New virus

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 12 14:23:40 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----

The filename.rules.conf should by default be trapping *.hta files,  
even inside zip files. So it should still be caught by MailScanner,  
even without the AV engines.

On 12 Jan 2006, at 12:17, Spicer, Kevin wrote:

> Typical, that arrived around the same time I sent the message.  However
> my point really was not the virus itself, but the attack vector which
> isn't (I think) caught by anything other than the AV scanners.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Craig Retief (CSFS)
> Sent: 12 January 2006 11:53
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] New virus
>
> ClamAV has been Updated to 1239 which includes the Virus.
>
> Notification from ClamAV follows:
>
> ClamAV database updated (2006-Jan-12 11:36 +0000): daily.cvd
> version: 1239
>
> Submission: 196768
> Sender: Anonymous
> Submission notes: Same as 197535.
> Added: No
>
> Submission: 197535
> Sender: Alex
> Added: JS.Feebs.C
> Added: Worm.Feebs.C
> Added: Worm.Feebs.C-rkit
> Virus name alias: Worm.Win32.Feebs.k (Kaspersky AVP)
>
> Submission: 197678
> Sender: Anonymous
> Submission notes: Same as 197535.
> Added: No
>
> Best regards,
> Diego d'Ambra
>
>
>
>
> See below...
>
> http://isc.sans.org/diary.php?storyid=1035
>
> Has anyone seen these?  Looks like an interesting attack vector, I don't
> think these files would be blocked by any of the default rules - so we
> have to rely on AV only.
>
> For now we're blocking those domains on our web proxies and blocking
> message.zip in MailScanner
>
> -- 
> Kevin Spicer
> Unix Systems Specialist
> Millward Brown UK Limited
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

- -- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.4 (Build 4042)

-----END PGP SIGNATURE-----
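
The filename-based check described in the reply above, sketched as an added example (not MailScanner's code and not part of the original message): it applies deny patterns to an attachment's name and to every member name inside zip files, including nested ones, so a `.hta` inside `message.zip` is flagged without any AV signature. The rule patterns, the nesting limit and the size cap are assumptions made for the illustration.

```python
import io
import re
import zipfile

# Constructed deny rules (regex, reason); illustrative, not MailScanner's shipped list.
DENY_RULES = [
    (re.compile(r"\.hta$", re.I), "HTML application"),
    (re.compile(r"\.(scr|pif|exe)$", re.I), "Windows executable"),
]
MAX_DEPTH = 3               # assumed limit on archive nesting
MAX_MEMBER_BYTES = 1 << 20  # assumed cap; larger members are name-checked only

def check_name(path):
    """Return the deny reason for the last path component, or None."""
    base = path.rsplit("/", 1)[-1]
    for pattern, reason in DENY_RULES:
        if pattern.search(base):
            return reason
    return None

def scan_attachment(name, data, depth=0):
    """Return (path, reason) hits for an attachment and any zip members inside it."""
    reason = check_name(name)
    hits = [(name, reason)] if reason else []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    if depth >= MAX_DEPTH:
        return hits + [(name, "archive nested too deeply")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Encrypted or oversized members: the name is still visible and checked.
            skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES
            body = b"" if skip else zf.read(info)
            hits += scan_attachment(f"{name}/{info.filename}", body, depth + 1)
    return hits

def make_zip(members):
    """Build an in-memory zip from {member name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    inner = make_zip({"readme.hta": b"<html></html>"})
    sample = make_zip({"notes.txt": b"hello", "inner.zip": inner})
    print(scan_attachment("message.zip", sample))
```

Archives nested deeper than the limit are reported rather than silently passed, so the name check cannot be bypassed by extra layers of zipping.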
