Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
Jaworski
Sent: Monday, July 21, 2008 6:59 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
This also appears to have been out in other forms in the last few days
-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Wiegers
Sent: Tuesday, July 22, 2008 2:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?
Should the built in declude virus scanner scan inside of zip files (when
we used f-prot
I just took the ban off of zips and it looks like it's catching this virus
now.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Wiegers
Sent: Tuesday, July 22, 2008 1:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe
We are seeing them come in. The common static denominators are:
1. Subject line UPS Tracking Number
2. Body contains Unfortunately we were not able to deliver postal package
you sent on July the 1st in time because the recipient's address is not
correct.
Please print out the invoice copy attached
This also appears to have been out in other forms in the last few days. Google
it.
M
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.
Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:
http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
An interesting point is that they have blocked 1.2 million messages by
tackling the text of
Basically that is what ClamAV is doing. It detects it as a phishing spam.
Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment
Gary, you
.
Original Message
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment
Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice
ClamAV is now picking this up as Email.Phishing.RB-686
Original Message
From: Gary Steiner [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 1:48 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment
I started getting some messages
p.s. No, the conversation thread at the end of my posting was not
relevant to the antivirus tip, that was simply poor copy and paste on my
part.
Andrew 8)
Andrew..
Why not block any .exe attachments?
In our system AVG is detecting it.
Kami
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Saturday, December 30, 2006 12:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New
that this will be a real nuisance for those infected.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kami Razvan
Sent: Saturday, December 30, 2006 9:30 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New virus to add to your banned
Sounds like a very popular eBay scam, not a virus.
Was there actually a hostile application attached?
Submit the executable to:
http://www.virustotal.com/en/indexf.html
Or:
http://virusscan.jotti.org/
I believe that both services share unknown executables with the
antivirus vendors.
Or you
I posted virustotal results a half hour ago... did you see them?
Darin.
- Original Message -
From: Grant Griffith [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Tuesday, October 10, 2006 2:17 PM
Subject: RE: [Declude.Virus] New Virus?
It does have a .zip file that contains
, Andrew [EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 1:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
Sounds like a very popular eBay scam, not a virus.
Was there actually a hostile application attached?
Submit the executable to:
http://www.virustotal.com
My logs tell me that we received more than the usual number
of viruses yesterday. These were split into two groups, a version of Bagle
that was released back in June, and a new worm which Trend Micro calls
WORM_STRATION.BD
In the samples I looked at, the messages were fake
bounces with an
t 31, 2006 8:59 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus?
My logs tell me that we received more than the usual
number of viruses yesterday. These were split into two groups, a version
of Bagle that was released back in June, and a new worm which T
I checked and saw just a few of them.
Luis Arango
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karen Mitchell
Sent: Wednesday, August 30, 2006 04:01 p.m.
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus?
I am seeing lots
of
Um, no making fun here - I opened it. I thought it was just spam someone
forwarded it to my spam account. I didn't find the Trojan downloader on my
PC. I'm ASSUMING that you have to hit the check prices macro button as no
macro seemed to auto-execute...
I just downloaded the intelligent
: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
John,
Not to say that this wouldn't be something that is nice to have, I can think
of dozens of things that are very largely useful on a much more regular
basis
:[EMAIL PROTECTED] On
Behalf Of Marc Catuogno
Sent: Wednesday, June 28, 2006 6:03 AM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Um, no making fun here - I opened it. I thought it was just
spam someone forwarded it to my spam
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
(Lists)
Sent: Tuesday, June 27, 2006 5:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Is the word document only named that?
John T
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Matt -
Thanks for keeping track of all of this for the rest of us.
Rob
-Original Message-
David,
I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago. Is this too
supposed to be fixed?
I'm also very,
@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
John,
Not to say that this wouldn't be something that is nice to have, I can
think of dozens of things that are very largely useful on a much more
regular basis. In fact, the current functionality provides
PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David,
I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago. Is this too
supposed to be fixed?
I'm also very
www.declude.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
John,
Not to say that this wouldn't
www.declude.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro
to handle
viruses and spammers.
Mike
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Wednesday, June 28, 2006 3:08 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Matt
Back to the matter indicated in the subject line, how are others dealing
with this?
Is F-Prot and AVG and others catching this now?
