RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-20 Thread Colbeck, Andrew



FYI, Kaspersky reports that they're now up to something 
like 20 new variants of Bagle between Monday and Tuesday.

Andrew 8)


  

  

  


Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-20 Thread Matt




I can confirm that F-Prot was again missing the Bagle zips this
morning, however McAfee seems to have caught every one of them with a
generic Bagle definition unlike yesterday. As of 2 p.m., F-Prot was
still missing these Bagles.

Matt

Colbeck, Andrew wrote:

  
  
  FYI, Kaspersky reports that
they're now up to something like 20 new variants of Bagle between
Monday and Tuesday.
  
  Andrew 8)
  
  

  

  

  

  

  

  





Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-20 Thread Matt




Oops, McAfee just slipped. Since 1:09 p.m. EST on my system we
received 52 undetected zips (just over an hour). We caught these all
with a custom filter.

Matt



Colbeck, Andrew wrote:

  
  
  FYI, Kaspersky reports that
they're now up to something like 20 new variants of Bagle between
Monday and Tuesday.
  
  Andrew 8)
  
  

  

  

  

  

  

  





RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-20 Thread Colbeck, Andrew



... and F-Secure notes that they've hit a record of 
publishing 12 pattern updates in one day.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Tuesday, September 20, 2005 11:28 AM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Oops, McAfee just slipped. Since 1:09 p.m. EST on my system
  we received 52 undetected zips (just over an hour). We caught these all
  with a custom filter.

  Matt

  Colbeck, Andrew wrote:

    FYI, Kaspersky reports that they're now up to something
    like 20 new variants of Bagle between Monday and Tuesday.

    Andrew 8)


  

  

  


Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-13 Thread Scott Fisher



Arrrggg.
Mr. Obvious says if you rename the 
win_netware_betadat.zip, wget will never find a file to compare it to and will 
always download the update.

  - Original Message -
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Monday, September 12, 2005 5:34 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Scott and Andrew,

  It does in fact work on my system. I'm using Wget 1.8.1+cvs. The beta
  definitions do change very frequently, so this might throw you off. Try
  executing a derivative of the following command twice and see what happens
  (remove the line break and adjust the paths):

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

  Matt

  Scott Fisher wrote:

    -Matt,

    Does the wget -N command work for you with Mcafee.
    I also use the -N and get the full download every time.

    - Original Message -
    From: Matt
    To: Declude.Virus@declude.com
    Sent: Monday, September 12, 2005 4:13 PM
    Subject: Re: [Declude.Virus] Seemingly bad virus this morning

    Nice script, but the executables don't change regularly,
    and many of us are using the command line version of McAfee that requires
    an unvalidated download. This also doesn't get the beta DAT's.

    I use a script that calls both wget and WinZip's free
    command line add-on (requires a registered WinZip). It is easy
    enough to replace that with any other command line unzipping tool.
    Personally I find WinZip to be perfectly reliable so I'm sticking with
    it.

    C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
    IF ERRORLEVEL 1 GOTO END
    C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\
    :END
    ENDLOCAL

    Matt

    Markus Gufler wrote:

      attached you can find a script (I'm not the creator
      of this script but can't remember who's the genius) that will download
      the superdats and also the dailydat-files, extract all necessary virus
      definitions and also engine updates, write any action to a logfile and
      keep the downloaded superdats so that you can't revert manually if it
      would be necessary.

      You need some command line tools like unzip and
      wget and adapt the path information in the script for your
      needs.

      This script works on my server now for years and I
      hope it will do so also if now a lot of people will run it on their
      servers.

      Markus


  
  

[Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Matt
FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m. 
this morning, first coming from Eastern Europe.  McAfee seems to be 
detecting all of them now, but F-Prot as of this moment is not on our 
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:


HEADERS    END    NOTCONTAINS    boundary="
BODY       END    NOTCONTAINS    attachment; filename="
BODY       END    NOTCONTAINS    .zip" Content-Transfer-Encoding
BODY       15     CONTAINS       price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
I can confirm this and can also see that Declude virus + f-prot seems to be
catching it now as unknown virus.
In the past 30 minutes there were several of these infected messages on our
servers.

Markus





RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler
Ah, and not to forget: whatever name this virus will have: it's a forging
worm. 

Markus

 



RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread John Tolmachoff \(Lists\)
What is the payload inside the zip?

John T
eServices For You




Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Dan Geiser
I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?


---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)







RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread John Tolmachoff \(Lists\)
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You




RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Markus Gufler

 OK, so it is cpl file, which we should all have in our list 
 of banned extensions including banned if within a zip file, 
 so we should all be safe, correct?

As safe as the world can be ;-)

Markus
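
The policy John describes above, banning .cpl even when it sits inside a zip, can be checked as follows. This is an added example, not code from the thread; the ban list beyond .cpl, the function names and the sample messages are assumptions constructed here.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed ban list for illustration; the thread itself only names .cpl.
BANNED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}


def extension_of(name):
    """Lower-cased final extension, ignoring trailing dots/spaces that Windows drops."""
    return os.path.splitext(name.rstrip(". ").lower())[1]


def scan_message(raw_bytes, banned=BANNED_EXTENSIONS):
    """Return (attachment, zip_member_or_None, reason) for every policy hit."""
    findings = []
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        if extension_of(filename) in banned:
            findings.append((filename, None, "banned extension"))
        payload = part.get_payload(decode=True) or b""
        buf = io.BytesIO(payload)
        # Decide by content, not by the name the sender chose for the attachment.
        if not zipfile.is_zipfile(buf):
            continue
        try:
            with zipfile.ZipFile(buf) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    if extension_of(info.filename) in banned:
                        findings.append((filename, info.filename,
                                         "banned extension in zip"))
                    elif info.flag_bits & 0x1:
                        # Names stay readable, but the content cannot be scanned.
                        findings.append((filename, info.filename,
                                         "encrypted member"))
        except zipfile.BadZipFile:
            findings.append((filename, None, "corrupt zip"))
    return findings


def build_sample(attachment_name, member_name):
    """Constructed test message: one zip attachment with one harmless member."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not a real applet")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for att, member in (("price_list.zip", "1.cpl"), ("report.zip", "notes.txt")):
        print(att, scan_message(build_sample(att, member)))
```

Because the archive is recognised by its content, renaming the attachment away from .zip does not bypass the member check.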



Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Matt




This is a new Bagle variant:

 http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than
http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

Thanks,

Matt



John Tolmachoff (Lists) wrote:

  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  


  





Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Scott Fisher



Great catch Matt.
Mine's gone too since August 2
Thank you Declude for multiple virus scanner 
option.

Try:
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

From:
http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/890f45b2e1cfdec9/61f1bcbcc4e71848?lnk=stq=dailydatrnum=1hl=en#61f1bcbcc4e71848



  - Original Message -
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Monday, September 12, 2005 2:26 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  This is a new Bagle variant: http://vil.nai.com/vil/content/v_129588.htm

  I was wrong about what was detecting it first...it was F-Prot. I just
  figured out that my McAfee update script is no longer working. Does
  anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  Thanks,

  Matt

  John Tolmachoff (Lists) wrote:
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  


  


Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Scott Fisher



Here's the Mcafee page:
http://vil.mcafeesecurity.com/vil/virus-4d.asp


  - Original Message -
  From: Matt
  To: Declude.Virus@declude.com
  Sent: Monday, September 12, 2005 2:26 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  This is a new Bagle variant: http://vil.nai.com/vil/content/v_129588.htm

  I was wrong about what was detecting it first...it was F-Prot. I just
  figured out that my McAfee update script is no longer working. Does
  anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  Thanks,

  Matt

  John Tolmachoff (Lists) wrote:
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  


  


Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Nick Hayer




Hi Matt - 

Matt wrote:

  
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works -
ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick


Thanks,
  
Matt
  
  
  
John Tolmachoff (Lists) wrote:
  
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  



  
  





RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



Hmm, yes.

Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems like
re-inventing the wheel. The readme.txt talks about a SuperDAT
downloading mechanism, which sounds exactly like the F-Prot GUI
downloader.


Andrew 8)



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
  Sent: Monday, September 12, 2005 1:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Hi Matt -

  Matt wrote:

    I was wrong about what was detecting it first...it was F-Prot. I just
    figured out that my McAfee update script is no longer working. Does
    anyone have a newer link to the daily DAT's than
    http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  This link works -
  ftp.nai.com/pub/antivirus/datfiles/4.x

  -Nick

    Thanks,

    Matt

    John Tolmachoff (Lists) wrote:
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without
the
  
  quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload inside the zip?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15
a.m.
  
  

  this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter that I had put together for it:

HEADERSENDNOTCONTAINSboundary="
BODYENDNOTCONTAINSattachment; filename="
BODYENDNOTCONTAINS.zip" Content-Transfer-Encoding
BODY15CONTAINS price

Matt
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.
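
The check John T asks about in the quoted thread, banning an extension even when the file sits inside a zip, as an added example (not code from any poster or from Declude). The ban list beyond `.cpl`, the limits and all function names are assumptions, and the sample archives are constructed in memory.

```python
import io
import zipfile
import zlib

# Assumed ban list for illustration; the thread itself only names .cpl.
BANNED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}
MAX_DEPTH = 3                    # zip-in-zip levels that will be opened
MAX_NESTED_BYTES = 5 * 1024**2   # larger nested zips are reported, not inflated


def normalized_extension(member_name):
    """Effective extension of a member name, normalised the way Windows treats it."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(". ").lower()   # case-insensitive, trailing dots/spaces ignored
    dot = base.rfind(".")
    return base[dot:] if dot != -1 else ""


def banned_members(zip_bytes, depth=0, prefix=""):
    """Return [(member path, reason)] for everything that should block the attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a readable zip")]
    findings = []
    with archive:
        # infolist() is built from the central directory, which standard zip
        # encryption leaves in the clear, so names are visible without a password.
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = normalized_extension(info.filename)
            if ext in BANNED_EXTENSIONS:
                findings.append((path, "banned extension " + ext))
            elif ext == ".zip":
                findings.extend(_inspect_nested(archive, info, path, depth))
    return findings


def _inspect_nested(archive, info, path, depth):
    """Open a nested zip when that is safe; otherwise report it as a finding."""
    if info.flag_bits & 0x1:
        return [(path, "encrypted nested zip")]
    if depth + 1 >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
        return [(path, "nested zip not inspected")]
    try:
        inner = archive.read(info)
    except (zipfile.BadZipFile, zlib.error, NotImplementedError):
        return [(path, "nested zip unreadable")]
    return banned_members(inner, depth + 1, path + "!")


def build_zip(members):
    """Build a constructed sample zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples (harmless placeholder bytes, not real attachments).
SAMPLE_PLAIN = build_zip({"1.cpl": b"placeholder"})
SAMPLE_NESTED = build_zip({"readme.txt": b"hi", "docs/Price.CPL. ": b"placeholder",
                           "inner.zip": SAMPLE_PLAIN})
SAMPLE_CLEAN = build_zip({"price_list.txt": b"widgets: 3"})

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("nested", SAMPLE_NESTED),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, banned_members(blob))
```

An attachment is blocked when the returned list is non-empty, so archives that cannot be inspected fail closed instead of passing unchecked.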


  


Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Scott Fisher



-Matt,

Does the wget -N command work for you with McAfee?
I also use the -N and get the full download every time.

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Monday, September 12, 2005 4:13 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Nice script, but the executables don't change regularly, and 
  many of us are using the command line version of McAfee that requires an 
  unvalidated download. This also doesn't get the beta DAT's.

  I use a script that calls both wget and WinZip's free command line add-on (requires 
  a registered WinZip). It is easy enough to replace that with any other 
  command line unzipping tool. Personally I find WinZip to be perfectly 
  reliable so I'm sticking with it.

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
  IF ERRORLEVEL 1 GOTO END

  C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

  :END
  ENDLOCAL

  Matt

  Markus Gufler wrote: 
  

attached you can find a script (I'm not the creator of 
this script but can't remember who's the genius) that will download the 
superdats and also the dailydat-files, extract all necessary virus 
definitions and also engine updates, write any action to a logfile and keep 
the downloaded superdats so that you can't revert manually if it would be 
necessary.

You need some command line tools like unzip and wget 
and adapt the path information in the script for your 
needs.

This script works on my server now for years and I hope 
it will do so also if now a lot of people will run it on their 
servers.

Markus


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 10:49 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning

  Hmm, yes.
  
  Something along the lines of:
  
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
  
  and then parsing out the line:
  
  FileName=dat-4579.zip
  
  or
  
  DATVersion=4579
  
  in order to construct the filename... but it seems 
  like re-inventing the wheel. The readme.txt talks about a 
  SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI 
  downloader.
  
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt - 

Matt wrote: 

I was wrong about what was detecting it first...it was F-Prot. I 
just figured out that my McAfee update script is no longer 
working. Does anyone have a newer link to the daily DAT's than 
http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works - ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote: 
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



  What is the payload inside the zip?

John T
eServices For You


  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI, We found a rapidly spreading zip virus beginning at about 8:15 a.m.
this morning, first coming from Eastern Europe.  McAfee seems to be
detecting all of them now, but F-Prot as of this moment is not on our
system.  Every attachment name seemingly contained the word "price".
Here's a quick filter 

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



Scott, in various older versions of wget, the -N 
parameter as well as the --header=Accept-Encoding:gzip parameter plain 
old didn't work. Pick up the current version here:

http://xoomer.virgilio.it/hherold/#Files

and it should be fine.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Monday, September 12, 2005 2:28 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning
  
  -Matt,
  
  Does the wget -N command work for you with McAfee?
  I also use the -N and get the full download every time.
  
- Original Message - 
From: Matt 
To: Declude.Virus@declude.com 
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Nice script, but the executables don't change regularly, and 
many of us are using the command line version of McAfee that requires an 
unvalidated download. This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line add-on 
(requires a registered WinZip). It is easy enough to replace that with 
any other command line unzipping tool. Personally I find WinZip to be 
perfectly reliable so I'm sticking with it.

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END

C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

:END
ENDLOCAL

Matt

Markus Gufler wrote: 

  
  attached you can find a script (I'm not the creator 
  of this script but can't remember who's the genius) that will download the 
  superdats and also the dailydat-files, extract all necessary virus 
  definitions and also engine updates, write any action to a logfile and 
  keep the downloaded superdats so that you can't revert manually if it would 
  be necessary.
  
  You need some command line tools like unzip and wget 
  and adapt the path information in the script for your 
  needs.
  
  This script works on my server now for years and I 
  hope it will do so also if now a lot of people will run it on their 
  servers.
  
  Markus
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

Hmm, yes.

Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the filename... but it seems 
like re-inventing the wheel. The readme.txt talks about a 
SuperDAT downloading mechanism, which sounds exactly like the F-Prot GUI 
downloader.


Andrew 8)



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Nick Hayer
  Sent: Monday, September 12, 2005 1:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Hi Matt - 

  Matt wrote: 

  I was wrong about what was detecting it first...it was F-Prot. I 
  just figured out that my McAfee update script is no longer 
  working. Does anyone have a newer link to the daily DAT's than 
  http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

  This link works - ftp.nai.com/pub/antivirus/datfiles/4.x

  -Nick

  Thanks,

  Matt

  John Tolmachoff (Lists) wrote: 
OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  
  On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning



What is the payload ins

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



 which is all well and good, but...

It worked fine for the update.ini, but not for the .zip 
file. The current stable version of wget does in 
download a full file every time.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 2:47 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning
  
  Scott, in various older versions of wget, the -N 
  parameter as well as the --header=Accept-Encoding:gzip 
  parameter plain old didn't work. Pick up the current version 
  here:
  
  http://xoomer.virgilio.it/hherold/#Files
  
  and it should be fine.
  
  Andrew 8)
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, September 12, 2005 2:28 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

-Matt,

Does the wget -N command work for you with McAfee?
I also use the -N and get the full download every time.

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Monday, September 12, 2005 4:13 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Nice script, but the executables don't change regularly, 
  and many of us are using the command line version of McAfee that requires 
  an unvalidated download. This also doesn't get the beta DAT's.

  I use a script that calls both wget and WinZip's free 
  command line add-on (requires a registered WinZip). It is easy 
  enough to replace that with any other command line unzipping tool. 
  Personally I find WinZip to be perfectly reliable so I'm sticking with 
  it.

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
  IF ERRORLEVEL 1 GOTO END

  C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

  :END
  ENDLOCAL

  Matt

  Markus Gufler wrote: 
  

attached you can find a script (I'm not the creator 
of this script but can't remember who's the genius) that will download 
the superdats and also the dailydat-files, extract all necessary virus 
definitions and also engine updates, write any action to a logfile and 
keep the downloaded superdats so that you can't revert manually if it 
would be necessary.

You need some command line tools like unzip and 
wget and adapt the path information in the script for your 
needs.

This script works on my server now for years and I 
hope it will do so also if now a lot of people will run it on their 
servers.

Markus


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 10:49 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning

  Hmm, yes.
  
  Something along the lines 
  of:
  
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
  
  and then parsing out the 
  line:
  
  FileName=dat-4579.zip
  
  or
  
  DATVersion=4579
  
  in order to construct the filename... 
  but it seems like re-inventing the wheel. The readme.txt talks 
  about a SuperDAT downloading mechanism, which sounds exactly like 
  the F-Prot GUI downloader.
  
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt - 

Matt wrote: 

I was wrong about what was detecting it first...it 
was F-Prot. I just figured out that my McAfee update script 
is no longer working. Does anyone have a newer link to the 
daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works - ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote: 
  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServic
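
The update.ini approach quoted in this thread (fetch update.ini, read `FileName=` or `DATVersion=`, build the download name), as an added example that is not code from any poster. The sample update.ini text is constructed, its section header and the digit-count limits are assumptions, and only the two key names and the FTP directory come from the thread; comparing versions also avoids re-downloading an unchanged file.

```python
import re

# Directory quoted in the thread. Anything fetched from it over plain FTP is
# unauthenticated input, so values are validated before they reach a URL or path.
BASE_URL = "ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"
FILENAME_RE = re.compile(r"dat-([0-9]{4,6})\.zip")   # assumed shape, from "dat-4579.zip"
VERSION_RE = re.compile(r"[0-9]{4,6}")               # assumed shape, from "4579"

# Constructed sample: the section header and layout are assumptions.
SAMPLE_UPDATE_INI = """\
[ZIP]
DATVersion=4579
FileName=dat-4579.zip
"""


def parse_keys(ini_text):
    """Collect key=value pairs, skipping section headers, comments and blank lines."""
    values = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    return values


def dat_version(ini_text):
    """Return the advertised DAT version, or raise ValueError if it cannot be trusted."""
    keys = parse_keys(ini_text)
    candidates = set()
    if "filename" in keys:
        match = FILENAME_RE.fullmatch(keys["filename"])
        if not match:                      # rejects paths, other extensions, extra text
            raise ValueError("unexpected FileName value: %r" % keys["filename"])
        candidates.add(int(match.group(1)))
    if "datversion" in keys:
        if not VERSION_RE.fullmatch(keys["datversion"]):
            raise ValueError("unexpected DATVersion value: %r" % keys["datversion"])
        candidates.add(int(keys["datversion"]))
    if len(candidates) != 1:
        raise ValueError("FileName/DATVersion missing or inconsistent")
    return candidates.pop()


def plan_download(ini_text, installed_version):
    """Return the URL to fetch, or None when the installed DATs are already current."""
    version = dat_version(ini_text)
    if version <= installed_version:
        return None
    # The file name is rebuilt from validated digits, never copied from the input.
    return "%sdat-%d.zip" % (BASE_URL, version)


def is_rejected(ini_text):
    """True when dat_version() refuses the text."""
    try:
        dat_version(ini_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(plan_download(SAMPLE_UPDATE_INI, installed_version=4578))
    print(plan_download(SAMPLE_UPDATE_INI, installed_version=4579))
```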

Re: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Matt




Scott and Andrew,

It does in fact work on my system. I'm using Wget 1.8.1+cvs. The beta
definitions do change very frequently, so this might throw you off.
Try executing a derivative of the following command twice and see what
happens (remove the line break and adjust the paths):

C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P
C:\Progra~1\McAfee\update\
http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

Matt



Scott Fisher wrote:

  
  
  
  -Matt,
  
  Does the wget -N command work for
you with McAfee?
  I also use the -N and get the full
download every time.
  
- Original Message - 
From: Matt
To: Declude.Virus@declude.com 
Sent: Monday, September 12, 2005 4:13 PM
Subject: Re: [Declude.Virus] Seemingly bad virus this morning


Nice script, but the executables don't change regularly, and many of us
are using the command line version of McAfee that requires an
unvalidated download. This also doesn't get the beta DAT's.

I use a script that calls both wget and WinZip's free command line
add-on (requires a registered WinZip). It is easy enough to replace
that with any other command line unzipping tool. Personally I find
WinZip to be perfectly reliable so I'm sticking with it.
C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
IF ERRORLEVEL 1 GOTO END

C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

:END
ENDLOCAL

Matt




Markus Gufler wrote:

  
  attached you can find a script
(I'm not the creator of this script but can't remember who's the
genius) that will download the superdats and also the dailydat-files,
extract all necessary virus definitions and also engine updates, write
any action to a logfile and keep the downloaded superdats so that you
can't revert manually if it would be necessary.
  
  You need some command line tools
like unzip and wget and adapt the path information in the script for
your needs.
  
  This script works on my server
now for years and I hope it will do so also if now a lot of people will
run it on their servers.
  
  Markus
  
  
  

 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Colbeck, Andrew
Sent: Monday, September 12, 2005 10:49 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Seemingly bad virus this
morning


Hmm, yes.

Something along the lines of:

wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini

and then parsing out the line:

FileName=dat-4579.zip

or

DATVersion=4579

in order to construct the
filename... but it seems like re-inventing the wheel. The readme.txt
talks about a SuperDAT downloading mechanism, which sounds exactly like
the F-Prot GUI downloader.


Andrew 8)



  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]
  On Behalf Of Nick Hayer
  Sent: Monday, September 12, 2005 1:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning
  
  
Hi Matt - 
  
Matt wrote:
  
I was wrong about what was detecting it first...it was F-Prot. I just
figured out that my McAfee update script is no longer working. Does
anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.
  
This link works - ftp.nai.com/pub/antivirus/datfiles/4.x
  
-Nick
  
  
Thanks,

Matt



John Tolmachoff (Lists) wrote:

  OK, so it is cpl file, which we should all have in our list of banned
extensions including banned if within a zip file, so we should all be safe,
correct?

John T
eServices For You


  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the
quotes).  Some sort of malicious Control Panel applet?

- Original Message -
From: "John Tolmachoff (Lists)" [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Decl

RE: [Declude.Virus] Seemingly bad virus this morning

2005-09-12 Thread Colbeck, Andrew



A very basic:

wget -N http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

was not working when Scott (and then I) tried 
it. But it does now, including with the -O parameter. I'd 
hazard a guess that they have some kind of front-end webcache or cluster, and 
things weren't perfectly synched.

I'm using 1.10-something.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Monday, September 12, 2005 3:35 PM
  To: Declude.Virus@declude.com
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Scott and Andrew,

  It does in fact work on my system. 
  I'm using Wget 1.8.1+cvs. The beta definitions do change very 
  frequently, so this might throw you off. Try executing a derivative of 
  the following command twice and see what happens (remove the line break and 
  adjust the paths):

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip

  Matt

  Scott Fisher wrote: 
  



-Matt,

Does the wget -N command work for you with McAfee?
I also use the -N and get the full download every time.

  - Original Message - 
  From: Matt 
  To: Declude.Virus@declude.com 
  Sent: Monday, September 12, 2005 4:13 PM
  Subject: Re: [Declude.Virus] Seemingly bad virus this morning

  Nice script, but the executables don't change regularly, 
  and many of us are using the command line version of McAfee that requires 
  an unvalidated download. This also doesn't get the beta DAT's.

  I use a script that calls both wget and WinZip's free 
  command line add-on (requires a registered WinZip). It is easy 
  enough to replace that with any other command line unzipping tool. 
  Personally I find WinZip to be perfectly reliable so I'm sticking with 
  it.

  C:\Progra~1\wget\wget --limit-rate=1000k --progress=dot -t 3 -N -P C:\Progra~1\McAfee\update\ http://download.nai.com/products/mcafee-avert/beta_packages/win_netware_betadat.zip 2>&1 | find "100%%"
  IF ERRORLEVEL 1 GOTO END

  C:\Progra~1\WinZip\wzunzip -ybc C:\Progra~1\McAfee\update\win_netware_betadat.zip C:\Progra~1\McAfee\

  :END
  ENDLOCAL

  Matt

  Markus Gufler wrote: 
  

attached you can find a script (I'm not the creator 
of this script but can't remember who's the genius) that will download 
the superdats and also the dailydat-files, extract all necessary virus 
definitions and also engine updates, write any action to a logfile and 
keep the downloaded superdats so that you can't revert manually if it 
would be necessary.

You need some command line tools like unzip and 
wget and adapt the path information in the script for your 
needs.

This script works on my server now for years and I 
hope it will do so also if now a lot of people will run it on their 
servers.

Markus


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Colbeck, Andrew
  Sent: Monday, September 12, 2005 10:49 PM
  To: Declude.Virus@declude.com
  Subject: RE: [Declude.Virus] Seemingly bad virus this morning

  Hmm, yes.
  
  Something along the lines 
  of:
  
  wget ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/update.ini
  
  and then parsing out the 
  line:
  
  FileName=dat-4579.zip
  
  or
  
  DATVersion=4579
  
  in order to construct the filename... 
  but it seems like re-inventing the wheel. The readme.txt talks 
  about a SuperDAT downloading mechanism, which sounds exactly like 
  the F-Prot GUI downloader.
  
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Nick Hayer
Sent: Monday, September 12, 2005 1:35 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

Hi Matt - 

Matt wrote: 

I was wrong about what was detecting it first...it 
was F-Prot. I just figured out that my McAfee update script 
is no longer working. Does anyone have a newer link to the 
daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip.

This link works - ftp.nai.com/pub/antivirus/datfiles/4.x

-Nick

Thanks,

Matt

John Tolmachoff (Lists) wrote: 
  OK, so it is cpl file, which