hi all

i've seen a new virus in the wild (confirmed by sophos yesterday).

the W32/Bagle-J sends password-secured ZIP files in the style of:


From: [EMAIL PROTECTED]
Date: Mittwoch, 3. März 2004 03:39:49
To: [EMAIL PROTECTED]
Subject: Email account utilization warning.

Dear user of "domain.ch" mailing system,

Your e-mail account has been temporary disabled because of unauthorized
access.

Advanced details can be found in attached file.

Attached file protected with the password for security reasons. Password is
13183.

Have a good day,
     The domain.ch team http://www.domain.ch

[ZIP File attached, secured with above password]


details:
german http://www.sophos.ch/virusinfo/analyses/w32baglej.html
english http://www.sophos.com/virusinfo/analyses/w32baglej.html


if you see strange things on your sendmail like i did:
Mar  3 22:26:55 daisy sendmail[1228]: i23LQtP4001228:
from=<[EMAIL PROTECTED]>, size=23864, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
daemon=MTA, relay=idefix.altrax.ch [81.94.96.66]
Mar  3 22:26:56 daisy sendmail[1228]: i23LQtP4001228: Milter: data,
reject=451 4.7.1 Please try again later
Mar  3 22:26:56 daisy sendmail[1228]: i23LQtP4001228: to=<[EMAIL PROTECTED]>,
delay=00:00:01, pri=53864, stat=Please try again later

and you're checking your (sendmail-)milter plugins, that's because of:

Mar  3 22:28:23 daisy amavisd[1350]: starting.  amavisd 0.1 Thu Dec  4
04:54:53 CET 2003
Mar  3 22:29:08 daisy amavisd[1417]: Decoding of msg-1417-4.zip (Zip archive
data, at least v1.0 to extract) failed, leaving it unpacked: error:
encryption unsupported
(message-id=<[EMAIL PROTECTED]>)
Mar  3 22:29:09 daisy amavisd[1417]: Virus scanner failure:
/usr/local/bin/sweep (error code: 2)
Mar  3 22:29:09 daisy amavisd[1417]: All virus scanners failed - mail
requeued
(message-id=<[EMAIL PROTECTED]>)

so, the mail will stay for some days in the queue of the delivering
provider.


just FYI.

-steven

ps: does anyone know how to trick amavisd into passing encrypted (zip)
archives?
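Added example, not from the post or from amavisd: a small Python triage routine that spots what amavisd tripped over above, a ZIP attachment whose general-purpose flag bit 0 marks traditional PKZIP encryption, so a gateway can apply a deliberate policy (quarantine or reject) instead of tempfailing and requeuing. The lookalike message, the attachment name and the member name are constructed assumptions, and the ZIP is only flagged as encrypted, not actually enciphered.

```python
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build an in-memory ZIP. If encrypted, set bit 0 of the general-purpose
    flag in both the local header and the central directory entry, which is
    what a scanner sees when it reports 'encryption unsupported'.
    Constructed test data: the payload itself is left in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        local_hdr = data.find(b"PK\x03\x04")   # flag word at offset 6
        central_hdr = data.find(b"PK\x01\x02") # flag word at offset 8
        for off in (local_hdr + 6, central_hdr + 8):
            flags = struct.unpack_from("<H", data, off)[0] | 0x0001
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


def encrypted_members(data: bytes) -> list[str]:
    """Names of members flagged as encrypted; reads only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def triage_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, verdict) per attachment: 'encrypted-zip' for
    archives no scanner can open without the password, 'scan' otherwise."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        is_enc = data.startswith(b"PK\x03\x04") and bool(encrypted_members(data))
        verdicts.append((name, "encrypted-zip" if is_enc else "scan"))
    return verdicts


def build_sample(encrypted: bool) -> bytes:
    """Constructed lookalike of the lure quoted in the post (not a real sample)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "postmaster@domain.ch", "user@domain.ch"
    msg["Subject"] = "Email account utilization warning."
    msg.set_content("Attached file protected with the password. Password is 13183.")
    msg.add_attachment(build_zip("details.txt", b"constructed body", encrypted),
                       maintype="application", subtype="zip", filename="details.zip")
    return bytes(msg)
```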
