RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T (Lists)
Sure it is not some form of the Pebcak virus, Andrew? 

Sorry, couldn't resist. I needed the laugh.

;-)>

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Colbeck,
> Andrew
> Sent: Wednesday, June 28, 2006 2:26 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> Importance: Low
> 
> I don't know where that ">" character in front of my From sentence came
> from.  The first character on that line should have been an "F".
> 
> It must be some kind of weird auto-quoting software; that character is
> not in the email that I sent.
> 
> Andrew 8)
> 




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
I don't know where that ">" character in front of my From sentence came
from.  The first character on that line should have been an "F".

It must be some kind of weird auto-quoting software; that character is
not in the email that I sent.

Andrew 8)

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Colbeck, Andrew
> Sent: Wednesday, June 28, 2006 2:14 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> I haven't seen any yet; I don't know if F-Prot is catching them.
> 
> >From the published information at the antivirus vendors' sites, I'm
> using the BANNAME feature, e.g.
> 
> BANNAME My_Notebook.doc
> 
> And further, I catch most of the viruses as junkmail because 
> they typically come from zombie machines, so they're heavily 
> IP4R listed.
> 
> I do use a SKIPATTACH filter (which I've previously shared on 
> the list, so it's in the web archive if anyone wants it) and 
> I've lowered the weight of that.
> 
> I don't think this virus is spreading well, it's not 
> receiving much attention, and Trend Micro's statistics graph 
> is flatlined.  I think if your mailserver is getting them, 
> you'll continue to get them, otherwise, it's not very likely.
> 
> Andrew 8)
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > John T (Lists)
> > Sent: Wednesday, June 28, 2006 1:06 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> > Macro-Virus
> > 
> > Back to the matter indicated in the subject line, how are others 
> > dealing with this?
> > 
> > Are F-Prot and AVG and others catching this now?
> > 
> > Which AV scanners are indeed catching it?
> > 
> > Now for the bigger question: How do we combat this and future such 
> > versions without outright blocking of the file extension? 
> > We all know that relying on users to not open attachments is problematic.
> > 
> > John T
> > eServices For You
> > 
> > "Seek, and ye shall find!"
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 





RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
I haven't seen any yet; I don't know if F-Prot is catching them.

From the published information at the antivirus vendors' sites, I'm
using the BANNAME feature, e.g.

BANNAME My_Notebook.doc

And further, I catch most of the viruses as junkmail because they
typically come from zombie machines, so they're heavily IP4R listed.

I do use a SKIPATTACH filter (which I've previously shared on the list,
so it's in the web archive if anyone wants it) and I've lowered the
weight of that.

I don't think this virus is spreading well, it's not receiving much
attention, and Trend Micro's statistics graph is flatlined.  I think if
your mailserver is getting them, you'll continue to get them, otherwise,
it's not very likely.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of John T (Lists)
> Sent: Wednesday, June 28, 2006 1:06 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Back to the matter indicated in the subject line, how are 
> others dealing with this?
> 
> Are F-Prot and AVG and others catching this now?
> 
> Which AV scanners are indeed catching it?
> 
> Now for the bigger question: How do we combat this and future 
> such versions without outright blocking of the file 
> extension? We all know that relying on users to not open 
> attachments is problematic.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> 
> 
> 
> 


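Andrew's BANNAME line above matches on the attachment's own filename; as a quoted reply later in this thread notes, a BANNAME entry does not match a file of that name stored inside a zip archive. The following is an added example, not Declude code and not anything posted in the thread, of applying a BANNAME-style list to the members of a zip attachment in Python, including zips nested inside zips. The ban list, the depth and size limits, and the sample archive are assumptions constructed for the example.

```python
# Added example (not Declude code): apply a BANNAME-style filename ban list
# to the members of a zip attachment, which a plain BANNAME on the attachment
# name alone does not see. The ban list, the nesting depth and the size
# limits below are assumptions made for the example.
import fnmatch
import io
import zipfile

# Constructed ban list, modelled on the "BANNAME My_Notebook.doc" line in the
# thread. Matching is case-insensitive and glob-style.
BANNED_NAMES = ["My_Notebook.doc", "*.exe", "*.scr"]

MAX_DEPTH = 3                          # zip-in-zip levels we are willing to open
MAX_MEMBER_BYTES = 16 * 1024 * 1024    # refuse to decompress anything larger
MAX_RATIO = 100                        # uncompressed/compressed ratio that stops us


def _is_banned(name: str) -> bool:
    # Compare on the basename only; a member stored as "docs/x.doc" still counts.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatch(base, pat.lower()) for pat in BANNED_NAMES)


def scan_zip_bytes(data: bytes, depth: int = 0) -> list:
    """Return a list of findings (strings) for a zip given as bytes.

    Findings are banned member names or refusals (too deep, too big,
    suspicious compression ratio, unreadable archive). Empty list means clean.
    """
    findings = []
    if depth > MAX_DEPTH:
        return ["refused: nesting deeper than %d" % MAX_DEPTH]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An archive the scanner cannot open is a bypass candidate; flag it.
        return ["refused: not a readable zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if _is_banned(info.filename):
                findings.append("banned member: %s" % info.filename)
                continue
            # Guard against decompression bombs before reading any member.
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append("refused: %s exceeds size limit" % info.filename)
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append("refused: %s compression ratio too high" % info.filename)
                continue
            if info.filename.lower().endswith(".zip"):
                inner = zf.read(info.filename)
                findings.extend(
                    "%s -> %s" % (info.filename, f)
                    for f in scan_zip_bytes(inner, depth + 1)
                )
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the banned document hidden one zip level down.
    inner = build_sample_zip({"My_Notebook.doc": b"not a real document"})
    outer = build_sample_zip({"invoice.zip": inner, "readme.txt": b"hello"})
    for finding in scan_zip_bytes(outer):
        print(finding)
```

A refusal (unreadable archive, too deep, too large) should be scored or quarantined like a banned name rather than passed through, since an archive the scanner cannot open is exactly what a bypass looks like, and the size and ratio limits are there because the mail gateway is where a decompression bomb would be aimed.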



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Ncl Admin
John,

I think that F-prot now is getting it.

Subject: Declude Virus caught a virus
X-Mailer: 
X-Declude-Sender: postmaster [127.0.0.1]
X-Note: Spam Score: 0
X-Note: SMTP Sender: postmaster
X-Note: Reverse DNS & IP: (Private IP) [127.0.0.1]
X-Country-Chain: 
X-Note: To: nclife.com
X-RCPT-TO: <[EMAIL PROTECTED]>

Declude Virus v2.0.6.16 caught the  W32/[EMAIL PROTECTED] virus in tySfRhC.zip
from [EMAIL PROTECTED] to: 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Darrell ([EMAIL PROTECTED])
John, 

CLAMAV is catching it on my systems. 

Darrell 


---
fpReview - Review held mail easily and quickly.
http://www.invariantsystems.com 

John T (Lists) writes: 


Back to the matter indicated in the subject line, how are others dealing
with this? 

Are F-Prot and AVG and others catching this now? 

Which AV scanners are indeed catching it? 


Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic. 


John T
eServices For You 

"Seek, and ye shall find!" 

 










Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Scott Fisher

> as every instance we have seen of this has been invalid email.


I certainly regularly receive incorrectly formatted email. I'm pretty small 
volume, but looking over my logs (I have an external test for this 
condition), it is 111 non-spam messages this month.


My email volume is pretty low. But I'm not looking forward to hand 
correcting 120 of these a month.



- Original Message - 
From: "David Barker" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, June 28, 2006 2:07 PM
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus



Matt,

The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp, if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are 
dealing

with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed 
at

the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid 
email.


The Long base 64 encoding is a similar issue whereby the mail server 
should

deal with these before they get to Declude as such emails are clearly in
violation of the RFC's and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level, have you contacted Imail and asked
for their response and/or fix ?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically determined with a great deal of ease (a simple regexp), 
and

Declude could insert its headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed 
at

this point.  This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one 
that
is widely reported, I can't responsibly rely on that product.  It is 
pretty

much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patched for a 
critical

flaw.  I consider both the Mail From issue and the base 64 encoding issues
to be critical flaws that warrant immediate fixes.  I am not alone in 
this.

If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on 
Declude
altogether.  These things should be fixed in hours or days and not weeks 
or

months when they occur.

I assume that you are not the person making these development decisions, 
so

this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making 
sure

that Declude can respond rapidly to such things not just now, but as they
occur in the future.

Thanks,

Matt




David Barker wrote:

Matt,

Headers not using proper CRLF line breaks is currently being tested
using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and
test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in
the Mail
From's that caused massive spam leakage almost a month ago.  Is this
too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base
64
e

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt

David,

Mail servers have absolutely no requirement to inspect the contents of 
the data.  This is Declude's job to do.  Additionally, most mail clients 
do support both the CR flaw as well as the long base64  encoding flaw, 
so anything making it past Declude due to the holes created by these 
bugs is a critical flaw.  There are so many things out there that 
violate the RFC's, it's almost not even worth arguing about who's 
responsibility it is since these things definitely exist and need to be 
dealt with appropriately.


The issue with the CR's and Declude is not technically a "vulnerability" 
for any application out there besides Declude itself.  Vulnerabilities 
in Declude have historically been formatting supported by mail clients 
which could be used to sneak past encoded attachments or scripting which 
could cause auto-execution or bypassing of virus scanners.  The 
vulnerability only exists because Declude's SUBJECT action and header 
appending does not work appropriately, and some people chose to filter 
on such things instead of relying on other actions.


I do in fact receive legitimate E-mail that have only CR's.  Any PHP 
programmer out there can make this mistake just like multiple vendors 
are violating RFC's by including a space in the SMTP commands where they 
don't belong, or adding headers that don't properly bracket IP's, etc.  
If this is introduced as a vulnerability, I want to turn it off.  The 
reason is because I don't want to scan a directory full of Q and D files 
searching for false positives, and I know that they will exist.  Others 
may be less anal about this, or have different traffic patterns that 
isolates them from such issues, or might simply not care.  Ultimately 
however, if you just simply placed the Declude inserted headers in the 
best possible place (before the first ) then this wouldn't be an 
issue.


I find it hard to believe that no one there can figure out how to do that.

Regardless of who is right or wrong, right now every Declude user is 
vulnerable to viruses that may exploit the holes created by the base64 
encoding error and the invalid character in the Mail From error.  There 
is a virus that has been spreading for over a year that bypasses 
Declude's Virus' calling of virus scanners due to the long encoding 
lines, and the only reason why this hasn't become an issue is because he 
only sends EXE's which most of us block by default and only causes 
backscatter.  If someone were to write a virus that was in a zip or a 
DOC though, which most of us don't block, it would bypass our virus 
scanners 100% of the time.  If they wanted to exploit some scripting 
holes in mail clients, all they would have to do is send with a non 
ASCII character in the Mail From and they're good to go right past 
Declude.  This is why these things are critical in nature.


I don't want to continually bring this stuff up, I just want you guys to 
get it.  Pretend for a second that I am right, and then look back at 
what you are doing.  Please.


Matt



David Barker wrote:


Matt,

The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp, if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid email.

The Long base 64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFC's and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level, have you contacted Imail and asked
for their response and/or fix ?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically d
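Matt's point above is that the header/body boundary of a message can be located regardless of whether the line breaks are CRLF, bare LF or bare CR, and that scanner headers belong before that boundary rather than at the bottom of the message. The following is an added example in Python, not Declude's code and not anything Matt posted, that shows a CRLF-only search finding no boundary in a CR-only message (which is how headers end up appended after the body) beside a line-ending-tolerant version that inserts them in the right place. The sample messages and the X-Test header are constructed for the example.

```python
# Added example (not Declude code): find the end of the header block in a raw
# message whatever its line-break style (CRLF, LF or CR), and insert new
# header lines before that boundary instead of after the body.
# The sample messages and the X-Test header below are constructed.
import re

# One line break of any style. A "\r" followed by "\n" is never taken as a
# bare CR, so a single CRLF can never be mistaken for two line breaks.
_EOL = rb"(?:\r\n|\r(?!\n)|\n)"
_EOL_RE = re.compile(_EOL)
# The boundary is the first empty line: two line breaks back to back.
_BOUNDARY_RE = re.compile(b"(" + _EOL + b")(" + _EOL + b")")


def naive_header_end(raw: bytes) -> int:
    """What a CRLF-only implementation does: -1 unless the message has CRLF CRLF."""
    return raw.find(b"\r\n\r\n")


def find_header_end(raw: bytes):
    """Return (end_of_headers, start_of_body, eol), or None if there is no blank line.

    end_of_headers is the offset just past the last header line's line break,
    start_of_body the offset just past the blank line, and eol the line break
    used by that blank line, so inserted headers can match the message.
    """
    m = _BOUNDARY_RE.search(raw)
    if m is None:
        return None
    return m.start() + len(m.group(1)), m.end(), m.group(1)


def split_headers(raw: bytes):
    """Split into (list of header lines, body bytes). Folded header lines are
    not unfolded here; that is a separate step and not the point of the example."""
    found = find_header_end(raw)
    if found is None:
        return [line for line in _EOL_RE.split(raw) if line], b""
    end, start, _ = found
    return [line for line in _EOL_RE.split(raw[:end]) if line], raw[start:]


def _guess_eol(raw: bytes) -> bytes:
    """Pick the line-break style of a message that has no blank line."""
    if b"\r\n" in raw:
        return b"\r\n"
    if b"\n" in raw:
        return b"\n"
    if b"\r" in raw:
        return b"\r"
    return b"\r\n"


def insert_headers(raw: bytes, new_headers) -> bytes:
    """Insert header lines (bytes, no line breaks) before the header/body
    boundary, using the message's own line-break style. A message with no
    blank line at all is treated as headers only and the lines are appended."""
    found = find_header_end(raw)
    if found is None:
        eol = _guess_eol(raw)
        head = raw if raw.endswith(eol) else raw + eol
        return head + eol.join(new_headers) + eol
    end, _, eol = found
    return raw[:end] + eol.join(new_headers) + eol + raw[end:]


# Constructed samples: the same message with three line-break styles.
CRLF_MSG = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
LF_MSG = b"From: a@example.com\nSubject: hi\n\nbody\n"
CR_MSG = b"From: a@example.com\rSubject: hi\r\rbody\r"

if __name__ == "__main__":
    for name, msg in (("CRLF", CRLF_MSG), ("LF", LF_MSG), ("CR", CR_MSG)):
        print(name, "naive:", naive_header_end(msg), "tolerant:", find_header_end(msg))
        print(insert_headers(msg, [b"X-Test: 1"]))
```

On the CR-only sample the naive search returns -1, so code built on it has nowhere to put its headers except the end of the data; the tolerant version finds the blank line at the same place in all three samples and keeps the message's own line-break style when it inserts. Whether a mail client will then render a CR-only message is a separate question from whether the scanner can find its boundary.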

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T (Lists)
Back to the matter indicated in the subject line, how are others dealing
with this?

Are F-Prot and AVG and others catching this now?

Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic.

John T
eServices For You

"Seek, and ye shall find!"







RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Michael Thomas - Mathbox
David,

From my point of view, the problem with that response is that if Imail
handle all the issues presented by abnormal mail messages, we would not need
Declude. Imail handles normal messages just fine. If it were not for viruses
and spammers, we would not see these problems. We got Declude to handle
viruses and spammers.

Mike

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Barker
> Sent: Wednesday, June 28, 2006 3:08 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Matt,
>  
> The CRLF problem has more to do with the email server and not Declude,
> emails that are so badly broken should be either rejected by the email
> server or these headers should be standardized by the email server.
> Either way this is a much more complex issue than you make it 
> out to be, by
> just fixing it with a simple regexp, if it was as easy as 
> that, do you not
> think we would have done this already ?
> 
> "Introducing tests to score conditions that one's software 
> does not handle
> correctly is not a fix, it's a work-around." This is not how 
> we are dealing
> with this issue, it is not an additional Spam test as I 
> clearly stated we
> are dealing with this as a vulnerability because this should 
> be addressed at
> the email server level and not Declude, therefore the message will be
> quarantined - as every instance we have seen of this has been 
> invalid email.
> 
> The Long base 64 encoding is a similar issue whereby the mail 
> server should
> deal with these before they get to Declude as such emails are 
> clearly in
> violation of the RFC's and should be treated as suspect from the very
> beginning.
> 
> To conclude, we are making every effort to address these 
> issues because it
> is not being done at the server level, have you contacted 
> Imail and asked
> for their response and/or fix ?
> 
> David B
> www.declude.com
> ____
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Matt
> Sent: Wednesday, June 28, 2006 2:48 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> 
> David,
> 
> The CRLF thing doesn't affect me since I have my own 
> solution, however for
> those that use Subject tagging, adding another test won't 
> help unless they
> decide to just simply delete such messages.  The header 
> boundary could be
> programmatically determined with a great deal of ease (a 
> simple regexp), and
> Declude could insert its headers into the correct place if 
> this was done.
> Introducing tests to score conditions that one's software 
> does not handle
> correctly is not a fix, it's a work-around.
> 
> Regarding the other things, I'm very alarmed that the 
> official position is
> still not even recognizing that these bugs surely exist, much 
> less fixed at
> this point.  This concerns me greatly since I rely on this 
> product for my
> business, and if it takes months to just confirm a bug, 
> especially one that
> is widely reported, I can't responsibly rely on that product. 
>  It is pretty
> much the same thing as having a virus scanner that takes 
> months to catch a
> particular virus, or having a Web browser that is never patched 
> for a critical
> flaw.  I consider both the Mail From issue and the base 64 
> encoding issues
> to be critical flaws that warrant immediate fixes.  I am not 
> alone in this.
> If you don't have a lot of people still griping about this 
> stuff, it is
> because they are either not aware of the flaws, or they have 
> already given
> up on trying to get you guys to fix them, or given up on 
> relying on Declude
> altogether.  These things should be fixed in hours or days 
> and not weeks or
> months when they occur.
> 
> I assume that you are not the person making these development 
> decisions, so
> this isn't directed at you, but those that make the calls 
> need to fully
> understand the critical nature of these flaws, and their role 
> in making sure
> that Declude can respond rapidly to such things not just now, 
> but as they
> occur in the future.
> 
> Thanks,
> 
> Matt
> 
> 
> 
> 
> David Barker wrote: 
> 
>   Matt,
>   
>   Headers not using proper CRLF line breaks is currently 
> being tested
> using
>   the new vulnerability NONSTANDARDCRLF test.
>   
>   As for these items they are on the list for engineers 
> to confirm and
> test
>   a

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
Matt,
 
The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp, if it was as easy as that, do you not
think we would have done this already ?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid email.

The Long base 64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFC's and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level, have you contacted Imail and asked
for their response and/or fix ?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically determined with a great deal of ease (a simple regexp), and
Declude could insert its headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed at
this point.  This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one that
is widely reported, I can't responsibly rely on that product.  It is pretty
much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patched for a critical
flaw.  I consider both the Mail From issue and the base 64 encoding issues
to be critical flaws that warrant immediate fixes.  I am not alone in this.
If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not weeks or
months when they occur.

I assume that you are not the person making these development decisions, so
this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making sure
that Declude can respond rapidly to such things not just now, but as they
occur in the future.

Thanks,

Matt




David Barker wrote: 

Matt,

Headers not using proper CRLF line breaks is currently being tested
using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and
test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matt
Sent: Wednesday, June 28, 2006 1:49 PM
        To: declude.virus@declude.com
    Subject: Re: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in
the Mail
From's that caused massive spam leakage almost a month ago.  Is this
too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base
64
encoding causing Declude Virus to fail decoding, WHITELIST IP being
applied
before IPBYPASS, and the issue where Declude's headers are inserted
at the
bottom of the message when the headers don't use proper CRLF line
breaks?

Thanks,

Matt



David Barker wrote:

  

   

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Ncl Admin
All of these issues are why I am still on version 2.x.x as well.  I have
been waiting for their resolution for some time while patiently paying my
support fees.



At 01:48 PM 6/28/2006 -0400, you wrote:
>David,
>
>I'm just wondering about the issue with the invalid characters in the 
>Mail From's that caused massive spam leakage almost a month ago.  Is 
>this too supposed to be fixed?
>
>I'm also very, very curious about the other bugs such as long base 64 
>encoding causing Declude Virus to fail decoding, WHITELIST IP being 
>applied before IPBYPASS, and the issue where Declude's headers are 
>inserted at the bottom of the message when the headers don't use proper 
>CRLF line breaks?
>
>Thanks,
>
>Matt
>
>
>
>David Barker wrote:
>
>>I have added the request to the wish list. We are focusing on replicating
>>problems and fixing items from the list I had posted earlier last week. We
>>are looking to do a release Thursday 8 July it is currently under going
>>testing. This is all obviously subject to change just trying to keep you
>>informed.
>> 
>>Items in next release:
>> 
>>1. Fix - ALLOWVULNERABILITIESFROM - full email address only 
>>
>>2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path  
>> 
>>3. Add - Error in SM envelope file: if errors are found the mail will be
>>moved to the error directory
>>
>>4. Add - If the headers files are not found then the data file is moved to
>>error directory. 
>>
>>5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
>>for the end of the headers. 
>>
>>David B
>>www.declude.com
>>
>>____
>>
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
>>Sent: Tuesday, June 27, 2006 7:04 PM
>>To: declude.virus@declude.com
>>Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>>
>>
>>John,
>>
>>Not to say that this wouldn't be something that is nice to have, I can think
>>of dozens of things that are very largely useful on a much more regular
>>basis.  In fact, the current functionality provides an appropriate mechanism
>>for blocking these as-is.
>>
>>I would just simply like to see Declude catch up by fixing the known bugs
>>first.  When they catch up, then certainly they should consider feature
>>requests, but it would make sense focus on new tests and improving existing
>>ones, along with refining functionality.  I will personally continue to hold
>>back from such discussions until it is clear that they are capable of
>>handling the bugs.
>>
>>Sorry to make an example of you here; that's not the intention of course.  I
>>just thought that it would be constructive to point this stuff out for the
>>benefit of Declude and it's customers alike.
>>
>>Matt
>>
>>
>>
>>John T (Lists) wrote: 
>>
>>  I know. :(
>>  
>>  Declude, this is a feature whose time has come.
>>  
>>  John T
>>  eServices For You
>>  
>>  "Seek, and ye shall find!"
>>  
>>  
>>
>>
>>  -Original Message-
>>  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>>Behalf Of Markus
>>  Gufler
>>  Sent: Tuesday, June 27, 2006 3:10 PM
>>  To: declude.virus@declude.com
>>  Subject: RE: [Declude.Virus] New Virus: zipped word doc with
>>Macro-Virus
>>  
>>          As I know yes but
>>  
>>      BANNAME my_notebook.doc
>>  
>>  wouldn't work for files within zip-archives.
>>  
>>  Markus
>>  
>>  
>>
>>  -Original Message-
>>  From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On
>>  Behalf Of John T (Lists)
>>  Sent: Tuesday, June 27, 2006 11:48 PM
>>  To: declude.virus@declude.com
>>  Subject: RE: [Declude.Virus] New Virus: zipped word
>>doc with
>>  Macro-Virus
>>              
>>      Is the word document only named that?
>>  
>>  John T
>>  eServices For You
>> 

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt




David,

The CRLF thing doesn't affect me since I have my own solution, however
for those that use Subject tagging, adding another test won't help
unless they decide to just simply delete such messages.  The header
boundary could be programmatically determined with a great deal of ease
(a simple regexp), and Declude could insert its headers into the
correct place if this was done.  Introducing tests to score conditions
that one's software does not handle correctly is not a fix, it's a
work-around.

Regarding the other things, I'm very alarmed that the official position
is still not even recognizing that these bugs surely exist, much less
fixed at this point.  This concerns me greatly since I rely on this
product for my business, and if it takes months to just confirm a bug,
especially one that is widely reported, I can't responsibly rely on
that product.  It is pretty much the same thing as having a virus
scanner that takes months to catch a particular virus, or having a Web
browser that is never patched for a critical flaw.  I consider both the
Mail From issue and the base 64 encoding issues to be critical flaws
that warrant immediate fixes.  I am not alone in this.  If you don't
have a lot of people still griping about this stuff, it is because they
are either not aware of the flaws, or they have already given up on
trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not
weeks or months when they occur.

I assume that you are not the person making these development
decisions, so this isn't directed at you, but those that make the calls
need to fully understand the critical nature of these flaws, and their
role in making sure that Declude can respond rapidly to such things not
just now, but as they occur in the future.

Thanks,

Matt




David Barker wrote:

  Matt,

Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.

As for these items, they are on the list for engineers to confirm and test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt



David Barker wrote:

  
  
I have added the request to the wish list. We are focusing on 
replicating problems and fixing items from the list I had posted 
earlier last week. We are looking to do a release Thursday 8 July; it is 
currently undergoing testing. This is all obviously subject to change, 
just trying to keep you informed.

Items in next release:

1. Fix - ALLOWVULNERABILITIESFROM - full email address only

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path

3. Add - Error in SM envelope file: if errors are found the mail will 
be moved to the error directory

4. Add - If the headers files are not found then the data file is moved 
to error directory.

5. Add - A new vulnerability test NONSTANDARDCRLF will be included to 
check for the end of the headers.

David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, I can 
think of dozens of things that are very largely useful on a much more 
regular basis.  In fact, the current functionality provides an 
appropriate mechanism for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known 
bugs first.  When they catch up, then certainly they should consider 
feature requests, but it would make sense to focus on new tests and 
improving existing ones, along with refining functionality.  I will 
personally continue to hold back from such discussions until it is 
clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of 
course.  I just thought that it would be constructive to point this 
stuff out for the benefit of Declude and it'
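
The header-boundary point Matt raises above (a filter that only recognises CRLF CRLF ends up appending its headers at the bottom of a message whose headers use bare LF), as an added example that is not part of the original thread and is not Declude's code: a small Python routine that finds the end of the header block whether the message uses CRLF, bare LF, bare CR or a mix of them, reports whether the header section is standard (the condition a test such as NONSTANDARDCRLF would score), and inserts a new header just before the blank separator line rather than at the end of the message. The naive `find(b"\r\n\r\n")` beside it shows the failure mode. The sample messages and the header name X-Declude-Example are constructed for this example.

```python
import re

# One line terminator: CRLF (what RFC 5322 requires), a bare LF, or a bare CR
# that is not the first half of a CRLF. The lookahead stops the regex engine
# from backtracking a CRLF into "CR" + "LF" and mistaking it for a blank line.
_EOL = rb"(?:\r\n|\n|\r(?!\n))"

# A blank line is two consecutive terminators: group 1 ends the last header
# line, group 2 is the empty separator line itself.
_BLANK_LINE = re.compile(b"(" + _EOL + b")(" + _EOL + b")")

# A terminator that is not CRLF: LF with no CR before it, or CR with no LF after.
_NONSTANDARD_EOL = re.compile(rb"(?<!\r)\n|\r(?!\n)")


def naive_header_end(raw: bytes) -> int:
    """The fragile approach: look only for CRLF CRLF.

    Returns -1 for a message whose headers end with bare LF, which is how a
    filter ends up appending its headers after the body instead.
    """
    return raw.find(b"\r\n\r\n")


def split_headers(raw: bytes):
    """Split a raw message into (header_block, body).

    header_block keeps the terminator of its last header line; the blank
    separator line is dropped. A message with no blank line at all is treated
    as headers only, with an empty body.
    """
    m = _BLANK_LINE.search(raw)
    if m is None:
        return raw, b""
    return raw[: m.end(1)], raw[m.end():]


def header_line_endings_are_standard(raw: bytes) -> bool:
    """True when every terminator up to and including the separator is CRLF."""
    m = _BLANK_LINE.search(raw)
    header_section = raw if m is None else raw[: m.end()]
    return _NONSTANDARD_EOL.search(header_section) is None


def insert_header(raw: bytes, name: str, value: str) -> bytes:
    """Add 'name: value' as the last header, before the blank line, whatever
    terminators the message uses. The new header is CRLF-terminated; the
    original separator and body are left exactly as they were.
    """
    new_header = f"{name}: {value}\r\n".encode("ascii")
    m = _BLANK_LINE.search(raw)
    if m is None:
        # Headers-only message: terminate the last header line if needed,
        # then append the header and a proper CRLF separator.
        header_block = raw
        if header_block and not header_block.endswith((b"\n", b"\r")):
            header_block += b"\r\n"
        return header_block + new_header + b"\r\n"
    return raw[: m.end(1)] + new_header + m.group(2) + raw[m.end():]


# Constructed sample messages, not captured traffic.
GOOD = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody line\r\n"
BARE_LF = b"From: a@example.com\nTo: b@example.com\nSubject: hi\n\nbody\n"
MIXED = b"From: a@example.com\r\nTo: b@example.com\nSubject: hi\r\n\nbody\r\n"
NO_BODY = b"From: a@example.com\r\nSubject: x\r\n"

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bare LF", BARE_LF), ("mixed", MIXED)):
        print(label, "| naive end:", naive_header_end(msg),
              "| standard CRLF:", header_line_endings_are_standard(msg))
    print(insert_header(BARE_LF, "X-Declude-Example", "NONSTANDARDCRLF"))
```

The regex does the work in one pass over the raw bytes, so it costs nothing extra on well-formed mail; the only design choice worth noting is that the inserted header is always CRLF-terminated while the message's own separator is preserved, so a downstream parser sees the message exactly as it arrived plus one correctly placed header.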

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
Matt,

Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.

As for these items, they are on the list for engineers to confirm and test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt



David Barker wrote:

>I have added the request to the wish list. We are focusing on 
>replicating problems and fixing items from the list I had posted 
>earlier last week. We are looking to do a release Thursday 8 July; it is 
>currently undergoing testing. This is all obviously subject to change, 
>just trying to keep you informed.
> 
>Items in next release:
> 
>1. Fix - ALLOWVULNERABILITIESFROM - full email address only
>
>2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path
> 
>3. Add - Error in SM envelope file: if errors are found the mail will 
>be moved to the error directory
>
>4. Add - If the headers files are not found then the data file is moved 
>to error directory.
>
>5. Add - A new vulnerability test NONSTANDARDCRLF will be included to 
>check for the end of the headers.
>
>David B
>www.declude.com
>
>
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
>Matt
>Sent: Tuesday, June 27, 2006 7:04 PM
>To: declude.virus@declude.com
>Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
>Macro-Virus
>
>
>John,
>
>Not to say that this wouldn't be something that is nice to have, I can 
>think of dozens of things that are very largely useful on a much more 
>regular basis.  In fact, the current functionality provides an 
>appropriate mechanism for blocking these as-is.
>
>I would just simply like to see Declude catch up by fixing the known 
>bugs first.  When they catch up, then certainly they should consider 
>feature requests, but it would make sense to focus on new tests and 
>improving existing ones, along with refining functionality.  I will 
>personally continue to hold back from such discussions until it is 
>clear that they are capable of handling the bugs.
>
>Sorry to make an example of you here; that's not the intention of 
>course.  I just thought that it would be constructive to point this 
>stuff out for the benefit of Declude and its customers alike.
>
>Matt
>
>
>
>John T (Lists) wrote: 
>
>   I know. :(
>   
>   Declude, this is a feature whose time has come.
>   
>   John T
>   eServices For You
>   
>   "Seek, and ye shall find!"
>   
>   
> 
>
>   -Original Message-----
>       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of 
>Markus
>   Gufler
>   Sent: Tuesday, June 27, 2006 3:10 PM
>   To: declude.virus@declude.com
>   Subject: RE: [Declude.Virus] New Virus: zipped word doc with

>Macro-Virus
>   
>   As far as I know yes, but
>   
>   BANNAME my_notebook.doc
>   
>   wouldn't work for files within zip-archives.
>   
>   Markus
>   
>   
>
>           -----Original Message-----
>   From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On
>   Behalf Of John T (Lists)
>   Sent: Tuesday, June 27, 2006 11:48 PM
>   To: declude.virus@declude.com
>   Subject: RE: [Declude.Virus] New Virus: zipped word
doc with
>   Macro-Virus
>   
>   Is the word document only named that?
>   
>   John T
>   eServices For You
>   
>   "Seek, and ye

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Robert Grosshandler
Matt -

Thanks for keeping track of all of this for the rest of us.

Rob 

-Original Message-

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt

---
[This E-mail scanned for viruses by Declude Virus]



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt

David,

I'm just wondering about the issue with the invalid characters in the 
Mail From's that caused massive spam leakage almost a month ago.  Is 
this too supposed to be fixed?


I'm also very, very curious about the other bugs such as long base 64 
encoding causing Declude Virus to fail decoding, WHITELIST IP being 
applied before IPBYPASS, and the issue where Declude's headers are 
inserted at the bottom of the message when the headers don't use proper 
CRLF line breaks?


Thanks,

Matt



David Barker wrote:


I have added the request to the wish list. We are focusing on replicating
problems and fixing items from the list I had posted earlier last week. We
are looking to do a release Thursday 8 July; it is currently undergoing
testing. This is all obviously subject to change, just trying to keep you
informed.

Items in next release:

1. Fix - ALLOWVULNERABILITIESFROM - full email address only 

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path  


3. Add - Error in SM envelope file: if errors are found the mail will be
moved to the error directory

4. Add - If the headers files are not found then the data file is moved to
error directory. 


5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
for the end of the headers. 


David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, I can think
of dozens of things that are very largely useful on a much more regular
basis.  In fact, the current functionality provides an appropriate mechanism
for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known bugs
first.  When they catch up, then certainly they should consider feature
requests, but it would make sense to focus on new tests and improving existing
ones, along with refining functionality.  I will personally continue to hold
back from such discussions until it is clear that they are capable of
handling the bugs.

Sorry to make an example of you here; that's not the intention of course.  I
just thought that it would be constructive to point this stuff out for the
benefit of Declude and its customers alike.

Matt



John T (Lists) wrote: 


I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


	  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners ca

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Kami Razvan
Hi John:

I have received 3 of these that are not in zip files.

My_new_comp.doc
About_me.doc
Hp_laptops.doc

All are similar in concept, with the following in the body and different
subjects.  The name after "Hello" is also different.

---
Hello Cristian Asanachescu


Regards, "Cristian Asanachescu" 


Or
-
Hello Patricia Myrose


Regards, "Patricia Myrose" 
-

All files are 52 KB attachments.

I am trying to see why it was not caught as a virus.  It does not look right.

Regards,
Kami
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
(Lists)
Sent: Tuesday, June 27, 2006 5:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"







RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
Marc, check the contents of your c:\ for 666INSE_1.EXE as this is the
dropper file that the macro drops.  If it's there, the macro was
executed, and the dropper has probably also downloaded further malware.

Modern versions of Office will, by default, not execute the macro so you
might be safe.

I don't know if Symantec has signatures for this document, the dropper
or the payload it downloads.  Trend Micro does, so you could use their
web based HouseCall antivirus scanner from here:

http://housecall.trendmicro.com/

Andrew 8)



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Marc Catuogno
> Sent: Wednesday, June 28, 2006 6:03 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Um, no making fun here - I opened it.  I thought it was just 
> spam; someone forwarded it to my spam account. I didn't find 
> the Trojan downloader on my PC.  I'm ASSUMING that you have 
> to hit the "check prices" macro button as no macro seemed to 
> auto-execute... 
> 
> I just downloaded the intelligent updater for NAV 9 (as the 
> live update button only gave me definitions of the 21st) and 
> am running a scan now.
> 
> Remind me not to make so much fun of other people for opening 
> attachments.
> 
> Marc
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Markus Gufler
> Sent: Tuesday, June 27, 2006 2:32 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> Some of us have noted in the past two hours that messages with 
> a zip-file as attachment have passed our virus filters
> 
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
> 
> Most Virus-Scanners can't catch it. Virustotal has returned 
> only two scanners with positive results
> 
> Sophos has found "WM97/Kukudro-A" 
> UNA has found a "Macro Virus"
> 
> No other AV-Engine has caught the suspicious file.
> 
> We've added the following lines to our virus.cfg in order to 
> block as much as we can at the moment.
> 
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
> 
> Regards
> Markus
> 
> 
> 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
I have added the request to the wish list. We are focusing on replicating
problems and fixing items from the list I had posted earlier last week. We
are looking to do a release Thursday 8 July; it is currently undergoing
testing. This is all obviously subject to change, just trying to keep you
informed.
 
Items in next release:
 
1. Fix - ALLOWVULNERABILITIESFROM - full email address only 

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path  
 
3. Add - Error in SM envelope file: if errors are found the mail will be
moved to the error directory

4. Add - If the headers files are not found then the data file is moved to
error directory. 

5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
for the end of the headers. 

David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, I can think
of dozens of things that are very largely useful on a much more regular
basis.  In fact, the current functionality provides an appropriate mechanism
for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known bugs
first.  When they catch up, then certainly they should consider feature
requests, but it would make sense to focus on new tests and improving existing
ones, along with refining functionality.  I will personally continue to hold
back from such discussions until it is clear that they are capable of
handling the bugs.

Sorry to make an example of you here; that's not the intention of course.  I
just thought that it would be constructive to point this stuff out for the
benefit of Declude and its customers alike.

Matt



John T (Lists) wrote: 

I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Marc Catuogno
Um, no making fun here - I opened it.  I thought it was just spam; someone
forwarded it to my spam account. I didn't find the Trojan downloader on my
PC.  I'm ASSUMING that you have to hit the "check prices" macro button as no
macro seemed to auto-execute... 

I just downloaded the intelligent updater for NAV 9 (as the live update
button only gave me definitions of the 21st) and am running a scan now.

Remind me not to make so much fun of other people for opening attachments.

Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 2:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A" 
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Matt




John,

Not to say that this wouldn't be something that is nice to have, I can
think of dozens of things that are very largely useful on a much more
regular basis.  In fact, the current functionality provides an
appropriate mechanism for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known
bugs first.  When they catch up, then certainly they should consider
feature requests, but it would make sense to focus on new tests and
improving existing ones, along with refining functionality.  I will
personally continue to hold back from such discussions until it is
clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of
course.  I just thought that it would be constructive to point this
stuff out for the benefit of Declude and its customers alike.

Matt



John T (Lists) wrote:

  I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as
much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus




RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Colbeck, Andrew
JT> Declude, this is a feature whose time has come.

Hear, hear!  The ability to ban filenames that are contained in archives
would be a good feature, and most of the code must be in place, because
Declude Virus already pulls apart at least the zip file format for
selective file scanning.

It is also well placed in the market.  I checked my up-to-the-minute
ScanMail for Exchange from Trend Micro, and they don't have that
feature.  I also tested it to see whether filename blocking would work
anyway, and no, it didn't.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of John T (Lists)
> Sent: Tuesday, June 27, 2006 3:38 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> Importance: High
> 
> I know. :(
> 
> Declude, this is a feature whose time has come.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Markus Gufler
> > Sent: Tuesday, June 27, 2006 3:10 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> > Macro-Virus
> > 
> > As far as I know yes, but
> > 
> > BANNAME my_notebook.doc
> > 
> > wouldn't work for files within zip-archives.
> > 
> > Markus
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of 
> > > John T (Lists)
> > > Sent: Tuesday, June 27, 2006 11:48 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> > > Macro-Virus
> > >
> > > Is the word document only named that?
> > >
> > > John T
> > > eServices For You
> > >
> > > "Seek, and ye shall find!"
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On Behalf 
> > > > Of Markus Gufler
> > > > Sent: Tuesday, June 27, 2006 11:32 AM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] New Virus: zipped word doc with 
> > > > Macro-Virus
> > > >
> > > > Some of us have noted in the past two hours that messages with a
> > > > zip-file as attachment have passed our virus filters
> > > >
> > > > It's a zip-file containing a MS Word Document named "my_notebook.doc"
> > > >
> > > > Most Virus-Scanners can't catch it. Virustotal has returned only two
> > > > scanners with positive results
> > > >
> > > > Sophos has found "WM97/Kukudro-A"
> > > > UNA has found a "Macro Virus"
> > > >
> > > > No other AV-Engine has caught the suspicious file.
> > > >
> > > > We've added the following lines to our virus.cfg in order to block as
> > > > much as we can at the moment.
> > > >
> > > > BANNAME prices.zip
> > > > BANNAME apple_prices.zip
> > > > BANNAME sony_prices.zip
> > > > BANNAME hp_prices.zip
> > > > BANNAME dell_prices.zip
> > > > BANNAME My_Notebook.doc
> > > >
> > > > Regards
> > > > Markus
> > > >


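The feature John and Andrew ask for above (applying BANNAME to filenames inside an archive, since `BANNAME my_notebook.doc` does not see a document that arrives zipped), as an added example that is neither Declude's code nor anything posted in the thread: a Python scanner that checks the attachment's own name and then every entry inside a zip attachment, descending into zips nested in zips, matching on the final path component and ignoring case. Markus's list spells the document both my_notebook.doc and My_Notebook.doc, so a case-insensitive match is assumed here; whether Declude's own BANNAME compares case-insensitively is not stated in the thread. The ban list mirrors the virus.cfg lines posted; the archives are constructed in memory, and the nesting depth and size limits are this example's own choices.

```python
import io
import posixpath
import zipfile

# Ban list mirroring the BANNAME lines posted in the thread, held here as a
# Python set (this is not Declude's configuration format).
BANNED_NAMES = {
    "prices.zip", "apple_prices.zip", "sony_prices.zip",
    "hp_prices.zip", "dell_prices.zip", "my_notebook.doc",
}

MAX_DEPTH = 3                  # example's own limit on zip-in-zip nesting
MAX_NESTED_BYTES = 10_000_000  # example's own cap on an inflated nested archive


def name_is_banned(filename, banned=BANNED_NAMES):
    """Case-insensitive match on the last path component, so that both
    'docs/My_Notebook.doc' and 'docs\\MY_NOTEBOOK.DOC' are caught."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.lower() in {b.lower() for b in banned}


def banned_names_in_archive(data, banned=BANNED_NAMES, depth=0, prefix=""):
    """Return 'outer.zip/dir/file' style paths of banned names inside the zip
    held in `data`, descending into nested zips, entirely in memory.

    Anything that cannot be inspected (an encrypted entry, a nested archive
    that is too large, nesting beyond MAX_DEPTH) is reported as a hit: the
    scanner fails closed rather than let an opaque archive through.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip (or corrupt): nothing to look inside
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            flagged = name_is_banned(info.filename, banned)
            encrypted = bool(info.flag_bits & 0x1)
            is_zip = info.filename.lower().endswith(".zip")
            inspectable = (is_zip and not encrypted and depth < MAX_DEPTH
                           and info.file_size <= MAX_NESTED_BYTES)
            if inspectable:
                nested = banned_names_in_archive(zf.read(info), banned,
                                                 depth + 1, path + "/")
            else:
                nested = []
                # an encrypted entry or an uninspectable nested zip is opaque
                flagged = flagged or encrypted or is_zip
            if flagged:
                hits.append(path)
            hits.extend(nested)
    return hits


def scan_attachment(filename, data, banned=BANNED_NAMES):
    """Apply the ban list to the attachment's own name and, when it is a zip,
    to everything inside it."""
    hits = [filename] if name_is_banned(filename, banned) else []
    hits.extend(banned_names_in_archive(data, banned, prefix=filename + "/"))
    return hits


def build_sample_zip(entries):
    """Constructed test data: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # The content is a constructed stand-in, not a real Word document.
    inner = build_sample_zip({"My_Notebook.doc": b"\xd0\xcf\x11\xe0 stand-in"})
    outer = build_sample_zip({"readme.txt": b"hello", "stuff/hp_prices.zip": inner})
    print(scan_attachment("prices.zip", inner))
    print(scan_attachment("offer.zip", outer))
```

Name-based blocking is only a stopgap, as Markus's own message makes clear: the next wave simply renames the document. The fail-closed handling of encrypted and oversized nested archives is the one part worth keeping afterwards, since a filter that silently skips what it cannot open is exactly the gap a zipped dropper relies on.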

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
> Gufler
> Sent: Tuesday, June 27, 2006 3:10 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> As far as I know yes, but
> 
> BANNAME my_notebook.doc
> 
> wouldn't work for files within zip-archives.
> 
> Markus
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of John T (Lists)
> > Sent: Tuesday, June 27, 2006 11:48 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with
> > Macro-Virus
> >
> > Is the word document only named that?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Markus Gufler
> > > Sent: Tuesday, June 27, 2006 11:32 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> > >
> > > Some of us have noted in the past two hours that messages with a
> > > zip-file as attachment have passed our virus filters.
> > >
> > > It's a zip-file containing an MS Word Document named
> > > "my_notebook.doc"
> > >
> > > Most Virus-Scanners can't catch it. Virustotal has returned
> > > only two scanners with positive results
> > >
> > > Sophos has found "WM97/Kukudro-A"
> > > UNA has found a "Macro Virus"
> > >
> > > No other AV-Engine has caught the suspicious file.
> > >
> > > We've added the following lines to our virus.cfg in order
> > > to block as much as we can at the moment.
> > >
> > > BANNAME prices.zip
> > > BANNAME apple_prices.zip
> > > BANNAME sony_prices.zip
> > > BANNAME hp_prices.zip
> > > BANNAME dell_prices.zip
> > > BANNAME My_Notebook.doc
> > >
> > > Regards
> > > Markus
> > >
> > >
> > >



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
As I know, yes, but

BANNAME my_notebook.doc 

wouldn't work for files within zip-archives.

Markus 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of John T (Lists)
> Sent: Tuesday, June 27, 2006 11:48 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Is the word document only named that?
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Markus Gufler
> > Sent: Tuesday, June 27, 2006 11:32 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> > 
> > Some of us have noted in the past two hours that messages with a
> > zip-file as attachment have passed our virus filters.
> > 
> > It's a zip-file containing an MS Word Document named
> > "my_notebook.doc"
> > 
> > Most Virus-Scanners can't catch it. Virustotal has returned
> > only two scanners with positive results
> > 
> > Sophos has found "WM97/Kukudro-A"
> > UNA has found a "Macro Virus"
> > 
> > No other AV-Engine has caught the suspicious file.
> > 
> > We've added the following lines to our virus.cfg in order
> > to block as much as we can at the moment.
> > 
> > BANNAME prices.zip
> > BANNAME apple_prices.zip
> > BANNAME sony_prices.zip
> > BANNAME hp_prices.zip
> > BANNAME dell_prices.zip
> > BANNAME My_Notebook.doc
> > 
> > Regards
> > Markus
> > 
> > 
> > 
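Markus's point above is that a Declude BANNAME line matches the attachment's own filename, so "BANNAME my_notebook.doc" never fires when the document travels inside a zip. The block below is an added example, not Declude code and not from anyone in this thread: it parses the BANNAME lines Markus posted and applies the same name ban to the members of a zip attachment, recursing into nested zips. The helper names (parse_banname, banned_members, should_ban, build_sample), the constructed sample archive, and the depth and size limits are assumptions; the banned names themselves are the ones from the thread.

```python
# Added example (not Declude code): apply BANNAME-style rules to the files
# inside a zip attachment, which a plain BANNAME on the inner name cannot do.
# Helper names, the constructed sample archive and the depth/size limits are
# assumptions; only the BANNAME lines come from the thread.
import io
import zipfile

# The BANNAME lines posted in the thread (Declude virus.cfg syntax).
BANNAME_RULES = """
BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc
"""

MAX_DEPTH = 3               # assumed: how many nested zips to open
MAX_MEMBER_SIZE = 10 << 20  # assumed: do not open nested zips above 10 MiB
ENCRYPTED_FLAG = 0x1        # general-purpose bit 0 of a zip entry header


def parse_banname(cfg: str) -> set[str]:
    """Collect the names from BANNAME lines, lower-cased so that
    my_notebook.doc and My_Notebook.doc are treated the same."""
    banned: set[str] = set()
    for line in cfg.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            banned.add(parts[1].strip().lower())
    return banned


def banned_members(data: bytes, banned: set[str], depth: int = 0) -> list[str]:
    """Return paths of banned files found inside a zip, recursing into nested
    zips. Encrypted members are reported too, because neither this check nor
    a scanner can see what they contain."""
    hits: list[str] = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            if info.flag_bits & ENCRYPTED_FLAG:
                hits.append(f"{info.filename} (encrypted, cannot inspect)")
                continue
            if base in banned:
                hits.append(info.filename)
            # Nested archive: open it only if it is small enough to be safe.
            if base.endswith(".zip") and info.file_size <= MAX_MEMBER_SIZE:
                inner = banned_members(zf.read(info), banned, depth + 1)
                hits.extend(f"{info.filename}/{h}" for h in inner)
    return hits


def should_ban(attachment_name: str, data: bytes, banned: set[str]) -> bool:
    """True if the attachment's own name or any file inside it is banned."""
    if attachment_name.lower() in banned:
        return True
    return bool(banned_members(data, banned))


def build_sample() -> bytes:
    """Constructed sample: an innocuously named zip wrapping a second zip
    that holds my_notebook.doc (placeholder bytes, not a real document)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("my_notebook.doc", b"placeholder, not a real document")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample")
        zf.writestr("offer.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    rules = parse_banname(BANNAME_RULES)
    sample = build_sample()
    print("quote.zip banned:", should_ban("quote.zip", sample, rules))
    print("hits:", banned_members(sample, rules))
```

Matching is case-insensitive on purpose, since the same file appears in the thread as both "my_notebook.doc" and "My_Notebook.doc". The recursion depth and member-size caps keep a crafted archive from exhausting the filter, and encrypted members are surfaced rather than silently skipped, because an archive the scanner cannot open is exactly the case this thread is about.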



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
> Gufler
> Sent: Tuesday, June 27, 2006 11:32 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> Some of us have noted in the past two hours that messages with a zip-file
> as attachment have passed our virus filters.
> 
> It's a zip-file containing an MS Word Document named "my_notebook.doc"
> 
> Most Virus-Scanners can't catch it. Virustotal has returned only two
> scanners with positive results
> 
> Sophos has found "WM97/Kukudro-A"
> UNA has found a "Macro Virus"
> 
> No other AV-Engine has caught the suspicious file.
> 
> We've added the following lines to our virus.cfg in order to block as much
> as we can at the moment.
> 
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
> 
> Regards
> Markus
> 
> 
> 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Colbeck, Andrew
http://www.f-secure.com/weblog/archives/archive-062006.html#0909

The writeup is interesting in the follow-on details but the information
that Markus posted earlier is more helpful to us in keeping the darn
thing out of users' mailboxes.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, June 27, 2006 12:08 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Actually, it is CLAMAV catching it.  Not sure about McAfee as 
> I stop on first virus.  F-Prot is def. not catching it though. 
> 
> Darrell 
> 
> Darrell ([EMAIL PROTECTED]) writes: 
> 
> > McAfee is catching these Trojan.Myno on my systems.  
> > 
> > Darrell
> > ---
> > Check out http://www.invariantsystems.com for utilities for 
> Declude, 
> > Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
> > SURBL/URI integration, MRTG Integration, and Log Parsers.
> > 
> > 
> > Markus Gufler writes:  
> > 
> >> Some of us have noted in the past two hours that messages with a
> >> zip-file as attachment have passed our virus filters.
> >> 
> >> It's a zip-file containing an MS Word Document named
> >> "my_notebook.doc"
> >> 
> >> Most Virus-Scanners can't catch it. Virustotal has
> >> returned only two scanners with positive results
> >> 
> >> Sophos has found "WM97/Kukudro-A"
> >> UNA has found a "Macro Virus"
> >> 
> >> No other AV-Engine has caught the suspicious file.
> >> 
> >> We've added the following lines to our virus.cfg in order
> >> to block as much as we can at the moment.
> >> 
> >> BANNAME prices.zip
> >> BANNAME apple_prices.zip
> >> BANNAME sony_prices.zip
> >> BANNAME hp_prices.zip
> >> BANNAME dell_prices.zip
> >> BANNAME My_Notebook.doc
> >> 
> >> Regards
> >> Markus
> >> 
> >>   
> >> 



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
Actually, it is CLAMAV catching it.  Not sure about McAfee as I stop on 
first virus.  F-Prot is def. not catching it though. 

Darrell 

Darrell ([EMAIL PROTECTED]) writes: 

McAfee is catching these Trojan.Myno on my systems.  


Darrell



Markus Gufler writes:  

Some of us have noted in the past two hours that messages with a zip-file
as attachment have passed our virus filters.  

It's a zip-file containing an MS Word Document named "my_notebook.doc"  

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results  

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"  

No other AV-Engine has caught the suspicious file.  

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.  


BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc  


Regards
Markus  

  







---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
McAfee is catching these Trojan.Myno on my systems. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Markus Gufler writes: 


Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters. 

It's a zip-file containing an MS Word Document named "my_notebook.doc" 


Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results 

Sophos has found "WM97/Kukudro-A" 
UNA has found a "Macro Virus" 

No other AV-Engine has caught the suspicious file. 


We've added the following lines to our virus.cfg in order to block as much
as we can at the moment. 


BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc 


Regards
Markus 

 





[Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters.

It's a zip-file containing an MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A" 
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus


