RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

2008-07-22 Thread SJ Stanaitis
I had to send a copy to Trend Micro (my AV provider), about an hour
later they had it taken care of in a new set of definitions. 

I just blocked ZIP's until the fix came through.  Sure, it got me a few
complaints but at least it kept everyone from opening it.

--SJ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Wiegers
Sent: Tuesday, July 22, 2008 2:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

Should the built-in Declude virus scanner scan inside of zip files (when
we used F-Prot it did)? Are there any settings to get it to scan the zip
files?
We did have to exclude password-protected zip files in the past and we
still do, but we need the virus scanner to scan zip attachments.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Michael Jaworski
Sent: Monday, July 21, 2008 6:59 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

This also appears to have been out in other forms in the last few days.
Google it.

M




---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.











RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

2008-07-22 Thread Mike Wiegers
I just took the ban off of zips and it looks like it's catching this virus
now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Wiegers
Sent: Tuesday, July 22, 2008 1:58 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

Should the built-in Declude virus scanner scan inside of zip files (when we
used F-Prot it did)? Are there any settings to get it to scan the zip files?
We did have to exclude password-protected zip files in the past and we still
do, but we need the virus scanner to scan zip attachments.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
Jaworski
Sent: Monday, July 21, 2008 6:59 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

This also appears to have been out in other forms in the last few days. Google
it.

M

















RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

2008-07-22 Thread Mike Wiegers
Should the built-in Declude virus scanner scan inside of zip files (when we
used F-Prot it did)? Are there any settings to get it to scan the zip files?
We did have to exclude password-protected zip files in the past and we still
do, but we need the virus scanner to scan zip attachments.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
Jaworski
Sent: Monday, July 21, 2008 6:59 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

This also appears to have been out in other forms in the last few days. Google
it.

M












RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

2008-07-21 Thread Michael Jaworski
This also appears to have been out in other forms in the last few days. Google
it.

M







RE: [Declude.Virus] New Virus (.exe) in a zip attachment?

2008-07-21 Thread Michael Jaworski
We are seeing them come in. The common static denominators are:

1. Subject line "UPS Tracking Number"
2. Body contains "Unfortunately we were not able to deliver postal package
you sent on July the 1st in time because the recipient's address is not
correct.
Please print out the invoice copy attached and collect the package at our
office

Your UPS"


Mike



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy
Armbrecht
Sent: Monday, July 21, 2008 4:23 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus (.exe) in a zip attachment?

We just saw a new apparent virus/phishing threat come across trying to
impersonate a failed UPS delivery notice.

The file attached was called UPS_INVOICE_978172.zip and included a .exe file
within.

Is there any way to catch these in the BanFile area of Declude?  We do allow
banned files within a zip in our current config.

It would have to be set up as a wild card I imagine (assuming the numbers in
the file name would change).

We've only seen one of these so far, so do not have anything else to compare
to, to see if the name is changing or not.

---
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
http://globalweb.net 











[Declude.Virus] New Virus (.exe) in a zip attachment?

2008-07-21 Thread Randy Armbrecht
We just saw a new apparent virus/phishing threat come across trying to
impersonate a failed UPS delivery notice.


The file attached was called UPS_INVOICE_978172.zip and included a .exe file
within.


Is there any way to catch these in the BanFile area of Declude?  We do allow
banned files within a zip in our current config.


It would have to be set up as a wild card I imagine (assuming the numbers in
the file name would change).


We've only seen one of these so far, so do not have anything else to compare
to, to see if the name is changing or not.


---
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
http://globalweb.net 







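As an added illustration of the checks Randy and Mike are asking about (this is not code from the thread or from Declude), a small Python routine walks the members of a zip attachment, flags executables inside it (descending into a nested zip), treats password-protected members as unscannable rather than silently passing them, and matches the attachment name against a wildcard such as UPS_INVOICE_*.zip. The extension list, the shell-style glob syntax and the fixture archives are my assumptions; they are constructed test data, not Declude BanFile syntax or real samples.

```python
import fnmatch
import io
import os
import struct
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extensions the thread treats as executable payloads (.exe, .com) plus a few
# other Windows-executable types. Illustrative list, not Declude's BANEXT config.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
ZIP_FLAG_ENCRYPTED = 0x1             # general-purpose bit 0 in the ZIP format
MAX_DEPTH = 2                        # nested zips deeper than this are not opened
MAX_NESTED_BYTES = 20 * 1024 * 1024  # do not inflate huge inner archives


@dataclass
class Verdict:
    executables: List[str] = field(default_factory=list)              # member paths
    unscannable: List[Tuple[str, str]] = field(default_factory=list)  # (path, reason)

    @property
    def block(self) -> bool:
        # Policy from the thread: block what contains an executable and also
        # what the scanner cannot look inside (password-protected archives).
        return bool(self.executables or self.unscannable)


def inspect_zip(data: bytes, verdict: Optional[Verdict] = None,
                prefix: str = "", depth: int = 0) -> Verdict:
    """Walk every member of a zip attachment, descending into nested zips,
    and record executable members and members that cannot be inspected."""
    verdict = verdict if verdict is not None else Verdict()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.unscannable.append((prefix.rstrip("/") or "<attachment>", "unreadable"))
        return verdict
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                verdict.unscannable.append((path, "encrypted"))
                continue
            ext = os.path.splitext(info.filename)[1].lower()  # "invoice.pdf.exe" -> ".exe"
            if ext in EXECUTABLE_EXTS:
                verdict.executables.append(path)
            elif ext == ".zip":
                if depth + 1 > MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    verdict.unscannable.append((path, "nested too deep or too large"))
                else:
                    inspect_zip(zf.read(info), verdict, path + "/", depth + 1)
    return verdict


def name_matches_ban(filename: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match of an attachment name against ban
    patterns such as 'UPS_INVOICE_*.zip' (shell-style globs, not Declude syntax)."""
    return any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in patterns)


# --- fixture helpers: constructed test archives, not real samples -----------

def mark_encrypted(zip_bytes: bytes, member: str) -> bytes:
    """Set the 'encrypted' flag bit on one member's local and central-directory
    headers. zipfile cannot write encrypted entries, so the fixture is patched
    byte-wise; the (fake) content stays in clear, only the flag changes."""
    buf = bytearray(zip_bytes)
    name = member.encode("utf-8")
    # (signature, flags offset, name-length offset, name offset) per header type
    for sig, flag_off, nlen_off, name_off in (
        (b"PK\x03\x04", 6, 26, 30),   # local file header
        (b"PK\x01\x02", 8, 28, 46),   # central directory header
    ):
        pos = buf.find(sig)
        while pos != -1:
            nlen = struct.unpack_from("<H", buf, pos + nlen_off)[0]
            if buf[pos + name_off:pos + name_off + nlen] == name:
                flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
                struct.pack_into("<H", buf, pos + flag_off, flags | ZIP_FLAG_ENCRYPTED)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_fixture(member: str, payload: bytes, encrypt: bool = False) -> bytes:
    """Build an in-memory zip with a single member (stored uncompressed, so no
    compressed bytes can accidentally look like a header signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = buf.getvalue()
    return mark_encrypted(data, member) if encrypt else data


if __name__ == "__main__":
    # Constructed stand-in for the thread's UPS_INVOICE_<digits>.zip lure.
    lure = build_fixture("UPS_INVOICE.exe", b"MZ constructed, not a real binary")
    print(name_matches_ban("UPS_INVOICE_978172.zip", ["UPS_INVOICE_*.zip"]), inspect_zip(lure))
```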

Re: [Declude.Virus] new virus with .rar attachment

2007-04-26 Thread Matt
Symantec is being short-sighted.  This is the same spammer sending this 
virus that was responsible for the seeded outbreak around New Year's.  
He starts his attacks at a moment's notice and ends them just as 
quickly.  He can change his text faster than Symantec will ever be able 
to keep up with should he care to do so.  He sends these through his 
network of spam zombies which he typically uses to send out stock spam.


McAfee was detecting this within 2 hours of it first being seen.  I saw 
hundreds of these within those two hours though.  Thankfully it appears 
that almost all if not all were blocked as spam.  Another saving grace 
is the fact that it came out as an encrypted RAR which very few people 
have support for.


Be absolutely certain that he will be back.

Matt



Gary Steiner wrote:

Basically that is what ClamAV is doing.  It detects it as a phishing spam.


 Original Message 
  

From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment

Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:

http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam
_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by
tackling the text of the message as spam.

Andrew.
 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Gary Steiner

Sent: Wednesday, April 25, 2007 10:31 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment

I started getting some messages today that were picked up as 
spam, but were not being identified as viruses.  They looked 
suspicious, having subject lines of


Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the 
.rar file and run the patch there to protect them from the 
virus/spyware.


I ran it on www.virustotal.com, and the only scanner that 
picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".


http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be 
blocking these?









  











  




RE: [Declude.Virus] new virus with .rar attachment

2007-04-26 Thread Gary Steiner
Basically that is what ClamAV is doing.  It detects it as a phishing spam.


 Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Thursday, April 26, 2007 6:11 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] new virus with .rar attachment
> 
> Gary, you beat them by a day with your own assessment, but Symantec
> blogged about this virus twice today:
> 
> http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam
> _attack_rared_trojan.html
> 
> An interesting point is that they have blocked 1.2 million messages by
> tackling the text of the message as spam.
> 
> Andrew.
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Gary Steiner
> > Sent: Wednesday, April 25, 2007 10:31 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] new virus with .rar attachment
> > 
> > I started getting some messages today that were picked up as 
> > spam, but were not being identified as viruses.  They looked 
> > suspicious, having subject lines of
> > 
> > Virus Activity Detected!
> > Spyware Alert!
> > 
> > It contains a .gif message that tells the user to open the 
> > .rar file and run the patch there to protect them from the 
> > virus/spyware.
> > 
> > I ran it on www.virustotal.com, and the only scanner that 
> > picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> > 
> > http://vil.nai.com/vil/content/v_142094.htm
> > 
> > Since this is a password protected .rar file, should we now be 
> > blocking these?
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 








RE: [Declude.Virus] new virus with .rar attachment

2007-04-26 Thread Colbeck, Andrew
Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:

http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam
_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by
tackling the text of the message as spam.

Andrew.
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Gary Steiner
> Sent: Wednesday, April 25, 2007 10:31 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] new virus with .rar attachment
> 
> I started getting some messages today that were picked up as 
> spam, but were not being identified as viruses.  They looked 
> suspicious, having subject lines of
> 
> Virus Activity Detected!
> Spyware Alert!
> 
> It contains a .gif message that tells the user to open the 
> .rar file and run the patch there to protect them from the 
> virus/spyware.
> 
> I ran it on www.virustotal.com, and the only scanner that 
> picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> 
> http://vil.nai.com/vil/content/v_142094.htm
> 
> Since this is a password protected .rar file, should we now be 
> blocking these?
> 
> 
> 
> 
> 
> 
> 
> 





re: [Declude.Virus] new virus with .rar attachment

2007-04-25 Thread Gary Steiner
ClamAV is now picking this up as Email.Phishing.RB-686



 Original Message 
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 1:48 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] new virus with .rar attachment
> 
> I started getting some messages today that were picked up as spam, but were 
> not being identified as viruses.  They looked suspicious, having subject 
> lines of
> 
> Virus Activity Detected!
> Spyware Alert!
> 
> It contains a .gif message that tells the user to open the .rar file and run 
> the patch there to protect them from the virus/spyware.
> 
> I ran it on www.virustotal.com, and the only scanner that picked it up was 
> McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> 
> http://vil.nai.com/vil/content/v_142094.htm
> 
> Since this is a password protected .rar file, should we now be blocking these?
> 
> 
> 
> 
> 
> 








[Declude.Virus] new virus with .rar attachment

2007-04-25 Thread Gary Steiner
I started getting some messages today that were picked up as spam, but were not 
being identified as viruses.  They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run 
the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was 
McAfee, and it identified it as "W32/[EMAIL PROTECTED]".

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password protected .rar file, should we now be blocking these?









[Declude.Virus] New virus - PiggiA

2007-01-03 Thread John T \(Lists\)
With the extensions listed, does anyone know if the payload is only in the
executables?

W32/Piggi-A is a mass-mailing worm for the Windows platform. 
W32/Piggi-A spreads via email and may pretend: 
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details have
been hacked or expired
- that an email sent failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy 
Attached files may contain any of the following extensions: 
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe


John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)








RE: [Declude.Virus] New virus to add to your banned names in virus.cfg

2006-12-30 Thread Colbeck, Andrew
> Why not block any .exe attachments?

I don't block .EXE attachments, but that policy may work for others.  In
my company, we find it very common to receive executables in email, as
well as viruses that are plain executables, therefore we neither
silently discard them, nor do we reply to likely spoofed mailfrom, nor
do we annoy the recipient.

I use Declude on a gateway server, and I use Trend Micro ScanMail for
Exchange on my internal servers.  On those internal servers, I scan for
viruses and I ban executable attachments (not the whole message) and
notify the recipient and our Help Centre. From the message body, the
recipient can determine whether the attachment is valid; the Help Centre
could re-send the executable but it would be blocked by Outlook anyway,
so the usual case is then for the recipient to ask the sender to re-send
the executable in a zip file.

> In our system AVG is detecting it.

Shortly before I sent that first message, F-Prot received a pattern
update and was detecting the greeting cards as W32/Tibs.gen4 and the
postcard as W32/Tibs.RA ... And submitting the greeting card to the
Sunbelt malware sandbox showed a huge amount of activity.  I suspect
that this will be a real nuisance for those infected.

Andrew 8)




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Kami Razvan
> Sent: Saturday, December 30, 2006 9:30 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New virus to add to your banned 
> names in virus.cfg
> 
> Andrew..
> 
> Why not block any .exe attachments?
> 
> In our system AVG is detecting it.
> 
> Kami 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Colbeck, Andrew
> Sent: Saturday, December 30, 2006 12:11 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New virus to add to your banned 
> names in virus.cfg
> 
> 
> http://isc.sans.org/diary.php?storyid=1988
> 
> BANNAME Greeting Card.exe
> BANNAME Greeting Postcard.exe
> BANNAME GreetingCard.exe
> 
> Which may be related to a rash of these that my mailserver 
> received on Dec 28th, as the executables are the same size 
> but contain many differences:
> 
> BANNAME postcard.exe
> 
> As of this writing, F-Prot detected neither executable, and 
> Trend Micro does not yet, unless you use the "CPR" version to 
> obtain the beta of the next pattern update.
> 
> Andrew.
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Darrell ([EMAIL PROTECTED])
> > Sent: Tuesday, December 26, 2006 6:05 AM
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] How to block an IP
> > 
> > Joe,
> > 
> > Just add the IP or CIDR block into the SMTP access control in Imail.
> > 
> > Darrell
> > --
> > --
> > Check out http://www.invariantsystems.com for utilities for Declude 
> > And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
> > integration, MRTG Integration, and Log Parsers.
> > 
> > - Original Message -
> > From: "J Porter" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Monday, December 25, 2006 11:06 PM
> > Subject: [Declude.Virus] How to block an IP
> > 
> > 
> > Is there a way to block an IP address before analysis by 
> Declude's AV 
> > (Ver
> > 1.82 - Imail 8.x)?
> > 
> > I thought I should be able to do this with rules.ima by 
> looking for a 
> > line in the header. So I have a line that says
> > H~xxx\.yyy\.zz\.
> > but it doesn't work. (In case you can't see it, the lines read \. = 
> > slash dot per Ipswitch docs) I don't think the H~ (header contains) 
> > command reads everything in the header.
> > 
> > ~Joe
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
> 
> 
> 





RE: [Declude.Virus] New virus to add to your banned names in virus.cfg

2006-12-30 Thread Kami Razvan
Andrew..

Why not block any .exe attachments?

In our system AVG is detecting it.

Kami 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Saturday, December 30, 2006 12:11 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New virus to add to your banned names in virus.cfg


http://isc.sans.org/diary.php?storyid=1988

BANNAME Greeting Card.exe
BANNAME Greeting Postcard.exe
BANNAME GreetingCard.exe

Which may be related to a rash of these that my mailserver received on Dec
28th, as the executables are the same size but contain many differences:

BANNAME postcard.exe

As of this writing, F-Prot detected neither executable, and Trend Micro does
not yet, unless you use the "CPR" version to obtain the beta of the next
pattern update.

Andrew.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, December 26, 2006 6:05 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] How to block an IP
> 
> Joe,
> 
> Just add the IP or CIDR block into the SMTP access control in Imail.
> 
> Darrell
> --
> --
> Check out http://www.invariantsystems.com for utilities for Declude 
> And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
> integration, MRTG Integration, and Log Parsers.
> 
> - Original Message -
> From: "J Porter" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, December 25, 2006 11:06 PM
> Subject: [Declude.Virus] How to block an IP
> 
> 
> Is there a way to block an IP address before analysis by Declude's AV 
> (Ver
> 1.82 - Imail 8.x)?
> 
> I thought I should be able to do this with rules.ima by looking for a 
> line in the header. So I have a line that says
> H~xxx\.yyy\.zz\.
> but it doesn't work. (In case you can't see it, the lines read \. = 
> slash dot per Ipswitch docs) I don't think the H~ (header contains) 
> command reads everything in the header.
> 
> ~Joe
> 
> 
> 
> 
> 
> 
> 
> 
> 









RE: [Declude.Virus] New virus to add to your banned names in virus.cfg

2006-12-30 Thread Colbeck, Andrew
p.s. No, the conversation thread at the end of my posting was not
relevant to the antivirus tip, that was simply poor copy and paste on my
part.

Andrew 8)










[Declude.Virus] New virus to add to your banned names in virus.cfg

2006-12-30 Thread Colbeck, Andrew
http://isc.sans.org/diary.php?storyid=1988

BANNAME Greeting Card.exe
BANNAME Greeting Postcard.exe
BANNAME GreetingCard.exe

Which may be related to a rash of these that my mailserver received on Dec
28th, as the executables are the same size but contain many differences:

BANNAME postcard.exe

As of this writing, F-Prot detected neither executable, and Trend Micro
does not yet, unless you use the "CPR" version to obtain the beta of the
next pattern update.

Andrew.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, December 26, 2006 6:05 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] How to block an IP
> 
> Joe,
> 
> Just add the IP or CIDR block into the SMTP access control in Imail.
> 
> Darrell
> --
> --
> Check out http://www.invariantsystems.com for utilities for 
> Declude And Imail.  IMail/Declude Overflow Queue Monitoring, 
> SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
> - Original Message -
> From: "J Porter" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, December 25, 2006 11:06 PM
> Subject: [Declude.Virus] How to block an IP
> 
> 
> Is there a way to block an IP address before analysis by 
> Declude's AV (Ver
> 1.82 - Imail 8.x)?
> 
> I thought I should be able to do this with rules.ima by 
> looking for a line
> in the header. So I have a line that says
> H~xxx\.yyy\.zz\.
> but it doesn't work. (In case you can't see it, the lines 
> read \. = slash
> dot per Ipswitch docs) I don't think the H~ (header contains) 
> command reads
> everything in the header.
> 
> ~Joe
> 
> 
> 
> 
> 
> 
> 
> 
> 





RE: [Declude.Virus] New Virus?

2006-10-10 Thread Gary Steiner
If you want to submit a virus, don't forget about ClamAV:

http://www.clamav.net/sendvirus.html

The nice thing about them is when they've used your sample to update their 
definitions, they will actually send you an email telling you this.



 Original Message 
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Tuesday, October 10, 2006 1:50 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus?
> 
> Sounds like a very popular eBay scam, not a virus.
> 
> Was there actually a hostile application attached?
> 
> Submit the executable to:
> 
> http://www.virustotal.com/en/indexf.html
> 
> Or:
> 
> http://virusscan.jotti.org/
> 
> I believe that both services share unknown executables with the
> antivirus vendors.
> 
> Or you directly submit the executable to your preferred antivirus
> vendor, usually through a web submission form, e.g.:
> 
> http://subwiz.trendmicro.com/SubWiz/Default.asp
> 
> Or:
> 
> http://www.f-prot.com/virusinfo/submission_form.html
> 
> But the vendor websites are notorious for hoarding information to get a
> competitive advantage (at the expense of the customers of every other
> antivirus vendor!).
> 
> Andrew 8)
>   
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Grant Griffith
> > Sent: Tuesday, October 10, 2006 10:21 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] New Virus?
> > 
> > Hey All
> > 
> > Has anyone seen the email saying that you purchased a Sony 
> > VAIO for $2,500?
> > We received a bunch of these this morning in our mailboxes 
> > and are trying to figure out how they made it thru the 
> > scanners.  What is the place to send them to see if it is 
> > being caught?
> > 
> > Thanks,
> > Grant Griffith
> > Web Application Developer
> > Enhanced Telecommunications
> > http://www.etczone.com
> > 812-932-1000
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 









Re: [Declude.Virus] New Virus?

2006-10-10 Thread Darin Cox
I posted virustotal results a half hour ago... did you see them?

Darin.


- Original Message - 
From: "Grant Griffith" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, October 10, 2006 2:17 PM
Subject: RE: [Declude.Virus] New Virus?


It does have a .zip file that contains a .exe file inside it.  The message
says it contains a .pdf file, but it is really an .exe file.  I am running
it thru virustotal.com now.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000




RE: [Declude.Virus] New Virus?

2006-10-10 Thread Grant Griffith
It does have a .zip file that contains a .exe file inside it.  The message
says it contains a .pdf file, but it is really an .exe file.  I am running
it thru virustotal.com now.

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, October 10, 2006 1:32 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

Sounds like a very popular eBay scam, not a virus.

Was there actually a hostile application attached?

Submit the executable to:

http://www.virustotal.com/en/indexf.html

Or:

http://virusscan.jotti.org/

I believe that both services share unknown executables with the
antivirus vendors.

Or you directly submit the executable to your preferred antivirus
vendor, usually through a web submission form, e.g.:

http://subwiz.trendmicro.com/SubWiz/Default.asp

Or:

http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a
competitive advantage (at the expense of the customers of every other
antivirus vendor!).

Andrew 8)
  




Re: [Declude.Virus] New Virus?

2006-10-10 Thread Darin Cox
We've seen them as well today.  It's either a new virus or a variant.

Here are the results from virustotal

  Engine              Version         Update      Result
  AntiVir             7.2.0.25        10.10.2006  HEUR/Crypted
  Authentium          4.93.8          10.10.2006  W32/[EMAIL PROTECTED]
  Avast               4.7.892.0       10.10.2006  no virus found
  AVG                 386             10.10.2006  no virus found
  BitDefender         7.2             10.10.2006  no virus found
  CAT-QuickHeal       8.00            10.10.2006  (Suspicious) - DNAScan
  ClamAV              devel-20060426  10.10.2006  Trojan.Haxdoor-131
  eTrust-InoculateIT  23.73.18        10.10.2006  no virus found
  eTrust-Vet          30.3.3125       10.10.2006  no virus found
  DrWeb               4.33            10.10.2006  BackDoor.Haxdoor.359
  Ewido               4.0             10.10.2006  no virus found
  Fortinet            2.82.0.0        10.10.2006  suspicious
  F-Prot              3.16f           10.10.2006  security risk named W32/[EMAIL PROTECTED]
  F-Prot4             4.2.1.29        10.10.2006  W32/[EMAIL PROTECTED]
  Ikarus              0.2.65.0        10.10.2006  Trojan-Downloader.Win32.Small.gen
  Kaspersky           4.0.2.24        10.10.2006  Backdoor.Win32.Haxdoor.lf
  McAfee              4870            10.10.2006  BackDoor-BAC
  Microsoft           1.1603          10.10.2006  no virus found
  NOD32v2             1.1796          10.10.2006  a variant of Win32/Haxdoor
  Norman              5.80.02         10.10.2006  Suspicious_F.gen
  Panda               9.0.0.4         10.10.2006  Suspicious file
  Sophos              4.10.0          10.05.2006  no virus found
  TheHacker           6.0.1.094       10.08.2006  no virus found
  UNA                 1.83            10.10.2006  Backdoor.Haxdoor.B43A
  VBA32               3.11.1          10.10.2006  no virus found
  VirusBuster         4.3.7:9         10.10.2006  no virus found

Darin.


- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, October 10, 2006 1:31 PM
Subject: RE: [Declude.Virus] New Virus?


Sounds like a very popular eBay scam, not a virus.

Was there actually a hostile application attached?

Submit the executable to:

http://www.virustotal.com/en/indexf.html

Or:

http://virusscan.jotti.org/

I believe that both services share unknown executables with the
antivirus vendors.

Or you directly submit the executable to your preferred antivirus
vendor, usually through a web submission form, e.g.:

http://subwiz.trendmicro.com/SubWiz/Default.asp

Or:

http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a
competitive advantage (at the expense of the customers of every other
antivirus vendor!).

Andrew 8)
  




Re: [Declude.Virus] New Virus?

2006-10-10 Thread Imail

Yes.  Saw that come in this morning.

Grant Griffith wrote:

Hey All

Has anyone seen the email saying that you purchased a Sony VAIO for $2,500?
We received a bunch of these this morning in our mailboxes and I am trying to
figure out how they made it thru the scanners.  What is the place to send
them to see if it is being caught?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000








RE: [Declude.Virus] New Virus?

2006-10-10 Thread Colbeck, Andrew
Sounds like a very popular eBay scam, not a virus.

Was there actually a hostile application attached?

Submit the executable to:

http://www.virustotal.com/en/indexf.html

Or:

http://virusscan.jotti.org/

I believe that both services share unknown executables with the
antivirus vendors.

Or you directly submit the executable to your preferred antivirus
vendor, usually through a web submission form, e.g.:

http://subwiz.trendmicro.com/SubWiz/Default.asp

Or:

http://www.f-prot.com/virusinfo/submission_form.html

But the vendor websites are notorious for hoarding information to get a
competitive advantage (at the expense of the customers of every other
antivirus vendor!).

Andrew 8)
  

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Grant Griffith
> Sent: Tuesday, October 10, 2006 10:21 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus?
> 
> Hey All
> 
> Has anyone seen the email saying that you purchased a Sony 
> VAIO for $2,500?
> We received a bunch of these this morning in our mailboxes 
> and I am trying to figure out how they made it thru the 
> scanners.  What is the place to send them to see if it is 
> being caught?
> 
> Thanks,
> Grant Griffith
> Web Application Developer
> Enhanced Telecommunications
> http://www.etczone.com
> 812-932-1000
> 
> 
> 
> 
> 



[Declude.Virus] New Virus?

2006-10-10 Thread Grant Griffith
Hey All

Has anyone seen the email saying that you purchased a Sony VAIO for $2,500?
We received a bunch of these this morning in our mailboxes and I am trying to
figure out how they made it thru the scanners.  What is the place to send
them to see if it is being caught?

Thanks,
Grant Griffith
Web Application Developer
Enhanced Telecommunications
http://www.etczone.com
812-932-1000








RE: [Declude.Virus] new virus?

2006-08-31 Thread Colbeck, Andrew



The Internet Storm Center also notes two items...

That a new-ish botnet has been found:

http://isc.sans.org/diary.php?storyid=1657

Previously, that there is elevated port scanning for 139/TCP:

http://isc.sans.org/diary.php?storyid=1654

In that second link, they note two malwares that are attacking the "Server"
service that Microsoft patched most recently in August with MS06-040:

https://www.microsoft.com/technet/security/bulletin/ms06-040.mspx


Andrew 8)
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Thursday, August 31, 2006 8:59 AM
  To: declude.virus@declude.com
  Subject: RE: [Declude.Virus] new virus?

  My logs tell me that we received more than the usual number of viruses
  yesterday.  These were split into two groups, a version of Bagle that was
  released back in June, and a new worm which Trend Micro calls
  WORM_STRATION.BD

  In the samples I looked at, the messages were fake bounces with an
  executable attachment which had a .dat.pif extension.

  Here's the writeup on that:

  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBH&VSect=T

  Andrew 8)
   
  




RE: [Declude.Virus] new virus?

2006-08-31 Thread Colbeck, Andrew



My logs tell me that we received more than the usual number of viruses
yesterday.  These were split into two groups, a version of Bagle that was
released back in June, and a new worm which Trend Micro calls
WORM_STRATION.BD

In the samples I looked at, the messages were fake bounces with an
executable attachment which had a .dat.pif extension.

Here's the writeup on that:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBH&VSect=T

Andrew 8)
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen Mitchell
  Sent: Wednesday, August 30, 2006 2:01 PM
  To: declude.virus@declude.com
  Subject: [Declude.Virus] new virus?

  I am seeing lots of .com attachments blocked with Declude.  Random two-word
  subject from many different IP addresses.  Is anyone else seeing them?

  Karen M. Mitchell
  Senior NewMedia Systems Administrator
  AccuWeather, Inc.
  385 Science Park Road
  State College, PA 16803
  814-235-8698
  "Get the best weather on the web"  -  http://www.accuweather.com


RE: [Declude.Virus] new virus?

2006-08-30 Thread Panda Consulting S.A. Luis Alberto Arango



I checked and saw just a few of them.
 
Luis Arango
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen Mitchell
  Sent: Wednesday, August 30, 2006 04:01 p.m.
  To: declude.virus@declude.com
  Subject: [Declude.Virus] new virus?

  I am seeing lots of .com attachments blocked with Declude.  Random two-word
  subject from many different IP addresses.  Is anyone else seeing them?

  Karen M. Mitchell
  Senior NewMedia Systems Administrator
  AccuWeather, Inc.
  385 Science Park Road
  State College, PA 16803
  814-235-8698
  "Get the best weather on the web"  -  http://www.accuweather.com


[Declude.Virus] new virus?

2006-08-30 Thread Karen Mitchell



 
I am seeing lots of .com attachments blocked with Declude.  Random two-word
subject from many different IP addresses.  Is anyone else seeing them?

Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc.
385 Science Park Road
State College, PA 16803
814-235-8698
"Get the best weather on the web"  -  http://www.accuweather.com
 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Sure it is not some form of the Pebcak virus, Andrew? 

Sorry, couldn't resist. I needed the laugh.

;-)>

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, June 28, 2006 2:26 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> Importance: Low
> 
> I don't know where that ">" character in front of my From sentence came
> from.  The first character on that line should have been an "F".
> 
> It must be some kind of weird auto-quoting software; that character is
> not in the email that I sent.
> 
> Andrew 8)
> 







RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
I don't know where that ">" character in front of my From sentence came
from.  The first character on that line should have been an "F".

It must be some kind of weird auto-quoting software; that character is
not in the email that I sent.

Andrew 8)

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Colbeck, Andrew
> Sent: Wednesday, June 28, 2006 2:14 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> I haven't seen any yet; I don't know if F-Prot is catching them.
> 
> >From the published information at the antivirus vendors' sites, I'm
> using the BANNAME feature, e.g.
> 
> BANNAME My_Notebook.doc
> 
> And further, I catch most of the viruses as junkmail because 
> they typically come from zombie machines, so they're heavily 
> IP4R listed.
> 
> I do use a SKIPATTACH filter (which I've previously shared on 
> the list, so it's in the web archive if anyone wants it) and 
> I've lowered the weight of that.
> 
> I don't think this virus is spreading well, it's not 
> receiving much attention, and Trend Micro's statistics graph 
> is flatlined.  I think if your mailserver is getting them, 
> you'll continue to get them, otherwise, it's not very likely.
> 
> Andrew 8)
> 
> 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
I haven't seen any yet; I don't know if F-Prot is catching them.

>From the published information at the antivirus vendors' sites, I'm
using the BANNAME feature, e.g.

BANNAME My_Notebook.doc

And further, I catch most of the viruses as junkmail because they
typically come from zombie machines, so they're heavily IP4R listed.

I do use a SKIPATTACH filter (which I've previously shared on the list,
so it's in the web archive if anyone wants it) and I've lowered the
weight of that.

I don't think this virus is spreading well, it's not receiving much
attention, and Trend Micro's statistics graph is flatlined.  I think if
your mailserver is getting them, you'll continue to get them, otherwise,
it's not very likely.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of John T (Lists)
> Sent: Wednesday, June 28, 2006 1:06 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Back to the matter indicated in the subject line, how are 
> others dealing with this?
> 
> Are F-Prot, AVG and others catching this now?
> 
> Which AV scanners are indeed catching it?
> 
> Now for the bigger question: How do we combat this and future 
> such versions without outright blocking of the file 
> extension? We all know that relying on users to not open 
> attachments is problematic.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> 
> 
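
Andrew's BANNAME entry above bans one known filename, and John T's question was how to deal with such attachments without banning a whole extension. The usual answer is to look at what is actually inside the attachment rather than only at its outer name. The code below is an added example, not Declude's code and not anything a list member posted: a Python inspector that opens a ZIP attachment in memory, flags executable inner extensions (the .exe-in-a-zip and .dat.pif cases from these threads), flags double extensions, applies a banned-name list in the spirit of BANNAME, and flags content that begins with the PE "MZ" signature while its name claims to be a .pdf (Grant's "says it contains a .pdf file, but it is really an .exe"). The extension list, the banned-name set, the sample archive and its file names are all constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions that Windows will run straight from an attachment.
# Constructed for this example; it is not Declude's list.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Names banned outright, like the BANNAME entry quoted in the thread (constructed set).
BANNED_NAMES = {"my_notebook.doc"}

# Leading bytes that identify the real content type, whatever the name claims.
MAGIC = ((b"MZ", "executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"))


@dataclass(frozen=True)
class Finding:
    attachment: str   # name of the MIME attachment
    inner: str        # entry inside the archive, or the attachment itself
    reason: str


def sniff(data: bytes) -> str:
    """Classify content by its magic bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """All extensions of the final path component: 'a.dat.pif' -> ['.dat', '.pif']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def check_entry(attachment: str, inner: str, data: bytes, findings: list) -> None:
    """Apply the name and content rules to one file; append each hit to findings."""
    base = inner.lower().rsplit("/", 1)[-1]
    exts = extensions(inner)
    last = exts[-1] if exts else ""
    if base in BANNED_NAMES:
        findings.append(Finding(attachment, inner, "banned-name"))
    if last in EXECUTABLE_EXTS:
        findings.append(Finding(attachment, inner, "executable-extension"))
        if len(exts) >= 2:
            # e.g. "bounce.dat.pif": the visible extension is not the one that runs
            findings.append(Finding(attachment, inner, "double-extension"))
    if sniff(data) == "executable" and last not in EXECUTABLE_EXTS:
        # PE header behind a harmless-looking name (the ".pdf that is really an .exe")
        findings.append(Finding(attachment, inner, "disguised-executable"))


def inspect_attachment(filename: str, data: bytes) -> list:
    """Inspect one attachment, descending one level into ZIP archives."""
    findings = []
    if sniff(data) == "zip" or filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Encrypted entry: the name can still be checked, the content cannot.
                        findings.append(Finding(filename, info.filename, "encrypted-entry"))
                        check_entry(filename, info.filename, b"", findings)
                        continue
                    check_entry(filename, info.filename, archive.read(info), findings)
        except zipfile.BadZipFile:
            findings.append(Finding(filename, "", "corrupt-zip"))
    else:
        check_entry(filename, filename, data, findings)
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive mimicking the attachments discussed in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("readme.txt", b"nothing to see here")
        archive.writestr("receipt.pdf", b"MZ\x90\x00" + b"\x00" * 60)            # PE stub named .pdf
        archive.writestr("Invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)        # double extension
        archive.writestr("My_Notebook.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # banned name
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment("order.zip", build_sample_zip()):
        print(f"{finding.attachment}: {finding.inner}: {finding.reason}")
    for finding in inspect_attachment("bounce.dat.pif", b"MZ\x90\x00"):
        print(f"{finding.attachment}: {finding.inner}: {finding.reason}")
```

The inspector reports findings rather than deciding an action, so a site can quarantine on "disguised-executable" while only weighting "double-extension", the same split Andrew describes between BANNAME and a lower-weighted SKIPATTACH filter. An encrypted entry is reported as such because its content cannot be examined at all, which is a decision point on its own.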



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Ncl Admin
John,

I think that F-prot now is getting it.

Subject: Declude Virus caught a virus
X-Mailer: 
X-Declude-Sender: postmaster [127.0.0.1]
X-Note: Spam Score: 0
X-Note: SMTP Sender: postmaster
X-Note: Reverse DNS & IP: (Private IP) [127.0.0.1]
X-Country-Chain: 
X-Note: To: nclife.com
X-RCPT-TO: <[EMAIL PROTECTED]>

Declude Virus v2.0.6.16 caught the  W32/[EMAIL PROTECTED] virus in tySfRhC.zip
from [EMAIL PROTECTED] to: 





Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Darrell \([EMAIL PROTECTED])
John, 

CLAMAV is catching it on my systems. 

Darrell 


---
fpReview - Review held mail easily and quickly.
http://www.invariantsystems.com 

John T (Lists) writes: 


Back to the matter indicated in the subject line, how are others dealing
with this? 

Are F-Prot, AVG and others catching this now? 

Which AV scanners are indeed catching it? 


Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic. 


John T
eServices For You 

"Seek, and ye shall find!" 

 






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Scott Fisher

> as every instance we have seen of this has been invalid email.


I certainly regularly receive incorrectly formatted email. I'm pretty small 
volume, but looking over my logs (I have an external test for this 
condition), it is 111 non-spam messages this month.


My email volume is pretty low. But I'm not looking forward to hand 
correcting 120 of these a month.



- Original Message - 
From: "David Barker" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, June 28, 2006 2:07 PM
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus



Matt,

The CRLF problem has more to do with the email server and not Declude;
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp; if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid email.

The long base64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFCs and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level; have you contacted Imail and asked
for their response and/or fix?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically determined with a great deal of ease (a simple regexp), and
Declude could insert its headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed at
this point.  This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one that
is widely reported, I can't responsibly rely on that product.  It is pretty
much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patched for a
critical flaw.  I consider both the Mail From issue and the base64 encoding
issues to be critical flaws that warrant immediate fixes.  I am not alone in
this.

If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not weeks or
months when they occur.

I assume that you are not the person making these development decisions, so
this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making sure
that Declude can respond rapidly to such things not just now, but as they
occur in the future.

Thanks,

Matt




David Barker wrote:

Matt,

Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base
64
e
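
The David Barker / Matt exchange quoted above turns on two parsing failure modes in the scanner's mail handling: headers broken with bare CRs instead of CRLF, so the scanner's own inserted headers land in the wrong place and Subject-tagging users lose their filter, and base64 bodies on very long lines that the decoder gives up on, so the attachment is never handed to the virus scanners. The code below is an added example, not Declude's code and not Matt's "own solution": it normalizes line endings before locating the header/body boundary, inserts a scanner header at that boundary, decodes base64 regardless of line length, and reports both anomalies as signals instead of refusing the message, which leaves room for Scott Fisher's point that legitimate but malformed mail exists. The three sample messages, the "X-Scan-Result" header name and the 64-byte fake "MZ" payload are constructed for the example.

```python
import base64
import binascii
import re

# A CR not followed by LF, or an LF not preceded by CR, is a non-standard line break.
NONSTANDARD_BREAK = re.compile(rb"\r(?!\n)|(?<!\r)\n")
ANY_BREAK = re.compile(rb"\r\n|\r|\n")
NOT_BASE64 = re.compile(rb"[^A-Za-z0-9+/=]")
RFC_LINE_LIMIT = 76  # longest encoded line RFC 2045 allows


def normalize_line_endings(raw: bytes):
    """Return (message with CRLF everywhere, True if any bare CR or LF was present)."""
    nonstandard = NONSTANDARD_BREAK.search(raw) is not None
    return ANY_BREAK.sub(b"\r\n", raw), nonstandard


def split_message(raw: bytes):
    """Find the header/body boundary only after normalizing; returns (head, body, nonstandard)."""
    norm, nonstandard = normalize_line_endings(raw)
    head, _, body = norm.partition(b"\r\n\r\n")
    return head, body, nonstandard


def parse_headers(head: bytes) -> dict:
    """Minimal header parser: 'Name: value' lines with folded continuation lines."""
    headers = {}
    last = None
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += " " + line.strip().decode("ascii", "replace")
            continue
        name, sep, value = line.partition(b":")
        if sep:
            last = name.strip().decode("ascii", "replace")
            headers[last] = value.strip().decode("ascii", "replace")
    return headers


def decode_base64_body(body: bytes):
    """Decode regardless of line length; returns (bytes or None, True if a line exceeded 76)."""
    lines = body.split(b"\r\n")
    long_line = max((len(line) for line in lines), default=0) > RFC_LINE_LIMIT
    compact = NOT_BASE64.sub(b"", b"".join(lines))  # line structure is irrelevant to decoding
    compact += b"=" * (-len(compact) % 4)           # repair missing padding
    try:
        return base64.b64decode(compact, validate=True), long_line
    except binascii.Error:
        return None, long_line


def insert_header(raw: bytes, header_line: bytes) -> bytes:
    """Append a scanner header at the true end of the header block."""
    head, body, _ = split_message(raw)
    return head + b"\r\n" + header_line + b"\r\n\r\n" + body


def analyze(raw: bytes) -> dict:
    """Parse one message and report the two anomalies discussed in the thread."""
    head, body, nonstandard = split_message(raw)
    headers = parse_headers(head)
    result = {"headers": headers, "nonstandard_crlf": nonstandard,
              "long_base64_line": False, "decoded": None}
    if headers.get("Content-Transfer-Encoding", "").lower() == "base64":
        result["decoded"], result["long_base64_line"] = decode_base64_body(body)
    return result


# Constructed samples. The 64-byte payload is a fake PE stub, not a real binary.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60
HEADERS = (b"From: sender@example.invalid", b"To: postmaster@example.invalid",
           b"Subject: test",
           b'Content-Type: application/octet-stream; name="bounce.dat.pif"',
           b"Content-Transfer-Encoding: base64")


def build_message(line_break: bytes, body: bytes) -> bytes:
    return line_break.join(HEADERS) + line_break * 2 + body


SAMPLE_CLEAN = build_message(b"\r\n", base64.encodebytes(PAYLOAD).replace(b"\n", b"\r\n"))
SAMPLE_CR_ONLY = build_message(b"\r", base64.encodebytes(PAYLOAD).replace(b"\n", b"\r"))
SAMPLE_LONG_LINE = build_message(b"\r\n", base64.b64encode(b"A" * 1500) + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("cr-only", SAMPLE_CR_ONLY),
                         ("long-line", SAMPLE_LONG_LINE)):
        report = analyze(sample)
        print(name, report["nonstandard_crlf"], report["long_base64_line"], report["decoded"][:2])
```

Normalizing before anything else is the whole trick: once every line break is CRLF, the blank line that ends the headers is unambiguous, the inserted header cannot drift into the body, and the decoder never sees line length at all. The two flags stay available for scoring, so a site that agrees with David can quarantine on them while a site with Scott's traffic can merely weight them.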

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt

David,

Mail servers have absolutely no requirement to inspect the contents of 
the data.  This is Declude's job to do.  Additionally, most mail clients 
do support both the CR flaw as well as the long base64 encoding flaw, 
so anything making it past Declude due to the holes created by these 
bugs is a critical flaw.  There are so many things out there that 
violate the RFCs, it's almost not even worth arguing about whose 
responsibility it is since these things definitely exist and need to be 
dealt with appropriately.


The issue with the CR's and Declude is not technically a "vulnerability" 
for any application out there besides Declude itself.  Vulnerabilities 
in Declude have historically been formatting supported by mail clients 
which could be used to sneak past encoded attachments or scripting which 
could cause auto-execution or bypassing of virus scanners.  The 
vulnerability only exists because Declude's SUBJECT action and header 
appending does not work appropriately, and some people chose to filter 
on such things instead of relying on other actions.


I do in fact receive legitimate E-mails that have only CR's.  Any PHP 
programmer out there can make this mistake just like multiple vendors 
are violating RFC's by including a space in the SMTP commands where they 
don't belong, or adding headers that don't properly bracket IP's, etc.  
If this is introduced as a vulnerability, I want to turn it off.  The 
reason is because I don't want to scan a directory full of Q and D files 
searching for false positives, and I know that they will exist.  Others 
may be less anal about this, or have different traffic patterns that 
isolate them from such issues, or might simply not care.  Ultimately 
however, if you just simply placed the Declude inserted headers in the 
best possible place (before the first ) then this wouldn't be an 
issue.


I find it hard to believe that no one there can figure out how to do that.

Regardless of who is right or wrong, right now every Declude user is 
vulnerable to viruses that may exploit the holes created by the base64 
encoding error and the invalid character in the Mail From error.  There 
is a virus that has been spreading for over a year that bypasses 
Declude Virus' calling of virus scanners due to the long encoding 
lines, and the only reason why this hasn't become an issue is because he 
only sends EXE's which most of us block by default and only causes 
backscatter.  If someone were to write a virus that was in a zip or a 
DOC though, which most of us don't block, it would bypass our virus 
scanners 100% of the time.  If they wanted to exploit some scripting 
holes in mail clients, all they would have to do is send with a non-ASCII 
character in the Mail From and they're good to go right past 
Declude.  This is why these things are critical in nature.


I don't want to continually bring this stuff up, I just want you guys to 
get it.  Pretend for a second that I am right, and then look back at 
what you are doing.  Please.


Matt



David Barker wrote:


Matt,

The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp; if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid email.

The Long base 64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFC's and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level. Have you contacted Imail and asked
for their response and/or fix?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically d

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread John T \(Lists\)
Back to the matter indicated in the subject line, how are others dealing
with this?

Is F-Prot and AVG and others catching this now?

Which AV scanners are indeed catching it?

Now for the bigger question: How do we combat this and future such versions
without outright blocking of the file extension? We all know that relying
on users to not open attachments is problematic.

John T
eServices For You

"Seek, and ye shall find!"







RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Michael Thomas - Mathbox
David,

From my point of view, the problem with that response is that if Imail
handled all the issues presented by abnormal mail messages, we would not need
Declude. Imail handles normal messages just fine. If it were not for viruses
and spammers, we would not see these problems. We got Declude to handle
viruses and spammers.

Mike

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Barker
> Sent: Wednesday, June 28, 2006 3:08 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Matt,
>  
> The CRLF problem has more to do with the email server and not Declude,
> emails that are so badly broken should be either rejected by the email
> server or these headers should be standardized by the email server.
> Either way this is a much more complex issue than you make it out to be, by
> just fixing it with a simple regexp; if it was as easy as that, do you not
> think we would have done this already?
> 
> "Introducing tests to score conditions that one's software does not handle
> correctly is not a fix, it's a work-around." This is not how we are dealing
> with this issue, it is not an additional Spam test as I clearly stated we
> are dealing with this as a vulnerability because this should be addressed at
> the email server level and not Declude, therefore the message will be
> quarantined - as every instance we have seen of this has been invalid email.
> 
> The Long base 64 encoding is a similar issue whereby the mail server should
> deal with these before they get to Declude as such emails are clearly in
> violation of the RFC's and should be treated as suspect from the very
> beginning.
> 
> To conclude, we are making every effort to address these issues because it
> is not being done at the server level. Have you contacted Imail and asked
> for their response and/or fix?
> 
> David B
> www.declude.com
> ____
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Matt
> Sent: Wednesday, June 28, 2006 2:48 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> 
> David,
> 
> The CRLF thing doesn't affect me since I have my own solution, however for
> those that use Subject tagging, adding another test won't help unless they
> decide to just simply delete such messages.  The header boundary could be
> programmatically determined with a great deal of ease (a simple regexp), and
> Declude could insert its headers into the correct place if this was done.
> Introducing tests to score conditions that one's software does not handle
> correctly is not a fix, it's a work-around.
> 
> Regarding the other things, I'm very alarmed that the official position is
> still not even recognizing that these bugs surely exist, much less fixed at
> this point.  This concerns me greatly since I rely on this product for my
> business, and if it takes months to just confirm a bug, especially one that
> is widely reported, I can't responsibly rely on that product.  It is pretty
> much the same thing as having a virus scanner that takes months to catch a
> particular virus, or having a Web browser that is never patched for a
> critical flaw.  I consider both the Mail From issue and the base 64 encoding
> issues to be critical flaws that warrant immediate fixes.  I am not alone in
> this.  If you don't have a lot of people still griping about this stuff, it
> is because they are either not aware of the flaws, or they have already
> given up on trying to get you guys to fix them, or given up on relying on
> Declude altogether.  These things should be fixed in hours or days and not
> weeks or months when they occur.
> 
> I assume that you are not the person making these development decisions, so
> this isn't directed at you, but those that make the calls need to fully
> understand the critical nature of these flaws, and their role in making sure
> that Declude can respond rapidly to such things not just now, but as they
> occur in the future.
> 
> Thanks,
> 
> Matt
> 
> 
> 
> 
> David Barker wrote: 
> 
>   Matt,
>   
>   Headers not using proper CRLF line breaks is currently being tested using
>   the new vulnerability NONSTANDARDCRLF test.
>   
>   As for these items they are on the list for engineers to confirm and test
>   a

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
Matt,
 
The CRLF problem has more to do with the email server and not Declude,
emails that are so badly broken should be either rejected by the email
server or these headers should be standardized by the email server.
Either way this is a much more complex issue than you make it out to be, by
just fixing it with a simple regexp; if it was as easy as that, do you not
think we would have done this already?

"Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around." This is not how we are dealing
with this issue, it is not an additional Spam test as I clearly stated we
are dealing with this as a vulnerability because this should be addressed at
the email server level and not Declude, therefore the message will be
quarantined - as every instance we have seen of this has been invalid email.

The Long base 64 encoding is a similar issue whereby the mail server should
deal with these before they get to Declude as such emails are clearly in
violation of the RFC's and should be treated as suspect from the very
beginning.

To conclude, we are making every effort to address these issues because it
is not being done at the server level. Have you contacted Imail and asked
for their response and/or fix?

David B
www.declude.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 2:48 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


David,

The CRLF thing doesn't affect me since I have my own solution, however for
those that use Subject tagging, adding another test won't help unless they
decide to just simply delete such messages.  The header boundary could be
programmatically determined with a great deal of ease (a simple regexp), and
Declude could insert its headers into the correct place if this was done.
Introducing tests to score conditions that one's software does not handle
correctly is not a fix, it's a work-around.

Regarding the other things, I'm very alarmed that the official position is
still not even recognizing that these bugs surely exist, much less fixed at
this point.  This concerns me greatly since I rely on this product for my
business, and if it takes months to just confirm a bug, especially one that
is widely reported, I can't responsibly rely on that product.  It is pretty
much the same thing as having a virus scanner that takes months to catch a
particular virus, or having a Web browser that is never patched for a critical
flaw.  I consider both the Mail From issue and the base 64 encoding issues
to be critical flaws that warrant immediate fixes.  I am not alone in this.
If you don't have a lot of people still griping about this stuff, it is
because they are either not aware of the flaws, or they have already given
up on trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not weeks or
months when they occur.

I assume that you are not the person making these development decisions, so
this isn't directed at you, but those that make the calls need to fully
understand the critical nature of these flaws, and their role in making sure
that Declude can respond rapidly to such things not just now, but as they
occur in the future.

Thanks,

Matt




David Barker wrote: 

Matt,

Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt



David Barker wrote:

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Ncl Admin
All of these issues are why I am still on version 2.x.x as well.  I have
been waiting for their resolution for some time while patiently paying my
support fees.



At 01:48 PM 6/28/2006 -0400, you wrote:
>David,
>
>I'm just wondering about the issue with the invalid characters in the 
>Mail From's that caused massive spam leakage almost a month ago.  Is 
>this too supposed to be fixed?
>
>I'm also very, very curious about the other bugs such as long base 64 
>encoding causing Declude Virus to fail decoding, WHITELIST IP being 
>applied before IPBYPASS, and the issue where Declude's headers are 
>inserted at the bottom of the message when the headers don't use proper 
>CRLF line breaks?
>
>Thanks,
>
>Matt
>
>
>
>David Barker wrote:
>
>>I have added the request to the wish list. We are focusing on replicating
>>problems and fixing items from the list I had posted earlier last week. We
>>are looking to do a release Thursday 8 July; it is currently undergoing
>>testing. This is all obviously subject to change, just trying to keep you
>>informed.
>> 
>>Items in next release:
>> 
>>1. Fix - ALLOWVULNERABILITIESFROM - full email address only 
>>
>>2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path  
>> 
>>3. Add - Error in SM envelope file: if errors are found the mail will be
>>moved to the error directory
>>
>>4. Add - If the headers files are not found then the data file is moved to
>>error directory. 
>>
>>5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
>>for the end of the headers. 
>>
>>David B
>>www.declude.com
>>
>>
>>
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
>>Sent: Tuesday, June 27, 2006 7:04 PM
>>To: declude.virus@declude.com
>>Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
>>
>>
>>John,
>>
>>Not to say that this wouldn't be something that is nice to have, I can think
>>of dozens of things that are very largely useful on a much more regular
>>basis.  In fact, the current functionality provides an appropriate mechanism
>>for blocking these as-is.
>>
>>I would just simply like to see Declude catch up by fixing the known bugs
>>first.  When they catch up, then certainly they should consider feature
>>requests, but it would make sense to focus on new tests and improving existing
>>ones, along with refining functionality.  I will personally continue to hold
>>back from such discussions until it is clear that they are capable of
>>handling the bugs.
>>
>>Sorry to make an example of you here; that's not the intention of course.  I
>>just thought that it would be constructive to point this stuff out for the
>>benefit of Declude and its customers alike.
>>
>>Matt
>>
>>
>>
>>John T (Lists) wrote: 
>>
>>  I know. :(
>>  
>>  Declude, this is a feature whose time has come.
>>  
>>  John T
>>  eServices For You
>>  
>>  "Seek, and ye shall find!"
>>  
>>  
>>
>>
>>  -Original Message-
>>  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>>Behalf Of Markus
>>  Gufler
>>  Sent: Tuesday, June 27, 2006 3:10 PM
>>  To: declude.virus@declude.com
>>  Subject: RE: [Declude.Virus] New Virus: zipped word doc with
>>Macro-Virus
>>  
>>  As I know yes but
>>  
>>  BANNAME my_notebook.doc
>>  
>>  wouldn't work for files within zip-archives.
>>  
>>  Markus
>>  
>>  
>>
>>  -Original Message-
>>  From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On
>>  Behalf Of John T (Lists)
>>  Sent: Tuesday, June 27, 2006 11:48 PM
>>  To: declude.virus@declude.com
>>  Subject: RE: [Declude.Virus] New Virus: zipped word
>>doc with
>>  Macro-Virus
>>
>>  Is the word document only named that?
>>  
>>  John T
>>  eServices For You
>> 

Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt




David,

The CRLF thing doesn't affect me since I have my own solution, however
for those that use Subject tagging, adding another test won't help
unless they decide to just simply delete such messages.  The header
boundary could be programmatically determined with a great deal of ease
(a simple regexp), and Declude could insert its headers into the
correct place if this was done.  Introducing tests to score conditions
that one's software does not handle correctly is not a fix, it's a
work-around.

Regarding the other things, I'm very alarmed that the official position
is still not even recognizing that these bugs surely exist, much less
fixed at this point.  This concerns me greatly since I rely on this
product for my business, and if it takes months to just confirm a bug,
especially one that is widely reported, I can't responsibly rely on
that product.  It is pretty much the same thing as having a virus
scanner that takes months to catch a particular virus, or having a Web
browser that is never patched for a critical flaw.  I consider both the
Mail From issue and the base 64 encoding issues to be critical flaws
that warrant immediate fixes.  I am not alone in this.  If you don't
have a lot of people still griping about this stuff, it is because they
are either not aware of the flaws, or they have already given up on
trying to get you guys to fix them, or given up on relying on Declude
altogether.  These things should be fixed in hours or days and not
weeks or months when they occur.

I assume that you are not the person making these development
decisions, so this isn't directed at you, but those that make the calls
need to fully understand the critical nature of these flaws, and their
role in making sure that Declude can respond rapidly to such things not
just now, but as they occur in the future.

Thanks,

Matt




David Barker wrote:

  Matt,

Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt



David Barker wrote:

I have added the request to the wish list. We are focusing on 
replicating problems and fixing items from the list I had posted 
earlier last week. We are looking to do a release Thursday 8 July; it is 
currently undergoing testing. This is all obviously subject to change, 
just trying to keep you informed.

Items in next release:

1. Fix - ALLOWVULNERABILITIESFROM - full email address only

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path

3. Add - Error in SM envelope file: if errors are found the mail will 
be moved to the error directory

4. Add - If the headers files are not found then the data file is moved 
to error directory.

5. Add - A new vulnerability test NONSTANDARDCRLF will be included to 
check for the end of the headers.

David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, I can 
think of dozens of things that are very largely useful on a much more 
regular basis.  In fact, the current functionality provides an 
appropriate mechanism for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known 
bugs first.  When they catch up, then certainly they should consider 
feature requests, but it would make sense to focus on new tests and 
improving existing ones, along with refining functionality.  I will 
personally continue to hold back from such discussions until it is 
clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of 
course.  I just thought that it would be constructive to point this 
stuff out for the benefit of Declude and it'
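Matt's post above says the header boundary can be found programmatically whatever line ending a message uses, and his earlier post in this thread that a base64 body on over-long lines must still be decoded and handed to the scanner. The following is an added example in Python, not Declude's code and not from anyone on the list; the X-Example-Scanned header name and both sample messages are constructed for illustration.

```python
"""Robust header-boundary detection and line-length-tolerant base64 decoding.

Added example, not Declude code. A mail filter should locate the blank line
that ends the headers even when a message uses bare LF or bare CR instead of
CRLF (so its own headers land in the header block, not at the bottom), and it
should decode base64 bodies regardless of encoded line length so the
attachment still reaches the virus scanner.
"""
import base64
import binascii
import re
from typing import Optional, Tuple

# Two consecutive identical line terminators form the empty line that ends the
# headers. The backreference stops a single CRLF being read as CR then LF.
# (A message that mixes terminators, e.g. CRLF followed by a bare LF, is not
# handled; it is rare enough to treat as suspect rather than guess at.)
_BLANK_LINE = re.compile(rb"(\r\n|\r|\n)\1")
_ANY_EOL = re.compile(rb"\r\n|\r|\n")


def naive_header_end(raw: bytes) -> int:
    """The fragile approach: recognises only RFC 2822 CRLF CRLF. It returns -1
    for bare-CR or bare-LF messages, and a filter built on it ends up
    appending its headers after the body."""
    return raw.find(b"\r\n\r\n")


def find_header_end(raw: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (insert_at, body_start, eol) or None when no blank line exists.

    insert_at: offset just after the last header line's terminator, i.e.
               where a new header line belongs.
    body_start: offset just after the blank line.
    eol: the line terminator the message actually uses.
    """
    m = _BLANK_LINE.search(raw)
    if m is None:
        return None
    eol = m.group(1)
    return m.start() + len(eol), m.end(), eol


def insert_header(raw: bytes, name: str, value: str) -> bytes:
    """Insert 'name: value' as the last header line, using the message's own
    line ending. With no blank line at all, the whole message is treated as
    headers and a blank line is appended so the result is well formed."""
    line = f"{name}: {value}".encode()
    found = find_header_end(raw)
    if found is None:
        eol_match = _ANY_EOL.search(raw)
        eol = eol_match.group(0) if eol_match else b"\r\n"
        headers = raw if (not raw or raw.endswith(eol)) else raw + eol
        return headers + line + eol + eol
    insert_at, _, eol = found
    return raw[:insert_at] + line + eol + raw[insert_at:]


def body_of(raw: bytes) -> bytes:
    """Everything after the blank line; empty if the message has no body."""
    found = find_header_end(raw)
    return b"" if found is None else raw[found[1]:]


def decode_base64_body(body: bytes) -> Optional[bytes]:
    """Decode base64 however long the encoded lines are. RFC 2045 tells
    encoders to wrap at 76 characters, but a decoder that gives up on a
    longer line hands the scanner nothing. Returns None for invalid base64."""
    compact = re.sub(rb"\s+", b"", body)
    compact += b"=" * (-len(compact) % 4)  # tolerate missing padding
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


# Constructed sample: a stand-in attachment encoded as ONE unbroken base64
# line, far beyond the 76-character wrap that well-behaved encoders produce.
SAMPLE_ATTACHMENT = b"constructed stand-in for a zipped .doc " * 30
LONG_B64_LINE = base64.b64encode(SAMPLE_ATTACHMENT)

# Constructed message using bare CR as its line terminator throughout.
CR_MESSAGE = (
    b"From: sender@example.invalid\r"
    b"To: user@example.invalid\r"
    b"Subject: my_notebook\r"
    b"Content-Transfer-Encoding: base64\r"
    b"\r"
    + LONG_B64_LINE + b"\r"
)


if __name__ == "__main__":
    print("naive CRLF-only search finds boundary:", naive_header_end(CR_MESSAGE) != -1)
    tagged = insert_header(CR_MESSAGE, "X-Example-Scanned", "yes")  # hypothetical header
    print("tagged header block:", tagged.split(b"\r\r", 1)[0].split(b"\r"))
    decoded = decode_base64_body(body_of(tagged))
    print("attachment decoded intact:", decoded == SAMPLE_ATTACHMENT)
```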

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
Matt,

Headers not using proper CRLF line breaks is currently being tested using
the new vulnerability NONSTANDARDCRLF test.

As for these items they are on the list for engineers to confirm and test
and fix if they are bugs.

1. Invalid characters in the Mail FROM
2. Long base 64 encoding causing Declude EVA to fail decoding
3. WHITELIST IP being applied before IPBYPASS

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 28, 2006 1:49 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt



David Barker wrote:

>I have added the request to the wish list. We are focusing on 
>replicating problems and fixing items from the list I had posted 
>earlier last week. We are looking to do a release Thursday 8 July; it is 
>currently undergoing testing. This is all obviously subject to change, 
>just trying to keep you informed.
> 
>Items in next release:
> 
>1. Fix - ALLOWVULNERABILITIESFROM - full email address only
>
>2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path
> 
>3. Add - Error in SM envelope file: if errors are found the mail will 
>be moved to the error directory
>
>4. Add - If the headers files are not found then the data file is moved 
>to error directory.
>
>5. Add - A new vulnerability test NONSTANDARDCRLF will be included to 
>check for the end of the headers.
>
>David B
>www.declude.com
>
>
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
>Matt
>Sent: Tuesday, June 27, 2006 7:04 PM
>To: declude.virus@declude.com
>Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
>Macro-Virus
>
>
>John,
>
>Not to say that this wouldn't be something that is nice to have, I can 
>think of dozens of things that are very largely useful on a much more 
>regular basis.  In fact, the current functionality provides an 
>appropriate mechanism for blocking these as-is.
>
>I would just simply like to see Declude catch up by fixing the known 
>bugs first.  When they catch up, then certainly they should consider 
>feature requests, but it would make sense to focus on new tests and 
>improving existing ones, along with refining functionality.  I will 
>personally continue to hold back from such discussions until it is 
>clear that they are capable of handling the bugs.
>
>Sorry to make an example of you here; that's not the intention of 
>course.  I just thought that it would be constructive to point this 
>stuff out for the benefit of Declude and its customers alike.
>
>Matt
>
>
>
>John T (Lists) wrote: 
>
>   I know. :(
>   
>   Declude, this is a feature whose time has come.
>   
>   John T
>   eServices For You
>   
>   "Seek, and ye shall find!"
>   
>   
> 
>
>   -----Original Message-----
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
>   Gufler
>   Sent: Tuesday, June 27, 2006 3:10 PM
>   To: declude.virus@declude.com
>   Subject: RE: [Declude.Virus] New Virus: zipped word doc with
>   Macro-Virus
>   
>   As I know yes but
>   
>   BANNAME my_notebook.doc
>   
>   wouldn't work for files within zip-archives.
>   
>   Markus
>   
>   
>
>   -----Original Message-----
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>   Behalf Of John T (Lists)
>   Sent: Tuesday, June 27, 2006 11:48 PM
>   To: declude.virus@declude.com
>   Subject: RE: [Declude.Virus] New Virus: zipped word doc with
>   Macro-Virus
>   
>   Is the word document only named that?
>   
>   John T
>   eServices For You
>   
>   "Seek, and ye

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Robert Grosshandler
Matt -

Thanks for keeping track of all of this for the rest of us.

Rob 

-Original Message-

David,

I'm just wondering about the issue with the invalid characters in the Mail
From's that caused massive spam leakage almost a month ago.  Is this too
supposed to be fixed?

I'm also very, very curious about the other bugs such as long base 64
encoding causing Declude Virus to fail decoding, WHITELIST IP being applied
before IPBYPASS, and the issue where Declude's headers are inserted at the
bottom of the message when the headers don't use proper CRLF line breaks?

Thanks,

Matt

---
[This E-mail scanned for viruses by Declude Virus]






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Matt

David,

I'm just wondering about the issue with the invalid characters in the 
Mail From's that caused massive spam leakage almost a month ago.  Is 
this too supposed to be fixed?


I'm also very, very curious about the other bugs such as long base 64 
encoding causing Declude Virus to fail decoding, WHITELIST IP being 
applied before IPBYPASS, and the issue where Declude's headers are 
inserted at the bottom of the message when the headers don't use proper 
CRLF line breaks?


Thanks,

Matt



David Barker wrote:


I have added the request to the wish list. We are focusing on replicating
problems and fixing items from the list I had posted earlier last week. We
are looking to do a release Thursday 8 July; it is currently undergoing
testing. This is all obviously subject to change, just trying to keep you
informed.

Items in next release:

1. Fix - ALLOWVULNERABILITIESFROM - full email address only 

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path  


3. Add - Error in SM envelope file: if errors are found the mail will be
moved to the error directory

4. Add - If the headers files are not found then the data file is moved to
error directory. 


5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
for the end of the headers. 


David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, I can think
of dozens of things that are very largely useful on a much more regular
basis.  In fact, the current functionality provides an appropriate mechanism
for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known bugs
first.  When they catch up, then certainly they should consider feature
requests, but it would make sense to focus on new tests and improving existing
ones, along with refining functionality.  I will personally continue to hold
back from such discussions until it is clear that they are capable of
handling the bugs.

Sorry to make an example of you here; that's not the intention of course.  I
just thought that it would be constructive to point this stuff out for the
benefit of Declude and its customers alike.

Matt



John T (Lists) wrote: 


I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with
Macro-Virus

As I know yes but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word
doc with
Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped
word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a
zip-file as attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners ca

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Kami Razvan
Hi John:

I have received 3 of these that are not in zip files.

My_new_comp.doc
About_me.doc
Hp_laptops.doc

All are similar in concept, with the following in the body and different
subjects.  The name after "Hello" is also different.

---
Hello Cristian Asanachescu


Regards, "Cristian Asanachescu" 


Or
-
Hello Patricia Myrose


Regards, "Patricia Myrose" 
-

All files are 52 KB attachments.

I am trying to see why it was not caught as a virus. It does not look right.

Regards,
Kami
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 5:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Colbeck, Andrew
Marc, check the contents of your c:\ for 666INSE_1.EXE as this is the
dropper file that the macro drops.  If it's there, the macro was
executed, and the dropper has probably also downloaded further malware.

Modern versions of Office will, by default, not execute the macro so you
might be safe.

I don't know if Symantec has signatures for this document, the dropper
or the payload it downloads.  Trend Micro does, so you could use their
web based HouseCall antivirus scanner from here:

http://housecall.trendmicro.com/

Andrew 8)



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Marc Catuogno
> Sent: Wednesday, June 28, 2006 6:03 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Um, no making fun here - I opened it.  I thought it was just 
> spam; someone forwarded it to my spam account. I didn't find 
> the Trojan downloader on my PC.  I'm ASSUMING that you have 
> to hit the "check prices" macro button as no macro seemed to 
> auto-execute... 
> 
> I just downloaded the intelligent updater for NAV 9 (as the 
> live update button only gave me definitions of the 21st) and 
> am running a scan now.
> 
> Remind me not to make so much fun of other people for opening 
> attachments.
> 
> Marc
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Markus Gufler
> Sent: Tuesday, June 27, 2006 2:32 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> Some of us have noted in the past two hours that messages with 
> a zip-file as attachment have passed our virus filters
> 
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
> 
> Most Virus-Scanners can't catch it. Virustotal has returned 
> only two scanners with positive results
> 
> Sophos has found "WM97/Kukudro-A" 
> UNA has found a "Macro Virus"
> 
> No other AV-Engine has caught the suspicious file.
> 
> We've added the following lines to our virus.cfg in order to 
> block as much as we can at the moment.
> 
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
> 
> Regards
> Markus
> 
> 
> 





RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread David Barker
I have added the request to the wish list. We are focusing on replicating
problems and fixing items from the list I had posted earlier last week. We
are looking to do a release Thursday 8 July; it is currently undergoing
testing. This is all obviously subject to change; I am just trying to keep you
informed.
 
Items in next release:
 
1. Fix - ALLOWVULNERABILITIESFROM - full email address only 

2. Fix - QUEUEFILE_SAVEFILE log shows incorrect directory path  
 
3. Add - Error in SM envelope file: if errors are found the mail will be
moved to the error directory

4. Add - If the header files are not found then the data file is moved to
the error directory.

5. Add - A new vulnerability test NONSTANDARDCRLF will be included to check
for the end of the headers. 

David B
www.declude.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, June 27, 2006 7:04 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus


John,

Not to say that this wouldn't be something that is nice to have, I can think
of dozens of things that are very largely useful on a much more regular
basis.  In fact, the current functionality provides an appropriate mechanism
for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known bugs
first.  When they catch up, then certainly they should consider feature
requests, but it would make sense to focus on new tests and improving existing
ones, along with refining functionality.  I will personally continue to hold
back from such discussions until it is clear that they are capable of
handling the bugs.

Sorry to make an example of you here; that's not the intention of course.  I
just thought that it would be constructive to point this stuff out for the
benefit of Declude and its customers alike.

Matt



John T (Lists) wrote:

I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know, yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-28 Thread Marc Catuogno
Um, no making fun here - I opened it.  I thought it was just spam; someone
forwarded it to my spam account. I didn't find the Trojan downloader on my
PC.  I'm ASSUMING that you have to hit the "check prices" macro button as no
macro seemed to auto-execute... 

I just downloaded the intelligent updater for NAV 9 (as the live update
button only gave me definitions of the 21st) and am running a scan now.

Remind me not to make so much fun of other people for opening attachments.

Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
Gufler
Sent: Tuesday, June 27, 2006 2:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A" 
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Matt




John,

Not to say that this wouldn't be something that is nice to have, I can
think of dozens of things that are very largely useful on a much more
regular basis.  In fact, the current functionality provides an
appropriate mechanism for blocking these as-is.

I would just simply like to see Declude catch up by fixing the known
bugs first.  When they catch up, then certainly they should consider
feature requests, but it would make sense to focus on new tests and
improving existing ones, along with refining functionality.  I will
personally continue to hold back from such discussions until it is
clear that they are capable of handling the bugs.

Sorry to make an example of you here; that's not the intention of
course.  I just thought that it would be constructive to point this
stuff out for the benefit of Declude and its customers alike.

Matt



John T (Lists) wrote:

I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 3:10 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

As far as I know, yes, but

BANNAME my_notebook.doc

wouldn't work for files within zip-archives.

Markus



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 27, 2006 11:48 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 27, 2006 11:32 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as
much as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus




RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Colbeck, Andrew
JT> Declude, this is a feature whose time has come.

Hear, hear!  The ability to ban filenames that are contained in archives
would be a good feature, and most of the code must be in place, because
Declude Virus already pulls apart at least the zip file format for
selective file scanning.

It is also well placed in the market.  I checked my up-to-the-minute
ScanMail for Exchange from Trend Micro, and they don't have that
feature.  I also tested it to see whether filename blocking would work
anyway, and no, it didn't.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of John T (Lists)
> Sent: Tuesday, June 27, 2006 3:38 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> Importance: High
> 
> I know. :(
> 
> Declude, this is a feature whose time has come.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Markus Gufler
> > Sent: Tuesday, June 27, 2006 3:10 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> > Macro-Virus
> > 
> > As far as I know, yes, but
> > 
> > BANNAME my_notebook.doc
> > 
> > wouldn't work for files within zip-archives.
> > 
> > Markus
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of 
> > > John T (Lists)
> > > Sent: Tuesday, June 27, 2006 11:48 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> > > Macro-Virus
> > >
> > > Is the word document only named that?
> > >
> > > John T
> > > eServices For You
> > >
> > > "Seek, and ye shall find!"
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On Behalf 
> > > > Of Markus Gufler
> > > > Sent: Tuesday, June 27, 2006 11:32 AM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] New Virus: zipped word doc with 
> > > > Macro-Virus
> > > >
> > > > Some of us have noted in the past two hours that messages with a
> > > > zip-file as attachment have passed our virus filters
> > > >
> > > > It's a zip-file containing a MS Word Document named "my_notebook.doc"
> > > >
> > > > Most Virus-Scanners can't catch it. Virustotal has returned only two
> > > > scanners with positive results
> > > >
> > > > Sophos has found "WM97/Kukudro-A"
> > > > UNA has found a "Macro Virus"
> > > >
> > > > No other AV-Engine has caught the suspicious file.
> > > >
> > > > We've added the following lines to our virus.cfg in order to block as
> > > > much as we can at the moment.
> > > >
> > > > BANNAME prices.zip
> > > > BANNAME apple_prices.zip
> > > > BANNAME sony_prices.zip
> > > > BANNAME hp_prices.zip
> > > > BANNAME dell_prices.zip
> > > > BANNAME My_Notebook.doc
> > > >
> > > > Regards
> > > > Markus
> > > >
> > > >
> > > >



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
I know. :(

Declude, this is a feature whose time has come.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
> Gufler
> Sent: Tuesday, June 27, 2006 3:10 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> As far as I know, yes, but
> 
> BANNAME my_notebook.doc
> 
> wouldn't work for files within zip-archives.
> 
> Markus
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of John T (Lists)
> > Sent: Tuesday, June 27, 2006 11:48 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] New Virus: zipped word doc with
> > Macro-Virus
> >
> > Is the word document only named that?
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Markus Gufler
> > > Sent: Tuesday, June 27, 2006 11:32 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> > >
> > > Some of us have noted in the past two hours that messages with a
> > > zip-file as attachment have passed our virus filters
> > >
> > > It's a zip-file containing a MS Word Document named "my_notebook.doc"
> > >
> > > Most Virus-Scanners can't catch it. Virustotal has returned only two
> > > scanners with positive results
> > >
> > > Sophos has found "WM97/Kukudro-A"
> > > UNA has found a "Macro Virus"
> > >
> > > No other AV-Engine has caught the suspicious file.
> > >
> > > We've added the following lines to our virus.cfg in order to block as
> > > much as we can at the moment.
> > >
> > > BANNAME prices.zip
> > > BANNAME apple_prices.zip
> > > BANNAME sony_prices.zip
> > > BANNAME hp_prices.zip
> > > BANNAME dell_prices.zip
> > > BANNAME My_Notebook.doc
> > >
> > > Regards
> > > Markus
> > >
> > >
> > >



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
As far as I know, yes, but

BANNAME my_notebook.doc 

wouldn't work for files within zip-archives.

Markus 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of John T (Lists)
> Sent: Tuesday, June 27, 2006 11:48 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Is the word document only named that?
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Markus Gufler
> > Sent: Tuesday, June 27, 2006 11:32 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> > 
> > Some of us have noted in the past two hours that messages with a
> > zip-file as attachment have passed our virus filters
> > 
> > It's a zip-file containing a MS Word Document named "my_notebook.doc"
> > 
> > Most Virus-Scanners can't catch it. Virustotal has returned only two
> > scanners with positive results
> > 
> > Sophos has found "WM97/Kukudro-A"
> > UNA has found a "Macro Virus"
> > 
> > No other AV-Engine has caught the suspicious file.
> > 
> > We've added the following lines to our virus.cfg in order to block as
> > much as we can at the moment.
> > 
> > BANNAME prices.zip
> > BANNAME apple_prices.zip
> > BANNAME sony_prices.zip
> > BANNAME hp_prices.zip
> > BANNAME dell_prices.zip
> > BANNAME My_Notebook.doc
> > 
> > Regards
> > Markus
> > 
> > 
> > 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread John T \(Lists\)
Is the word document only named that?

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus
> Gufler
> Sent: Tuesday, June 27, 2006 11:32 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> Some of us have noted in the past two hours that messages with a zip-file
> as attachment have passed our virus filters
> 
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
> 
> Most Virus-Scanners can't catch it. Virustotal has returned only two
> scanners with positive results
> 
> Sophos has found "WM97/Kukudro-A"
> UNA has found a "Macro Virus"
> 
> No other AV-Engine has caught the suspicious file.
> 
> We've added the following lines to our virus.cfg in order to block as much
> as we can at the moment.
> 
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
> 
> Regards
> Markus
> 
> 
> 



RE: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Colbeck, Andrew
http://www.f-secure.com/weblog/archives/archive-062006.html#0909

The writeup is interesting in the follow-on details but the information
that Markus posted earlier is more helpful to us in keeping the darn
thing out of users' mailboxes.

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, June 27, 2006 12:08 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Actually, it is CLAMAV catching it.  Not sure about McAfee as 
> I stop on first virus.  F-Prot is def. not catching it though. 
> 
> Darrell 
> 
> Darrell ([EMAIL PROTECTED]) writes: 
> 
> > Mcafee is catching these Trojan.Myno on my systems.  
> > 
> > Darrell
> > ---
> > Check out http://www.invariantsystems.com for utilities for 
> Declude, 
> > Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
> > SURBL/URI integration, MRTG Integration, and Log Parsers.
> > 
> > 
> > Markus Gufler writes:  
> > 
> >> Some of us have noted in the past two hours that messages with a 
> >> zip-file as attachment have passed our virus filters
> >> 
> >> It's a zip-file containing a MS Word Document named "my_notebook.doc"
> >> 
> >> Most Virus-Scanners can't catch it. Virustotal has returned only two 
> >> scanners with positive results
> >> 
> >> Sophos has found "WM97/Kukudro-A"
> >> UNA has found a "Macro Virus"
> >> 
> >> No other AV-Engine has caught the suspicious file.  
> >> 
> >> We've added the following lines to our virus.cfg in order to block as 
> >> much as we can at the moment.
> >> 
> >> BANNAME prices.zip
> >> BANNAME apple_prices.zip
> >> BANNAME sony_prices.zip
> >> BANNAME hp_prices.zip
> >> BANNAME dell_prices.zip
> >> BANNAME My_Notebook.doc
> >> 
> >> Regards
> >> Markus
> >> 
> >>   
> >> 
>  
> 
> 
>  ---
> Check out http://www.invariantsystems.com for utilities for 
> Declude, Imail, mxGuard, and ORF.  IMail/Declude Overflow 
> Queue Monitoring, SURBL/URI integration, MRTG Integration, 
> and Log Parsers.
> 
> 



Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
Actually, it is CLAMAV catching it.  Not sure about McAfee as I stop on 
first virus.  F-Prot is def. not catching it though. 

Darrell 

Darrell ([EMAIL PROTECTED]) writes: 

Mcafee is catching these Trojan.Myno on my systems.  


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.  



Markus Gufler writes:  

Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.


BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc  


Regards
Markus  

  







---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.






Re: [Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Darrell \([EMAIL PROTECTED])
Mcafee is catching these Trojan.Myno on my systems. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Markus Gufler writes: 


Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.


BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc 


Regards
Markus 

 









[Declude.Virus] New Virus: zipped word doc with Macro-Virus

2006-06-27 Thread Markus Gufler
Some of us have noted in the past two hours that messages with a zip-file as
attachment have passed our virus filters

It's a zip-file containing a MS Word Document named "my_notebook.doc"

Most Virus-Scanners can't catch it. Virustotal has returned only two
scanners with positive results

Sophos has found "WM97/Kukudro-A"
UNA has found a "Macro Virus"

No other AV-Engine has caught the suspicious file.

We've added the following lines to our virus.cfg in order to block as much
as we can at the moment.

BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc

Regards
Markus



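The BANNAME lines above match the attachment's own file name, which is why, as the thread goes on to note, "BANNAME my_notebook.doc" does nothing for a document that arrives inside a zip. As an added example (not Declude's code and not from this thread), here is how a mail gateway could apply the same banlist to the entries inside a zip attachment, recursing into nested archives and flagging encrypted or unreadable ones instead of skipping them; the BANNAME text is Markus's, the sample archives are constructed for the demonstration.

```python
import io
import zipfile

# The BANNAME lines from Markus's virus.cfg post.  Declude's BANNAME matches
# the attachment's own file name; the check below applies the same list to
# the names of the entries inside a zip attachment (an assumed extension,
# not a Declude feature).
BANNAME_CFG = """
BANNAME prices.zip
BANNAME apple_prices.zip
BANNAME sony_prices.zip
BANNAME hp_prices.zip
BANNAME dell_prices.zip
BANNAME My_Notebook.doc
"""


def parse_banlist(cfg_text):
    """Collect the names from BANNAME lines, lower-cased so matching is
    case-insensitive (the thread uses both my_notebook.doc and My_Notebook.doc)."""
    names = set()
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "BANNAME":
            names.add(parts[1].strip().lower())
    return names


def banned_entries(zip_bytes, banlist, max_depth=2):
    """Return the banned entry names found inside a zip, recursing into nested zips.

    Only the base name of each entry is compared, so 'docs/my_notebook.doc'
    is treated the same as 'my_notebook.doc'.  An archive that cannot be
    parsed, or an encrypted nested zip, is reported with a marker instead of
    being silently skipped, so the caller can choose to block what it could
    not inspect.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    with zf:
        for info in zf.infolist():
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in banlist:
                hits.append(info.filename)
            if base.endswith(".zip") and max_depth > 0:
                if info.flag_bits & 0x1:  # encrypted entry: cannot look inside
                    hits.append(info.filename + "/<encrypted>")
                    continue
                for inner_hit in banned_entries(zf.read(info), banlist, max_depth - 1):
                    hits.append(info.filename + "/" + inner_hit)
    return hits


def build_zip(entries):
    """Constructed test archive: {entry name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    banlist = parse_banlist(BANNAME_CFG)
    # Constructed sample: a zip named after one banned name that holds a
    # document named after another, inside a folder.
    inner = build_zip({"docs/My_Notebook.doc": b"placeholder bytes, not a document"})
    outer = build_zip({"hp_prices.zip": inner})
    print(banned_entries(outer, banlist))
```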



RE: [Declude.Virus] new virus

2006-06-16 Thread Colbeck, Andrew
> Could not find parse string Infection: in report.txt
> 
> Means that it did not find the word infection in the file

Correct, that is what the Declude line means.  Other codes like 8 don't
include the Infection: text, so an f-prot result line like:

.exe  is a security risk named W32/Mitglieder.gen

won't pick up the name because "Infection:" simply wasn't in the line.

Andrew 8)





RE: [Declude.Virus] new virus

2006-06-16 Thread Goran Jovanovic
Yup I got it. I think that the message

Could not find parse string Infection: in report.txt

Means that it did not find the word infection in the file

SCANFILE1   C:\Progra~1\FSI\F-Prot\fpcmd.exe /AI /TYPE /SILENT
/ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /REPORT=report.txt
VIRUSCODE1  3
VIRUSCODE1  6
VIRUSCODE   8
VIRUSCODE   9
VIRUSCODE   10
REPORT1 Infection:

Goran Jovanovic
Omega Network Solutions

 


Re: [Declude.Virus] new virus

2006-06-16 Thread Darrell (supp...@invariantsystems.com)
Goran,

Do you have exit code 8 also listed for F-Prot in your virus.cfg?  If not 
you should.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.


RE: [Declude.Virus] new virus

2006-06-16 Thread Goran Jovanovic
My F-Prot is finding it but it does not know what it is. Both the MAIL
FROM and the RCPT TO are the same address

06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Vulnerability flags = 64
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file:
[text/html][7bit; Length=43 Checksum=2820]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd MIME file: 06.zip [base64;
Length=10548 Checksum=1347367]
06/16/2006 17:55:56.748 q28de0a3700ce75a5.smd Banning .ZIP file with exe
extension.
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Virus scanner 1 reports
exit code of 8
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Could not find parse
string Infection: in report.txt
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd File(s) are INFECTED [: 8]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Scanned: CONTAINS A VIRUS
[MIME: 2 10657]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED] [outgoing from 209.239.24.62]
06/16/2006 17:55:57.295 q28de0a3700ce75a5.smd Subject: 05

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333
Cell: 416 805-HELP (4357)
[EMAIL PROTECTED] 
 
 

RE: [Declude.Virus] new virus

2006-06-16 Thread Colbeck, Andrew
This is what I've received recently:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FBREPBOT%2EA&VSect=T

My F-Prot and Trend Micro do detect it.  When I submit the executable
inside the payload to http://virusscan.jotti.org or
http://www.virustotal.com I get these results:

AntiVir             6.35.0.13       06.16.2006  Worm/SdBot.32768.26
Authentium          4.93.8          06.16.2006  W32/Brepibot.gen
Avast               4.7.844.0       06.15.2006  no virus found
AVG                 386             06.16.2006  IRC/BackDoor.SdBot2.EDN
BitDefender         7.2             06.16.2006  Backdoor.IRCbot.JD
CAT-QuickHeal       8.00            06.16.2006  no virus found
ClamAV              devel-20060426  06.16.2006  Trojan.IRCBot-638
DrWeb               4.33            06.16.2006  BackDoor.IRC.Boxer
eTrust-InoculateIT  23.72.40        06.16.2006  no virus found
eTrust-Vet          12.6.2259       06.16.2006  no virus found
Ewido               3.5             06.16.2006  no virus found
Fortinet            2.77.0.0        06.16.2006  W32/Brepibot.AS!tr
F-Prot              3.16f           06.16.2006  W32/Brepibot.gen
Ikarus              0.2.65.0        06.16.2006  photo3.exe
Kaspersky           4.0.2.24        06.16.2006  Backdoor.Win32.Breplibot.ai
McAfee              4786            06.16.2006  W32/Brepibot.gen
Microsoft           1.1441          06.16.2006  no virus found
NOD32v2             1.1605          06.16.2006  Win32/IRCBot.PH
Norman              5.90.21         06.16.2006  W32/Malware
Panda               9.0.0.4         06.16.2006  Suspicious file
Sophos              4.06.0          06.16.2006  Troj/Stinx-W
Symantec            8.0             06.16.2006  Backdoor.Naninf.E
TheHacker           5.9.8.160       06.16.2006  no virus found


Andrew 8)







RE: [Declude.Virus] new virus

2006-06-16 Thread Colbeck, Andrew
It might be this, if my F-Prot is more up to date than yours, as mine
has identified a few zip files with a plus sign in the name as
W32/Brepibot.gen

http://www.f-secure.com/weblog/archives/archive-062006.html#0902

The fake HELO names were CNN.com and TradersWorld.com if that's any use.

Andrew 8)

 




Re: [Declude.Virus] new virus

2006-06-16 Thread Ncl Admin
Yes,

04dotzip just came through here but McAfee stopped it. But F-Prot is not
getting it.




RE: [Declude.Virus] new virus

2006-06-16 Thread David Barker



If they are encrypted zips ensure you have:

BANEXT    EZIP

in your virus.cfg

David B
www.declude.com




[Declude.Virus] new virus

2006-06-16 Thread Bruce Loughlin



Is anyone else seeing new virus zip files getting past F-Prot?
The last one was just numbers.zip
Earlier a few came through with name.zip

Bruce Loughlin
 



RE: [Declude.Virus] New Virus?

2006-02-25 Thread John T \(Lists\)
Upon further investigation and uploading to VirusTotal, these are a group
that came in from one IP that had corrupted/incomplete file attachments and
were non-viable Kasper viruses.

John T
eServices For You

"Seek, and ye shall find!"




[Declude.Virus] New Virus?

2006-02-25 Thread John T \(Lists\)
Seeing HQX, BHX and UUEs being blocked this morning.

John T
eServices For You

"Seek, and ye shall find!"



---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]



RE: [Declude.Virus] New Virus?

2006-01-18 Thread Colbeck, Andrew



No, you shouldn't block .mim attachments.

The .mim attachment means that there was a MIME formatted attachment, which is an encoding that converts binary attachments and non-ASCII text to nice and safe 7 bit ASCII encoding to make SMTP servers happy.

You are most likely to see this when an entire message is inserted as an attachment, for example, to preserve the headers.

Your antivirus solution will decode that attachment and find a virus inside.  F-Prot and Trend Micro offerings certainly do.

Andrew 8)
 

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Wednesday, January 18, 2006 1:43 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

Should we be blocking .mim file types? One of the new viruses that was blocked was a .mim file type. What is it used for?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, January 18, 2006 1:39 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

That's exactly how I use the notifications.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, January 18, 2006 12:48 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] New Virus?

I agree completely.

I use the postmaster notification only, so only internal notifications happen.  I use the FORGINGVIRUS statements to limit what we have to see.

Recently, we had a single "macro virus" type issue, and that was where a HTML based Microsoft Word document used a document template that was referenced as a URL.  F-Prot flagged that as a potential vulnerability and our postmaster account was duly notified.  After vetting the attachment, the message was internally re-queued for the user.

I can barely remember the incident before that.  The notifications always turn out to be flagging a new worm.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 3:36 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus?

Regarding the names, this is why I would recommend that people completely abandon any form of postmaster and sender bounce messages for detected viruses...it's just too much to keep up with without creating backscatter, and most won't bother to keep up with it regardless because they don't know how to or don't pay attention to such things.

Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to answer questions directly about why things no longer worked so that users could be tested for their worthiness of continuing to use the functionality), I think that it would be good for the community at large if postmaster.eml and sender.eml were changed to postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro viruses accounted for less than 1% of all such viruses detected if I recall the exact percentage properly.  From the perspective of E-mail, I believe the only messages that are end-user initiated that should be detected by our scanners are macro and hoax viruses.  These are very rare, probably far less than 1% of what is blocked by E-mail systems since macro viruses don't mass mail.  I think it's safe therefore to assume that even if a virus wasn't forged (some use the infected computer's user instead of a random or predefined one), that it wasn't user initiated and avoid notifying them for fear of creating backscatter.

Matt

Colbeck, Andrew wrote:
A kapser was detected on my F-Prot based system today.

I'm attaching the output of the scan from virustotal.com for your
interest.

I also scanned it with my TrendMicro which detects it by a different
name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

To your virus.cfg to cover the various naming conventions in the various
engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right
way to do that; they're the only big name that doesn't detect this
malware.

Andrew.
  
  -Original Message-
From: [EMAIL PRO
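The FORGINGVIRUS lines Andrew suggests and the postmaster-only notification setup he and Matt discuss in this thread, modelled as an added example (not Declude's own code). The case-insensitive substring matching, the NotifyPolicy and notification_targets names are assumptions; the detection lists are constructed from names quoted on this list.

```python
from dataclasses import dataclass

# The three lines Andrew suggested adding to virus.cfg, as the tokens they carry.
FORGINGVIRUS = ["KAPSER", "GREW", "WORM"]


@dataclass(frozen=True)
class NotifyPolicy:
    """Which notification files are in use (postmaster.eml / sender.eml)."""
    postmaster: bool = True   # Andrew's setup: internal notifications only
    sender: bool = False      # Matt's advice: no bounces to the (forged) sender


def is_forging(virus_name, forging=FORGINGVIRUS):
    """Assumed FORGINGVIRUS semantics: an entry matches when it occurs
    anywhere in the scanner's name, compared case-insensitively."""
    upper = virus_name.upper()
    return any(token.upper() in upper for token in forging)


def uncovered(names, forging=FORGINGVIRUS):
    """Engine names no FORGINGVIRUS entry covers: what you would still need
    to add when a new worm shows up under yet another vendor name."""
    return [name for name in names if not is_forging(name, forging)]


def notification_targets(names, policy=NotifyPolicy(), forging=FORGINGVIRUS):
    """Return who gets notified for a message carrying the given detections."""
    targets = []
    if policy.postmaster:
        targets.append("postmaster")
    # A forging virus suppresses the sender notice even when sender.eml is in
    # use: the MAIL FROM is the worm's invention, so the notice is backscatter.
    if policy.sender and not any(is_forging(name, forging) for name in names):
        targets.append("sender")
    return targets


# Constructed detections built from names quoted in the thread: Trend Micro's
# WORM_GREW.A and the "kapser" F-Prot reported.
DETECTIONS_GREW = ["WORM_GREW.A", "kapser"]
# Constructed: a name from another thread on this list (Symantec's name for
# the Brepibot sample) that none of the three entries cover.
DETECTIONS_OTHER = ["Backdoor.Naninf.E"]

if __name__ == "__main__":
    both = NotifyPolicy(postmaster=True, sender=True)
    print(notification_targets(DETECTIONS_GREW, both))   # ['postmaster']
    print(notification_targets(DETECTIONS_OTHER, both))  # ['postmaster', 'sender']
    print(uncovered(DETECTIONS_OTHER))                   # ['Backdoor.Naninf.E']
```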

RE: [Declude.Virus] New Virus?

2006-01-18 Thread Mark Reimer



Should we be blocking .mim file types? One of the new viruses that was blocked was a .mim file type. What is it used for?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464


RE: [Declude.Virus] New Virus?

2006-01-17 Thread Markus Gufler



That's exactly how I use the notifications.

Markus
RE: [Declude.Virus] New Virus?

2006-01-17 Thread Colbeck, Andrew
A virus by any other name would stink just as much:

http://isc.sans.org/diary.php?rss&storyid=1051


Andrew 8)




Re: [Declude.Virus] New Virus?

2006-01-17 Thread Matt




I should probably correct myself  about this.  postmaster.eml is fine,
it's the otherpostmaster.eml and sender.eml that should be modified. 
Personally I would also remove them from the standard part of the
manual and only include them as a footnote.  Since recipient.eml and
postmaster.eml are sent to local accounts, you can't make a good
argument for changes there.

Matt




RE: [Declude.Virus] New Virus?

2006-01-17 Thread Colbeck, Andrew



I agree completely.

I use the postmaster notification only, so only internal notifications happen.
I use the FORGINGVIRUS statements to limit what we have to see.

Recently, we had a single "macro virus" type issue, and that was where an HTML
based Microsoft Word document used a document template that was referenced as a
URL.  F-Prot flagged that as a potential vulnerability and our postmaster
account was duly notified.  After vetting the attachment, the message was
internally re-queued for the user.

I can barely remember the incident before that.  The notifications always turn
out to be flagging a new worm.

Andrew.


Re: [Declude.Virus] New Virus?

2006-01-17 Thread Matt




Regarding the names, this is why I would recommend that people
completely abandon any form of postmaster and sender bounce messages
for detected viruses...it's just too much to keep up with without
creating backscatter, and most won't bother to keep up with it
regardless because they don't know how to or don't pay attention to
such things.

Just like Scott changed BOUNCE to BOUNCEONLYIFYOUMUST (and refused to
answer questions directly about why things no longer worked so that
users could be tested for their worthiness of continuing to use the
functionality), I think that it would be good for the community at
large if postmaster.eml and sender.eml were changed to
postmasteronlyifyoumust.eml and senderonlyifyoumust.eml while also
promoting the idea of abandoning this functionality.

I have seen statistics from one of the AV companies showing that macro
viruses accounted for less than 1% of all such viruses detected if I
recall the exact percentage properly.  From the perspective of E-mail,
I believe the only messages that are end-user initiated that should be
detected by our scanners are macro and hoax viruses.  These are very
rare, probably far less than 1% of what is blocked by E-mail systems
since macro viruses don't mass mail.  I think it's safe therefore to
assume that even if a virus wasn't forged (some use the infected
computer's user instead of a random or predefined one), that it wasn't
user initiated and avoid notifying them for fear of creating
backscatter.

Matt



RE: [Declude.Virus] New Virus?

2006-01-17 Thread Markus Gufler
I've seen many of this Kapser.A today. I've added it to the forging virus
list and (oops) forgot to write it on the Declude.Virus list.

As we can see more and more that AV companies have forgotten how to call one
virus by one name, we should maybe begin to enhance their naming convention
by an initial name of the AV company.

Something like: F-Prot>W32/[EMAIL PROTECTED]

Markus




RE: [Declude.Virus] New Virus?

2006-01-17 Thread Colbeck, Andrew
A kapser was detected on my F-Prot based system today.

I'm attaching the output of the scan from virustotal.com for your
interest.

I also scanned it with my TrendMicro which detects it by a different
name:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

You might add:

FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM

To your virus.cfg to cover the various naming conventions in the various
engines, particularly that last one.

I'll submit the virus to Symantec if someone could point me to the right
way to do that; they're the only big name that doesn't detect this
malware.

Andrew.


kapser.gif
Description: kapser.gif
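A toy model of the FORGINGVIRUS handling discussed in this thread (Andrew's virus.cfg entries above, Markus's engine-prefixed names, and Matt's point that only local notifications avoid backscatter), added here as an example and not Declude's code or any poster's: it assumes FORGINGVIRUS is a case-insensitive substring match on the engine's virus name, and the virus.cfg text and scan results below are constructed samples rather than captured output.

```python
"""Added example (not Declude's code or anyone's post on this thread): a toy
model of the FORGINGVIRUS notification decision discussed here.

Assumptions, labelled as such: Declude's FORGINGVIRUS is modelled as a
case-insensitive substring match on the engine's virus name (which is why the
bare entry WORM is so broad); the scan results and virus.cfg text below are
constructed samples, not output captured from virustotal.com or F-Prot.
"""

# Constructed virus.cfg fragment carrying the three lines suggested on the list.
VIRUS_CFG = """\
# constructed sample virus.cfg
FORGINGVIRUS KAPSER
FORGINGVIRUS GREW
FORGINGVIRUS WORM
"""

# Constructed multi-engine summary as (engine, name) pairs; an empty name means
# the engine did not detect the sample, as Andrew reports for Symantec.
SCAN_RESULTS = [
    ("F-Prot", "W32/Kapser.A"),
    ("TrendMicro", "WORM_GREW.A"),
    ("Symantec", ""),
]


def parse_forging_names(cfg_text):
    """Collect the FORGINGVIRUS tokens from virus.cfg text, upper-cased."""
    names = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.upper() == "FORGINGVIRUS" and value.strip():
            names.append(value.strip().upper())
    return names


def forging_matches(virus_name, forging_names):
    """Return the FORGINGVIRUS tokens found inside an engine's virus name.

    Assumed semantics: case-insensitive substring match. A name such as
    WORM_GREW.A therefore matches both GREW and the catch-all WORM entry.
    """
    upper = virus_name.upper()
    return [tok for tok in forging_names if tok in upper]


def tagged_name(engine, virus_name):
    """Markus's proposal: prefix the name with the engine that produced it,
    so the same sample reads F-Prot>... and TrendMicro>... side by side."""
    return f"{engine}>{virus_name}"


def notification_plan(scan_results, forging_names):
    """Decide which notification templates to fire for one detection.

    postmaster and recipient are local mailboxes, so notifying them cannot
    cause backscatter. sender is an external address: if any engine's name
    matches a FORGINGVIRUS entry the From: is presumed forged and the sender
    notification is suppressed. Returns None when nothing was detected.
    """
    detections = [(eng, name) for eng, name in scan_results if name]
    if not detections:
        return None
    matched = sorted({tok for _, name in detections
                      for tok in forging_matches(name, forging_names)})
    forged = bool(matched)
    return {
        "names": [tagged_name(eng, name) for eng, name in detections],
        "forging_entries": matched,
        "notify_postmaster": True,
        "notify_recipient": True,
        "notify_sender": not forged,
    }


if __name__ == "__main__":
    names = parse_forging_names(VIRUS_CFG)
    plan = notification_plan(SCAN_RESULTS, names)
    for key, value in plan.items():
        print(f"{key:18} {value}")
```

A name no entry covers (the constructed W32/NewThing.B in the checks) still reaches the sender, which is Matt's maintenance argument in miniature.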


RE: [Declude.Virus] New Virus?

2006-01-16 Thread Colbeck, Andrew
I haven't seen it.  It's also not unusual for F-Prot to have a signature
for a virus, but no write up on their website.

If the virus was caught, you could submit the attachment to one of the
free websites that will check an executable against multiple virus
engines and give you a summary of which engines detect it, and what they
call it, e.g.

http://www.virustotal.com/

http://virusscan.jotti.org/


Andrew 8)



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
> Sent: Monday, January 16, 2006 12:42 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] New Virus?
> 
> I think this started happening after I updated my F-prot 
> virus defs to 16th.
> Does anyone else see this?
> 
> Mark Reimer
> IT Project Manager
> American CareSource
> 214-596-2464
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer
> Sent: Monday, January 16, 2006 12:32 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] New Virus?
> 
> 
> I saw an entry in my virus log today for [EMAIL PROTECTED] 
> Has anyone else seen this? I cannot find any information on it.
> 
> Mark Reimer
> IT Project Manager
> American CareSource
> 214-596-2464
> 
> 


RE: [Declude.Virus] New Virus?

2006-01-16 Thread Mark Reimer
I think this started happening after I updated my F-prot virus defs to 16th.
Does anyone else see this?

Mark Reimer
IT Project Manager
American CareSource
214-596-2464


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mark Reimer
Sent: Monday, January 16, 2006 12:32 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New Virus?


I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else
seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464




[Declude.Virus] New Virus?

2006-01-16 Thread Mark Reimer
I saw an entry in my virus log today for [EMAIL PROTECTED] Has anyone else
seen this? I cannot find any information on it.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464




Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-23 Thread Darin Cox
The second part of that list has been updated

BANNAME Alice.zip
BANNAME Androw.zip
BANNAME Ann.zip
BANNAME Christian.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Ellen.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Isabell.zip
BANNAME James.zip
BANNAME Josias.zip
BANNAME Judeth.zip
BANNAME Katheryne.zip
BANNAME Margerye.zip
BANNAME Marie.zip
BANNAME Martha.zip
BANNAME Marye.zip
BANNAME Nathaniel.zip
BANNAME Nathanyell.zip


Darin.


- Original Message - 
From: "Darin Cox" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, November 23, 2005 3:56 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


Yep.

I've added several more today, but haven't had time to research all of the
Bagle, MyTob, and Sober variants to see if this is an exhaustive list of
attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip

BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip



Darin.


- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


Darin,
Would you add these to virus.cfg?  Similar to BANEXT?

Thanks,
Dan

- Original Message - 
From: "Darin Cox" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


> For those of us poor saps who don't have Pro, here's a compiled list from
> a
> couple of sources of zip filenames to ban.
>
> Due to the variation in filenames, it would be useful to have BANNAME
> allow
> some minimal pattern matching.  That would have made this list a bit
> shorter.
>
> # Added 11/21/2005 to handle new Sober.X/Z variants
> BANNAME downloadm.zip
> BANNAME Ebay.zip
> BANNAME Ebay-User_RegC.zip
> BANNAME Email.zip
> BANNAME Email_text.zip
> BANNAME injection.zip
> BANNAME mail.zip
> BANNAME mailtext.zip
> BANNAME reg_pass.zip
> BANNAME reg_pass-data.zip
>
> BANNAME Service.zip
> BANNAME Webmaster.zip
> BANNAME Postman.zip
> BANNAME Info.zip
> BANNAME Hostmaster.zip
> BANNAME Postmaster.zip
> BANNAME Admin.zip
>
> BANNAME Service-TextInfo.zip
> BANNAME Webmaster-TextInfo.zip
> BANNAME Postman-TextInfo.zip
> BANNAME Info-TextInfo.zip
> BANNAME Hostmaster-TextInfo.zip
> BANNAME Postmaster-TextInfo.zip
> BANNAME Admin-TextInfo.zip
>
> BANNAME Downloads.zip
> BANNAME BKA.zip
> BANNAME Internet.zip
> BANNAME Post.zip
> BANNAME Anzeige.zip
> BANNAME BKA.Bund.zip
>
> BANNAME AkteDownloads.zip
> BANNAME AkteBKA.zip
> BANNAME AkteInternet.zip
> BANNAME AktePost.zip
> BANNAME AkteAnzeige.zip
> BANNAME AkteBKA.Bund.zip
>
> BANNAME Kandidat.zip
> BANNAME WWM.zip
> BANNAME Auslosung.zip
> BANNAME Casting.zip
> BANNAME Gewinn.zip
> BANNAME Info.zip
> BANNAME RTL-Admin.zip
> BANNAME RTL.zip
> BANNAME Webmaster.zip
> BANNAME RTL-TV.zip
>
> BANNAME Kandidat_Text.zip
> BANNAME WWM_Text.zip
> BANNAME Auslosung_Text.zip
> BANNAME Casting_Text.zip
> BANNAME Gewinn_Text.zip
> BANNAME Info_Text.zip
> BANNAME RTL-Admin_Text.zip
> BANNAME RTL_Text.zip
> BANNAME Webmaster_Text.zip
> BANNAME RTL-TV_Text.zip
>
>
>
> Darin.
>
>
> - Original Message - 
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> If you have Pro version you should be always blocking using "BANZIPEXTS
> ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
>> On Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 12:12 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> It is coming in with alot of different zip file names and body names n

Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-23 Thread Darin Cox
Yep.

I've added several more today, but haven't had time to research all of the
Bagle, MyTob, and Sober variants to see if this is an exhaustive list of
attachments.

BANNAME accept-terms.zip
BANNAME accepted-password.zip
BANNAME account-details.zip
BANNAME account-info.zip
BANNAME account-password.zip
BANNAME account-report.zip
BANNAME approved-password.zip
BANNAME claim-infomation.zip
BANNAME claim-prize.zip
BANNAME details.zip
BANNAME document.zip
BANNAME email-details.zip
BANNAME email-password.zip
BANNAME important-details.zip
BANNAME merchandise.zip
BANNAME msg.zip
BANNAME new-password.zip
BANNAME password.zip
BANNAME question_list.zip
BANNAME readme.zip
BANNAME ship-prize.zip
BANNAME shipping-details.zip
BANNAME terms.zip
BANNAME updated-password.zip
BANNAME winner-details.zip
BANNAME winnings.zip
BANNAME winnings-report.zip

BANNAME Alice.zip
BANNAME Cybil.zip
BANNAME Edmund.zip
BANNAME Elizabeth.zip
BANNAME Emanuel.zip
BANNAME Ester.zip
BANNAME Judeth.zip
BANNAME Margerye.zip
BANNAME Martha.zip
BANNAME Nathaniel.zip



Darin.


- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, November 23, 2005 1:15 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


Darin,
Would you add these to virus.cfg?  Similar to BANEXT?

Thanks,
Dan

- Original Message - 
From: "Darin Cox" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


> For those of us poor saps who don't have Pro, here's a compiled list from
> a
> couple of sources of zip filenames to ban.
>
> Due to the variation in filenames, it would be useful to have BANNAME
> allow
> some minimal pattern matching.  That would have made this list a bit
> shorter.
>
> # Added 11/21/2005 to handle new Sober.X/Z variants
> BANNAME downloadm.zip
> BANNAME Ebay.zip
> BANNAME Ebay-User_RegC.zip
> BANNAME Email.zip
> BANNAME Email_text.zip
> BANNAME injection.zip
> BANNAME mail.zip
> BANNAME mailtext.zip
> BANNAME reg_pass.zip
> BANNAME reg_pass-data.zip
>
> BANNAME Service.zip
> BANNAME Webmaster.zip
> BANNAME Postman.zip
> BANNAME Info.zip
> BANNAME Hostmaster.zip
> BANNAME Postmaster.zip
> BANNAME Admin.zip
>
> BANNAME Service-TextInfo.zip
> BANNAME Webmaster-TextInfo.zip
> BANNAME Postman-TextInfo.zip
> BANNAME Info-TextInfo.zip
> BANNAME Hostmaster-TextInfo.zip
> BANNAME Postmaster-TextInfo.zip
> BANNAME Admin-TextInfo.zip
>
> BANNAME Downloads.zip
> BANNAME BKA.zip
> BANNAME Internet.zip
> BANNAME Post.zip
> BANNAME Anzeige.zip
> BANNAME BKA.Bund.zip
>
> BANNAME AkteDownloads.zip
> BANNAME AkteBKA.zip
> BANNAME AkteInternet.zip
> BANNAME AktePost.zip
> BANNAME AkteAnzeige.zip
> BANNAME AkteBKA.Bund.zip
>
> BANNAME Kandidat.zip
> BANNAME WWM.zip
> BANNAME Auslosung.zip
> BANNAME Casting.zip
> BANNAME Gewinn.zip
> BANNAME Info.zip
> BANNAME RTL-Admin.zip
> BANNAME RTL.zip
> BANNAME Webmaster.zip
> BANNAME RTL-TV.zip
>
> BANNAME Kandidat_Text.zip
> BANNAME WWM_Text.zip
> BANNAME Auslosung_Text.zip
> BANNAME Casting_Text.zip
> BANNAME Gewinn_Text.zip
> BANNAME Info_Text.zip
> BANNAME RTL-Admin_Text.zip
> BANNAME RTL_Text.zip
> BANNAME Webmaster_Text.zip
> BANNAME RTL-TV_Text.zip
>
>
>
> Darin.
>
>
> - Original Message - 
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> If you have Pro version you should be always blocking using "BANZIPEXTS
> ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
>> On Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 12:12 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>> It is coming in with a lot of different zip file names and body names now, I
>> blocked all zip files and submitted samples
>>
>> I am really getting hit hard
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -
>> - Original Message -
>> From: "Matt" <[EMAIL PROTECTED]>
>> To: 
>> Sent: Monday, November 21, 2005 2:51 PM
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>>
>> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is
>> > st

Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-23 Thread Dan Geiser

Darin,
Would you add these to virus.cfg?  Similar to BANEXT?

Thanks,
Dan

- Original Message - 
From: "Darin Cox" <[EMAIL PROTECTED]>

To: 
Sent: Monday, November 21, 2005 5:04 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


For those of us poor saps who don't have Pro, here's a compiled list from a
couple of sources of zip filenames to ban.

Due to the variation in filenames, it would be useful to have BANNAME allow
some minimal pattern matching.  That would have made this list a bit
shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip

BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip

BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip

BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip

BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip

BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip

BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip



Darin.


- Original Message - 
From: "John T (Lists)" <[EMAIL PROTECTED]>

To: 
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems


If you have Pro version you should be always blocking using "BANZIPEXTS ON"
and "BANEZIPEXTS ON".

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I
blocked all zip files and submitted samples

I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


> McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> McAfee seems to have had this one tagged prior to the outbreak starting
> since none have slipped through yet.
>
> Matt
>
>
>
> Rick Davidson wrote:
>
>> heads up folks, I am stopping a new zip virus with the following junkmail
>> rules, this is all I have seen so far. Contains an executable payload
>> called File-packed_dataInfo.exe
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -

Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-22 Thread Darin Cox
You could use banned file notification so that if a banned file gets held
that is not a known virus a notification is sent out.  We send these
notifications to the recipient, including enough information for them to
decide if the email is legit, and include a link to an ASP script that
requeues the file for delivery.  The user then just clicks the link if they
want to receive the email.

Works great for our users.

Note that we also use AVAFTERJM ON, so banned files that first fail spam
filtering do not send out these notifications, which cuts down significantly
on notifications resulting from new virus variants.

And/or you could spring for EVA Pro and ban files inside the zip, which
should lead to fewer legit banned files...at least for the time being.

Darin.


- Original Message - 
From: "Rick Davidson" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, November 22, 2005 10:57 AM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


Point well taken... Problem is that prior to virus writers exploiting zip
files we pounded it into everyone's head to use zip files... can't win for
losing. I will spend a day grabbing copies and see what the ramifications
of blocking zips would be. Main concern is avoiding getting screamed at for
holding up million-dollar real-estate deals.

Rick Davidson
National Systems Manager
North American Title Group

-
- Original Message - 
From: "Kevin Bilbee" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 9:13 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems


> This is not about executable format, it is about banning zips and encrypted
> zip files.
>
>
> Kevin Bilbee
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson
>> Sent: Monday, November 21, 2005 5:51 PM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>>
>>
>> I would but my conundrum is that we receive a lot of our loan packages in
>> executable format and the lenders could care less about what I have to say
>> about that... So I have to temporarily block them then have someone watch
>> for legit files and release them from quarantine as they come in.
>>
>> f-prot was right on top of it with a def release. kudos to them.
>>
>> John C that is hilarious!
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> -
>> - Original Message -
>> From: "John T (Lists)" <[EMAIL PROTECTED]>
>> To: 
>> Sent: Monday, November 21, 2005 4:53 PM
>> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>>
>>
>> If you have Pro version you should be always blocking using
>> "BANZIPEXTS ON"
>> and "BANEZIPEXTS ON".
>>
>> John T
>> eServices For You
>>
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>> > On Behalf Of Rick Davidson
>> > Sent: Monday, November 21, 2005 12:12 PM
>> > To: Declude.Virus@declude.com
>> > Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>> >
>> > It is coming in with a lot of different zip file names and body names now, I
>> > blocked all zip files and submitted samples
>> >
>> > I am really getting hit hard
>> >
>> > Rick Davidson
>> > National Systems Manager
>> > North American Title Group
>> > 440-639-0607 - Office
>> > 951-233-6342 - Mobile
>> > [EMAIL PROTECTED]
>> > -
>> > - Original Message -
>> > From: "Matt" <[EMAIL PROTECTED]>
>> > To: 
>> > Sent: Monday, November 21, 2005 2:51 PM
>> > Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>> >
>> >
>> > > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
>> > > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
>> > > McAfee seems to have had this one tagged prior to the outbreak starting
>> > > since none have slipped through yet.
>> > >
>> > > Matt
>> > >
>> > >
>> > >
>> > > Rick Davidson wrote:
>> > >
>> > >> heads up folks, I am stopping a new zip virus with the following junkmail
>> > >> rules, this is all I have seen so far. Contains an executable payload
>> > >> called File-packed_dataInfo.exe
>> > >>

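Putting the thread's two layers into working code, as an added example that is neither Declude's code nor anything posted on the list: a BANNAME-style check on the attachment name with the minimal wildcard matching Darin asked for, plus a look inside the archive for executable payloads and encrypted entries, which is what banning zips and encrypted zips (Kevin, John T) comes down to. The wildcard syntax, the inner-extension list and the sample archives are my own assumptions.

```python
"""Two-layer zip attachment check in the spirit of this thread: a BANNAME-style
match on the attachment name (with the minimal wildcard matching Darin asked
for) and a look inside the archive for executable or encrypted entries."""
import fnmatch
import io
import struct
import zipfile

# Attachment-name ban patterns collapsing the thread's BANNAME entries.
# Assumed syntax: real Declude BANNAME lines take literal names only.
BANNAME_PATTERNS = [
    "*-password.zip", "*-details.zip", "Akte*.zip", "*_Text.zip",
    "*-TextInfo.zip", "reg_pass*.zip", "document.zip", "readme.zip",
]

# Extensions treated as executable payloads inside an archive (assumed list).
BANNED_INNER_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")

ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flag field


def banned_by_name(filename):
    """Return the first BANNAME pattern matching the attachment name, or None.
    Matching is case-insensitive because the thread's list mixes cases."""
    name = filename.lower()
    for pattern in BANNAME_PATTERNS:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern
    return None


def inspect_zip(data):
    """Read only the central directory (no extraction) and list reasons to
    hold the archive: encrypted entries, which no scanner can look into, and
    entries whose name ends in an executable extension."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    reasons.append(f"encrypted entry: {info.filename}")
                # lower-case so File-packed_dataInfo.EXE is caught as well
                if info.filename.lower().endswith(BANNED_INNER_EXTS):
                    reasons.append(f"executable inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("not a readable zip archive")
    return reasons


def check_attachment(filename, data):
    """Apply both layers; an empty list means the attachment passes."""
    reasons = []
    pattern = banned_by_name(filename)
    if pattern is not None:
        reasons.append(f"BANNAME match: {pattern}")
    if filename.lower().endswith(".zip"):
        reasons.extend(inspect_zip(data))
    return reasons


def make_sample_zip(entries, encrypted=()):
    """Build a constructed zip in memory for testing.  zipfile cannot write
    encrypted entries, so for names listed in `encrypted` we set bit 0 of
    the general-purpose flag in the local and central headers afterwards;
    the check above never decrypts anything, so the flag alone suffices."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    # (signature, offset of flag field, offset of name length, offset of name)
    for sig, flag_off, len_off, name_off in (
        (b"PK\x03\x04", 6, 26, 30),   # local file header
        (b"PK\x01\x02", 8, 28, 46),   # central directory header
    ):
        pos = raw.find(sig)
        while pos != -1:
            (name_len,) = struct.unpack_from("<H", raw, pos + len_off)
            name = raw[pos + name_off:pos + name_off + name_len].decode()
            if name in encrypted:
                (flags,) = struct.unpack_from("<H", raw, pos + flag_off)
                struct.pack_into("<H", raw, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = raw.find(sig, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed samples: a Sober-style name carrying an .exe, a
    # password-protected archive, and a plain document package.
    samples = {
        "reg_pass-data.zip": make_sample_zip([("File-packed_dataInfo.exe", b"MZ")]),
        "closing-docs.zip": make_sample_zip([("package.pdf", b"%PDF-")],
                                           encrypted=("package.pdf",)),
        "loan-package.zip": make_sample_zip([("package.pdf", b"%PDF-")]),
    }
    for name, data in samples.items():
        print(f"{name}: {check_attachment(name, data) or 'pass'}")
```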
Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-22 Thread Rick Davidson
Point well taken... Problem is that prior to virus writers exploiting zip
files we pounded it into everyone's head to use zip files... can't win for
losing. I will spend a day grabbing copies and see what the ramifications
of blocking zips would be. Main concern is avoiding getting screamed at for
holding up million-dollar real-estate deals.


Rick Davidson
National Systems Manager
North American Title Group

-
- Original Message - 
From: "Kevin Bilbee" <[EMAIL PROTECTED]>

To: 
Sent: Monday, November 21, 2005 9:13 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems



This is not about executable format, it is about banning zips and encrypted
zip files.


Kevin Bilbee


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 5:51 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


I would but my conundrum is that we receive a lot of our loan packages in
executable format and the lenders could care less about what I have to say
about that... So I have to temporarily block them then have someone watch
for legit files and release them from quarantine as they come in.

f-prot was right on top of it with a def release. kudos to them.

John C that is hilarious!

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message -
From: "John T (Lists)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems


If you have Pro version you should be always blocking using
"BANZIPEXTS ON"
and "BANEZIPEXTS ON".

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
>
> I am really getting hit hard
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
> - Original Message -----
> From: "Matt" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
> >> -


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Kevin Bilbee
This is not about executable format, it is about banning zips and encrypted
zip files.


Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 5:51 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> I would but my conundrum is that we receive a lot of our loan packages in
> executable format and the lenders could care less about what I have to say
> about that... So I have to temporarily block them then have someone watch
> for legit files and release them from quarantine as they come in.
>
> f-prot was right on top of it with a def release. kudos to them.
>
> John C that is hilarious!
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> -
> - Original Message -
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 4:53 PM
> Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> If you have Pro version you should be always blocking using
> "BANZIPEXTS ON"
> and "BANEZIPEXTS ON".
>
> John T
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> > On Behalf Of Rick Davidson
> > Sent: Monday, November 21, 2005 12:12 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> >
> > It is coming in with a lot of different zip file names and body names now, I
> > blocked all zip files and submitted samples
> >
> > I am really getting hit hard
> >
> > Rick Davidson
> > National Systems Manager
> > North American Title Group
> > 440-639-0607 - Office
> > 951-233-6342 - Mobile
> > [EMAIL PROTECTED]
> > -
> > - Original Message -
> > From: "Matt" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Monday, November 21, 2005 2:51 PM
> > Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> >
> >
> > > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > > McAfee seems to have had this one tagged prior to the outbreak starting
> > > since none have slipped through yet.
> > >
> > > Matt
> > >
> > >
> > >
> > > Rick Davidson wrote:
> > >
> > >> heads up folks, I am stopping a new zip virus with the following junkmail
> > >> rules, this is all I have seen so far. Contains an executable payload
> > >> called File-packed_dataInfo.exe
> > >>
> > >> Rick Davidson
> > >> National Systems Manager
> > >> North American Title Group
> > >> 440-639-0607 - Office
> > >> 951-233-6342 - Mobile
> > >> [EMAIL PROTECTED]
> > >> -


Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Rick Davidson
I would but my conundrum is that we receive a lot of our loan packages in
executable format and the lenders could care less about what I have to say
about that... So I have to temporarily block them then have someone watch
for legit files and release them from quarantine as they come in.


f-prot was right on top of it with a def release. kudos to them.

John C that is hilarious!

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: "John T (Lists)" <[EMAIL PROTECTED]>

To: 
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems


If you have Pro version you should be always blocking using "BANZIPEXTS ON"
and "BANEZIPEXTS ON".

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 12:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I
blocked all zip files and submitted samples

I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


> McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> McAfee seems to have had this one tagged prior to the outbreak starting
> since none have slipped through yet.
>
> Matt
>
>
>
> Rick Davidson wrote:
>
>> heads up folks, I am stopping a new zip virus with the following junkmail
>> rules, this is all I have seen so far. Contains an executable payload
>> called File-packed_dataInfo.exe
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -


Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Darin Cox
For those of us poor saps who don't have Pro, here's a compiled list from a
couple of sources of zip filenames to ban.

Due to the variation in filenames, it would be useful to have BANNAME allow
some minimal pattern matching.  That would have made this list a bit
shorter.

# Added 11/21/2005 to handle new Sober.X/Z variants
BANNAME downloadm.zip
BANNAME Ebay.zip
BANNAME Ebay-User_RegC.zip
BANNAME Email.zip
BANNAME Email_text.zip
BANNAME injection.zip
BANNAME mail.zip
BANNAME mailtext.zip
BANNAME reg_pass.zip
BANNAME reg_pass-data.zip

BANNAME Service.zip
BANNAME Webmaster.zip
BANNAME Postman.zip
BANNAME Info.zip
BANNAME Hostmaster.zip
BANNAME Postmaster.zip
BANNAME Admin.zip

BANNAME Service-TextInfo.zip
BANNAME Webmaster-TextInfo.zip
BANNAME Postman-TextInfo.zip
BANNAME Info-TextInfo.zip
BANNAME Hostmaster-TextInfo.zip
BANNAME Postmaster-TextInfo.zip
BANNAME Admin-TextInfo.zip

BANNAME Downloads.zip
BANNAME BKA.zip
BANNAME Internet.zip
BANNAME Post.zip
BANNAME Anzeige.zip
BANNAME BKA.Bund.zip

BANNAME AkteDownloads.zip
BANNAME AkteBKA.zip
BANNAME AkteInternet.zip
BANNAME AktePost.zip
BANNAME AkteAnzeige.zip
BANNAME AkteBKA.Bund.zip

BANNAME Kandidat.zip
BANNAME WWM.zip
BANNAME Auslosung.zip
BANNAME Casting.zip
BANNAME Gewinn.zip
BANNAME Info.zip
BANNAME RTL-Admin.zip
BANNAME RTL.zip
BANNAME Webmaster.zip
BANNAME RTL-TV.zip

BANNAME Kandidat_Text.zip
BANNAME WWM_Text.zip
BANNAME Auslosung_Text.zip
BANNAME Casting_Text.zip
BANNAME Gewinn_Text.zip
BANNAME Info_Text.zip
BANNAME RTL-Admin_Text.zip
BANNAME RTL_Text.zip
BANNAME Webmaster_Text.zip
BANNAME RTL-TV_Text.zip



Darin.


- Original Message - 
From: "John T (Lists)" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 4:53 PM
Subject: RE: [Declude.Virus] New Virus Strain Pounding my systems


If you have Pro version you should be always blocking using "BANZIPEXTS ON"
and "BANEZIPEXTS ON".

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
>
> I am really getting hit hard
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
> >> -
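
As an added example (my code, not Declude's and not from anyone in this thread), here is what the pattern matching Darin asks for in BANNAME, combined with the BANZIPEXTS-style look inside the archive that John T recommends, could look like in Python: the regex families, the banned extension set, MAX_NESTING and the in-memory sample archives are all my assumptions, and only the filenames come from the thread.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass

# Regex families that stand in for the one-line-per-filename BANNAME list;
# an assumption about how a pattern-capable ban list could look, not a
# Declude feature. The names are the ones from the list in this thread.
BANNAME_PATTERNS = [
    re.compile(r"^(downloadm|mail|mailtext|email|email_text|injection"
               r"|reg_pass(-data)?|ebay(-user_regc)?)\.zip$", re.I),
    re.compile(r"^(service|webmaster|postman|info|hostmaster|postmaster|admin)"
               r"(-textinfo)?\.zip$", re.I),
    re.compile(r"^(akte)?(downloads|bka(\.bund)?|internet|post|anzeige)\.zip$", re.I),
    re.compile(r"^(kandidat|wwm|auslosung|casting|gewinn|info|rtl(-admin|-tv)?"
               r"|webmaster)(_text)?\.zip$", re.I),
]

# Extensions refused inside an archive, in the spirit of BANZIPEXTS
# (constructed list for this example; tune to local policy).
BANNED_ZIP_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
MAX_NESTING = 2  # zip-in-zip levels to open before refusing the attachment


@dataclass
class Verdict:
    banned: bool
    reason: str


def banname_match(filename: str):
    """Return the pattern that bans this attachment name, or None."""
    for pat in BANNAME_PATTERNS:
        if pat.match(filename):
            return pat.pattern
    return None


def inspect_zip(data: bytes, depth: int = 0) -> Verdict:
    """Walk the central directory without extracting anything to disk.

    Whatever cannot be inspected (corrupt archive, encrypted entry, nesting
    deeper than MAX_NESTING) is refused: a filter that cannot see inside
    has no basis for letting the file through.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(True, "not a readable zip archive")
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                return Verdict(True, f"encrypted entry {name!r} cannot be inspected")
            ext = os.path.splitext(name)[1].lower()
            if ext in BANNED_ZIP_EXTS:
                return Verdict(True, f"banned executable {name!r} inside zip")
            if ext == ".zip":
                if depth + 1 > MAX_NESTING:
                    return Verdict(True, f"nested zip {name!r} exceeds nesting limit")
                inner = inspect_zip(zf.read(info), depth + 1)
                if inner.banned:
                    return Verdict(True, f"{name!r}: {inner.reason}")
    return Verdict(False, "no banned entries")


def check_attachment(filename: str, data: bytes) -> Verdict:
    """BANNAME-style name check first, then BANZIPEXTS-style content check."""
    pat = banname_match(filename)
    if pat is not None:
        return Verdict(True, f"filename matches ban pattern {pat}")
    if filename.lower().endswith(".zip"):
        return inspect_zip(data)
    return Verdict(False, "not a zip and not on the ban list")


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (for constructed samples only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the payload name is the one reported in the thread,
    # the contents are dummy bytes, not malware.
    exe = make_zip({"File-packed_dataInfo.exe": b"MZ dummy"})
    for name, data in [("Ebay-User_RegC.zip", b""), ("8.zip", exe),
                       ("work.zip", make_zip({"inner.zip": exe})),
                       ("report.zip", make_zip({"report.pdf": b"%PDF dummy"}))]:
        v = check_attachment(name, data)
        print(f"{name:20} {'BAN' if v.banned else 'ok '} {v.reason}")
```

The four regex lines cover the whole BANNAME list above; the name check runs before the archive is even opened, so a matching attachment costs nothing to reject.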


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T (Lists)
Looks like F-Prot is now catching it as SoberZ

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
> 
> I am really getting hit hard
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> 
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
> >> -


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T (Lists)
If you have Pro version you should be always blocking using "BANZIPEXTS ON"
and "BANEZIPEXTS ON".

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 12:12 PM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> It is coming in with a lot of different zip file names and body names now, I
> blocked all zip files and submitted samples
> 
> I am really getting hit hard
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, November 21, 2005 2:51 PM
> Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems
> 
> 
> > McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still
> > missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and
> > McAfee seems to have had this one tagged prior to the outbreak starting
> > since none have slipped through yet.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> heads up folks, I am stopping a new zip virus with the following junkmail
> >> rules, this is all I have seen so far. Contains an executable payload
> >> called File-packed_dataInfo.exe
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> 440-639-0607 - Office
> >> 951-233-6342 - Mobile
> >> [EMAIL PROTECTED]
> >> -


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John Carter
I submit this one for the laugh factor only.  Just got one of these
"claiming" to be from [EMAIL PROTECTED] (Center for Disease Control) with a
"download manager" to view Paris Hilton/Nicole Richie videos! Finally the
federal government has got something right -- anything to do with Hilton &
Richie should be handled by the CDC.  :)

John C 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Monday, November 21, 2005 2:12 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems

It is coming in with a lot of different zip file names and body names now, I
blocked all zip files and submitted samples

I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


> McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still 
> missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and 
> McAfee seems to have had this one tagged prior to the outbreak starting 
> since none have slipped through yet.
>
> Matt
>
>
>
> Rick Davidson wrote:
>
>> heads up folks, I am stopping a new zip virus with the following junkmail
>> rules, this is all I have seen so far. Contains an executable payload 
>> called File-packed_dataInfo.exe
>>
>> Rick Davidson
>> National Systems Manager
>> North American Title Group
>> 440-639-0607 - Office
>> 951-233-6342 - Mobile
>> [EMAIL PROTECTED]
>> -


Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Rick Davidson
It is coming in with a lot of different zip file names and body names now, I 
blocked all zip files and submitted samples


I am really getting hit hard

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-
- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>

To: 
Sent: Monday, November 21, 2005 2:51 PM
Subject: Re: [Declude.Virus] New Virus Strain Pounding my systems


McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still 
missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and 
McAfee seems to have had this one tagged prior to the outbreak starting 
since none have slipped through yet.


Matt



Rick Davidson wrote:

heads up folks, I am stopping a new zip virus with the following junkmail 
rules, this is all I have seen so far. Contains an executable payload 
called File-packed_dataInfo.exe


Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Kevin Bilbee
I have only seen 5 of these with the following subjects.

hi,_ive_a_new_mail_address
hi, ive a new mail address
Paris Hilton & Nicole Richie

and the following attachment

File-packed_dataInfo.exe

I have no idea what the payload is as we delete .exe files before virus
scanning.


All other viruses today have been
[EMAIL PROTECTED]  viruses

Kevin Bilbee



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 11:34 AM
> To: Declude.virus@declude.com
> Subject: [Declude.Virus] New Virus Strain Pounding my systems
>
>
> heads up folks, I am stopping a new zip virus with the following junkmail
> rules, this is all I have seen so far. Contains an executable payload called
> File-packed_dataInfo.exe
>
> BODY  0 CONTAINS  mailtext.zip
> BODY  0 CONTAINS  downloadm.zip
> BODY  0 CONTAINS  "mail.zip"
> BODY  0 CONTAINS  reg_pass-data.zip
> BODY  0 CONTAINS  Account and Password Information are attached!
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
>


Re: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Matt
McAfee is detecting this currently as W32/[EMAIL PROTECTED]  F-Prot is still 
missing it.  My first hit was at 2:08 p.m. EST, just 40 minutes ago and 
McAfee seems to have had this one tagged prior to the outbreak starting 
since none have slipped through yet.


Matt



Rick Davidson wrote:

heads up folks, I am stopping a new zip virus with the following 
junkmail rules, this is all I have seen so far. Contains an executable 
payload called File-packed_dataInfo.exe


Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
-


RE: [Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread John T (Lists)
I have been seeing a bunch of blocked zip-exe but I have been on the phone
with clients for the last hour and have not had a chance to review it.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Davidson
> Sent: Monday, November 21, 2005 11:34 AM
> To: Declude.virus@declude.com
> Subject: [Declude.Virus] New Virus Strain Pounding my systems
> 
> heads up folks, I am stopping a new zip virus with the following junkmail
> rules, this is all I have seen so far. Contains an executable payload called
> File-packed_dataInfo.exe
> 
> BODY  0 CONTAINS  mailtext.zip
> BODY  0 CONTAINS  downloadm.zip
> BODY  0 CONTAINS  "mail.zip"
> BODY  0 CONTAINS  reg_pass-data.zip
> BODY  0 CONTAINS  Account and Password Information are attached!
> 
> Rick Davidson
> National Systems Manager
> North American Title Group
> 440-639-0607 - Office
> 951-233-6342 - Mobile
> [EMAIL PROTECTED]
> -
> 


[Declude.Virus] New Virus Strain Pounding my systems

2005-11-21 Thread Rick Davidson
heads up folks, I am stopping a new zip virus with the following junkmail 
rules, this is all I have seen so far. Contains an executable payload called 
File-packed_dataInfo.exe


BODY  0 CONTAINS  mailtext.zip
BODY  0 CONTAINS  downloadm.zip
BODY  0 CONTAINS  "mail.zip"
BODY  0 CONTAINS  reg_pass-data.zip
BODY  0 CONTAINS  Account and Password Information are attached!

Rick Davidson
National Systems Manager
North American Title Group
440-639-0607 - Office
951-233-6342 - Mobile
[EMAIL PROTECTED]
- 




RE: [Declude.Virus] New virus out?

2005-05-31 Thread Colbeck, Andrew
On my "8.zip" sample, McAfee finds W32/[EMAIL PROTECTED] so VirusTotal
probably has an older McAfee update.

VirusTotal doesn't use Trend Micro, but they don't think it warrants a
new signature.  They already catch it as TROJ_BAGLE.GEN

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gianbattista
Toffetti Carughi
Sent: Tuesday, May 31, 2005 9:59 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?


This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET)
after scanning the file "8.zip".
  Antivirus     Version         Update      Result
  AntiVir       6.30.0.15       05.31.2005  TR/Dldr.Bagle.BR
  AVG           718             05.31.2005  no virus found
  Avira         6.30.0.15       05.31.2005  TR/Dldr.Bagle.BR
  BitDefender   7.0             05.31.2005  [EMAIL PROTECTED]
  ClamAV        devel-20050501  05.31.2005  Worm.Bagle.BB-gen
  DrWeb         4.32b           05.31.2005  Win32.HLLM.Beagle.36352
  eTrust-Iris   7.1.194.0       05.31.2005  no virus found
  eTrust-Vet    11.9.1.0        05.31.2005  no virus found
  Fortinet      2.27.0.0        05.31.2005  W32/Mitglieder.CD.gen-tr
  Ikarus        2.32            05.31.2005  no virus found
  Kaspersky     4.0.2.24        05.31.2005  Email-Worm.Win32.Bagle.bo
  McAfee        4502            05.30.2005  no virus found
  NOD32v2       1.1116          05.31.2005  probably unknown NewHeur_PE virus
  Norman        5.70.10         05.30.2005  W32/Downloader
  Panda         8.02.00         05.31.2005  Suspect File
  Sybari        7.5.1314        05.31.2005  Email-Worm.Win32.Bagle.bo
  Symantec      8.0             05.30.2005  Trojan.Tooso.B
  VBA32         3.10.3          05.31.2005  suspected of Worm.Bagle.3


- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 31, 2005 6:39 PM
Subject: RE: [Declude.Virus] New virus out?


Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.





Re: [Declude.Virus] New virus out?

2005-05-31 Thread Gianbattista Toffetti Carughi
This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET) 
after scanning the file "8.zip".
  Antivirus     Version         Update      Result
  AntiVir       6.30.0.15       05.31.2005  TR/Dldr.Bagle.BR
  AVG           718             05.31.2005  no virus found
  Avira         6.30.0.15       05.31.2005  TR/Dldr.Bagle.BR
  BitDefender   7.0             05.31.2005  [EMAIL PROTECTED]
  ClamAV        devel-20050501  05.31.2005  Worm.Bagle.BB-gen
  DrWeb         4.32b           05.31.2005  Win32.HLLM.Beagle.36352
  eTrust-Iris   7.1.194.0       05.31.2005  no virus found
  eTrust-Vet    11.9.1.0        05.31.2005  no virus found
  Fortinet      2.27.0.0        05.31.2005  W32/Mitglieder.CD.gen-tr
  Ikarus        2.32            05.31.2005  no virus found
  Kaspersky     4.0.2.24        05.31.2005  Email-Worm.Win32.Bagle.bo
  McAfee        4502            05.30.2005  no virus found
  NOD32v2       1.1116          05.31.2005  probably unknown NewHeur_PE virus
  Norman        5.70.10         05.30.2005  W32/Downloader
  Panda         8.02.00         05.31.2005  Suspect File
  Sybari        7.5.1314        05.31.2005  Email-Worm.Win32.Bagle.bo
  Symantec      8.0             05.30.2005  Trojan.Tooso.B
  VBA32         3.10.3          05.31.2005  suspected of Worm.Bagle.3


- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 31, 2005 6:39 PM
Subject: RE: [Declude.Virus] New virus out?


Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.





RE: [Declude.Virus] New virus out?

2005-05-31 Thread Colbeck, Andrew
Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.

I haven't seen any of the new MyTob yet, but for more detailed info:

WORM_MyTob.BI

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EBI&VSect=P


Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, May 31, 2005 8:00 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New virus out?


One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.

They are coming from different IPs

John T
eServices For You




Re: [Declude.Virus] New virus out?

2005-05-31 Thread Don Hickey

I just received an EXTRA.DAT file from McAfee...to detect this..

I also submitted it to F-Prot

I will try attaching the EXTRA.DAT file to this email

Don


- Original Message - 
From: "Marc Catuogno" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, May 31, 2005 10:31 AM
Subject: RE: [Declude.Virus] New virus out?


I've gotten a few:

26KB files named 1.zip, 7.zip and work.zip so far

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, May 31, 2005 11:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?

John,

What do the filenames appear to be - any pattern either filename, subject,
body content etc?

Darrell

John Tolmachoff (Lists) writes:


One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.

They are coming from different IPs

John T
eServices For You







Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG

Integration, and Log Parsers.




RE: [Declude.Virus] New virus out?

2005-05-31 Thread Marc Catuogno
I've gotten a few:

26KB files named 1.zip, 7.zip and work.zip so far

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, May 31, 2005 11:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus out?

John, 

What do the filenames appear to be - any pattern either filename, subject, 
body content etc? 

Darrell 

John Tolmachoff (Lists) writes: 

> One of the servers I manage is getting hit with lots of messages being
> caught with banned exe within zip. 
> 
> They are coming from different IPs 
> 
> John T
> eServices For You 
> 
> 


RE: [Declude.Virus] New virus out?

2005-05-31 Thread John Tolmachoff (Lists)
Various named zip files. The D*.smd file is 26KB in length. No subject line.
Varying IP addresses and apparent forged from address. Blank HTML body.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Tuesday, May 31, 2005 8:22 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New virus out?
> 
> John,
> 
> What do the filenames appear to be - any pattern either filename, subject,
> body content etc?
> 
> Darrell
> 
> John Tolmachoff (Lists) writes:
> 
> > One of the servers I manage is getting hit with lots of messages being
> > caught with banned exe within zip.
> >
> > They are coming from different IPs
> >
> > John T
> > eServices For You
> >
> >

