RE: [Declude.Virus] If you are using McAfee's on-access virus scanner...

2002-10-18 Thread John Tolmachoff
I think it was a conspiracy. They must have found out we "reported bad
things" about how the company wanted way too much money for licensing to
work with Declude.

;)

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread R. Scott Perry
Unfortunately, the people that discovered it did a horrible job of trying 
to explain it 
(http://www.securiteam.com/windowsntfocus/6D00B005PU.html).  Not only are 
they not clear about what causes the flaw (whether the vulnerability is in 
the E-mail headers or the certificate itself), the RFC that they reference 
doesn't contain some of the terms they use (the same ones that are 
referring to the RFC).  And, the information on Microsoft's site is always 
very vague about what causes the problem.  So unless more details are 
posted, it will likely not be detected by any software.
-Scott

At 02:31 PM 10/17/2002, you wrote:
> Has anyone seen this and can Declude Virus help protect against this?
>
> A recently announced flaw in Microsoft's Outlook Express e-mail program
> allows a Windows system to be taken over by a specially crafted incoming
> message.
> Ironically, the flaw that allows the attack is part of Microsoft's
> implementation of S/MIME, a standard that is supposed to enhance security by
> allowing encryption and digital signing of messages. An attacker can take
> over the system by sending a message with an excessively long "digital
> signature." When the message arrives, rogue code contained in the signature
> can be made to run.
>
> The flaw, which Microsoft rates as "critical," affects the company's free
> Outlook Express, which is bundled with Microsoft Windows and Internet
> Explorer. It does not affect Outlook, which is part of the costly Microsoft
> Office suite. Unfortunately, Outlook Express is by far the more widely used
> of the two
>
> John Tolmachoff
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com






Re: [Declude.Virus] declude log

2002-10-18 Thread Panda Consulting S.A - Luis Alberto Arango
> Is the client sending out the E-mails himself, or is he using IMail to
> send them?

The emails sent by my client are being sent by himself without using IMail.
He uses his own ISP's SMTP.


> Which version of Declude are you using ("\IMail\Declude -diag", exactly
> like that, from a command prompt will show you)?

It is version 1.60.


> One of the .SMD files shows that the E-mail was scanned twice (two
> "Scanned for viruses" lines at the bottom), while the other three were
> scanned once.

Yes, I noticed that too... I have no idea why that is, since the client
doesn't use IMail for SMTP.


>
> The other thing that I noted was that it was several minutes between the
> time that IMail accepted the bounce messages and Declude Virus
> encountered this problem.  Is there a very heavy load on the server when
> this occurs?

That is rare... there is not a heavy load on the server. We receive between 10K
and 20K emails daily, unless that is heavy load, and our SMTP processes
between 1K and 3K daily. I have to double-check the figures... perhaps at that
time everybody was sending emails through the server.

>
> I tried reproducing the problem here with the .SMD files, and wasn't able
> to.
> -Scott

Thanks for your help and effort to find out what is going on. Today I looked
at the Declude log again and had several errors. All the SMDs I was able to
look at came again from the same postmaster as a response to my client's
email, saying that the sender wasn't found or the host didn't exist. Just like
the samples I sent you.

That is really strange. It seems like the message coming from the remote
postmaster has something that drives Declude or F-Prot crazy. I have no idea
what to do about it.
I will keep looking.

-Luis Arango

---
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]




[Declude.Virus] If you are using McAfee's on-access virus scanner...

2002-10-18 Thread R. Scott Perry
We have found out that a version of McAfee's virus scanner was reporting a 
false positive of the "Insane" virus in the Declude.exe file, starting 
yesterday.  McAfee has fixed this (see 
http://vil.nai.com/vil/content/v_99753.htm for further details).

If you are running McAfee's on-access scanner, however, you should check to 
make sure that it did not rename, quarantine, lock or delete the 
\IMail\Declude.exe file.
-Scott



RE: [Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread Craig Gittens
I think that's exactly the plan. Upgrade! $$

Craig.

>Unfortunately, Outlook Express is by far the more widely used of the two




RE: [Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread Trent M. Davenport
Yup, shore do gots patches.  Both knees be covered with dem.  An one on me
bum too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:Declude.Virus-owner@;declude.com]On Behalf Of Bill Beach
Sent: October 17, 2002 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Outlook Express Flaw Permits System
Takeover Via E-mail


>those clients that  don't keep their systems up to date.

Wait, you mean there are people who don't keep up to date with patches?

-Bill



Re: [Declude.Virus] If you are using McAfee's on-access virus scanner...

2002-10-18 Thread Kris Rickerson

From what I understand, it is a false positive. It shows up on machines
running the latest virus definitions but NOT the latest engine.

From mcafee.com:

AVERT has received reports of false "W32/Insane.dam" detections
when using the 4229 DAT files and old, and unsupported, engine versions
4.0.70, and 4.1.40.
Users who are seeing such a detection are urged to update their engine to
the current version, 4.1.60, as soon as possible to correct this false
detection.

