Title: Message
Interesting!

Matt



Colbeck, Andrew wrote:
Thanks for the insight, Matt.
 
We are used to seeing virus authors doing their seeding from the home-user cable, DSL and even dial-up pools, but these samples were definitely spammer web and email server blocks, and not XBL listings and not collateral damage SBL listings.
 
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, April 21, 2005 10:27 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] How to check VIRUSCODEs

I've sent my request.

Andrew, regarding the SBL IP's that are sending out viruses.  There is no doubt that seeding is taking place, however this is always done from other hijacked machines.  SBL has a very bad practice of tagging blocks from /24 to /16 in residential or mixed IP space especially in Asia.  This has caused numerous false positives for me when scanning SBL on multiple hops because I get a fair amount of legitimate Asian traffic.  I'm guessing that the IP's that you are seeing that are listed in SBL are in fact just zombies, and no different than a Comcast or RR zombie when it comes down to it.

I've sent probably 6 different E-mails to SBL in the past year asking them to stop this practice, but instead of stopping, they have been stepping it up, and they have even chosen to do collateral damage to ISP's by listing their legitimate mail servers as well.  I see this as being no different than listing Comcast's mail servers, something that wouldn't be tolerated, yet these Asian hosts are probably pretty much clueless and/or otherwise incapable of stopping the zombies on their networks because they tend to be many years behind us in terms of infrastructure.  SBL should not be listing DUL space.

Matt



Colbeck, Andrew wrote:
The return code = 8 in F-Prot does mean "suspicious file" and not "virus".  In this case, they are not calling the executable Bagle, they are calling it Mitglieder, which is a Bagle-related file and is commonly seen as a dropper.
 
I sent a support request asking them to reconsider how they are classifying this executable.  I'm not holding my breath though, because previous email support response time has been between 4 days and 2 weeks, by which time I expect this particular problem to be gone.
 
In fact, I'm seeing no new warnings in 15 hours.
 
Also, I spot-checked a few IP addresses that had sent us multiple copies, and one came from a known spammer block (as listed in SBL) in Brazil, and another from Korea.  I used to think it was the spammers who were sloppy and had infected machines; nope, it's pretty clear now that the spammers and virus authors are collaborating.
 
Wouldn't it be nifty if Declude shared some stats on their MTLDB database vis-a-vis correlating IPs that send viruses to IPs that send spam?
 
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 20, 2005 8:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] How to check VIRUSCODEs

What you have means that a matching virus code was found for each scanner.  If a scanner throws a code besides one that you specify, it will be logged in much the same way that the virus is shown.  The following is exactly what F-Prot will show when it throws a code of 8 and when you aren't configured to tag that as a virus:

    04/20/2005 00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1.

We're going on 5 or 6 days now where F-Prot has been throwing a Virus Code 8 for some newer Bagle variants, and it is starting to look more and more like this is purposeful, though if so it would also be short-sighted.  Maybe someone should contact F-Prot and ask for an explanation and indicate that it would be helpful not to mix the codes like this for known viruses.  Apparently Virus Code 8 can hit non-viruses, and I think it will throw that code when it detects an encrypted zip of any sort, but I'm not certain about that either.  I would certainly prefer to not have to rely on Virus Code 8 in F-Prot because I don't want to be deleting E-mail that doesn't contain a virus and where Declude offers better granularity (such as only banning encrypted zips with a banned extension within it).

Has anyone contacted F-Prot?

Matt
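A small log-scanning script, added here as an illustration and not code from the original thread or from Declude: it walks virus-log lines in the format Matt quotes above and Goran asks about below, tallies which scanner returned which unconfigured code ("Error 8 in virus scanner 1."), and lists the messages where such a code was the only reaction, i.e. no scanner flagged the file INFECTED. The sample lines are constructed; the queue ids and checksum in them are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Declude virus-log line format quoted in this thread
# ("<date> <time> <queue id> <message>"); queue ids and checksum are made up.
SAMPLE_LOG = """\
04/20/2005 00:28:37 Qda6b06e0014e9ee2 MIME file: 5.zip [base64; Length=21000 Checksum=111111]
04/20/2005 00:28:37 Qda6b06e0014e9ee2 Error 8 in virus scanner 1.
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 06:11:02 Q2CC01AA0B0D0E0F0 Error 8 in virus scanner 1.
04/20/2005 06:11:02 Q2CC01AA0B0D0E0F0 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=7.zip [2] O
04/20/2005 06:11:02 Q2CC01AA0B0D0E0F0 File(s) are INFECTED [ MultiDropper-KR: 13]
04/20/2005 07:45:19 Q3EE0123456789ABC Error 8 in virus scanner 1.
04/20/2005 07:45:19 Q3EE0123456789ABC Error 2 in virus scanner 2.
"""

LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (Q[0-9A-Fa-f]+) (.*)$")
# Declude logs "Error <code> in virus scanner <n>." for a scanner return code not configured as a VIRUSCODE.
ERROR_RE = re.compile(r"^Error (\d+) in virus scanner (\d+)\.$")

def parse_log(text):
    """Group lines by queue id -> {'errors': [(scanner, code)], 'infected': bool}."""
    messages = defaultdict(lambda: {"errors": [], "infected": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, msg = m.groups()
        err = ERROR_RE.match(msg)
        if err:
            code, scanner = int(err.group(1)), int(err.group(2))
            messages[qid]["errors"].append((scanner, code))
        elif msg.startswith("File(s) are INFECTED"):
            messages[qid]["infected"] = True
    return messages

def code_histogram(text):
    """How often each (scanner, code) pair showed up as an unconfigured return code."""
    counts = Counter()
    for rec in parse_log(text).values():
        counts.update(rec["errors"])
    return counts

def uncaught_messages(text):
    """Messages whose only scanner reaction was an unconfigured code: review these before adding it as a VIRUSCODE."""
    return [(qid, rec["errors"]) for qid, rec in parse_log(text).items()
            if rec["errors"] and not rec["infected"]]
```

Run it against a real virus log (or a day's slice of it) by passing the file contents to the two functions; the histogram tells you whether code 8 is firing, and the uncaught list shows which mail that code alone would have stopped.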



Goran Jovanovic wrote:

This was originally a thread from the Junkmail list but I am moving it over to the virus list.

> Check your virus log and you may see some code 8
> errors in it. Adding viruscode 8 will at least stop them.

How do you see if there are any code 8s in the virus log file? I use F-Prot and McAfee. My viruscodes for F-Prot are 3 and 6 and for McAfee it is only 13.

An example of a virus:

04/20/2005 05:03:10 Q1AB803D9008C6B32 MIME file: demo.exe [base64; Length=40800 Checksum=4318001]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Banning file with exe extension [application/x-msdownload].
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 1: Virus= W32/Plexus.G Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanner 2: Virus= the MultiDropper-KR trojan !!! Attachment=demo.exe [2] O
04/20/2005 05:03:10 Q1AB803D9008C6B32 File(s) are INFECTED [ W32/Plexus.G: 13]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Scanned: CONTAINS A VIRUS [MIME: 2 40959]
04/20/2005 05:03:10 Q1AB803D9008C6B32 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 213.59.118.9]
04/20/2005 05:03:10 Q1AB803D9008C6B32 Subject: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

The only thing that I see that resembles my viruscodes is the line “File(s) are INFECTED [ W32/Plexus.G: 13]” and the 13 in this line is from McAfee (scanner 2). I do not see any result from F-Prot (scanner 1).

I am logging on high. Am I missing something here?

     Goran Jovanovic
     The LAN Shoppe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED]] On Behalf Of Tyler Jensen
> Sent: Wednesday, April 20, 2005 8:22 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] New Spam or Virus????!!
>
> I had something similar over the weekend. Standard zip file. If you are
> using F-Prot you may want to add VirusCode 8 to the config. This will stop
> them as Unknown Virus. Check your virus log and you may see some code 8
> errors in it. Adding viruscode 8 will at least stop them.
>
> Outside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling
> it w32/mitglieder.c. I submitted my findings to Declude support earlier in
> the week and spoke with someone yesterday. Sent the file to him and he
> said the AVG called it a Bagle of some sort.
>
> What is strange is outside of email, f-prot was detecting it. But without
> viruscode 8, nothing.
>
> Tyler
>
>
> ---------- Original Message ----------------------------------
> From: "Chuck Schick" <[EMAIL PROTECTED]>
> Reply-To: Declude.JunkMail@declude.com
> Date:  Wed, 20 Apr 2005 18:05:08 -0600
>
> >Starting to see messages that have a zip attachment with the format 5.zip
> >or 7.zip  - I do not know if it is spam or a virus.  Anyone else seeing
> >this?  Virus scanner is not catching it so I do not know if it is a virus or
> >not.
> >
> >Chuck Schick
> >Warp 8, Inc.
> >(303)-421-5140
> >www.warp8.com
> >



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
