One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.
They are coming from different IPs
John T
eServices For You
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type
I am seeing it also. I already submitted it to McAfee...
My desktop AV (Trend) is detecting it as a Bagle variant...
Don
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:59 AM
Subject: [Declude.Virus]
John,
What do the filenames appear to be - any pattern either filename, subject,
body content etc?
Darrell
John Tolmachoff (Lists) writes:
One of the servers I manage is getting hit with lots of messages being
caught with banned exe within zip.
They are coming from different IPs
I have seen the following attachments...
1.zip
5.zip
6.zip
7.zip
8.zip
price_new.zip
be_not_jealous.zip
price_new_16_04_05.zip
So far...
Don
- Original Message -
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 10:22 AM
Various named zip files. The D*.smd file is 26KB in length. No subject line.
Varying IP addresses and an apparently forged From address. Blank HTML body.
John T
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Darrell ([EMAIL PROTECTED])
I've gotten a few:
26KB files named 1.zip, 7.zip and work.zip so far
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, May 31, 2005 11:22 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New virus
I personally would not go with 2 different brands
of drives since the 2 different brands would be slightly different in design and
could vary in performance and in my opinion could cause issues with array
stability. On the other hand I have had drives in Raid1 Fail, but I have
never had
I just received an EXTRA.DAT file from McAfee... to detect this..
I also submitted it to F-Prot
I will try attaching the EXTRA.DAT file to this email
Don
- Original Message -
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005
Yes, a new Bagle and MyTob are out.
See:
http://isc.sans.org/diary.php?date=2005-05-31
http://www.viruslist.com/en/weblog
My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more
This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET)
after scanning the file 8.zip.
Antivirus  Version    Update      Result
AntiVir    6.30.0.15  05.31.2005  TR/Dldr.Bagle.BR
AVG        718        05.31.2005  no virus found
Avira      6.30.0.15  05.31.2005  TR/Dldr.Bagle.BR
On my 8.zip sample, McAfee finds W32/[EMAIL PROTECTED] so VirusTotal
probably has an older McAfee update.
VirusTotal doesn't use Trend Micro, but they don't think it warrants a
new signature. They already catch it as TROJ_BAGLE.GEN
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
Hi,
Enclosed a notice for the MS05-16 Exploit.
For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities - no
matter how seldom one might actually occur. Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly
Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?
John T
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
This is the one that Andy pointed out:
Microsoft Windows Shell Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/13132/discussion/
Microsoft Windows is prone to a vulnerability that may allow remote
attackers to execute code through the Windows Shell. The cause of the
Good point. What version of Declude introduced the 'BANCSLID ON'
feature?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 31, 2005 2:21 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] MS05-16 Exploit
This is the
---
Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID
vulnerability detector. They are entirely different animals, which happen to
have CLSID at their heart.
The only way to attack MS05-16 abuse with Declude Virus is with a) keep your
virus scanner up to
---
Hi Andy,
Colbeck, Andrew wrote:
Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID
vulnerability detector. They are entirely different animals, which happen to
have CLSID at their heart.
You are sure up to date with this stuff!
---
Perhaps a new feature in Declude that can be implemented during an
outbreak (before the slow AV guys create defs) which reverses the logic of
the BAN module, making it an ALLOW module.
For instance, ban all extensions except those specifically allowed - this
creates its own
---
Putting in 2 new drives was the easy part.
Recreating 43 websites in IIS because the backup drive on the backup server
departed for parts unknown the week before and proceeded with the tape drive
(Onstream) finally giving out a month ago leaving my backup solution in
---
Hi,
I know that in an .EML file you can have a
TO: %ALLRECIPS% (or whoever you want) but can you also put in a CC or better
yet a BCC? I have not found anything in the 2.0.6 manual.
Thanx
Goran Jovanovic
The LAN Shoppe
a mass-mailing virus. Declude defaults to BANCSLID ON which may or may
not protect from such an attack. Some CLSID calls are entirely valid and
normal for Outlook/Office generated E-mails, and I'm not totally sure
Plus the other question is does Declude look for the CLSID calls in files in
---
Not unless it has been introduced as a feature in 2.x.
John T
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Tuesday, May 31, 2005 6:27 PM
To: Declude.Virus@declude.com
Subject:
---
Urgh. I tried CC: but that did not work. It would be nice to be able to do
this.
Thanx
Goran Jovanovic
The LAN Shoppe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, May 31, 2005 10:09 PM
To:
---
I asked about this about a month ago. From what I was told, Declude cannot
determine who is on the CC or BCC list due to where they look for that info.
Darin.
- Original Message -
From: Goran Jovanovic
To: Declude.Virus@declude.com
Sent: Tuesday, May 31, 2005 9:27
---
Darin,
Not sure if you understood what I was looking for. I want to take an EML file,
say for a banned file notification, and send it
TO: %ALLRECIPS%
And
BCC: me (or a monitor account).
This is the functionality that does not exist.
Goran Jovanovic
---
Hi Goran:
The "cc:" information is part of the (spoofable) SMTP header - the "bcc:" is
not ANYWHERE.
The only entity that knows about the "bcc"s is the sending mail server; it
will simply distribute the message to anyone in the bcc and cc header. To each
BCC or CC