procmail

Re: softlabs

2004-03-04 00:02:02
On Thu, 04 Mar 2004, 01:28 GMT+01 (01:28 local time) Ruud H.G. van Tol
wrote:

> The W32/Bagle.j@MM can have a passworded zip-file attached,

I guess there are a few in your list:

20040302_200403030209.VAA03980@anet.at_message.zip
20040302_hejmiqejkuvfnnyqqbi@anet.at_Readme.zip
20040303_mixsqqnswvhvkovqvoi@anet.at_Information.zip
20040303_xublskqkpvwsldvgjmf@anet.at_Information.zip

I have now downloaded all the 46 viruses my "Softlabs AntiVirus"
filter has automatically extracted from all incoming mails within one
day and scanned them with an AV scanner on my workstation (I haven't
yet installed such a program on my mail server), of course with the
very latest virus definitions.

The results are quite interesting. The 46 viruses are 11 zipped ones
(I call them ZIP.*.virus types) and the rest (35 files) direct
executables (which I call EXE.*.virus types). The AV scanner detected
all the EXE ones:

Netsky.B .........  2 (one .com and one .scr)
Netsky.C .........  1 (one .com)
Netsky.D ......... 27 (all .pif)
Bagle.J ..........  5 (all .pif)
----------------------------------------------------
total:             35 EXE types

Of the 11 ZIPs, the virus scanner I used detected only 8
viruses, leaving 3 undetected and reported as "clean" (!):

Netsky.B .........  6 (3 .pif, 2 .exe and 1 .com)
Netsky.C .........  2 (1 .exe and 1 .com)
FALSE NEGATIVE ...  3 (all password protected .exe)
----------------------------------------------------
total:             11 ZIP types

The original names of the 3 ZIP viruses caught by Softlabs AntiVirus
but not detected by the local virus scanner are 'Information.zip' or
'Readme.zip':

[root@ns viruses]# ls -l *.zip | egrep -i "information|readme"
-rw-------    1 roal     anet        12420 Mar  2 20:43 20040302_hejmiqejkuvfnnyqqbi@anet.at_Readme.zip
-rw-------    1 roal     anet        12420 Mar  3 02:08 20040303_mixsqqnswvhvkovqvoi@anet.at_Information.zip
-rw-------    1 roal     anet        12424 Mar  3 00:43 20040303_xublskqkpvwsldvgjmf@anet.at_Information.zip

They all have a password-protected .exe inside, so they are most
likely from that Bagle.J stuff you mentioned. So, you were right
(except 20040302_200403030209.VAA03980@anet.at_message.zip, which is
actually a Netsky.B).

And I'm really happy knowing my tool caught them all!! :-))

best,
rob.





_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
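The finding in the post (a signature scanner reports a passworded ZIP as "clean" because it cannot look inside, while a mail-side filter still catches it) comes down to one bit in the archive's metadata. The following is an added example, not code from the original post or from the "Softlabs AntiVirus" filter it describes: it reads the ZIP central directory directly, flags any entry whose general-purpose flag has bit 0 (encrypted) set, and checks whether the inner file name has an executable extension, all without a password and without extracting anything. The sample archives are constructed inline (a passworded .exe, a plain .pif, a harmless text file); the extension list beyond .exe/.com/.pif/.scr and the verdict labels are my own assumptions.

```python
"""Flag password-protected ZIP attachments that wrap an executable.

Added example; not code from the original post or from the "Softlabs
AntiVirus" filter it describes.  The "passworded" property of a ZIP entry is
bit 0 of its general-purpose flag word, so a mail filter can flag such an
attachment by reading the central directory, without the password and without
handing an AV scanner content it cannot see inside.
"""
import io
import os
import struct
import zipfile
import zlib

# .exe/.com/.pif/.scr are the types seen in the post; the rest are assumed.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs"}

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")          # 30-byte local file header
CENTRAL_HDR = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte central directory header
EOCD = struct.Struct("<4sHHHHIIH")                   # 22-byte end-of-central-directory record
FLAG_ENCRYPTED = 0x0001
DOS_DATE = (24 << 9) | (3 << 5) | 2                  # 2004-03-02 in DOS date format


def build_zip(entries):
    """Construct a stored (method 0) ZIP from (name, data, encrypted) triples.

    Constructed sample data only.  Traditional PKWARE encryption prepends a
    12-byte header to the entry data; a dummy header is used here because the
    sample is never meant to be extracted.
    """
    body, central = b"", b""
    for name, data, encrypted in entries:
        name_b = name.encode("cp437")
        flags = FLAG_ENCRYPTED if encrypted else 0
        payload = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        body += LOCAL_HDR.pack(b"PK\x03\x04", 20, flags, 0, 0, DOS_DATE, crc,
                               len(payload), len(data), len(name_b), 0)
        body += name_b + payload
        central += CENTRAL_HDR.pack(b"PK\x01\x02", 20, 20, flags, 0, 0, DOS_DATE,
                                    crc, len(payload), len(data), len(name_b),
                                    0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = EOCD.pack(b"PK\x05\x06", 0, 0, len(entries), len(entries),
                     len(central), len(body), 0)
    return body + central + eocd


def list_entries(buf):
    """Walk the central directory; return [(name, encrypted), ...]."""
    eocd_pos = buf.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    rec = EOCD.unpack_from(buf, eocd_pos)
    count, cd_offset = rec[4], rec[6]
    pos, entries = cd_offset, []
    for _ in range(count):
        hdr = CENTRAL_HDR.unpack_from(buf, pos)
        if hdr[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len = hdr[3], hdr[10], hdr[11], hdr[12]
        start = pos + CENTRAL_HDR.size
        name = buf[start:start + name_len].decode("cp437")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos = start + name_len + extra_len + comment_len
    return entries


def classify(buf):
    """One verdict per attachment, most dangerous first."""
    entries = list_entries(buf)
    encrypted = any(enc for _, enc in entries)
    executable = any(os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS
                     for name, _ in entries)
    if encrypted and executable:
        return "ENCRYPTED_EXECUTABLE"   # the case the AV scanner reported "clean"
    if executable:
        return "EXECUTABLE"
    if encrypted:
        return "ENCRYPTED"
    return "CLEAN"


def stdlib_view(buf):
    """Cross-check: the stdlib exposes the same bit as ZipInfo.flag_bits."""
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        return [(i.filename, bool(i.flag_bits & FLAG_ENCRYPTED)) for i in zf.infolist()]


# Constructed samples mirroring the post: a passworded .exe (reported "clean"
# by the scanner), a bare .pif in a plain ZIP, and a harmless text archive.
SAMPLE_PASSWORDED_EXE = build_zip([("Information.exe", b"MZ fake stub", True)])
SAMPLE_PLAIN_PIF = build_zip([("message.pif", b"MZ fake stub", False)])
SAMPLE_CLEAN = build_zip([("readme.txt", b"nothing to see", False)])

if __name__ == "__main__":
    for label, buf in [("passworded exe", SAMPLE_PASSWORDED_EXE),
                       ("plain pif", SAMPLE_PLAIN_PIF), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:15} {classify(buf):22} {list_entries(buf)}")
```

The check only looks at metadata, which is exactly why it works where a content scanner does not: the encryption bit and the inner file name are never encrypted. The same reasoning cuts the other way for a filter that relies on it: an archive whose central directory is truncated or otherwise unreadable should be quarantined rather than passed, since "cannot parse" and "clean" are not the same verdict.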
