New virus intercepted

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Thu Aug 18 13:58:16 IST 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Denis Beauchemin wrote:

> Hello All,
>
> Last night we received many hundreds EXE files infected by 
> Backdoor.Win32.Dumador.dk, according to Kaspersky.  No other virus 
> scanner I have detected anything suspicious: McAfee, Bitdefender and 
> ClamAV all said there was nothing wrong in the files.
>
> All files seem to be the same length (26112 bytes) and came from many 
> different IPs.  They all have strange names (looks like random 
> characters) ending in .exe.
>
> I'm glad I don't let EXE/BAT/PIF/... files through!
>
> Denis
>
Overall we blocked 512 EXE on one of our external servers yesterday and 
no more than 3 came from the same IP.  On the other external server, we 
blocked 525 EXE and no more than 4 came from the same IP...

Funny thing: we received them from midnight to 1:35 and then nothing 
until 17:36 (5:36PM).  It stopped at about 19:36 (7:36PM) to not be seen 
again...

Still nothing detected by McAfee, Bitdefender or ClamAV...

Denis
PS: We've been told that McAfee will detect it with the extra.dat so I 
am about to download it.  It would be nice it mcafee-autoupdate -e 
worked as advertised...
usage: /usr/lib/MailScanner/mcafee-autoupdate [-dfrtv] [-Rnnn] [-Innn] 
[proxy] [prefix]
  -d      delete old files
  -e      get extra.dat
  -f      force update
  -r      show README
  -t      timestamp output
  -v      verbose
  -R      number of retries
  -I      retry interval
  proxy   URL of FTP/HTTP proxy server
  prefix  uvscan installation directory

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045



------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2, "S/MIME Cryptographic Signature"  ]
    [ Application/X-PKCS7-SIGNATURE  4.4KB. ]
    [ Unable to print this part. ]

More information about the MailScanner mailing list