Was it something I said? :) PING
David B
www.declude.com
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Wednesday, April 26, 2006 4:50 PM
To: Declude.Virus@declude.com; Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] CLAMAV & SANE Phishing
Posting Again
Hi John,
I apologize for not responding sooner but I have been very busy. I am also
cross-posting to the Virus list where this should really be discussed. Sorry
for the delay in responding but I guess better late than never :-)
My notes on what I did are very rough but there should be enough information
for you to follow through my steps. I would also like to thank Scott Fisher
for pointing all this out and also for the commands in the attached file
(rename it to .cmd).
Went to http://www.sosdg.org/clamav-win32/ to download Version 0.88-2
Downloaded from MajorGeeks.com
- had to turn off Anti-Spyware and Gateway Antivirus on Sonicwall to get
the download to finish.
File downloaded is clamav-0.88.2.exe
This will install into the C:\clamav-devel directory
Went to http://www.smartbusiness.net/imail/declude/ to get the runclamd.zip
and runclamscan.zip files
Installed CLAMAV
Ran RUNCLAMD to make CLAMAV into a service
Use RUNCLAMSCAN to run virus scans out of declude
# Running against CLAM Daemon
SCANFILE3 C:\clamav-devel\runclamd\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE3 1
REPORT3 FOUND
Use my Get-Clam-Phish.cmd on a schedule to download SANE Security Phishing
DB and CLAM signatures
Goran Jovanovic
Omega Network Solutions
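The Declude directives above key on two things: the scanner's exit code (VIRUSCODE3 1) and the word FOUND in the report file written by clamdscan -l (REPORT3 FOUND). The Python below is an added example, not code from this posting, from Declude or from ClamAV; it emulates that verdict logic and the F-Prot, then McAfee, then ClamAV chain with exit-on-first-detect described elsewhere in this thread. It assumes clamdscan's documented exit codes (0 clean, 1 infected, 2 error) and report lines of the form "path: Signature FOUND" / "path: OK"; the SAMPLE_REPORT text and the chain inputs are constructed for the example.

```python
"""Added example: emulate Declude's SCANFILEn / VIRUSCODEn / REPORTn
verdict logic on clamdscan-style output.  Not code from the posting,
Declude or ClamAV.  Assumptions: clamdscan exit codes 0=clean,
1=infected, 2=error (per its man page) and report lines of the form
'<path>: <signature> FOUND' or '<path>: OK'.  SAMPLE_REPORT and the
chain inputs are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Values from the posted Declude config
VIRUSCODE = 1            # exit code Declude treats as "virus found"
REPORT_MARKER = "FOUND"  # token that marks a hit in the report file

# clamdscan exit codes (assumption, see module docstring)
CLAMD_CLEAN, CLAMD_INFECTED, CLAMD_ERROR = 0, 1, 2

# '<path>: <signature> FOUND'.  The path may itself contain ':' (C:\...),
# so the lazy match only stops at the final ': <sig> FOUND'.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) " + REPORT_MARKER + r"\s*$")


@dataclass
class Verdict:
    infected: bool
    signatures: List[str] = field(default_factory=list)
    scanner_error: bool = False


def parse_report(report_text: str) -> List[str]:
    """Collect signature names from report lines carrying REPORT_MARKER."""
    sigs = []
    for line in report_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            sigs.append(m.group("sig"))
    return sigs


def declude_verdict(exit_code: int, report_text: str) -> Verdict:
    """Apply VIRUSCODE/REPORT semantics to one scanner run.

    Exit code 2 means the scanner itself failed (clamd not running,
    database missing).  That is neither 'clean' nor 'infected', so it is
    surfaced separately instead of being silently treated as clean."""
    if exit_code == CLAMD_ERROR:
        return Verdict(infected=False, scanner_error=True)
    if exit_code != VIRUSCODE:
        return Verdict(infected=False)
    return Verdict(infected=True, signatures=parse_report(report_text))


def is_phishing_signature(sig: str) -> bool:
    """SaneSecurity phishing signatures seen in this thread look like
    Html.Phishing.Card.Sanesecurity.06022100."""
    return sig.startswith("Html.Phishing.") or ".Sanesecurity." in sig


def scan_chain(results: List[Tuple[str, int, str]],
               exit_on_first_detect: bool = True) -> List[Tuple[str, Verdict]]:
    """Run scanners in configured order.  With exit_on_first_detect the
    chain stops at the first hit, so the scanner placed last (ClamAV in
    the thread) only ever sees mail the earlier engines passed."""
    hits = []
    for name, code, report in results:
        v = declude_verdict(code, report)
        if v.infected or v.scanner_error:
            hits.append((name, v))
            if v.infected and exit_on_first_detect:
                break
    return hits


# Constructed sample report, in the shape clamdscan -l report.txt writes
SAMPLE_REPORT = (
    r"C:\IMail\spool\D123.SMD: Html.Phishing.Card.Sanesecurity.06022100 FOUND" "\n"
    r"C:\IMail\spool\D124.SMD: OK" "\n"
)

if __name__ == "__main__":
    chain = [("F-Prot", CLAMD_CLEAN, ""),
             ("McAfee", CLAMD_CLEAN, ""),
             ("ClamAV", CLAMD_INFECTED, SAMPLE_REPORT)]
    for name, v in scan_chain(chain):
        print(name, v.signatures,
              [is_phishing_signature(s) for s in v.signatures])
```

The point of separating exit code 2 is operational: if clamd stops (the service was just installed by RUNCLAMD and can fail independently of Declude), a wrapper that maps "not 1" to "clean" would deliver everything unscanned; treating it as an error lets the queue hold mail instead.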
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
Sent: Thursday, April 06, 2006 10:29 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Virus?
Goran
Can you give me some information on installing the Sane Security phishing
filters with CLAM? I found and went to the Sane web site, and can see how to
download, but I'm not sure how clamwin is set up to use the file.
Any help would be appreciated.
Thanks
John
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, April 06, 2006 2:20 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Virus?
Richard,
I implemented CLAM AV with the Sane Security phishing filters. This is from
the thread that Andrew included. I run F-Prot then McAfee then CLAM AV with
the ExitOnFirstDetect (or whatever that directive is). Clam is the scanner
that catches pretty much all phishing attempts. The other two don't do much
in that department.
Goran Jovanovic
Omega Network Solutions
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, April 06, 2006 2:03 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Virus?
Richard, you might want to check this thread from the archives. Goran can
clarify, but I'm pretty sure that this is the source of the "Sane Security"
detection string.
For what it's worth, Message Sniffer catches the email message body you
supplied with the MALWARE category.
The hosting provider, 0catch.com are not bad guys but their express hosting
model makes them a frequently used hoster of malware and pharmacy
sales/scams.
The link was still active, so I downloaded and ran it through various
antivirus engines out of curiosity. Trend Micro didn't detect it, but
F-Prot, McAfee and CLAM-AV all did.
Here are the results from VirusTotal.com :
Results of a file scan
This is a report processed by VirusTotal on 04/06/2006 at 19:19:19 (CET)
after scanning the file "postcard.gif.exe".

Antivirus           Version         Update      Result
AntiVir             6.34.0.24       04.06.2006  TR/Zapchas.F
Avast               4.6.695.0       04.03.2006  Win32:Parite
AVG                 386             04.06.2006  IRC/BackDoor.Flood
Avira               6.34.0.56       04.06.2006  TR/Zapchas.F
BitDefender         7.2             04.06.2006  Backdoor.IRC.Zapchast.AY
CAT-QuickHeal       8.00            04.06.2006  no virus found
ClamAV              devel-20060202  04.06.2006  W32.Parite.B
DrWeb               4.33            04.06.2006  no virus found
eTrust-InoculateIT  23.71.121       04.06.2006  no virus found
eTrust-Vet          12.4.2151       04.06.2006  no virus found
Ewido               3.5             04.06.2006  no virus found
Fortinet            2.71.0.0        04.06.2006  BAT/Zapchast.S-tr
F-Prot              3.16c           04.06.2006  security risk or a "backdoor" program
Ikarus              0.2.59.0        04.06.2006  no virus found
Kaspersky           4.0.2.24        04.06.2006  Backdoor.IRC.Zapchast
McAfee              4734            04.05.2006  IRC/Flood.ev
NOD32v2             1.1474          04.05.2006  IRC/Zapchast.L
Norman              5.90.15         04.06.2006  Smalldrp.IYU
Panda               9.0.0.4         04.05.2006  no virus found
Sophos              4.04.0          04.06.2006  W32/Parite-B
Symantec            8.0             04.06.2006  Trojan.Dropper
TheHacker           5.9.7.125       04.05.2006  no virus found
UNA                 1.83            04.05.2006  no virus found
VBA32               3.10.5          04.06.2006  Backdoor.IRC.Zapchast
Andrew 8)
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Thursday, April 06, 2006 10:20 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Virus?
Which virus scanner do you use?
Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"
----- Original Message -----
From: Goran Jovanovic <mailto:[EMAIL PROTECTED]>
To: Declude.JunkMail@declude.com
Sent: Thursday, April 06, 2006 10:47 AM
Subject: RE: [Declude.JunkMail] Virus?
I had to manually release your message from the virus queue because it got
tagged as
Virus: Html.Phishing.Card.Sanesecurity.06022100
Goran Jovanovic
Omega Network Solutions
_____
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Thursday, April 06, 2006 9:04 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Virus?
I just received about 10 of these at 7:30 this morning...any ideas what is
going on..
Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"