
Re: virus classification: W32/Bagle

2004-03-03 16:58:48
On Wed, 03 Mar 2004, 11:47 GMT+01 (11:47 local time) Ruud H.G. van Tol
wrote:

The W32/Bagle.j@MM can have a passworded zip-file attached,
which means that the attachment is volatile.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101071

thanks for the note. I have not yet seen such a virus. Which does not
mean that there are not many viruses sent to my incoming mail server -
fortunately, having them all quarantined before they could reach my
mailbox, letting "Softlabs AntiVirus" do all the work. I have
updated this tool to version 0.3 and released it today (on 03/03). Now,
with EXTRACT_VIRUSES set to "on", all viruses will be extracted from
the messages and stored in a "viruses" directory. Mine already
contains:

ls ~roal/mail/TRASH/viruses

These have all come in on one single day. Details are in the (now
separate) configuration file, viewable at
http://www.softlabs.info/antivirus/SoftlabsAV/etc/procmailrcs/antivirus.conf

The new version is available at http://www.softlabs.info/antivirus/

ChangeLog:
____________________________________________________________________________
 v0.3   (2004 03 03)

 + Viruses will now also be found in automatically generated report  
   messages sent back from the original target mailserver, returning the 
   entire infected message embedded. 

 + Viruses will now also be found in returned messages that contain the 
   original mail directly in its body, in mbox format, including the 
   encoded virus. 

 + (optional) configuration is now done in its own configuration file
   ('/etc/procmailrcs/antivirus.conf'). There is no need to touch any of
   the other distributed files.

 + a new EXTRACT_VIRUSES variable can be set to "on", to extract all
   viruses and store them in a "viruses" subdirectory of the TRASHDIR
   directory. This subdirectory will be created automatically if it does
   not yet exist. In addition, the full path to the extracted virus file
   will be assigned to the VIRUSFILE variable. This may be useful if you want
   to run an external virus scanner (ClamAV comes to mind) to identify which
   viruses you are receiving. This new setting has made the old KEEP_ZIPS
   configuration option obsolete.

 + all AntiVirus include files (av_*.inc) now reside in their own
   subdirectory (/etc/procmailrcs/antivirus/) of the main AntiVirus run
   commands file.

 + Extracting base64 encoded attachments (using mimencode) has been
   moved out into its own, reusable .inc file

 + the mimencode program is now executed without invoking an extra shell 
   layer 

 + the lowercasing "sub routine" will only be called conditionally, when
   needed, to avoid wasting resources.

 + the WS variable now stands for the constant it is known for on the 
   procmail mailing list, being WhiteSpace of only Space and Tab 
   characters. WhiteSpace that additionally contains NewLine characters is 
   now called WSB, used to check for WhiteSpace in the middle of strings 
   living in the Body. Thanks to Ruud H.G. van Tol. 

 + the entries written into procmail's log file on detecting a likely
   virus EXE now span two lines, to avoid long one-liners.

greetings,
rob.
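The two new detection cases from the ChangeLog above (a report message carrying the original infected mail as an embedded message, and a returned mail quoting the original in mbox format in its body) as an added Python illustration, not code from Softlabs AntiVirus, which is written as procmail recipes. The walk descends into both forms, decodes the base64 attachment the way mimencode does, and names each extracted file like the entries of the "viruses" directory; the extension watch list and the sample messages are constructed assumptions, not the tool's own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

WATCHED_EXT = {".pif", ".com", ".exe", ".scr", ".zip"}  # assumed watch list, not the tool's
MBOX_FROM = re.compile(r"^From \S+.*$", re.MULTILINE)   # mbox "From " separator line

def _collect(msg, inherited_id, received, found):
    mid = (msg.get("Message-ID") or "").strip().strip("<>") or inherited_id
    if msg.is_multipart():  # multipart/* and message/rfc822 parts both hold sub-messages
        for sub in msg.get_payload():
            _collect(sub, mid, received, found)
    elif msg.get_content_type() == "text/plain":  # original mail quoted in mbox form?
        text = msg.get_content()
        m = MBOX_FROM.search(text)
        if m:
            inner = email.message_from_string(text[m.end():].lstrip("\r\n"), policy=policy.default)
            _collect(inner, mid, received, found)
    else:
        name = msg.get_filename() or ""
        if "." + name.lower().rpartition(".")[2] in WATCHED_EXT:
            # decode=True undoes the base64 transfer encoding, like mimencode -u
            found.append((f"{received}_{mid}_{name}", msg.get_payload(decode=True)))

def extract_watched(raw, received):
    """Return [(storage name, decoded bytes)] for every watched attachment in raw."""
    found = []
    _collect(email.message_from_bytes(raw, policy=policy.default), "", received, found)
    return found

def constructed_samples():
    # Constructed bounces (ids and names made up): one carries the original as a
    # message/rfc822 part, the other quotes it in mbox form inside the text body.
    orig = EmailMessage()
    orig["Message-ID"] = "<orig0001@example.invalid>"
    orig.set_content("see attachment")
    orig.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                        subtype="octet-stream", filename="your_document.pif")
    via_rfc822 = EmailMessage()
    via_rfc822["Message-ID"] = "<bounce0001@example.invalid>"
    via_rfc822.set_content("Delivery failed; original message attached.")
    via_rfc822.add_attachment(orig)
    via_mbox = EmailMessage()
    via_mbox["Message-ID"] = "<bounce0002@example.invalid>"
    via_mbox.set_content("Delivery failed; original follows.\n\n"
                         "From sender@example.invalid Wed Mar  3 13:58:00 2004\n"
                         + orig.as_string())
    return via_rfc822.as_bytes(), via_mbox.as_bytes()
```

The returned bytes are what a VIRUSFILE-style handler would write to disk and hand to an external scanner such as ClamAV.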


_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
