
Greg Little


Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Greg Little

Looks like a match for this new worm
W32/Wallon.worm.a
http://vil.nai.com/vil/content/v_125096.htm

The message body simply contains a hyperlink, which is designed to trick users into
thinking that they are going to a Yahoo News site, when in fact they
are redirected to a page on the www..security-warning..biz domain.
Extra "."s added to address.

Greg


Email Admin wrote:

Hello
Our Mail server received a mass mailing earlier today.
The email is addressed to [EMAIL PROTECTED] and is coming from
[EMAIL PROTECTED]

Copy of headers:
Received: from mail.citravel.com [10.215.43.52] by citravel.com
 (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED]
[10.215.43.52]
X-Declude-Spoolname: Df06e0595011c829f.SMD
X-Note: This message was scanned for Spam
X-RBL-Warning: Total weight value: 0
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Recipient Host: citravel.com
X-Note: Sender Address: [EMAIL PROTECTED]
X-Note: Sender Host Name: (Private IP)
X-Note: Sender IP Address: 10.215.43.52
X-Note: Sender Country ID:
X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
Precedence: bulk
Sender: [EMAIL PROTECTED]
Date: Tue, 11 May 2004 11:32:11
X-RCPT-TO: citravel.com
Status: U
X-UIDL: 384277933

This person's email client does not show they sent this message but the IP
of the sending host is the sender's system.
I have scanned this system and it is showing virus free. Using SOPHOS
latest defs as of 2pm est 5/11/2004
I am also sniffing the network now looking for other SMTP Traffic.

Users who receive the email which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news
get sent to a pornography site. After they close this site their system
keeps having pop ups appearing regularly.
This link redirects to h t t p:// d r s . y a h o o . com /
citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news

I am not so much worried about the email but as to how it was sent.
This is where I think it might be a virus.

Currently I have a filter stopping emails with d r s . y a h o o . c o m
(space added)
I am seeing several hundred an hour being stopped.

Any help ideas thoughts?
Or should I just go golfing and forget about it??? :)

~Paul~



Re: [Declude.Virus] What is it?

2004-04-30 Thread Greg Little

Another way to defend against these is with your desktop AV program.
McAfee Enterprise 7.x has some check boxes to turn on testing for these
pests.
(Because they're not exactly a virus, McAfee makes you turn on the
extra checking)

Some corporate tools, like remote control or intrusion testing may
produce false positives. Because in the "wrong hands" these can be
dangerous cracker/hacker tools. So, do some testing before making a
mass switch. You may have some tools to exclude from checking.

It has worked ok here in early testing.

http://vil.nai.com/vil/content/v_100696.htm 
(This is a typical McAfee write-up for a spyware, Adware-180Solutions)

Greg


Greg Little wrote:

The only other really effective way to "prevent further infections" is
to block access to the whole internet.

Greg

PS These Spyware programs have gotten at least as annoying as the
viruses.

Between McAfee and Declude most of the viruses never reach the user
PCs, but several times a week I'm addressing some kind of Spyware
issue.


Re: [Declude.Virus] What is it?

2004-04-29 Thread Greg Little
I've been successful on similar junk by unchecking the pest's startup 
commands in MSConfig.
(Also a good research tool)

Spybot Search and Destroy has an inoculate function.
At a quick glance they add 00's of entries into the HOSTS file. The idea
is that www.WorthlessTrash.com will resolve to 0.0.0.0 so that the
user can't reach it for the initial download (and neither can an
affiliated program that does get through).

The only other really effective way to prevent further infections is
to block access to the whole internet.

Greg
PS These Spyware programs have gotten at least as annoying as the viruses.
Between McAfee and Declude most of the viruses never reach the user
PCs, but several times a week I'm addressing some kind of Spyware issue.




Re: [Declude.Virus] HTA Virus

2004-04-28 Thread Greg Little

It is consistent with the description for Bagle.AA .
McAfee released new DATs about an hour ago. (Others should be
available, now or soon)

Bagle.AA
http://vil.nai.com/vil/content/v_124875.htm

Greg Little

PS Interesting Note. This one (AA) was moving very fast.
This one just made it to a "medium-on-watch" (above a normal medium).
The DATs were released while McAfee (and some other I check) still had
it labeled as "low".
Yesterday's Bagle.Z was getting blocked in quantity here, before any of
the companies I check even had a description posted.

Conclusion.
To have any chance to stop these, you MUST be using extension
blocking.
The new [Invalid XXX files] test in Declude helps a lot also. (As I
recall you need a recent, 2 or 3 weeks old version of Declude for these
tests.)



Jay Calvert wrote:

I intercepted an email today that has a subject of Changes... no message
body and an attachment called the_message.hta.

The hta file is actually VB Script that creates an executable called
qwrk.exe

Anybody recognize this?



Re: [Declude.Virus] Virus with .cpl ext

2004-04-28 Thread Greg Little

Most likely Bagle.AA .
McAfee released new DATs about an hour ago. (Others should be
available, now or soon)

Bagle.AA
http://vil.nai.com/vil/content/v_124875.htm

Greg Little

Jim Matuska wrote:

Has anyone seen any new viruses that are using a .cpl extension? I just received a 24k .cpl attachment that
was not picked up by declude with F-Prot or my local virus scanner.
Any thoughts, also Scott, would you like a copy to your virustrap
account for analysis?



Re: [Declude.Virus] Bannotify and SKIPIFFORGING

2004-04-28 Thread Greg Little

I assume you don't want to send useless (or confusing) messages as the
result of a virus.
Unfortunately most of the banned extension hits are nothing but trash
that should be thrown away.

What I've gone to here is sending the Banned e-mails only to the techs
(mostly me). Then I get to make the judgement call as to whether it's
customer or virus.
If customer, I forward the declude e-mail and the following text to
both the sender and receiver. More manual than I would like but ...
The only info available to make the choice is From, To, Subject and
Extension (and headers)

Greg

PS This also gives you a heads up when (like the last 2 days) there is
a lot of blocked traffic, because a virus is not being trapped by the
DAT files.

We are blocking attachments with the .EXE, .scr, .com, .bat,
.rar, .vbs, .cpl, .hta, .cmd, .pif, .zi and .pi extensions and
password protected .ZIPs,
in an effort to stop viruses that come in using those extensions.

I recommend you change the extension of your file attachment.
You may also place your file(s) inside a non-passworded Zip file.

We are sorry for any inconvenience this may have caused.


Cris Porter wrote:

It would be great to be able to skip sending the ban notify e-mail for
certain file extensions (scr,pif,cpl).

Currently, I'm having to use I-mail rules to delete ban notify messages
for these extensions.



Re: [Declude.Virus] Virus counts?

2004-04-27 Thread Greg Little

Hopefully Greg H will answer your question for "counts"
but, if you want to do it for notification e-mails. (using a %
variable)
You can set a rule in your e-mail to route ones with this phrase to a
place where you will "see" them.

We've had very few of these, but in this case one of the customers we
host "stacy-insurance.com" sent a few Netsky's. So we contacted them
and the viruses quit coming.
(For spoofing viruses, which is almost all nowadays, you won't know the
user name, but may be able to get the domain.)

Greg Little

Declude Virus Ver. 1.79 caught the  the W32/[EMAIL PROTECTED] virus in document.pif
from [Forged] to:  [EMAIL PROTECTED].

Date:   04/13/2004 10:19:27
Subject:Re: Re: Thanks!
Spool File: Df6e7707601540904.SMD
Remote IP:  64.108.112.144

In or Out:  outgoing
recipient host: yahoo.com
Sender Host:bhfqh.com

Headers:
Received: from yahoo.com [64.108.112.144] by mail.stacy-insurance.com with ESMTP
  (SMTPD32-8.05) id A6E770760154; Tue, 13 Apr 2004 10:19:19 -0400

. . .

Bob McGregor wrote:

Greg,

how are you defining the counts inbound/outbound? That would be nice so you know when it's one of your own sending out...

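Greg's notification policy (discard notices for the forging families and forged senders, tell both sides only for a non-forging virus, route banned or outgoing traffic to the techs) and the "In or Out" routing he describes for Bob above both amount to a small triage step over Declude's notification e-mails. The following is added example code, not Declude's or Greg's own: it parses the notice layout Greg quoted and maps each notice to a folder, with a constructed stand-in for his family list and constructed sample notices.

```python
"""Triage of Declude Virus notification e-mails, as described in the thread.

Added example, not Declude's code or Greg's actual rules.  The notice
layout follows the sample Greg quoted; the forging-family list and the
sample notices below are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Stand-in for the "about 20 virus families" Greg treats as sender-forging.
FORGING_FAMILIES = {"netsky", "bagle", "mydoom", "zerolin"}

HEADLINE = re.compile(
    r"caught the\s+(?:the\s+)?(?P<name>.+?) virus in (?P<file>\S+)\s+"
    r"from (?P<sender>\S+) to:\s*(?P<rcpt>[^\n]*)")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$", re.M)


@dataclass
class Notice:
    name: str        # virus name as Declude printed it
    filename: str    # attachment that was caught
    sender: str      # "[Forged]" when Declude could not trust the sender
    direction: str   # "incoming" / "outgoing" from the "In or Out" field
    forged: bool     # sender is unusable for a notification


def parse_notice(text: str):
    """Parse one notification body; return a Notice, or None if it is not one."""
    m = HEADLINE.search(text)
    if not m:
        return None
    fields = {k.strip().lower(): v.strip() for k, v in FIELD.findall(text)}
    name, sender = m.group("name").strip(), m.group("sender")
    # "W32/Netsky.p@MM" -> "netsky"; "JS/Zerolin trojan" -> "zerolin"
    family = re.split(r"[.\s@]", name.split("/")[-1], maxsplit=1)[0].lower()
    return Notice(
        name=name, filename=m.group("file"), sender=sender,
        direction=fields.get("in or out", "unknown").lower(),
        forged=sender == "[Forged]" or family in FORGING_FAMILIES)


def route(n: Notice) -> str:
    """Folder / action for a notice, following the policy Greg describes."""
    if n.direction == "outgoing":
        return "techs-outgoing"   # one of our own hosts is sending: investigate
    if n.forged:
        return "discard"          # a forged sender cannot be usefully notified
    if re.search(r"vulnerab|exploit", n.name, re.I):
        return "discard"          # treated as spam-like junk
    return "notify-both"          # real sender (e.g. macro virus): tell both sides


def triage(bodies):
    """Counts per route for a batch of notification bodies."""
    counts = Counter()
    for body in bodies:
        n = parse_notice(body)
        counts[route(n) if n else "unparsed"] += 1
    return dict(counts)


# Constructed sample notices in the quoted layout.
SAMPLE_FORGED = """Declude Virus Ver. 1.79 caught the  the W32/Netsky.p@MM virus in document.pif
from [Forged] to:  user@example.com.

Date:   04/13/2004 10:19:27
Subject:Re: Re: Thanks!
Remote IP:  192.0.2.10

In or Out:  incoming
recipient host: example.com
Sender Host:bhfqh.example
"""
SAMPLE_OUTGOING = SAMPLE_FORGED.replace("In or Out:  incoming", "In or Out:  outgoing")
SAMPLE_MACRO = """Declude Virus Ver. 1.79 caught the  the W97M/Melissa.A virus in scores.doc
from coach@school.example to:  sports@example.com.

In or Out:  incoming
"""

if __name__ == "__main__":
    for body in (SAMPLE_FORGED, SAMPLE_OUTGOING, SAMPLE_MACRO):
        n = parse_notice(body)
        print(route(n), n)
    print(triage([SAMPLE_FORGED, SAMPLE_OUTGOING, SAMPLE_MACRO]))
```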


Re: [Declude.Virus] Banned Files

2004-04-27 Thread Greg Little
I'll second the need and usefulness of seeing the full file name.
(This becomes more complicated with files inside of zips)
Whenever I get a banned e-mail, I get to decide if it is normal customer
traffic (send an explanation of what extensions are blocked and how to
work around the blocking) or just a new virus or spam (send nothing).
So, the more info (like the full file name) I have, the better I can
guess between customer and junk.

Greg
PS The new [Invalid SCR Vulnerability] and [Invalid COM Vulnerability] 
tests worked GREAT on Monday. They stopped lots of copies of Bagle.Z 
while we were waiting to get new virus definitions. Banned extensions 
got most (all?) of the others.

R. Scott Perry wrote:
No, that is not currently possible.  Declude Virus only knows the 
extension, which is why it is not possible to use a variable for 
that.  This is something that we may change in the future, however.

   -Scott



Re: [Declude.Virus] Virus counts?

2004-04-27 Thread Greg Little
I use a much more low tech technique for this.
Declude E-Mails me (and a couple of other techs) every time it finds a 
virus, Vulnerability or Banned Ext. .
This is around a 1,000 per day lately. (Most of which are just more 
Netsky or Vulnerability junk to ignore)

In the body of the e-mail I dump a variable (as I recall it is in the 
standard templates), but I can get the detail if needed.
That variable returns Incoming or Outgoing.
Once you get that far, I recommend setting up rules within your e-mail 
program to route certain e-mail to a Folder that will get your attention.
(also Banned Extensions should get the same treatment, because these may 
be normal user work that is getting trapped or a very new virus.)

Let us know which part you need help with. (lots of folks can help)
Greg
Bob McGregor wrote:
thanks greg, if you are using unxutils, would you mind sharing how you put the incoming/outgoing together?

We have very few infections (so far) from within our school district but when they do
occur, it would be nice to know it.  It's a great add!
bob





Re: [Declude.Virus] A way to sneak PW zips through server

2004-03-30 Thread Greg Little
Declude can be configured to do several kinds of blocking for these.
Block all non-passworded zips.
Block zips inside of zips.
Until the virus writers use this trick it should be safe to leave this 
door open.
With many different e-mail protection solutions (each handling these 
situations differently), I doubt this trick will catch on.
But if it does, Scott will give us yet another switch for this 
combination or teach us a combination that does this. ;)

PS Thank you.
I plan to share this trick with my local users that want to sneak 
passworded zips through the server.

Greg Little

Jeff Maze - Hostmaster wrote:

suggested that maybe zipping the
password protected zip file would work.  





[Declude.Virus] Suggestion, Whitelist password in subject

2004-03-25 Thread Greg Little
This might be a way to block virus traffic, but allow employees and 
selected customers to send and receive EZip files.
For example, when a virus sample is sent to McAfee's AVERT, they want a 
zip encrypted with the password "infected". Currently I expect that since I'm 
blocking EZips, I could not send a sample to AVERT through my e-mail server.

The danger would be that viruses, etc. might use this system against us. 
As long as each site chose its own (different) White list Code Word, 
and changed it as needed, that risk should be low.
A few viruses (none of the current batch?) have responded to currently 
unanswered e-mails, so that would increase the risk of a virus getting 
through.

The White list Code Word would NOT be related to the Zip file password.
So the subject might be My important and encrypted info [CodeWord$12]
Would we only want to override the ban ezip?
Leave other checking like extension blocking (no EXEs or PIFs) in place?
Still pass the file to the virus scanners?
Although this concept could be extended to white list past all kinds of 
checking, a poorly configured/administered mail server could have some 
huge holes.

I like the idea, but sometimes the details get messy.
For the sites that need to handle EZips, it might be a way to open the 
door and still keep most of the protections in place.

--

Greg Little

Kami Razvan wrote:

Scott:

Just an idea... 

What if you extend the idea of White list password to Declude Virus, for
password protected zip files.
If the subject has a code then the password-protected attachment will
be skipped.  If you can take the subject and delete the password before
passing it on it can work great.. Sort of like the password protected list
in IMail.
This can solve a lot of problems.. But I am sure it can introduce more.

Kami 



[Declude.Virus] How do we block the next Bagle?

2004-03-19 Thread Greg Little
How will we block a virus like Bagle.Q that does not use an auto run 
vulnerability?
There's still no attachment to hand off to the mail server's virus 
scanner(s).
If the body was VERY standard, it could be pattern matched by Declude. 
Add a little random action to the body (and the port used) and here we 
go again.

The latest batch of Bagles (Q, R, S, T) can be blocked because, while not 
a virus, it breaks the rules.
(Auto run using a hole in MS Outlook)

The next version may be the same, except the user has to run it by hand.
Just a 1 K e-mail with a link to a recently compromised PC.
When will it end?? (or at least slow down)

PS Scott,
Thanks for the recently added Vulnerability blocking. (for Q R S  T)
--

Greg Little



Re: [Declude.Virus] Which Scanner is BEST

2004-03-12 Thread Greg Little

My experience with McAfee.
It
then calculates the time between each virus being first spotted
somewhere in the world by the MessageLabs consulting group and the time
when each anti-virus service has a working fix available to the
public (not counting beta versions available only to testers).
The Extra.dat files are Not Beta and are available to the public, but
are not counted.
The Daily DATs are Beta, so are excluded by choice. They are available
to the public, not just testers only.
These versions are always available Very fast. (usually by the time I
see copies arriving)
While these are handy for those of us who keep watch (over companies
and mail servers), they are normally installed manually. Automated
installs are usually just for the regular DATs.

When a virus is found in large numbers in the wild, it is given a
Medium or High risk. Then McAfee will break their weekly update cycle
and release the DAT file ASAP. I do feel they have been too slow on a
couple of the recent viruses to raise it to Medium. (but that's 3 or 4
out of the 30+ recent wild pests). If the virus has been around for a
while, then goes Medium, the DATs are released in a couple of hours. If
the virus goes straight to Medium (spammed release), then it's normally
4 to 6 hours from outbreak (arriving in my mail boxes) to regular DAT
release. 

For the last year or 2 McAfee has discussed doing fully tested Regular
DATs (daily or at least several times per week). I'm guessing that when
the dust settles from the current wave of viruses, they will be
changing their cycle.

Greg Little





Re: [Declude.Virus] declude with mcafee virus scan 8

2004-03-10 Thread Greg Little
VS8 is the Retail product.
As I recall controlling the exclude directories was removed. (to 
simplify the product for the retail market)
VS 7 retail, if you can still find it, should have that feature. Or the 
VS 7 Enterprise.

But the plan to use just one product for on-line scan will be all the 
solution you need.

Greg Little

Venkateswarlu Swarna wrote:

In mcafee
virus scan 8 (Active shield) we don't have option to exclude users and Imail
spool folders.




Re: [Declude.Virus] RE Maybe a Bagle got through

2004-03-10 Thread Greg Little
"invalid archive format" says to me that it may be a corrupted/incomplete copy of the 
virus.
If that's the case, inconsistent identification would be normal.
Sending a copy of the zip to [EMAIL PROTECTED] would let Scott have more info.
Greg Little



EMail Admin wrote:

Scott,
I just had a user send me an email with all the signs of Bagle in it.
Password zip and all.
It came right through to the user and then it was forwarded to me.
When I try to extract the zip on a test system I get "invalid archive
format".
 





Re: [Declude.Virus] Swen not tagged as forging?

2004-03-08 Thread Greg Little

Yes, Swen forges.

I don't send any auto-notice to sender or recipient on forging viruses.
You don't know who the "real" sender is and it does nothing useful for
the recipient to hear "an unknown PC Sent you a virus, but it was
blocked by the server".

For most of the Macro viruses (and some of the other non-forging) you
do want both to get a notice.

Greg Little


This is from F-Secure's site
http://www.f-secure.com/v-descs/swen.shtml

  The attachment name, subject and part of the infected message is
  randomly composed from text strings hardcoded in the worm's body.

  The fake sender's address is selected from the following parts:
  MS, Microsoft, Corporation, Program, Internet, Network, Security,
  Division, Section, Department, Center, Technical, Public, Customer,
  Bulletin, Services, Assistance, Support

  The domain name for these e-mails is selected from the following parts:
  news, bulletin, confidence, advisor, updates, technet, support, newsletters

  The domain suffix for these e-mails is selected from the following parts:
  ms, msn, msdn, microsoft

  followed by one of the following:
  .com, .net



John Tolmachoff (Lists) wrote:

  SWEN is not known to be forging. Every one that I have seen came from
  the sender that was indeed infected.

  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You


Re: [Declude.Virus] Network Associates Products, McAfee what does it catch?

2004-03-05 Thread Greg Little

According to AVERT (McAfee's Virus Lab), their Gateway products are
catching the .J (variable password) files, but the desktops are not.
I read by "Gateway products" they are pulling the password from the
body and using that to unpack and check.

Unless there is a "simple/quick" backdoor/crack for passworded ZIPs for
the AV companies to use, variable password is going to be a BIG pain
for all of us.
There are other variations on the random password problem that would
make "find it in the e-mail" impossible. So, while I see the
short/medium term benefits of "find the password", I doubt that will
be our long term solution.
I would class the "hint/clue type" as only annoying on that scale, they
would tend to follow predictable patterns. (reactive solutions should
be possible)

Another variable in "What does McAfee catch?" is using the Daily DATs.
These are always labeled 4100.
Also the Extra.Dat (think quick patch to the regular DAT files) that
included .H  .I had a generic Zip check. I pull out just that
check and it is getting some of the encrypted zips. Looks like the
static .F version and not the dynamic .J .
(This doesn't add much, except better info. Blocking all pwd protected
zips is currently the only safe plan for most of us.)

Also they claim that a switch added to the command line can cause it to
catch the .J versions.
I blanked out the possible switch until I get to do some more testing
and the dust settles a little. They are evolving daily, just like
Declude. If someone wants to test, e-mail me or AVERT (off list).

Greg Little
Dear Greg,

The following is true:

"We DO still detect the !pwdzip at the gateway. 
We DO NOT detect the !pwdzip at the desktop."

However, you can also detect the !pwdzip by using the Command-Line Scanner
with the / switch.

And:

"Of course, when the user opens the zip and provides the password we will 
still detect the worm and prevent it running."
...

Regards,

Brant Yaeger
Virus Research Analyst
McAfee AVERT (TM)
A division of McAfee, Inc.