Which AV scanners are indeed catching it?
Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
David,
The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete
. But I'm not looking forward to hand
correcting 120 of these a month.
- Original Message -
From: David Barker [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, June 28, 2006 2:07 PM
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Matt,
The CRLF
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Back to the matter indicated in the subject line, how are
others dealing with this?
Is F-Prot and AVG and others catching this now?
Which AV scanners are indeed catching it?
Now for the bigger
PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Wednesday, June 28, 2006 2:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
I haven't seen any yet; I don't know if F-Prot is catching them.
From the published
2:26 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
Importance: Low
I don't know where that character in front of my From sentence came
from. The first character on that line should have been an F.
It must be some kind of weird
Mcafee is catching these Trojan.Myno on my systems.
Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log
Actually, it is CLAMAV catching it. Not sure about McAfee as I stop on
first virus. F-Prot is def. not catching it though.
Darrell
Darrell ([EMAIL PROTECTED]) writes:
Mcafee is catching these Trojan.Myno on my systems.
Darrell
---
Check out
PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 27, 2006 12:08 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Actually, it is CLAMAV catching it. Not sure about McAfee as
I stop
Is the word document only named that?
John T
eServices For You
Seek, and ye shall find!
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New
: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Is the word document only named that?
John T
eServices For You
Seek, and ye shall find!
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Markus Gufler
Sent: Tuesday, June 27, 2006
: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
As I know yes but
BANNAME my_notebook.doc
wouldn't work for files within zip-archives.
Markus
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Tuesday
:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 3:38 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Importance: High
I know. :(
Declude, this is a feature whose time has come.
John T
eServices
y, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus
Is the word document only named that?
John T
eServices For You
"Seek, and ye shall find!"
-Original Message-
From: [EMAIL PROTE
If they are encrypted zips ensure you
have:
BANEXT EZIP
in your virus.cfg
David B
www.declude.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Loughlin
Sent: Friday, June 16, 2006 4:31 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus
Is
anyone
Yes,
04dotzip just came through here but McAfee stopped it. But F-prot not
getting it.
At 04:30 PM 6/16/2006 -0400, you wrote:
Is anyone else seeing new virus zip files getting past F-Prot?
the last one was just numbers.zip
Earlier a few came through with name.zip
Bruce Loughlin
---
This
.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Ncl Admin
Sent: Friday, June 16, 2006 2:03 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus
Yes,
04dotzip just came through here but McAfee stopped it. But
F
and TradersWorld.com if
that's any use.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Ncl Admin
Sent: Friday, June 16, 2006 2:03 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus
Yes,
04dotzip just came
Of
Colbeck, Andrew
Sent: Friday, June 16, 2006 5:31 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus
This is what I've received recently:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EAVSect=T
My F-Prot and Trend Micro do detect
, SURBL/URI integration, MRTG
Integration, and Log Parsers.
- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Friday, June 16, 2006 6:04 PM
Subject: RE: [Declude.Virus] new virus
My F-Prot is finding it but it does not know what it is. Both
, 2006 6:59 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus
Goran,
Do you have exit code 8 also listed for F-Prot in your virus.cfg? If
not
you should.
Darrell
Check out http
])
Sent: Friday, June 16, 2006 6:59 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] new virus
Goran,
Do you have exit code 8 also listed for F-Prot in your
virus.cfg? If
not
you should.
Darrell
Upon further investigation and uploading to VirusTotal, these are a group
that came in from one IP that had corrupted/incomplete file attachments and
were non-viable Kasper viruses.
John T
eServices For You
Seek, and ye shall find!
-Original Message-
From: [EMAIL PROTECTED]
Gufler
Sent: Wednesday, January 18, 2006 1:39 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
That's exactly how I use the notifications.
Markus
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent
Reimer
Sent: Wednesday, January 18, 2006 1:43 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
Should we be blocking .mim file types? One of the new viruses that was
blocked was a .mim file type. What is it used for?
Mark Reimer
IT Project Manager
American
that doesn't detect this
malware.
Andrew.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
I think this started happening after I
that; they're the only big name that
doesn't detect this malware.
Andrew.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New
the only big name that doesn't detect this
malware.
Andrew.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:42 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
I think
s turn out to be flagging a new
worm.
Andrew.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 3:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus?
Regarding the names, this is why I would recommend t
06 3:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus?
Regarding the names, this is why I would recommend that people
completely abandon any form of postmaster and sender bounce messages
for detected viruses...it's just too much to keep up with without
creating backscatter
Subject: RE: [Declude.Virus] New Virus?
I've seen many of this Kapser.A today. I've added it to the
forging virus list and (oops) forgot to write it on the
Declude.Virus list.
As we can see more and more that AV-Companies has forgotten
how to call one Virus using one name we should maybe
That's exactly how I use the notifications.
Markus
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, January 18, 2006 12:48 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?
I agree completely
@declude.com
Subject: RE: [Declude.Virus] New Virus?
I think this started happening after I updated my F-prot
virus defs to 16th.
Does anyone else see this?
Mark Reimer
IT Project Manager
American CareSource
214-596-2464
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Darin,
Would you add these to virus.cfg? Similar to BANEXT?
Thanks,
Dan
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
For those of us
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
Darin,
Would you add these to virus.cfg? Similar to BANEXT?
Thanks,
Dan
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus
:56 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
Yep.
I've added several more today, but haven't had time to research all of the
Bagle, MyTob, and Sober variants to see if this is an exhaustive list of
attachments.
BANNAME accept-terms.zip
BANNAME accepted-password.zip
McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
missing it. My first hit was at 2:08 p.m. EST, just 40 minutes ago and
McAfee seems to have had this one tagged prior to the outbreak starting
since none have slipped through yet.
Matt
Rick Davidson wrote:
heads
I have only seen 5 of these with the following subjects.
hi,_ive_a_new_mail_address
hi, ive a new mail address
Paris Hilton Nicole Richie
and the following attachment
File-packed_dataInfo.exe
I have no idea what the payload is as we delete .exe files before virus
scanning.
All other
Message -
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
McAfee is detecting this currently as W32/[EMAIL PROTECTED] F-Prot is still
missing it. My first hit was at 2:08
should be handled by the CDC. :)
John C
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 2:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
It is coming
@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
It is coming in with a lot of different zip file names and body names now,
I
blocked all zip files and submitted samples
I am really getting hit hard
Rick Davidson
National Systems Manager
North American Title Group
Looks like F-Prot is now catching it as SoberZ
John T
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip
Darin.
- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
If you have Pro version you should be always blocking using BANZIPEXTS ON
and BANEZIPEXTS ON.
John T
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Rick Davidson
Sent
@declude.com
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
If you have Pro version you should be always blocking using
BANZIPEXTS ON
and BANEZIPEXTS ON.
John T
eServices For You
-Original Message-
From: [EMAIL PROTECTED
I am seeing it also. I already submitted it to Mcafee...
My desktop AV (Trend) is detecting it as a Bagle variant...
Don
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:59 AM
Subject: [Declude.Virus]
John,
What do the filenames appear to be - any pattern either filename, subject,
body content etc?
Darrell
John Tolmachoff (Lists) writes:
One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.
They are coming from different IPs
Subject: Re: [Declude.Virus] New virus out?
John,
What do the filenames appear to be - any pattern either filename, subject,
body content etc?
Darrell
John Tolmachoff (Lists) writes:
One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip
])
Sent: Tuesday, May 31, 2005 8:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?
John,
What do the filenames appear to be - any pattern either filename, subject,
body content etc?
Darrell
John Tolmachoff (Lists) writes:
One of the servers I manage
I've gotten a few:
26KB files named 1.zip, 7.zip and work.zip so far
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, May 31, 2005 11:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus
:31 AM
Subject: RE: [Declude.Virus] New virus out?
I've gotten a few:
26KB files named 1.zip, 7.zip and work.zip so far
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, May 31, 2005 11:22 AM
To: Declude.Virus
Yes, a new Bagle and MyTob are out.
See:
http://isc.sans.org/diary.php?date=2005-05-31
http://www.viruslist.com/en/weblog
My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more
: Tuesday, May 31, 2005 6:39 PM
Subject: RE: [Declude.Virus] New virus out?
Yes, a new Bagle and MyTob are out.
See:
http://isc.sans.org/diary.php?date=2005-05-31
http://www.viruslist.com/en/weblog
My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two
]
[mailto:[EMAIL PROTECTED] On Behalf Of Gianbattista
Toffetti Carughi
Sent: Tuesday, May 31, 2005 9:59 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?
