-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's not a test! It's an In-The-Wild virus.
http://www.antivir.ru/english/inf/news.php?id=701

=============================
The worm may come to your computer as an attachment to a mail message. The icon of the executable module of the worm is that of a standard Windows application called calc.exe (calculator). The attachment size is 15,872 bytes. The laconic message contains "Hi" in the subject field followed by the text:

Test =)
[sequence of random characters]
- --
Test, yep.
=============================

Ralf Koch wrote:
| What kind of nasty test is this?

- --
Boris B. Zhmurov
DialogueScience, Inc. Technical department.
40 Vavilova St., Moscow, 119991, Russia
Tel.: (+7-095) 137-0150, 135-6253
HTTP://www.antivir.ru FTP://ftp.antivir.ru
"wget http://bb.dials.ru/bb_public_key.pgp -O - | gpg --import"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQFADAKrmEQixi5w37YRAiJNAJ9NpHiyZjuwys5KJMqqmAft1zTA0gCeJbVh
8EpcZxBN4Z61YcDDPEMapMM=
=pQAP
-----END PGP SIGNATURE-----
On Mon, 2004-01-19 at 11:59, poeml@suse.de wrote:
******************************* WARNING ****************************** This message has been scanned by MDaemon AntiVirus and was found to contain infected attachment(s). Please review the list below.
Attachment Virus name Action taken ---------------------------------------------------------------------- dgvxokpkxv.exe ??? Removed
**********************************************************************
Test =) rdlfhqs -- Test, yep.
______________________________________________________________________
Thanks for the PRE warning.
Ken
--
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998 (5.2)
On Monday 19 January 2004 16:10, Kenneth Schneider wrote:
On Mon, 2004-01-19 at 11:59, poeml@suse.de wrote:
******************************* WARNING ****************************** This message has been scanned by MDaemon AntiVirus and was found to contain infected attachment(s). Please review the list below.
Attachment Virus name Action taken ---------------------------------------------------------------------- dgvxokpkxv.exe ??? Removed
**********************************************************************
Test =) rdlfhqs -- Test, yep.
______________________________________________________________________
Thanks for the PRE warning.
Blimey, you'd think a security list would be virus-checked! Elf
elfed lewis wrote:
On Monday 19 January 2004 16:10, Kenneth Schneider wrote:
On Mon, 2004-01-19 at 11:59, poeml@suse.de wrote:
******************************* WARNING ****************************** This message has been scanned by MDaemon AntiVirus and was found to contain infected attachment(s). Please review the list below.
Blimey, you'd think a security list would be virus-checked!
While that might be nice, does it really matter? (bandwidth issues aside) I mean, we're all running Linux, so what's an ms-windows .exe really going to do even if I do [stupidly] click on it? And besides, all of us here know better than to run executables sent to us that we didn't ask for. ;-) Kevin
On Monday 19 January 2004 17.32, Kevin Brannen wrote:
While that might be nice, does it really matter? (bandwidth issues aside) I mean, we're all running Linux, so what's an ms-windows .exe really going to do even if I do [stupidly] click on it? And besides, all of us here know better than to run executables sent to us that we didn't ask for. ;-)
Kevin
Filtering out Windows executables is, in general, a nice thing to do for those e-mail users that have to use Windows as a desktop. For this list, one might as well just remove all attachments, no matter what. And, in addition, we reject e-mail with certain types of extensions at our own mail servers. /Sigfred
Norton AV detects it OK.
Many of us run a Linux router/firewall but have MS machines behind it that are vulnerable.
Philip
----- Original Message -----
From: "BarkerJr"
Blimey, you'd think a security list would be virus-checked!
Well, McAfee still doesn't detect it...
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
On Mon, 2004-01-19 at 11:41, BarkerJr wrote:
Blimey, you'd think a security list would be virus-checked!
Well, McAfee still doesn't detect it...
That's why our company switched to Norton.
--
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998 (5.2)
On Monday 19 January 2004 18:02, Kenneth Schneider wrote:
On Mon, 2004-01-19 at 11:41, BarkerJr wrote:
Blimey, you'd think a security list would be virus-checked!
Well, McAfee still doesn't detect it...
That's why our company switched to norton.
And would Norton have detected it if you don't update it? McAfee does detect it when using the latest update of 18 January.
--
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
-----Original Message-----
From: GertJan Spoelman
On Monday 19 January 2004 18:02, Kenneth Schneider wrote:
On Mon, 2004-01-19 at 11:41, BarkerJr wrote:
Blimey, you'd think a security list would be virus-checked!
Well, McAfee still doesn't detect it...
That's why our company switched to norton.
And would Norton have detected it if you don't update it? McAfee does detect it when using the latest update of 18 January.
That's why they invented automatic updates. And why we use that feature on our email server. Ken Schneider
On Monday 19 January 2004 12:06, GertJan Spoelman wrote:
And would Norton have detected it if you don't update it? McAfee does detect it when using the latest update of 18 January.
But that is NOT the latest update. There is a 19 Jan update. Still, Norton was first...
--
_____________________________________
John Andersen
Test =) rdlfhqs -- Test, yep.
What's up with this? Is there a poeml@suse.de?
Is there no attachment filtering @ suse? Header: "X-MIME-Notice: attachments may have been removed from this message"
Philippe
---
As a default rule all attached mails go to trash :-)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philippe Vogel wrote:
| What's up with this?
| Is there a poeml@suse.de?