Kris

At 03:35 PM 10/17/2002 -0400, you wrote:
> Does anybody have info on the w32/insane.dam virus? I have a user in CA who
> claims to be getting nailed by it right now... The only place I found info
> was at McAfee's site and the name of the virus is the only info provided.
> She said it is deleting excel.exe on the infected machines.



Kris Rickerson
Server Administrator
Middle Georgia College - Cochran, GA  31014
478.934.3432
[EMAIL PROTECTED]
"Even if the Internet bubble had continued to swell, AOL's days
would have been numbered.  The reason is simple: It was never really
an Internet company. AOL was based on the idea that people needed to live
in a halfway house while they became accustomed to the Net." - James
Surowiecki, Wired



Re: [Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread John Carter
Microsoft sent out this security bulletin on the 10th.

http://www.microsoft.com/technet/security/bulletin/MS02-058.asp

John

John Tolmachoff wrote:
> 
> Has anyone seen this and can Declude Virus help protect against this?
> 
> A recently announced flaw in Microsoft's Outlook Express e-mail program
> allows a Windows system to be taken over by a specially crafted incoming
> message.
> Ironically, the flaw that allows the attack is part of Microsoft's
> implementation of S/MIME, a standard that is supposed to enhance security by
> allowing encryption and digital signing of messages. An attacker can take
> over the system by sending a message with an excessively long "digital
> signature." When the message arrives, rogue code contained in the signature
> can be made to run.
> 
> The flaw, which Microsoft rates as "critical," affects the company's free
> Outlook Express, which is bundled with Microsoft Windows and Internet
> Explorer. It does not affect Outlook, which is part of the costly Microsoft
> Office suite. Unfortunately, Outlook Express is by far the more widely used
> of the two
> 
> John Tolmachoff
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com
> 



Re: [Declude.Virus] If you are using McAfee's on-access virus scanner...

2002-10-18 Thread Rick Davidson
Does anybody have info on the w32/insane.dam virus? I have a user in CA who
claims to be getting nailed by it right now... The only place I found info
was at McAfee's site and the name of the virus is the only info provided.
She said it is deleting excel.exe on the infected machines.

I use F-prot/Declude

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 12:44 PM
Subject: [Declude.Virus] If you are using McAfee's on-access virus scanner...


> We have found out that a version of McAfee's virus scanner was reporting a
> false positive of the "Insane" virus in the Declude.exe file, starting
> yesterday.  McAfee has fixed this (see
> http://vil.nai.com/vil/content/v_99753.htm for further details).
>
> If you are running McAfee's on-access scanner, however, you should check
> to make sure that it did not rename, quarantine, lock or delete the
> \IMail\Declude.exe file.
>  -Scott



RE: [Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread Bill Beach
>those clients that  don't keep their systems up to date.

Wait, you mean there are people who don't keep up to date with patches?

-Bill



RE: [Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread John Tolmachoff
>Unfortunately, the people that discovered it did a horrible job of trying 
>to explain it 
>(http://www.securiteam.com/windowsntfocus/6D00B005PU.html).  And, the
>information on Microsoft's site is always 
>very vague about what causes the problem.  So unless more details are 
>posted, it will likely not be detected by any software.

OK. 

Thanks John Carter, I did see the patch, but was wondering about protecting
those clients that  don't keep their systems up to date.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






[Declude.Virus] Outlook Express Flaw Permits System Takeover Via E-mail

2002-10-18 Thread John Tolmachoff
Has anyone seen this and can Declude Virus help protect against this?

A recently announced flaw in Microsoft's Outlook Express e-mail program
allows a Windows system to be taken over by a specially crafted incoming
message. 
Ironically, the flaw that allows the attack is part of Microsoft's
implementation of S/MIME, a standard that is supposed to enhance security by
allowing encryption and digital signing of messages. An attacker can take
over the system by sending a message with an excessively long "digital
signature." When the message arrives, rogue code contained in the signature
can be made to run. 

The flaw, which Microsoft rates as "critical," affects the company's free
Outlook Express, which is bundled with Microsoft Windows and Internet
Explorer. It does not affect Outlook, which is part of the costly Microsoft
Office suite. Unfortunately, Outlook Express is by far the more widely used
of the two

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






Re: [Declude.Virus] declude log

2002-10-18 Thread R. Scott Perry


>> One of the .SMD files shows that the E-mail was scanned twice (two "Scanned
>> for viruses" lines at the bottom), while the other three were scanned
>> once.
>
> Yes, I noticed that too... I have no idea why that is, since the client
> doesn't use IMail for SMTP.


That will likely be a very important factor, if we can figure out why it 
happened.

> Thanks for your help and effort to find out what is going on. Today I looked
> at the Declude log again and had several errors.


When this happens, are there leftover \IMail\spool\*.vir directories?

Somehow, Windows is reporting that the \IMail\spool\*.vir directory that 
Declude wants to create already exists -- yet that's nearly impossible, 
unless there is another instance of Declude running (since the directory 
names are based on the 'almost unique' IMail spool file name, with a .vir 
extension).  But if there was another instance of Declude running, the log 
files would have duplicate entries, but they don't.
   -Scott
