This was originally a thread from the Junkmail list but I am moving it over to the virus list.

 

> Check your virus log and you may see some code 8
> errors in it. Adding viruscode 8 will at least stop them.

How do you see if there are any code 8s in the virus log file? I use F-Prot and McAfee. My viruscodes for F-Prot are 3 and 6 and for McAfee is only 13.

 

An example of a virus

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

 

The only thing that I see that resembles my viruscodes is the line “File(s) are INFECTED [ W32/Plexus.G: 13]” and the 13 in this line is from McAfee (scanner2). I do not see any result from F-Prot (scanner1).

 

I am logging on high. Am I missing something here?

     Goran Jovanovic
     The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Tyler Jensen
> Sent: Wednesday, April 20, 2005 8:22 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] New Spam or Virus????!!
>
> I had something similar over the weekend. Standard zip file. If you are
> using F-Prot you may want to add VirusCode 8 to the config. This will stop
> them as Unknown Virus. Check your virus log and you may see some code 8
> errors in it. Adding viruscode 8 will at least stop them.
>
> Outside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling
> it w32/mitglieder.c. I submitted my findings to Declude support earlier in
> the week and spoke with someone yesterday. Sent the file to him and he
> said the AVG called it a Bagle of some sort.
>
> What is strange is outside of email, f-prot was detecting it. But without
> viruscode 8, nothing.
>
> Tyler
>
> ---------- Original Message ----------------------------------
> From: "Chuck Schick" <[EMAIL PROTECTED]>
> Reply-To: Declude.JunkMail@declude.com
> Date:  Wed, 20 Apr 2005 18:05:08 -0600
>
> >Starting to see messages that have a zip attachment with the format 5.zip
> >or 7.zip  - I do not know if it is spam or a virus.  Anyone else seeing
> >this?  Virus scanner is not catching it so I do not know if it is a virus or
> >not.
> >
> >Chuck Schick
> >Warp 8, Inc.
> >(303)-421-5140
> >www.warp8.com
> >
> >---
> >This E-mail came from the Declude.JunkMail mailing list.  To
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.JunkMail".  The archives can be found
> >at http://www.mail-archive.com.
> >---
> >[This E-mail scanned for viruses by Declude Virus]
