[Declude.Virus] automated response

2007-07-12 Thread Gufler Markus
I am on holiday until 30.07.2007.
Until then, Markus Micheler ([EMAIL PROTECTED]) is available to you.

I am on holiday until 30.07.2007.
For further questions please contact Markus Micheler ([EMAIL PROTECTED]).

I'm out of the office until July 30, 2007.
Please contact Markus Micheler ([EMAIL PROTECTED]) for further questions.


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] Another new virus

2005-04-19 Thread Gufler Markus



Good idea to create some combo filter for small zip file attachments!

What about creating an external test that counts up small zip file attachments in a separate file and checks if there are more than x suspicious zip files within a certain time range?

Maybe it would also be a good idea to combine this test with some MAIL FROM validating test, as these addresses are forged.

Markus


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Tuesday, April 19, 2005 3:33 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Another new virus

  FYI, I have found that F-Prot continues to throw Virus Code 8 for what McAfee is detecting as Bagle.gen even though 4 or so days have passed. I'm not clear on whether or not this is intentional in F-Prot or if this is one of their hiccups where they don't respond appropriately for a week after a new threat. It is probably necessary for F-Prot users to use Virus Code 8 if they want to stop whatever is coming now.

  I also wanted to add that the zip file viruses did finally slip through my server on Saturday morning for a period of a few hours (when not caught by spam blocking). I did verify that these were detectable with newer definitions, and although low in numbers, it appears that the recent slew of virus writers have figured out that the safest mechanism for sending infected executables is to zip them up in a standard archive since most admins don't block these. Every virus attachment from the recent group has been a standard ZIP or RAR. I have also seen notes that indicate as of a week ago, the writers have managed to produce 96 variants of Mytob, which means several per day. These are apparently being launched into the wild by hijacked machines used to seed, and I believe that this was the sort of activity that I saw Saturday morning. I assume that it is being used to replenish bot networks that might have become too old with previously exploited machines.

  I'm not surprised at the zip leakage, but no one that I have talked to wants me to start blocking these zips because it is limiting to their use of E-mail. Instead, I am going to code up a new test that looks for a typically virus sized zip attachment and does some heuristics on the E-mail to see if these were generated by a client mailer or a nondescript mass-mailing mechanism (a virus). I'm confident that I can do this in a way that can capture most if not all zip viruses that have been in the wild in the last year though I am concerned about the potential of false positives and that will be the biggest problem in figuring out how to do this.

  Matt

  John Tolmachoff (Lists) wrote:
  Looks like another outbreak in progress.

File appears to be your_text . zip without the spaces.

Appears to be another MyTob.

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Colbeck, Andrew
Sent: Friday, April 15, 2005 3:14 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Another new virus

I've seen one sample in the last few minutes.  It arrives as jokes.zip, and
www.virustotal.com describes the enclosed 123456.exe as:

This is a report processed by VirusTotal on 04/16/2005 at 00:11:32 (CET)
after scanning the file "123456.exe".
Antivirus     Version         Update      Result
AntiVir       6.30.0.7        04.15.2005  no virus found
AVG           718             04.15.2005  no virus found
BitDefender   7.0             04.15.2005  BehavesLike:Win32.SiteHijack
ClamAV        devel-20050307  04.15.2005  Worm.Bagle.BB
DrWeb         4.32b           04.15.2005  Win32.HLLM.Beagle.37888
eTrust-Iris   7.1.194.0       04.15.2005  Win32/Glieder.T!Trojan
eTrust-Vet    11.7.0.0        04.15.2005  no virus found
Fortinet      2.51            04.15.2005  no virus found
F-Prot        3.16b           04.15.2005  no virus found
Ikarus        2.32            04.15.2005  Email-Worm.Win32.Bagle.pac
Kaspersky     4.0.2.24        04.16.2005  Email-Worm.Win32.Bagle.pac
McAfee        4470            04.15.2005  W32/[EMAIL PROTECTED]
NOD32v2       1.1064          04.15.2005  Win32/TrojanDownloader.Small.ZL
Norman        5.70.10         04.14.2005  W32/Downloader
Panda         8.02.00         04.15.2005  W32/Bagle.CA.worm
Sybari        7.5.1314        04.15.2005  Troj/BagleDl-N
Symantec      8.0             04.15.2005  Trojan.Tooso.F
VBA32         3.10.3          04.15.2005  Email-Worm.Win32.Bagle.pac

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Although the
detection rate afforded by the use of multiple antivirus engines is far superior
to that offered by just one product, these results DO NOT guarantee the
harmlessness of a file. Currently, there is not any solution that offers a 100%
effectiveness rate for detecting viruses and malware.

www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail [EMAIL PROTECTED]

Andrew
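The two ideas in this thread (Matt's "typically virus sized zip plus header heuristics" test and Markus's "more than x suspicious zips in a time range" counter) can be sketched as one small screening script. This is an added example, not Declude's code and not something any poster published; the size window, the executable-extension list, the use of a missing X-Mailer/User-Agent header as the "client mailer" heuristic, and the sample messages are all assumptions made here for illustration.

```python
"""Screen inbound mail for mass-mailed ZIP attachments (added example, not Declude code).

Assumed, not from the thread: the "virus sized" byte range, the executable
extension list, the missing-client-header heuristic, and all sample input.
"""
import email
import io
import re
import zipfile
from collections import deque
from email import policy
from email.message import EmailMessage

MIN_ZIP, MAX_ZIP = 10_000, 60_000            # assumed "virus sized" range, bytes
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)
BANNED_NAMES = {"private.zip"}               # fixed-name ban, in the spirit of BANNAME


class BurstCounter:
    """Count suspicious ZIP hits in a sliding time window: flags when more than
    `limit` hits fall within `window_s` seconds. Timestamps are fed in order."""

    def __init__(self, limit, window_s):
        self.limit, self.window, self.hits = limit, window_s, deque()

    def record(self, ts):
        self.hits.append(ts)
        while self.hits and ts - self.hits[0] > self.window:
            self.hits.popleft()              # drop hits older than the window
        return len(self.hits) > self.limit


def zip_reasons(name, data):
    """Per-attachment findings for one ZIP attachment (name, raw bytes)."""
    reasons = []
    if name.lower() in BANNED_NAMES:
        reasons.append("banned name")
    if MIN_ZIP <= len(data) <= MAX_ZIP:
        reasons.append("virus-sized zip")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return reasons + ["unreadable zip"]
    if len(members) == 1 and EXEC_EXT.search(members[0]):
        reasons.append("single executable member " + members[0])
    return reasons


def mailer_reasons(msg):
    """Header heuristic (assumed): a real mail client usually announces itself."""
    if not (msg.get("X-Mailer") or msg.get("User-Agent")):
        return ["no client mailer header"]
    return []


def screen(raw, ts, counter):
    """Screen one raw RFC 822 message; update the burst counter on a hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            reasons += zip_reasons(name, part.get_payload(decode=True))
    if reasons:                               # only look at headers once a zip is odd
        reasons += mailer_reasons(msg)
    suspicious = "banned name" in reasons or len(reasons) >= 2
    burst = counter.record(ts) if suspicious else False
    return {"suspicious": suspicious, "burst": burst, "reasons": reasons}


# --- constructed sample input (not real samples from the thread) ---
def make_zip(members, compression=zipfile.ZIP_STORED):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    return buf.getvalue()


def make_message(zip_name, zip_bytes, x_mailer=None):
    m = EmailMessage()
    m["From"] = "forged@example.org"
    m["To"] = "postmaster@example.net"
    m["Subject"] = "hello"
    if x_mailer:
        m["X-Mailer"] = x_mailer
    m.set_content("see attached")
    m.add_attachment(zip_bytes, maintype="application", subtype="zip",
                     filename=zip_name)
    return m.as_bytes()


# jokes.zip carrying one ~20 KB "executable", sent with no client header
HOSTILE = make_message("jokes.zip", make_zip({"123456.exe": b"MZ" + b"\0" * 20_000}))
# a user's archive of two small text notes, sent by a named client
LEGIT = make_message("notes.zip", make_zip({"a.txt": b"x" * 3000, "b.txt": b"y" * 3000}),
                     x_mailer="Thunderbird")
# a harmless-looking archive under a banned filename
BANNED = make_message("private.zip", make_zip({"readme.txt": b"hi"}), x_mailer="Outlook")

if __name__ == "__main__":
    counter = BurstCounter(limit=3, window_s=600)
    for t, raw in enumerate([HOSTILE, LEGIT, HOSTILE, HOSTILE, HOSTILE]):
        print(t, screen(raw, t * 10, counter))
```

The burst counter is what turns the per-message heuristic into something usable: a single virus-sized zip with no client header is only a weak signal and would be the false-positive source Matt worries about, whereas four such hits inside ten minutes is the seeding pattern he describes. In a real deployment the counter's timestamps would have to be persisted across process invocations (Markus's "separate file").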

[Declude.Virus] SysBug

2003-11-26 Thread Gufler Markus
I've received an alert about a new virus (not a worm) intended to gain remote access
over a backdoor. The virus has no replication functionality but is sent out like a
spam message directly to many, many recipients.

In the meantime I recommend adding the line

BANNAME private.zip

to your virus.cfg file.



---
Gufler Markus 
 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
