On Wed, 1 Sep 2004, Scott Harney wrote:
> Those of you running Windows, I'm hoping you don't D/l the attachment
> from this message, foto.zip. Note that the message is a forgery crafted
> to look like it's coming from Dustin. The clue is in the received headers.
> from mars.com (pn207.bydgoszcz.sdi.tpnet.pl [217.96.191.207]) by
> vkh.joeykelly.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id i81ACH
>
> Chances are, one of Dustin's contacts got infected with the virus and
> sent this message.
>
> Whatever it is, it must be new. Joey's amavis/clam server didn't catch
> it and my clamd on scottharney.com didn't catch it either.
clamscan detects it as Trojan.Dropper.Small-11 but it sneaks through clamd
(which is run by mimedefang). Someone on the md list said I need to
upgrade to clamav 0.75.1, which I will try later. In the meantime we're
blocking foto.zip and fotos.zip attachments. For any mimedefang users,
add this code to the filter() function:

    # Case-insensitive match on the attachment filename (foto.zip, fotos.zip)
    if (lc($fname) =~ /^foto[s]*\.zip$/) {
        md_graphdefang_log('virus-zip', "SLU: discarding unknown $fname (foto.zip) virus msg", $RelayAddr);
        return action_discard();
    }

ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean
http://www.r-a-y.org
Systems Engineer
Southeastern Louisiana University
IBM Certified Specialist
AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
___________________
Nolug mailing list
nolug@nolug.org
Received on 09/01/04
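
Added example, not part of the original messages: a small Python check for the Received-header clue mentioned in the quoted text, comparing the name a relay announced in HELO with the reverse DNS name the receiving server recorded. The function names, the two-label domain comparison and the CLEAN header are assumptions made for illustration.

```python
import re

# Sendmail-style clause: "from <HELO> (<rDNS> [<IP>]) by <receiver>".
# <rDNS> is absent when the connecting IP has no PTR record; sendmail appends
# "(may be forged)" when the PTR name does not resolve back to the IP.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Return helo, rdns, ip, forged and by for one Received header, or None."""
    # Unfold continuation lines before matching.
    m = RECEIVED_RE.search(" ".join(header.split()))
    return m.groupdict() if m else None

def base_domain(host, labels=2):
    """Crude domain guess: the last two labels (assumption: no public-suffix
    list, so names under co.uk-style suffixes are grouped too broadly)."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])

def helo_findings(header):
    """List reasons the HELO name is not backed by what the receiver saw."""
    hop = parse_received(header)
    if hop is None:
        return ["unparsed Received header"]
    findings = []
    if hop["rdns"] is None:
        findings.append("no reverse DNS for %s" % hop["ip"])
    elif base_domain(hop["helo"]) != base_domain(hop["rdns"]):
        findings.append("HELO %s but rDNS %s" % (hop["helo"], hop["rdns"]))
    if hop["forged"]:
        findings.append("receiver flagged rDNS as possibly forged")
    return findings

# Header quoted in the message above (the SMTP id is cut short there).
SAMPLE = ("from mars.com (pn207.bydgoszcz.sdi.tpnet.pl [217.96.191.207]) by\n"
          " vkh.joeykelly.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id i81ACH")
# Constructed header in which HELO and rDNS agree.
CLEAN = "from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net"

if __name__ == "__main__":
    for h in (SAMPLE, CLEAN):
        print(helo_findings(h) or "consistent")
```

A HELO/rDNS mismatch is a signal to weigh with the rest of the message, since some legitimate relays announce names that differ from their PTR records.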