Mr. Obvious says:
You would have to change the URL plus the name of the file
you're unzipping!
So that I didn't have to change my script much, I changed
my wget line to:
The -O parameter tells wget to save the requested file with
that particular filename.
I think that NAI/McAfee changed the path as part of the web
interface change to funnel people through their EULA. When I follow it
through, the web interface takes you to a filenames that now have a dynamic
instead of static name.
If they change the URL again, we may need a smarter script
that can scrape out the correct name from the webpage. Hopefully, they'll
bring the static name back, perhaps parallel to the Stinger
download.
Andrew 8)
p.s. I only use McAfee as a backup, standalone
scanner. Not part of my Declude at all.
I changed the subject so that people can be alerted to this.
Announcements of things like this would be useful to the entire Declude
customer base. I am afraid that we are a little over a month
behind. Those with a single scanner would be screwed.
I adjusted
my scripts to use the link that you provided and it does in fact work just
great...so far :)
Thanks,
Matt
Scott Fisher
wrote:
Great catch Matt.
Mine's gone too since August 2....
Thank you Declude for multiple virus scanner
option.
Try:
From:
-----
Original Message -----
Sent:
Monday, September 12, 2005 2:26 PM
Subject:
Re: [Declude.Virus] Seemingly bad virus this morning
This is a new Bagel variant:
http://vil.nai.com/vil/content/v_129588.htm
I
was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
Thanks,
Matt
John
Tolmachoff (Lists) wrote:
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?
John T
eServices For You
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning
I opened the zip file and it contained one file called "1.cpl" (without
the
quotes). Some sort of malicious Control Panel applet?
----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning
What is the payload inside the zip?
John T
eServices For You
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning
FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
this morning, first coming from Eastern Europe. McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system. Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:
HEADERS END NOTCONTAINS boundary="--------
BODY END NOTCONTAINS attachment; filename="
BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
BODY 15 CONTAINS price
Matt
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
-------------------------------------------------------------------
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
-------------------------------------------------------------------
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
|