RE: [Declude.Virus] W32/Frethem-Fam
One more reason to have a banned extension policy in place. Thanks for the heads up Scott.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, June 12, 2002 5:52 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] W32/Frethem-Fam

FYI, there is a new virus out, that Sophos has alerted us to, called W32/Frethem-Fam (no other AV companies that we get alerts from, including McAfee, have sent out alerts yet). This may become widespread because of the "social engineering" aspect of it -- it pretends to have a Special Password attached, which it does -- but it supposedly needs to be decrypted with the attached file. The .EXE may run automatically in Outlook when the E-mail is viewed (not sure which OE vulnerability it uses). There are several variants of it already. More details can be found at http://www.sophos.com/virusinfo/analyses/w32frethemfam.html . The attached files are decrypt-password.exe and password.txt, and it has a subject of "Re: Your password!".

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.Virus] W32/Frethem-Fam
>FYI, there is a new virus out, that Sophos has alerted us to

I received the same Sophos alert this morning. I just ran Spam Review and selected the Virus option and what do you know, one of these was there waiting for me -- it was actually sent to my e-mail address. But thanks to Declude's BANEXT option, it was held due to the attached exe.
Re: [Declude.Virus] W32/Frethem-Fam
> One more reason to have a banned extension policy in place.

I do now! I had avoided it as there are legitimate reasons to send certain files. But the good of the many...

It got by F-Prot 3.12a/Declude 1.53 and when I did a Google search on the name, McAfee was the only response and it was dated the 7th. I find this interesting!

What kind of notification is sent if it is a BANEXT rejection, if any? Is there a text file I need to create for it?

Sheldon

Sheldon Koehler, Owner/Partner      http://www.tenforward.com
Ten Forward Communications          360-457-9023
Nationwide access with neighborhood support!
"Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
RE: [Declude.Virus] W32/Frethem-Fam
I was notified today by Computer Associates eNews, same info as already posted.
http://support.ca.com/techbases/ilnt/virusalert2.html

Dustin

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 8:52 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] W32/Frethem-Fam
Re: [Declude.Virus] W32/Frethem-Fam
>It got by F-Prot 3.12a/Declude 1.53 and when I did a Google search on the
>name, McAfee was the only response and it was dated the 7th. I find this
>interesting!

Very interesting, since McAfee never sent out an alert about it. However, McAfee seems to use their E-mail virus alert system mostly to advertise new products; they seem to put most of their new money into marketing.

>What kind of notification is sent if it is a BANEXT rejection if any? Is
>there a text file I need to create for it?

It sends out the \IMail\Declude\BANnotify.eml file.

-Scott
RE: [Declude.Virus] W32/Frethem-Fam
Here is the text of the notice I use:

From: postmaster@%LOCALHOST%
To: %MAILFROM%,%ALLRECIPS%,postmaster@%LOCALHOST%
Subject: Delivery of e-mail with an attachment has failed!

Delivery Failed: %ALLRECIPS%

The mail server for %LOCALHOST% does not accept E-mail with attachments that contain the %BANEXT% extension. This policy is in place for the security and safety of our clients. If you need help or have questions or comments regarding this policy, please fill out our on-line report form at: http://support.reliance.net/help.html.

Original message follows:

%HEADERS%

Hope this helps.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sheldon Koehler
Sent: Wednesday, June 12, 2002 7:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] W32/Frethem-Fam
Re: [Declude.Virus] W32/Frethem-Fam
>It seems to also use the MIME header exploit. This is such a common virus
>element, maybe Declude should have an option to handle it.

Let me ask you this: Do you know of any resource that gives enough detail that Declude could check for such an exploit? We have samples of viruses that use it, but without knowing the full details of the exploit, it's quite possible that future viruses could come out that take advantage of the exploit in a different way.

-Scott
RE: [Declude.Virus] W32/Frethem-Fam
I was wondering, does F-Prot have daily downloadable virus updates? If not, what virus software do you recommend if you want to schedule jobs to run to make sure that we have the latest updates? Or should we use 2 virus checkers?

Thank you,

Thomas Hall, Internet Coordinator
Madison County Government
Re: [Declude.Virus] W32/Frethem-Fam
> I was wondering does F-Prot have daily downloadable virus updates? If not
> what virus software do you recommend if you want to schedule jobs to run to
> make sure that we have the latest updates. Or should we use 2 virus
> checkers.

If you are using the DOS version, there are scripts available to check and download automatically. I use the Windows version and have its own scheduler set to check every 6 hours for updates. They just do not have an update yet...

Sheldon

Sheldon Koehler, Owner/Partner      http://www.tenforward.com
Ten Forward Communications          360-457-9023
Nationwide access with neighborhood support!
"Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
RE: [Declude.Virus] W32/Frethem-Fam
Sheldon,

Does the Windows updater work for you? I should say reliably? I have found it doesn't seem to work at all. I do use the scripts for the server and that works.

F-Prot 3.12a

~Paul~

> If you are using the DOS version, there are scripts available to check and
> download automatically. I use the Windows version and have its own
> scheduler set to check every 6 hours for updates. They just do not have an
> update yet...
>
> Sheldon
RE: [Declude.Virus] W32/Frethem-Fam
We are using scripts to update F-Prot. Does the Windows F-Prot update run as a service or do you have to leave the server logged in for it to run?

-Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Ingram
Sent: Wednesday, June 12, 2002 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] W32/Frethem-Fam
Re: [Declude.Virus] W32/Frethem-Fam
> Does the Windows updater work for you? I should say reliably? I have
> found it doesn't seem to work at all. I do use the scripts for the
> server and that works. F-Prot 3.12a

I have had no problems with the Windows updater at all. We purchased the site license and I have found it to be more reliable on many of our computers here. I did find one of our older P90's not updating, but when I upgraded it, it did start working just fine.

Sheldon

Sheldon Koehler, Owner/Partner      http://www.tenforward.com
Ten Forward Communications          360-457-9023
Nationwide access with neighborhood support!
"Whenever you find yourself on the side of the majority, it's time to pause and reflect." Mark Twain
RE: [Declude.Virus] W32/Frethem-Fam
At 12:24 PM 6/12/2002, Thomas E. Hall wrote:
>I was wondering does F-Prot have daily downloadable virus updates? If not
>what virus software do you recommend if you want to schedule jobs to run to
>make sure that we have the latest updates. Or should we use 2 virus
>checkers.

I don't remember who originally wrote this and posted it to the list, but I've been using it ever since, and it works perfectly. Updates both F-Prot program files and the virus updates, and checks for updates every 30 minutes. I've modified it a bit, so YMMV.

rem Update of F-Prot update program to eliminate redundant downloads.
rem Requires info-zip's unzip.exe 5.42 www.info-zip.org
rem Requires gnu wget, links to Windows binaries at www.wget.org or www.cygwin.com
rem Will keep the last three versions of f-prot on disk.
SETLOCAL

:Set Path Info
SET fprotdrv=c:
SET fprotdir=\program files\fsi\F-Prot
SET DownloadDir=%fprotdrv%%fprotdir%\Zips

:Set Unzip Command Info
SET unzipcmd=UNZIP -o -u
SET unziptail=-x f-prot.pif -d "%fprotdrv%%fprotdir%\Updates"

:Set FTP Info
SET wgetcmd=c:\winnt\wget.exe
SET BaseURL=ftp://ftp.f-prot.com/pub

:CheckDirectories
md "%fprotdrv%%fprotdir%"
md "%fprotdrv%%fprotdir%\Updates"
md "%DownloadDir%"
if not exist "%DownloadDir%" goto end

:FTPDownload
rem wget -N only fetches files newer than the local copy; "in 0 files" means nothing new
%wgetcmd% -t 2 -N -nv -P "%DownloadDir%" %BaseURL%/fp-3*.zip %BaseURL%/fp-def.zip %BaseURL%/macrdef2.zip 2>&1 | find "in 0 files"
if errorlevel 1 goto UnzipFiles
goto end

:UnzipFiles
SET T=0
rem newest fp-3*.zip first (/o:-d); DoNewVersion unpacks the first and prunes beyond three
for /F %%I in ('dir "%DownloadDir%\fp-3*.zip" /a-d-s /b /o:-d') do call :DoNewVersion "%DownloadDir%\%%I"
%unzipcmd% "%DownloadDir%\fp-def.zip" %unziptail%
%unzipcmd% "%DownloadDir%\macrdef2.zip" %unziptail%
copy /y "%fprotdrv%%fprotdir%\Updates\*.def" "%fprotdrv%%fprotdir%"
copy /y "%fprotdrv%%fprotdir%\Updates\*.asc" "%fprotdrv%%fprotdir%"
copy /y "%fprotdrv%%fprotdir%\Updates\*.exe" "%fprotdrv%%fprotdir%"

:Cleanup
attrib -r "%DownloadDir%\*.zip"
if exist "%fprotdrv%%fprotdir%\f-prot.pif" del "%fprotdrv%%fprotdir%\f-prot.pif"
goto end

:DoNewVersion
SET /a T = 1+%T%
if %T% EQU 1 %unzipcmd% %1 %unziptail%
if %T% LEQ 3 goto :DoNewVersion_exit
if exist %1 del /F %1
:DoNewVersion_exit
echo %T%
goto :EOF

:END
ENDLOCAL

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
Re: [Declude.Virus] W32/Frethem-Fam
> > Let me ask you this: Do you know of any resource that gives enough detail
> > that Declude could check for such an exploit?
>
>Can't say I've looked very hard, that's what I have you for.
>
>Don't take this as any sort of a complaint, just thinking out loud. Some of
>the others are catching at least some variations as a generic exploit, if
>you could come up with something, even if not perfect, I'd probably use it.

Not a problem; I just figured I'd check. It's something we definitely are considering (in fact, even before it was brought up, I had the MIME headers of one of the viruses using this exploit loaded on a machine here), but we're still in the research stage.

-Scott
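As an added example (not Declude's code and not from anyone in this thread): a small Python check in the spirit of the BANEXT option, which also fills the %VAR% placeholders of the BANnotify-style notice John posted above, run over a constructed message carrying the attachment names and subject Scott described. The banned-extension list, the heuristic that flags an executable filename declared under a non-application Content-Type, and all addresses are assumptions.

```python
# Added example (not Declude's code): BANEXT-style attachment audit and a
# BANnotify-style notice rendered from %VAR% placeholders as used on the list.
import email
import os
from email import policy

# Constructed sample: subject and attachment names follow Scott's description;
# addresses and attachment contents are placeholders, not a real sample.
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.test
Subject: Re: Your password!
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: audio/x-wav; name="decrypt-password.exe"
Content-Disposition: attachment; filename="decrypt-password.exe"

(placeholder text, not an executable)
--b
Content-Type: text/plain; name="password.txt"
Content-Disposition: attachment; filename="password.txt"

(placeholder)
--b--
"""
BANNED = {".exe", ".pif", ".scr", ".vbs"}  # assumed BANEXT list for the demo

def audit_attachments(raw):
    """Return (banned extensions found, [(name, declared type)] mismatches)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    banned, mismatches = set(), []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in BANNED:
            banned.add(ext)
            # Heuristic (my assumption, not Declude's logic): an executable
            # name under a non-application media type is the disguise the
            # "MIME header exploit" discussion above is about.
            if part.get_content_maintype() != "application":
                mismatches.append((name, part.get_content_type()))
    return banned, mismatches

TEMPLATE = ("Subject: Delivery of e-mail with an attachment has failed!\n\n"
            "The mail server for %LOCALHOST% does not accept E-mail with "
            "attachments that contain the %BANEXT% extension.\n"
            "Original message follows:\n%HEADERS%")

def render_notice(raw, localhost, banned):
    """Fill the placeholders the same way the BANnotify template expects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subs = {"%LOCALHOST%": localhost, "%BANEXT%": ",".join(sorted(banned)),
            "%HEADERS%": "".join(f"{k}: {v}\n" for k, v in msg.items())}
    text = TEMPLATE
    for key, value in subs.items():
        text = text.replace(key, value)
    return text
```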