RE: [Declude.Virus] W32/Valla.a virus

2004-02-17 Thread Kami Razvan
Thanks Scott:

I guess I was fooled by:

Tue, 17 Feb 2004 20:09:49 +0100
FROM: "Administrator" [EMAIL PROTECTED]
TO: "Inet Client" [EMAIL PROTECTED]
SUBJECT: Failure Message
X-ID: 798895329822232376

The from address in the header shows as @microsoft.com and that made me
think it is forged.. The actual from address is @net-up.com.

OK so it is not forging.. thanks

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, February 17, 2004 3:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] W32/Valla.a virus


>here is the alert for the virus:

It doesn't look like this one was forged:

>From: [EMAIL PROTECTED]

The return address domain of net-up.com matches:

>Received: from msg1.net-up.com [62.106.65.252] by foroosh.com
>(SMTPD32-8.05) id A7513150058; Tue, 17 Feb 2004 14:11:13 -0500

the reverse DNS of 62.106.65.252 (ns3.net-up.com).


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.Virus] W32/Valla.a virus

2004-02-17 Thread R. Scott Perry

>here is the alert for the virus:

It doesn't look like this one was forged:

>From: [EMAIL PROTECTED]

The return address domain of net-up.com matches:

>Received: from msg1.net-up.com [62.106.65.252] by foroosh.com
>(SMTPD32-8.05) id A7513150058; Tue, 17 Feb 2004 14:11:13 -0500

the reverse DNS of 62.106.65.252 (ns3.net-up.com).

   -Scott
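
The comparison described in the message above (return-address domain against the reverse DNS of the connecting IP), as an added example that is not part of the original thread and not Declude's implementation. The Received line and PTR name are the ones quoted in the thread; the addresses are placeholders (the archive redacted the real ones), and `assess_sender`, `org_domain` and the lookup table are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The Received line is the one quoted in the thread; every
# address is a placeholder because the archive redacted the real ones.
SAMPLE = (
    "Received: from msg1.net-up.com [62.106.65.252] by foroosh.com\n"
    " (SMTPD32-8.05) id A7513150058; Tue, 17 Feb 2004 14:11:13 -0500\n"
    'FROM: "Administrator" <placeholder@microsoft.com>\n'
    'TO: "Inet Client" <recipient@example.com>\n'
    "SUBJECT: Failure Message\n"
    "\n"
)
ENVELOPE_SENDER = "placeholder@net-up.com"   # SMTP MAIL FROM (the return address)
RDNS = {"62.106.65.252": "ns3.net-up.com"}   # PTR value stated in the thread

# Accepts both "[1.2.3.4]" and "([1.2.3.4])" after the HELO name.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(?\[(?P<ip>[0-9.]+)\]\)?", re.I)


def org_domain(name):
    """Last two DNS labels, lower-cased (assumption: no public-suffix handling)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def connecting_host(msg):
    """(HELO name, IP) from the topmost Received header, the one our own server wrote."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_RE.search(" ".join(received[0].split()))
    return (match["helo"], match["ip"]) if match else None


def assess_sender(raw_headers, envelope_sender, rdns_lookup):
    """Compare the return-address domain with the PTR name of the connecting IP."""
    msg = message_from_string(raw_headers)
    host = connecting_host(msg)
    if host is None:
        return {"verdict": "unknown", "reason": "no parsable Received header"}
    helo, ip = host
    ptr = rdns_lookup(ip)
    envelope_dom = org_domain(envelope_sender.rpartition("@")[2])
    header_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # Use the PTR name, not the HELO string: the client chooses what HELO says.
    network_dom = org_domain(ptr) if ptr else None
    if network_dom is None:
        verdict = "unverified"
    elif network_dom == envelope_dom:
        verdict = "not forged"
    else:
        verdict = "possibly forged"
    return {
        "ip": ip, "helo": helo, "ptr": ptr,
        "envelope_matches_network": network_dom is not None and envelope_dom == network_dom,
        # The display From: header is a separate field and may differ from the
        # return address, which is what caused the confusion in this thread.
        "header_from_matches_envelope": header_dom == envelope_dom,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess_sender(SAMPLE, ENVELOPE_SENDER, RDNS.get))
```

A PTR match only shows that the message left a host in the same organization's address space as the return address; it says nothing about whether the sending machine is infected.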


[Declude.Virus] W32/Valla.a virus

2004-02-17 Thread Kami Razvan



Scott:

here is the alert for the virus:

Regards,
Kami

=
The Declude Virus software [Ver: 1.77i30] on durability.com has reported that
you were sent an E-mail:

From: [EMAIL PROTECTED]
Containing: the W32/Valla.a virus !!! virus
In: dotoo.exe attachment
Subject: "Failure Message"

The E-mail containing the virus has been deleted to prevent further damage.
If the From address appears as [Forged] the virus has forged its sender
therefore can not be tracked.

Headers Follow:
===
Received: from msg1.net-up.com [62.106.65.252] by foroosh.com
(SMTPD32-8.05) id A7513150058; Tue, 17 Feb 2004 14:11:13 -0500
Received: from nqip ([62.106.16.173]) by msg1.net-up.com with SMTP
id [EMAIL PROTECTED];
Tue, 17 Feb 2004 20:09:49 +0100
FROM: "Administrator" [EMAIL PROTECTED]
TO: "Inet Client" [EMAIL PROTECTED]
SUBJECT: Failure Message
X-ID: 798895329822232376
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="fnwhhglu"
Message-Id: [EMAIL PROTECTED]
Date: Tue, 17 Feb 2004 20:10:34 +0100


Re: [Declude.Virus] W32.Valla.2048

2004-02-17 Thread R. Scott Perry

>Just received a new virus that apparently has been around since November 24.
>
>It seems like this virus is forging but Declude does not mark it as forging..

We don't have any information indicating that it may be a forging
virus.  Do you have the full headers for one of these?

   -Scott


[Declude.Virus] W32.Valla.2048

2004-02-17 Thread Kami Razvan



Hi;

Just received a new virus that apparently has been around since November 24.

It seems like this virus is forging but Declude does not mark it as forging..

From: [EMAIL PROTECTED]
Containing: the W32/Valla.a virus !!! virus
In: dotoo.exe attachment
Subject: "Failure Message"

The following is the link at Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.valla.2048.html

Any ideas?

Regards,
Kami
 


RE: [Declude.Virus] Help!

2004-02-17 Thread R. Scott Perry

>You were right about our newsletter sending software.  The problem was being
>caused by a CFMAILPARAM tag, if you're familiar with Cold Fusion.  I pasted
>it below.  Just curious what caused the error... Removing the line entirely
>seems to solve the problem, but should we include a different type of PARAM
>with our newsletter sendouts to increase their efficiency so to speak?

I'm not very familiar with CF -- but it looks like this is an option that
shouldn't be allowed.  It sounds like CF handles all the MIME segments, but
allows you to insert "pretend" MIME headers.  If that line triggers the
Outlook 'MIME segment in MIME preamble' Vulnerability, then that line is
inserting MIME headers somewhere where they won't do anything.

   -Scott


Re: [Declude.Virus] Help!

2004-02-17 Thread Matt




Chris,

The Declude Virus manual page (http://www.declude.com/virus/manual.htm)
explains this issue:

Outlook 'MIME segment in MIME preamble' Vulnerability:
This vulnerability occurs when it appears as though a MIME segment is
occurring before it should (specifically, a MIME segment with a boundary
other than the one specified appears in the MIME preamble). Outlook may see
this as an attachment. Although technically valid, there is no legitimate
reason for an E-mail to be sent like this.


Blame Microsoft for having such a terrible MIME parser.

Matt



Chris Hickey wrote:

  Scott,
You were right about our newsletter sending software.  The problem was being
caused by a CFMAILPARAM tag, if you're familiar with Cold Fusion.  I pasted
it below.  Just curious what caused the error... Removing the line entirely
seems to solve the problem, but should we include a different type of PARAM
with our newsletter sendouts to increase their efficiency so to speak?



Thanks,
Chris


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chris Hickey
Sent: Friday, February 13, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Help!


We recently upgraded our declude.cfg file, as well as our global.cfg file,
and are now having some problems.  We can no longer send our newsletter, as
all recipients receive an error:


The Declude Virus software on rxpost.net has reported that you were sent an
E-mail from [EMAIL PROTECTED], containing the [Outlook 'MIME
segment in MIME Preamble' Vulnerability] virus in the [No attachment]
attachment. The subject of the E-mail was "New State Board Licensure and
Free CE".
The E-mail containing the virus has been quarantined to prevent further
damage.
Headers Follow:
Received: from WEB645001 [66.179.108.221] by rxpost.net with ESMTP
(SMTPD32-8.05) id AD7036200C2; Fri, 13 Feb 2004 08:29:52 -0700|
Message-ID: [EMAIL PROTECTED]
Date: Fri, 13 Feb 2004 08:26:29 -0700 (MST)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: New State Board Licensure and Free CE
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="==MULTIPART BOUNDARY=="
X-Mailer: ColdFusion MX Application Server


In addition to this problem, the majority of emails sent to us through
Hotmail and Yahoo are getting bounced back to the user.  Please bear with
me, I'm very new to all this.  Any and all help is greatly appreciated.
Thanks!

Chris Hickey
Pharmacy Choice


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
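
A sketch of the condition quoted from the Declude manual in the message above (a segment with a boundary other than the declared one appearing in the MIME preamble), added here as an example; it is not Declude's scanner and not code from the thread. The sample messages are constructed: they reuse the boundary string from the quoted newsletter headers, but the stray segment is hypothetical because the CFMAILPARAM line itself does not appear on the page.

```python
import re
from email import message_from_string

# Constructed samples. Only the boundary string comes from the quoted headers.
HEADERS = (
    "Mime-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="==MULTIPART BOUNDARY=="\n'
    "\n"
)
PARTS = (
    "--==MULTIPART BOUNDARY==\n"
    "Content-Type: text/plain\n"
    "\n"
    "Newsletter text\n"
    "--==MULTIPART BOUNDARY==\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Newsletter text</p>\n"
    "--==MULTIPART BOUNDARY==--\n"
)
# Ordinary preamble: plain text before the first declared boundary.
CLEAN = HEADERS + "This is a multi-part message in MIME format.\n\n" + PARTS
# Preamble that contains something shaped like a MIME part with another boundary.
SUSPECT = HEADERS + (
    "--stray-boundary\n"
    'Content-Type: text/plain; name="note.txt"\n'
    "\n"
    "text sitting in the preamble\n"
    "\n"
) + PARTS

DELIMITER_RE = re.compile(r"^--(?P<token>\S.*?)\s*$")
PART_HEADER_RE = re.compile(r"^Content-[A-Za-z-]+\s*:", re.I)


def preamble_segments(raw_message):
    """Return boundary tokens that open a MIME-looking segment inside the preamble."""
    msg = message_from_string(raw_message)
    declared = msg.get_boundary()
    if msg.get_content_maintype() != "multipart" or declared is None:
        return []
    # If the declared boundary never appears, the parser leaves the body as a string.
    preamble = msg.preamble if msg.is_multipart() else msg.get_payload()
    lines = (preamble or "").splitlines()
    found = []
    for index, line in enumerate(lines):
        match = DELIMITER_RE.match(line)
        if not match or match["token"] in (declared, declared + "--"):
            continue
        # Only a delimiter followed by part headers looks like a segment to a
        # lenient client; a bare "--text" line or a "-- " signature mark does not.
        for following in lines[index + 1:index + 6]:
            if not following.strip():
                break
            if PART_HEADER_RE.match(following):
                found.append(match["token"])
                break
    return found


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, preamble_segments(raw))
```

A compliant parser discards the preamble, so a non-empty result means the scanner and a lenient mail client could disagree about what the message contains.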




RE: [Declude.Virus] Help!

2004-02-17 Thread Chris Hickey
Scott,
You were right about our newsletter sending software.  The problem was being
caused by a CFMAILPARAM tag, if you're familiar with Cold Fusion.  I pasted
it below.  Just curious what caused the error... Removing the line entirely
seems to solve the problem, but should we include a different type of PARAM
with our newsletter sendouts to increase their efficiency so to speak?



Thanks,
Chris


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris Hickey
Sent: Friday, February 13, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Help!


We recently upgraded our declude.cfg file, as well as our global.cfg file,
and are now having some problems.  We can no longer send our newsletter, as
all recipients receive an error:


The Declude Virus software on rxpost.net has reported that you were sent an
E-mail from [EMAIL PROTECTED], containing the [Outlook 'MIME
segment in MIME Preamble' Vulnerability] virus in the [No attachment]
attachment. The subject of the E-mail was "New State Board Licensure and
Free CE".
The E-mail containing the virus has been quarantined to prevent further
damage.
Headers Follow:
Received: from WEB645001 [66.179.108.221] by rxpost.net with ESMTP
(SMTPD32-8.05) id AD7036200C2; Fri, 13 Feb 2004 08:29:52 -0700|
Message-ID: [EMAIL PROTECTED]
Date: Fri, 13 Feb 2004 08:26:29 -0700 (MST)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: New State Board Licensure and Free CE
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="==MULTIPART BOUNDARY=="
X-Mailer: ColdFusion MX Application Server


In addition to this problem, the majority of emails sent to us through
Hotmail and Yahoo are getting bounced back to the user.  Please bear with
me, I'm very new to all this.  Any and all help is greatly appreciated.
Thanks!

Chris Hickey
Pharmacy Choice


RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread R. Scott Perry

>Scott, has this been added to the forging virus list on your server,
>including the variant names?

Yes.

   -Scott


RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread John Tolmachoff (Lists)
Scott, has this been added to the forging virus list on your server,
including the variant names?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Tuesday, February 17, 2004 7:01 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] New virus Tanx
> 
> FYI, there is a new virus that was discovered several hours ago, and we've
> already seen several copies come in here.  Details are at
> http://www.sophos.com/virusinfo/analyses/w32tanxa.html .
> 
> -Scott


RE: [Declude.Virus] F-Prot Update

2004-02-17 Thread John Tolmachoff (Lists)
Thanks Charles.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Charles Frolick
> Sent: Tuesday, February 17, 2004 9:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] F-Prot Update
> 
> There are command line options to make it command line only, they are
> buried on the support website.  This is what I run in Task Scheduler:
> "C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe" /internet /hidden
> 
> Thanks,
> Chuck Frolick
> ArgoLink.net
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
> (Lists)
> Sent: Tuesday, February 17, 2004 11:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] F-Prot Update
> 
> 
> I just noticed this also on a server I consult on. The F-Prot Scheduler
> did not run the update.
> 
> There is no fpupdater.exe. There is an updater.exe, but that is a 32bit
> app with no command line. Opens up a window in which you must choose to
> update now.
> 
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> > [EMAIL PROTECTED] On Behalf Of Dan Star
> > Sent: Monday, February 16, 2004 11:08 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.Virus] F-Prot Update
> >
> > On 2/16/04 10:57 AM, Hermann Strassner wrote:
> >
> > >We use F-PROT Windows as virus scanner. The update engine runs only
> > >when the computer is logged in.
> > >
> > >Is there a possibility to update also when the computer is not logged in?
> > >
> > >Hermann
> > >
> > Write a script and schedule the script to run and fire off the
> > fpupdater.exe.


RE: [Declude.Virus] F-Prot Update

2004-02-17 Thread Charles Frolick
There are command line options to make it command line only, they are
buried on the support website.  This is what I run in Task Scheduler:
"C:\Program Files\FSI\F-Prot\FP-Updater\Updater.exe" /internet /hidden

Thanks,
Chuck Frolick
ArgoLink.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, February 17, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] F-Prot Update


I just noticed this also on a server I consult on. The F-Prot Scheduler
did not run the update. 

There is no fpupdater.exe. There is an updater.exe, but that is a 32bit
app with no command line. Opens up a window in which you must choose to
update now.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus- 
> [EMAIL PROTECTED] On Behalf Of Dan Star
> Sent: Monday, February 16, 2004 11:08 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] F-Prot Update
> 
> On 2/16/04 10:57 AM, Hermann Strassner wrote:
> 
> >We use F-PROT Windows as virus scanner. The update engine runs only 
> >when the computer is logged in.
> >
> >Is there a possibility to update also when the computer is not logged in?
> >
> >Hermann
> >
> Write a script and schedule the script to run and fire off the 
> fpupdater.exe.


RE: [Declude.Virus] F-Prot Update

2004-02-17 Thread John Tolmachoff (Lists)
I just noticed this also on a server I consult on. The F-Prot Scheduler did
not run the update. 

There is no fpupdater.exe. There is an updater.exe, but that is a 32bit app
with no command line. Opens up a window in which you must choose to update
now.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of Dan Star
> Sent: Monday, February 16, 2004 11:08 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] F-Prot Update
> 
> On 2/16/04 10:57 AM, Hermann Strassner wrote:
> 
> >We use F-PROT Windows as virus scanner. The update engine runs only when
> >the computer is logged in.
> >
> >Is there a possibility to update also when the computer is not logged
> >in?
> >
> >Hermann
> >
> Write a script and schedule the script to run and fire off the
> fpupdater.exe.


RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Rick Klinge
I chuck it with ASSP and if it makes it past that then declude should kick
it via the ban extension exe.  If still passes that then hopefully the
F-Prot will woof it.

~Rick

Using mail server mail.famhost.com.
220 ict-famhost.email.system X1
HELO www.declude.com
250 hello JaRay.net
MAIL FROM: 
250 ok
RCPT TO: 
250 ok its for 
DATA
354 ok, send it; end with .
[Body of E-mail]
500 Executable attachments are not allowed -- Compress before mailing.
Sorry, an error occurred!

 
> > Symantec labeled it [EMAIL PROTECTED]  HA.. I just label it an
> > "exe attachment virus" and carry on.  
> 
> 
> Well, you can try to add
> 
> FORGINGVIRUS exe attachment virus
> 
> ...but I expect this will not change anything.  
> 

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.



RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Markus Gufler

> Symantec labeled it [EMAIL PROTECTED]  HA.. I just label it an 
> "exe attachment virus" and carry on.  


Well, you can try to add

FORGINGVIRUS exe attachment virus

...but I expect this will not change anything.  

Markus ;-)



RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Charles Frolick
Sorry, I always think of bagels when I see that virus name. Guess I'm
just hungry.

Thanks,
Chuck Frolick
ArgoLink.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, February 17, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] New virus Tanx



> F-Prot calls it w32/[EMAIL PROTECTED]

You mean "Bagle" and not "Bagel"  ?!

Markus




RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Rick Klinge
Symantec labeled it [EMAIL PROTECTED]  HA.. I just label it an "exe attachment
virus" and carry on.  Surprisingly, since I thought most email admins block
exe attachments, this one is moving fast.

~Rick 

> 
> > F-Prot calls it w32/[EMAIL PROTECTED]
> 
> You mean "Bagle" and not "Bagel"  ?!
> 



Re: [Declude.Virus] New virus Tanx

2004-02-17 Thread Butch Andrews
My error. F-Prot is the company that has the new update.
-Butch

*** REPLY SEPARATOR  ***

On 2/17/2004 at 9:32 AM Butch Andrews wrote:

>Declude has just released an update for this same virus that they identify
>as W32/[EMAIL PROTECTED]
>-Butch
>
>*** REPLY SEPARATOR  ***
>
>On 2/17/2004 at 10:01 AM R. Scott Perry wrote:
>
>>FYI, there is a new virus that was discovered several hours ago, and
>>we've 
>>already seen several copies come in here.  Details are at 
>>http://www.sophos.com/virusinfo/analyses/w32tanxa.html .
>>
>>-Scott


RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Markus Gufler

> F-Prot calls it w32/[EMAIL PROTECTED]

You mean "Bagle" and not "Bagel"  ?!

Markus




Re: [Declude.Virus] New virus Tanx

2004-02-17 Thread Butch Andrews
Declude has just released an update for this same virus that they identify
as W32/[EMAIL PROTECTED]
-Butch

*** REPLY SEPARATOR  ***

On 2/17/2004 at 10:01 AM R. Scott Perry wrote:

>FYI, there is a new virus that was discovered several hours ago, and
>we've 
>already seen several copies come in here.  Details are at 
>http://www.sophos.com/virusinfo/analyses/w32tanxa.html .
>
>-Scott


Re: [Declude.Virus] New virus Tanx

2004-02-17 Thread Don Hickey
Mcafee's write up on it...

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101030

Don
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 17, 2004 9:01 AM
Subject: [Declude.Virus] New virus Tanx


> FYI, there is a new virus that was discovered several hours ago, and we've
> already seen several copies come in here.  Details are at
> http://www.sophos.com/virusinfo/analyses/w32tanxa.html .
>
> -Scott


RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Charles Frolick
F-Prot calls it w32/[EMAIL PROTECTED]
http://www.f-prot.com/virusinfo/descriptions/bagle_b.html

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, February 17, 2004 9:01 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] New virus Tanx


FYI, there is a new virus that was discovered several hours ago, and
we've 
already seen several copies come in here.  Details are at 
http://www.sophos.com/virusinfo/analyses/w32tanxa.html .

-Scott


Re: [Declude.Virus] New virus Tanx

2004-02-17 Thread Don Hickey
I will second this once again, I submitted this to McAfee and the extra.dat
file I got mentioned W32/[EMAIL PROTECTED]

I haven't received anything back from them since about 1/2 hour ago. So far
the .exe name has changed on the ones we have seen.

Here is an example from one of the messages we have received -

To: [EMAIL PROTECTED]
Subject: ID ulkkhfrbtr... thanks
From: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="552752223023604"
X-Declude-Sender: [EMAIL PROTECTED] [80.146.90.39]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: None [0]
X-Note: This E-mail was sent from  ([80.146.90.39]).
X-Note: Total spam weight of this E-mail is 0

--552752223023604
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Yours ID pysemjfq
--
Thank


--552752223023604
Content-Type: application/x-msdownload; name="abuj.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="jmbfsarpnpk.exe"

Don

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 17, 2004 9:01 AM
Subject: [Declude.Virus] New virus Tanx

> FYI, there is a new virus that was discovered several hours ago, and we've
> already seen several copies come in here.  Details are at
> http://www.sophos.com/virusinfo/analyses/w32tanxa.html .
>
> -Scott
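
The sample in the post above declares two different names for the same attachment (name="abuj.exe" in Content-Type, filename="jmbfsarpnpk.exe" in Content-Disposition), so an extension check has to look at both. The following is an added example, not part of the original post and not Declude's code; the ban list, the placeholder addresses and the placeholder payload are assumptions.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Assumed ban list for illustration; not Declude's or IMail's actual list.
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Constructed sample: MIME layout as in the post, placeholder addresses and payload.
SAMPLE = """\
Subject: ID ulkkhfrbtr... thanks
From: sender@example.invalid
Content-Type: multipart/mixed;
 boundary="552752223023604"

--552752223023604
Content-Type: text/plain; charset="us-ascii"

Yours ID pysemjfq
--552752223023604
Content-Type: application/x-msdownload; name="abuj.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="jmbfsarpnpk.exe"

cGxhY2Vob2xkZXI=
--552752223023604--
"""

def declared_names(part):
    """Map header -> declared file name; RFC 2231 tuples are flattened to str."""
    names = {}
    for key, header in (("name", "content-type"), ("filename", "content-disposition")):
        value = part.get_param(key, header=header)
        if value is not None:
            names[header] = collapse_rfc2231_value(value)
    return names

def scan(raw_message):
    """Return one finding per leaf part that declares a banned extension."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        names = set(declared_names(part).values())
        # Windows drops trailing dots and spaces, so strip them before the check.
        banned = sorted(n for n in names
                        if os.path.splitext(n.lower().rstrip(". "))[1] in BANNED_EXTENSIONS)
        if banned:
            findings.append({"content_type": part.get_content_type(),
                             "banned_names": banned, "names_differ": len(names) > 1})
    return findings
```

Calling scan(SAMPLE) reports the attachment once, with both declared names and names_differ set, which is a useful signal on its own because mail clients differ in which of the two names they show.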


RE: [Declude.Virus] New virus Tanx

2004-02-17 Thread Markus Gufler

Thanxs!

Some more info at http://vil.nai.com/vil/content/v_101030.htm

Tanx (or Panda's name: YourId) is a forging virus.

Markus



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Tuesday, February 17, 2004 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] New virus Tanx
> 
> FYI, there is a new virus that was discovered several hours 
> ago, and we've already seen several copies come in here.  
> Details are at 
> http://www.sophos.com/virusinfo/analyses/w32tanxa.html .
> 
> -Scott


RE: [Declude.Virus] Per Domain Extension Banning

2004-02-17 Thread Lukasz Kaminski
I'm not sure if this would help in your situation, but prior to running
Declude Virus I had banned all questionable extensions using the IMail
rules.  It worked very well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, February 16, 2004 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Per Domain Extension Banning


>I've checked the manual and archive and can't seem to find anything on
>setting up JM Pro for per domain extension banning.  I'm getting ready
>to implement global extension banning but have some customers that
>don't want certain extensions banned.
>
>Is this possible?

No, that is not possible -- banning file extensions is a global option.

-Scott


[Declude.Virus] New virus Tanx

2004-02-17 Thread R. Scott Perry
FYI, there is a new virus that was discovered several hours ago, and we've 
already seen several copies come in here.  Details are at 
http://www.sophos.com/virusinfo/analyses/w32tanxa.html .

   -Scott