[Declude.Virus] Declude Update

2005-04-11 Thread Barry Simpson

Declude Version 2.0.6 was posted to www.declude.com
earlier today. Updated Release Notes and Documentation are also available.

Barry

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.Virus] Windows Update!

2005-04-11 Thread Pete McNeil
Note, I found and filtered a few of these today that used ordinary
links rather than numbered ones. I'm guessing the variants are already
out.

_M

On Monday, April 11, 2005, 6:01:24 PM, Greg wrote:

GL> Here's some background info on this pest (from another list).

GL> Greg Little

GL> -------- Original Message --------
GL> Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
GL> Date: Fri, 08 Apr 2005 09:27:43 -0700
GL> From: Angus Scott-Fleming <[EMAIL PROTECTED]>
GL> Reply-To: Network Security Managers List <[EMAIL PROTECTED]>
GL> Organization: GeoApps
GL> To: [EMAIL PROTECTED]

GL> --- Forwarded message follows ---
GL> From: [EMAIL PROTECTED]
GL> Date sent: Fri, 8 Apr 2005 02:28:14 UT
GL> To: [EMAIL PROTECTED]
GL> Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email
GL> Send reply to: [EMAIL PROTECTED]

GL> -----BEGIN PGP SIGNED MESSAGE-----
GL> Hash: SHA1

GL> ===
GL> A U S C E R T   A L E R T

GL>     AL-2005.007 -- AUSCERT ALERT
GL>   'Update your windows machine' fraudulent email
GL>     8 April 2005

GL> ===

GL> OVERVIEW

GL>   AusCERT would like to advise that a fraudulent email with a subject line of
GL>   'Update your windows machine' is currently circulating, with a claimed sender
GL>   of [EMAIL PROTECTED].  This email links to a site which fraudulently
GL>   presents itself as the Microsoft Windows Update web site.  When clicking on
GL>   links on the site claiming to apply an 'Express Install' or 'Custom
GL>   Install', a malicious executable will attempt to run on the user's machine.
GL>   This executable will attempt to connect to an IRC chat server, allowing a
GL>   malicious user to take control of the user's machine and potentially involve
GL>   it in other malicious activity.

GL> VULNERABILITY

GL>   The web site involved in this instance does not exploit any software
GL>   vulnerabilities.  Instead, it uses a social engineering trick to entice a
GL>   user to run malicious code.

GL> MITIGATION

GL>   This exploit requires user interaction - deleting these emails as they
GL>   arrive and not clicking on any links they contain is a safe mitigation
GL>   strategy.

GL>   Users should, as ever, remain aware of the danger of clicking on links in
GL>   unsolicited emails.

GL> EXPLOIT DETAILS

GL>   The current email used to entice people to visit the malicious site looks
GL>   like:

GL> ---
GL> Subject: Update your windows machine
GL> From: Windows Update <[EMAIL PROTECTED]>
GL> To: Auscert <[EMAIL PROTECTED]>

GL> Welcome to Windows Update

GL> Get the latest updates available for your computer's operating system,
GL> software, and hardware.

GL> Windows Update scans your computer and provides you with a
GL> selection of updates tailored just for you.

GL> Express Install : High Priority Updates for Your Computer

GL>   This includes links to go to one of the following IP addresses:

GL>   64.71.77.76
GL>   221.151.249.236

GL>   Other IP addresses or domain names may be used in future variants of this
GL>   email.

GL>   If the malicious code is downloaded and run, the malware will install itself
GL>   on the user's system as MFC42.exe, and will configure itself to run on
GL>   startup.  It will then attempt to connect to an IRC chat server, which
GL>   allows an attacker to execute commands on infected hosts.  This may include
GL>   involving infected hosts in Distributed Denial of Service (DDOS) attacks on
GL>   other Internet hosts.  This collection of attacker-controlled machines is
GL>   also known as a 'botnet'.

GL>   This is detected by the following anti-virus products as:

GL>   Kaspersky: Backdoor.Win32.DSNX.05.a
GL>   Panda: Bck/DSNX.05

GL> AusCERT has made every effort to ensure that the information contained
GL> in this document is accurate.  However, the decision to use the information
GL> described is the responsibility of each user or organisation. The decision to
GL> follow or act on information or advice contained in this security bulletin is
GL> the responsibility of each user or organisation, and should be considered in
GL> accordance with your organisation's site policies and procedures. AusCERT
GL> takes no responsibility for consequences which may arise from following or
GL> acting on information or advice contained in this security bulletin.

GL> If you believe that your computer system has been compromised or attacked in
GL> any way, we encourage you to let us know by completing the secure National
GL> IT Incident Reporting Form at:
GL> http://www.auscert.org.au/render.html?it=3192

Re: [Declude.Virus] Windows Update!

2005-04-11 Thread Greg Little

Here's some background info on this pest (from another list).

Greg Little

-------- Original Message --------
Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
Date: Fri, 08 Apr 2005 09:27:43 -0700
From: Angus Scott-Fleming <[EMAIL PROTECTED]>
Reply-To: Network Security Managers List <[EMAIL PROTECTED]>
Organization: GeoApps
To: [EMAIL PROTECTED]

--- Forwarded message follows ---
From: [EMAIL PROTECTED]
Date sent: Fri, 8 Apr 2005 02:28:14 UT
To: [EMAIL PROTECTED]
Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email
Send reply to: [EMAIL PROTECTED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===
A U S C E R T   A L E R T

   AL-2005.007 -- AUSCERT ALERT
  'Update your windows machine' fraudulent email
   8 April 2005

===

OVERVIEW

  AusCERT would like to advise that a fraudulent email with a subject line of
 'Update your windows machine' is currently circulating, with a claimed sender
  of [EMAIL PROTECTED].  This email links to a site which fraudulently
  presents itself as the Microsoft Windows Update web site.  When clicking on
  links on the site claiming to apply an 'Express Install' or 'Custom
  Install', a malicious executable will attempt to run on the user's machine. 
  This executable will attempt to connect to an IRC chat server, allowing a
  malicious user to take control of the user's machine and potentially involve
  it in other malicious activity.

VULNERABILITY

  The web site involved in this instance does not exploit any software
  vulnerabilities.  Instead, it uses a social engineering trick to entice a
  user to run malicious code.

MITIGATION

  This exploit requires user interaction - deleting these emails as they
  arrive and not clicking on any links they contain is a safe mitigation
  strategy.

  Users should, as ever, remain aware of the danger of clicking on links in
  unsolicited emails.

EXPLOIT DETAILS

  The current email used to entice people to visit the malicious site looks
  like:

---
Subject: Update your windows machine
From: Windows Update <[EMAIL PROTECTED]>
To: Auscert <[EMAIL PROTECTED]>


Welcome to Windows Update

Get the latest updates available for your computer's operating system,
software, and hardware.

Windows Update scans your computer and provides you with a
selection of updates tailored just for you.

Express Install : High Priority Updates for Your Computer


  This includes links to go to one of the following IP addresses:

  64.71.77.76
  221.151.249.236

  Other IP addresses or domain names may be used in future variants of this
  email.

  If the malicious code is downloaded and run, the malware will install itself
  on the user's system as MFC42.exe, and will configure itself to run on
  startup.  It will then attempt to connect to an IRC chat server, which
  allows an attacker to execute commands on infected hosts.  This may include
  involving infected hosts in Distributed Denial of Service (DDOS) attacks on
  other Internet hosts.  This collection of attacker-controlled machines is
  also known as a 'botnet'.

  This is detected by the following anti-virus products as:

  Kaspersky: Backdoor.Win32.DSNX.05.a
  Panda: Bck/DSNX.05


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===
Australian Computer Emergency Response Team The University of Queensland
Brisbane Qld 4072

Internet Email: [EMAIL PROTECTED]
Facsimile:  (07) 3365 7031
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST). On call after ho

Re: [Declude.Virus] F-Prot 3.16b

2005-04-11 Thread Bill Landry
It's not all that new, we have been running it since early March without
issue.

Bill
- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: 
Sent: Monday, April 11, 2005 12:36 PM
Subject: [Declude.Virus] F-Prot 3.16b


Hi,

Anyone know anything about the new version that just came out?

 Goran Jovanovic

 The LAN Shoppe

RE: [Declude.Virus] F-Prot 3.16b

2005-04-11 Thread Colbeck, Andrew
http://www.f-prot.com/download/release_notes_archive/Release-Notes-Windows-3.16b.txt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, April 11, 2005 12:36 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] F-Prot 3.16b

Hi,

Anyone know anything about the new version that just came out?

Goran Jovanovic
The LAN Shoppe

[Declude.Virus] F-Prot 3.16b

2005-04-11 Thread Goran Jovanovic

Hi,

Anyone know anything about the new version that just came out?

Goran Jovanovic
The LAN Shoppe

Re: [Declude.Virus] Update Your PayPal Account Information

2005-04-11 Thread Bill Landry

And better yet, how did it get to the list without a sender e-mail address?  Is the null host address "<>" really subscribed to the list?

X-Declude-Sender: <> [82.79.90.27]

Bill

- Original Message -
From: io
To: declude.virus
Sent: Sunday, April 10, 2005 5:54 PM
Subject: [Declude.Virus] Update Your PayPal Account Information

As part of our security measures, we regularly screen activity in the
PayPal system. We recently noticed the following issue on your account:

Recent account activity has made it necessary for us to collect 
additional verification information. Case ID Number: PP-071-363-053

For your protection, we have limited access to your account until
additional security measures can be completed. We apologize for any
inconvenience this may cause.


To review your account and some or all of the information that PayPal 
used to make its decision to limit your account access, please visit 
the Resolution Center. If, after reviewing your account information, 
you seek further clarification regarding your account access, please 
contact PayPal by visiting the Help Center and clicking "Contact Us".
We thank you for your prompt attention to this matter. 
Please understand that this is a security measure intended to help 
protect you and your account. We apologize for any inconvenience.

If you are the rightful holder of the account you must click the link below
and then complete all steps from the following page as we try to verify your 
identity.

http://weboffice.tlri.gov.tw/.paypal/protect.php

Sincerely,
PayPal Account Review Department

Re: [Declude.Virus] Update Your PayPal Account Information

2005-04-11 Thread Mike Nice

Ok, who's the wise guy?

And how did the message get through with a weight of 171?

- Original Message -
From: io
To: declude.virus
Sent: Sunday, April 10, 2005 8:54 PM
Subject: [Declude.Virus] Update Your PayPal Account Information

As part of our security measures, we regularly screen activity in the
PayPal system. We recently noticed the following issue on your account:

Recent account activity has made it necessary for us to collect 
additional verification information. Case ID Number: PP-071-363-053

For your protection, we have limited access to your account until
additional security measures can be completed. We apologize for any
inconvenience this may cause.


To review your account and some or all of the information that PayPal 
used to make its decision to limit your account access, please visit 
the Resolution Center. If, after reviewing your account information, 
you seek further clarification regarding your account access, please 
contact PayPal by visiting the Help Center and clicking "Contact Us".
We thank you for your prompt attention to this matter. 
Please understand that this is a security measure intended to help 
protect you and your account. We apologize for any inconvenience.

If you are the rightful holder of the account you must click the link below
and then complete all steps from the following page as we try to verify your 
identity.

http://weboffice.tlri.gov.tw/.paypal/protect.php

Sincerely,
PayPal Account Review Department

RE: [Declude.Virus] Windows Update!

2005-04-11 Thread Kami Razvan

Hi Goran:
We have a set of Whitelist filters.  As a matter of format:

[Whitelist.Vendor.Microsoft]
[Whitelist.List.Something]

Then I have a combo filter that simply does:

TESTSFAILED    WHITELIST    CONTAINS    [Whitelist.

This way I can do combo tests depending on the category and sub-category and do other things if needed.

Hope that helps.
Kami


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Sunday, April 10, 2005 8:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Kami,

What do you do in Global.cfg when an e-mail “fails” the MS Filter? Subtract a bunch of points?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 6:41 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Hi Andrew:

We have Microsoft in our spam domains- but the problem is Microsoft sends email from so many different reverse DNS.

ISV, MSDN, MSN, Office Newsletter-- all are sent from different providers.  For example:

Here is our MS filter:

MINWEIGHTTOFAIL  2

MAILFROM 1 ENDSWITH  @microsoft.com
MAILFROM 1 ENDSWITH  .microsoft.com
MAILFROM 1 ENDSWITH  .arvatousa.net

REVDNS 1 ENDSWITH  .microsoft.com
REVDNS 1 ENDSWITH  .zomax.com

But I have seen them send from other reverse DNS.

So it is not that easy- at least I don't think it is.

These emails are being held at 30+ weight in our system.  All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50.  I am afraid they can think it is a valid email in their spam folder.. who knows.

I think we should track this one closely.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

No, that email address is not valid.  Those emails have been easily held over on my system.

You can certainly block that bogus MAILFROM but since the bad guys will continue to change it as they hatch new spoofs, why not split out your SPAMDOMAINS into groups that are likely to be abused, and weight those high enough to meet your HOLD weight?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!

Hi;

In the past hour I have seen several emails caught as spam but the weight still not high enough to be deleted with subject: Urgent Windows Update.

As everyone (?) knows this is the recent attempt to install a worm on the visitor's computer- there is a link to the Express install and no attachments.

The link is an IP address.

I think ClamAV detects such behavior but it is not catching it yet and I just checked the update.

I think for now I created a filter that if the email is from Microsoft and there is an IP address in the body for the email to be blocked.

This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address.  Anyone know if this is a valid address?  Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates and from what I read this scam was about to be released today.. so it is starting at least on our system.

Regards,
Kami
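As an added example (not code from this thread, and not Declude's own parser), a small Python model of the MS whitelist filter Kami posted, showing why MINWEIGHTTOFAIL 2 needs both a MAILFROM and a REVDNS hit, together with the "claims a Microsoft sender and links to a bare IP address" block rule he describes. Only the ENDSWITH test type is modelled, the block rule is an assumed reading of his description, and the two sample messages are constructed.

```python
import re

# Kami's MS filter as posted in the thread: one test per line, weight after
# the test name, MINWEIGHTTOFAIL as the threshold for the filter to "fail".
MS_FILTER = """\
MINWEIGHTTOFAIL 2
MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net
REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com
"""

def parse_filter(text):
    """Return (min_weight_to_fail, [(field, weight, pattern), ...]).
    Only ENDSWITH lines are modelled; Declude's other test types are not."""
    min_weight, rules = 0, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].upper() == "MINWEIGHTTOFAIL":
            min_weight = int(parts[1])
        elif len(parts) == 4 and parts[2].upper() == "ENDSWITH":
            rules.append((parts[0].lower(), int(parts[1]), parts[3].lower()))
    return min_weight, rules

def filter_weight(rules, msg):
    """Sum the weights of every rule whose field value ends with its pattern."""
    return sum(w for field, w, pat in rules
               if msg.get(field, "").lower().endswith(pat))

def whitelisted(filter_text, msg):
    """The filter matches when the summed weight reaches MINWEIGHTTOFAIL;
    with a threshold of 2 that needs both a MAILFROM and a REVDNS hit."""
    min_weight, rules = parse_filter(filter_text)
    return filter_weight(rules, msg) >= min_weight

# A link whose host is a bare dotted quad, as in the fake Windows Update mail.
BARE_IP_LINK = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")

def bare_ip_links(body):
    return BARE_IP_LINK.findall(body)

def flag_fake_update(msg):
    """Kami's block rule, modelled as a Python predicate (assumption): the
    mail claims a microsoft.com sender and its body links to a raw IP."""
    claims_microsoft = msg.get("mailfrom", "").lower().endswith("microsoft.com")
    return claims_microsoft and bool(bare_ip_links(msg.get("body", "")))

# Constructed sample messages, not mail taken from the thread.
SPOOF = {"mailfrom": "update@microsoft.com", "revdns": "host.example.net",
         "body": "Express Install: http://192.0.2.10/update.exe"}
GENUINE = {"mailfrom": "news@msn.microsoft.com", "revdns": "mail.microsoft.com",
           "body": "Visit https://www.microsoft.com/windowsupdate"}
```

The spoof scores only 1 (MAILFROM matches, reverse DNS does not), so it never reaches the whitelist threshold, while the bare-IP check catches it; the genuine mail scores 2 and is not flagged.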