Re: [Nolug] foto WARNING: VIRUS

From: -ray <ray_at_ops.selu.edu>
Date: Wed, 1 Sep 2004 09:21:30 -0500 (CDT)
Message-ID: <Pine.LNX.4.44.0409010917250.14820-100000@romulus.csd.selu.edu>

On Wed, 1 Sep 2004, Scott Harney wrote:

> Those of you running Windows, I'm hoping you don't D/l the attachment
> from this message, foto.zip. Note that the message is a forgery crafted
> to look like it's coming from Dustin. The clue is in the received headers.
> from mars.com (pn207.bydgoszcz.sdi.tpnet.pl [217.96.191.207]) by
> vkh.joeykelly.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id i81ACH
>
> Chances are, one of Dustin's contacts got infected with the virus and
> sent this message.
>
> Whatever it is, it must be new. Joey's amavis/clam server didn't catch
> it and my clamd on scottharney.com didn't catch it either.

clamscan detects it as Trojan.Dropper.Small-11 but it sneaks through clamd
(which is run by mimedefang). Someone on the md list said I need to
upgrade to clamav 0.75.1, which I will try later. In the meantime we're
blocking foto.zip and fotos.zip attachments. For any mimedefang users,
add this code to the filter() function:

# $fname is the attachment filename filter() receives; lowercase it so
# Foto.zip / FOTOS.ZIP are caught too, then drop the whole message.
if (lc($fname) =~ /^foto[s]*\.zip$/) {
    md_graphdefang_log('virus-zip', "SLU: discarding unknown $fname (foto.zip) virus msg", $RelayAddr);
    return action_discard();
}

ray

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean  				       	 http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist  	      AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
___________________
Nolug mailing list
nolug@nolug.org
Received on 09/01/04
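Added example, not from Ray's or Scott's posts and not mimedefang code: a Python check that applies the same foto.zip/fotos.zip rule to a message's MIME parts and pulls the originating hop out of the Received headers, the way Scott spotted the forgery by eye. The message is constructed; the mars.com/tpnet.pl hop is the one quoted in the thread, while mx.example.org, 192.0.2.10, the queue id and the From address are placeholders.

```python
import email
import re
from email import policy
# Same rule as the mimedefang filter in the post: foto.zip or fotos.zip, any case.
BLOCKED_NAME = re.compile(r"^fotos?\.zip$", re.IGNORECASE)
# "from HELO-NAME (reverse-dns [ip])" as sendmail-style MTAs write Received lines.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)\s+\(([^\s\[]+)\s*\[([0-9.]+)\]\)")

def received_hops(msg):
    """Return (helo_name, reverse_dns, ip) per Received header, newest first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(str(hdr).split()))  # unfold whitespace
        if m:
            hops.append(m.groups())
    return hops

def blocked_attachments(msg):
    """Filenames of MIME parts matching BLOCKED_NAME (lc($fname) =~ ... in the Perl)."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and BLOCKED_NAME.match(p.get_filename())]

def base_domain(host):
    """Last two labels of a hostname, lower-cased: pn207.bydgoszcz.sdi.tpnet.pl -> tpnet.pl"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    origin = hops[-1] if hops else None  # oldest hop: where the mail entered the chain
    # HELO name from one domain but reverse DNS from another is the tell Scott
    # pointed at: "mars.com" claimed, a tpnet.pl dial-up host actually connected.
    mismatch = bool(origin) and base_domain(origin[0]) != base_domain(origin[1])
    return {"blocked": blocked_attachments(msg), "origin": origin, "helo_mismatch": mismatch}

# Constructed sample: the mars.com/tpnet.pl hop is quoted in the thread; the other host, IP, id and address are placeholders.
SAMPLE = """\
Received: from vkh.joeykelly.net (vkh.joeykelly.net [192.0.2.10]) by mx.example.org with ESMTP id c0ffee
Received: from mars.com (pn207.bydgoszcz.sdi.tpnet.pl [217.96.191.207]) by vkh.joeykelly.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id i81ACH
From: dustin@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Foto.zip"
Content-Disposition: attachment; filename="Foto.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```

Run analyze(SAMPLE) to get the blocked filename list, the originating hop and the HELO/reverse-DNS mismatch flag; an MTA-side filter would act on the first, the second two are what a human reads off the headers.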

This archive was generated by hypermail 2.2.0 : 12/19/08 EST