This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET)
after scanning the file 8.zip file
Worm.Win32.Bagle.AL
price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip
Michael Jaworski
Puget Sound Network, Inc.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, March
Seems there is something going on, please check your virus logs.
...
There are coming in a lot of messages (SMD-file has a filesize of 23 kByte)
containing zip-files like
BANNAME new__price.zip
BANNAME price_new.zip
BANNAME price.zip
BANNAME price2.zip
F-Prot or Mcafee is already catching
Had some caught with Declude Spam before it hit the virus scanners.
Tyler
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, March 01, 2005 10:25 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New virus
I am seeing it detected as Bagle.BL by F-Prot. It is not being detected
by Mcafee right now.
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And
Imail. IMail/Declude Overflow Queue
F-Prot was catching some price...zips
Mcafee caught one at 6:30
But then this appears:
03/01/2005 09:09:30 Q8599093a02820e36 MIME file: price.zip [base64;
Length=15789 Checksum=2053241]
03/01/2005 09:09:30 Q8599093a02820e36 Banning .ZIP file with exe extension.
03/01/2005 09:09:33
Don't the newer versions of Declude Virus catch the IFRAME vulnerability?
The problem with the current virus strains is that they do not contain any
vulnerability at all
The IFRAME vulnerability exists on the site contained in the body link
Rick Davidson
National Systems Manager
North American
McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml
http://vil.nai.com/vil/content/v_129633.htm
Virus
Characteristics:
This is a
generic detection covering email messages sent by W32/[EMAIL PROTECTED]
and
PROTECTED]
Sent: Wednesday, November 10, 2004 10:05
AM
Subject: Re: [Declude.Virus] New virus
with unusual deployment
McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml http://vil.nai.com/vil/content/v_129633.htm
Anyone hear of this one. It just popped in on an old e-mail account I
reactivated for SPAM testing/control/rule building.
There was an attachment named %domain%.com.zip (e.g. declude.com.zip). Is
it a new variant?
It seems to be a new virus/variant. People are going to open it because it
Hi Jeff,
I just got one of these as well with our domain.com.zip and inside it
was a domain.com.htm.(a lot of spaces).com
My winzip would not extract it to the desktop. Neither F-Prot nor McAfee
on the e-mail server found it and my desktop Symantec v9 did not find it
either.
Bad
: Re: [Declude.Virus] New Virus?
Anyone hear of this one. It just popped in on an old e-mail account
I
reactivated for SPAM testing/control/rule building.
There was an attachment named %domain%.com.zip (e.g.
declude.com.zip).
Is
it a new variant?
It seems to be a new virus/variant
: Monday, July 26, 2004 10:19 AM
Subject: RE: [Declude.Virus] New Virus?
It seems to be a new virus/variant. People are going to open
it because it looks to them like a domain name
(example.com) rather than filename (puppy.com).
Up to now I can't find any com.zip in the vir0726.log file
: Re: [Declude.Virus] New Virus?
Looks like a new MyDoom Virus going around.
We are seeing a lot of them incoming and the latest Mcafee beta definition
files detect it as MyDoom.O
http://vil.nai.com/vil/content/v_127033.htm
Don
- Original Message -
From: Markus Gufler [EMAIL PROTECTED
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New Virus?
Hi Jeff,
I just got one of these as well with our domain.com.zip and inside it was a
domain.com.htm.(a lot of spaces).com
My winzip would not extract it to the desktop. Neither F-Prot nor McAfee on
the e-mail server found it and my
It seems to be a new virus/variant. People are going to open
it because it looks to them like a domain name
(example.com) rather than filename (puppy.com).
Up to now I can't find any com.zip in the vir0726.log file
But in the meantime I've banned .zip attachments on our server.
BANEXT
. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 26, 2004 6:27 PM
Subject: Re: [Declude.Virus] New Virus?
Does anyone have an updated forge list?
This question comes up quite often -- you can always find it in the
sender.eml file at http://www.declude.com/virus/manual.htm
Sounds good. Now the question of the day is...how do we subscribe?
Darin.
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 3:29 PM
Subject: [Declude.Virus] New Virus Alert mailing list for urgent virus
information
FYI, at