[Declude.Virus] More info about encrypted RAR virus and Declude failures
I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why.

Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.

Note to Dave: this took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here, as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RARs when the file names are not extractable.

I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIPs too: for both encrypted ZIPs and encrypted RARs where the file names can't be extracted, assume that it contains an EXE. This will allow for those that want to block all encrypted files and those that only want to block them when there is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,

Matt

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
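As an added illustration of the point Matt makes (this is example code, not Declude's code nor anything posted to the list), the following Python walks the block headers of a RAR 3.x archive, the format in use at the time, and applies his proposed rule: when the main header's MHD_PASSWORD flag is set the file headers that follow are encrypted, the names cannot be read, and the archive is treated as if it contains an EXE. Flag values and header offsets follow the RAR 3.x layout as named in unrar; RAR5 and multi-volume archives are not handled, and build_rar3 constructs small sample archives so nothing real is needed to run it.

```python
import struct

RAR3_MARKER = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE = 0x73, 0x74
LONG_BLOCK = 0x8000    # header is followed by an ADD_SIZE field (packed data size)
MHD_PASSWORD = 0x0080  # main header: every later header is encrypted (rar -hp)
LHD_PASSWORD = 0x0004  # file header: the file data is encrypted (rar -p)
LHD_LARGE = 0x0100     # file header carries extra 64-bit size fields before the name
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def inspect_rar(data):
    """Walk RAR 3.x block headers; nothing is decompressed or decrypted."""
    if not data.startswith(RAR3_MARKER):
        raise ValueError("not a RAR 3.x archive")
    info = {"names_encrypted": False, "entries": []}
    pos = len(RAR3_MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            info["names_encrypted"] = True  # file names unreadable from here on
            break
        if htype == HEAD_FILE:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            raw = data[name_off:name_off + name_size]
            name = raw.split(b"\0")[0].decode("latin-1")  # drop Unicode tail if any
            info["entries"].append((name, bool(flags & LHD_PASSWORD)))
        pos += hsize + add
    return info

def policy(info, block_all_encrypted=False):
    """Matt's rule: unreadable names count as an EXE inside the archive."""
    has_exe = info["names_encrypted"] or any(
        n.lower().endswith(EXEC_EXT) for n, _ in info["entries"])
    encrypted = info["names_encrypted"] or any(e for _, e in info["entries"])
    return "block" if encrypted and (block_all_encrypted or has_exe) else "allow"

def build_rar3(entries, encrypt_names=False):
    """Constructed sample archive for testing (header CRCs left zero; unchecked above)."""
    mflags = MHD_PASSWORD if encrypt_names else 0
    out = RAR3_MARKER + struct.pack("<HBHH", 0, HEAD_MAIN, mflags, 13) + bytes(6)
    if encrypt_names:  # stand-in for the 8-byte salt plus the enciphered file headers
        return out + bytes(8) + b"\xa5" * 48
    for name, payload, encrypted in entries:
        nm = name.encode("latin-1")
        flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
        out += struct.pack("<HBHHIIBIIBBHI", 0, HEAD_FILE, flags, 32 + len(nm), len(payload),
                           len(payload), 2, 0, 0, 29, 0x30, len(nm), 0x20) + nm + payload
    return out
```

With block_all_encrypted left False, an encrypted archive of plain documents passes while one with an executable, or one whose names cannot be read, is blocked, which is the two-tier behaviour Matt describes.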
Re: [Declude.Virus] new virus with .rar attachment
Symantec is being short-sighted. This is the same spammer sending this virus that was responsible for the seeded outbreak around New Year's. He starts his attacks at a moment's notice and ends them just as quickly. He can change his text faster than Symantec will ever be able to keep up with should he care to do so. He sends these through his network of spam zombies which he typically uses to send out stock spam.

McAfee was detecting this within 2 hours of it first being seen. I saw hundreds of these within those two hours though. Thankfully it appears that almost all if not all were blocked as spam. Another saving grace is the fact that it came out as an encrypted RAR which very few people have support for. Be absolutely certain that he will be back.

Matt

Gary Steiner wrote:
> Basically that is what ClamAV is doing. It detects it as a phishing spam.
>
> Original Message
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > Sent: Thursday, April 26, 2007 6:11 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] new virus with .rar attachment
> >
> > Gary, you beat them by a day with your own assessment, but Symantec
> > blogged about this virus twice today:
> >
> > http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
> >
> > An interesting point is that they have blocked 1.2 million messages by
> > tackling the text of the message as spam.
> >
> > Andrew.
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > > Behalf Of Gary Steiner
> > > Sent: Wednesday, April 25, 2007 10:31 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] new virus with .rar attachment
> > >
> > > I started getting some messages today that were picked up as
> > > spam, but were not being identified as viruses. They looked
> > > suspicious, having subject lines of
> > >
> > > Virus Activity Detected!
> > > Spyware Alert!
> > >
> > > It contains a .gif message that tells the user to open the
> > > .rar file and run the patch there to protect them from the
> > > virus/spyware.
> > >
> > > I ran it on www.virustotal.com, and the only scanner that
> > > picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> > >
> > > http://vil.nai.com/vil/content/v_142094.htm
> > >
> > > Since this is a password protected .rar file, should we now be
> > > blocking these?
RE: [Declude.Virus] new virus with .rar attachment
Basically that is what ClamAV is doing. It detects it as a phishing spam.

Original Message
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Thursday, April 26, 2007 6:11 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] new virus with .rar attachment
>
> Gary, you beat them by a day with your own assessment, but Symantec
> blogged about this virus twice today:
>
> http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
>
> An interesting point is that they have blocked 1.2 million messages by
> tackling the text of the message as spam.
>
> Andrew.
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Gary Steiner
> > Sent: Wednesday, April 25, 2007 10:31 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] new virus with .rar attachment
> >
> > I started getting some messages today that were picked up as
> > spam, but were not being identified as viruses. They looked
> > suspicious, having subject lines of
> >
> > Virus Activity Detected!
> > Spyware Alert!
> >
> > It contains a .gif message that tells the user to open the
> > .rar file and run the patch there to protect them from the
> > virus/spyware.
> >
> > I ran it on www.virustotal.com, and the only scanner that
> > picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
> >
> > http://vil.nai.com/vil/content/v_142094.htm
> >
> > Since this is a password protected .rar file, should we now be
> > blocking these?
RE: [Declude.Virus] new virus with .rar attachment
Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today:

http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam.

Andrew.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Gary Steiner
> Sent: Wednesday, April 25, 2007 10:31 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] new virus with .rar attachment
>
> I started getting some messages today that were picked up as
> spam, but were not being identified as viruses. They looked
> suspicious, having subject lines of
>
> Virus Activity Detected!
> Spyware Alert!
>
> It contains a .gif message that tells the user to open the
> .rar file and run the patch there to protect them from the
> virus/spyware.
>
> I ran it on www.virustotal.com, and the only scanner that
> picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
>
> http://vil.nai.com/vil/content/v_142094.htm
>
> Since this is a password protected .rar file, should we now be
> blocking these?