No, it's a fake.

- --
Boris B. Zhmurov
DialogueScience, Inc. Technical department.
40 Vavilova St., Moscow, 119991, Russia
Tel.: (+7-095) 137-0150, 135-6253
HTTP://www.antivir.ru FTP://ftp.antivir.ru
"wget http://bb.dials.ru/bb_public_key.pgp -O - | gpg --import"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQFADAmkmEQixi5w37YRAjQKAJ4nC4ByASmL2FFM+ulw/XcJ2j2ceACcCYye
wA8tU3tOjXn0Oq7Fy+FvOdM=
=1L2v
-----END PGP SIGNATURE-----
Philippe Vogel wrote:
Test =) rdlfhqs -- Test, yep.
What's up with this? Is there a poeml@suse.de?
Yes, there is - somewhere in the Security Team, but if the message has poeml@suse.de as sender, that doesn't mean that either he is infected or that he sent that infected message. This is the main spreading method used by internet worms - they collect email addresses and spread using those email addresses as senders. So, don't blame poeml :)
Is there no attachment filtering @ suse? Header: "X-MIME-Notice: attachments may have been removed from this message"
Philippe
---
As a default rule all attached mails go to trash :-)
--
Alin DOBRE
Technical Support Engineer - RAV Division
mailto:alin.dobre@ravantivirus.com
Tel./Fax: +40-21-321.78.03
Hotline: +40-21-321.78.59; http://www.ravantivirus.com
Worry less! RAV is watching.
---------------------------
This message is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you have received it by mistake please let us know by reply and then delete it from your system; you should not copy the message or disclose its contents to anyone.
Philippe Vogel wrote:
Test =) rdlfhqs -- Test, yep.
What's up with this? Is there a poeml@suse.de?
Yes, there is - somewhere in the Security Team, but if the message has poeml@suse.de as sender, that doesn't mean that either he is infected or that he sent that infected message. This is the main spreading method used by internet worms - they collect email addresses and spread using those email addresses as senders. So, don't blame poeml :)
No, poeml (apache1/2) will in fact not use m$ products :-) In the headers of the original mail you cannot see the recipient, because it's been forwarded to the list. Philippe
Philippe Vogel wrote:
Test =) rdlfhqs -- Test, yep.
What's up with this? Is there a poeml@suse.de?
Yes, there is - somewhere in the Security Team, but if the message has poeml@suse.de as sender, that doesn't mean that either he is infected or that he sent that infected message. This is the main spreading method used by internet worms - they collect email addresses and spread using those email addresses as senders. So, don't blame poeml :)
No, poeml (apache1/2) will in fact not use m$ products :-) In the headers of the original mail you cannot see the recipient, because it's been forwarded to the list.
Philippe
This virus was picked up by F-Prot, Trend and ClamAV on my system. It was the Worm_Bagle virus which spoofs the sender address. "So don't blame poeml :)" is correct! Gerry
Am Montag, 19. Januar 2004 20:47 schrieb Gerry Doris:
This virus was picked up by F-Prot, Trend and ClamAV on my system. It was the Worm_Bagle virus which spoofs the sender address. "So don't blame poeml :)" is correct!
When did you update F-Prot? With the patterns of F-Prot and Antivir about 24hrs ago, the worm was not recognized, but now it is. Al
The worm was picked up by my system with antivir. My system updates the antivir files around 4AM (CST -600). On Mon, 19 Jan 2004, Al Bogner wrote:
Am Montag, 19. Januar 2004 20:47 schrieb Gerry Doris:
This virus was picked up by F-Prot, Trend and ClamAV on my system. It was the Worm_Bagle virus which spoofs the sender address. "So don't blame poeml :)" is correct!
When did you update F-Prot? With the patterns of F-Prot and Antivir about 24hrs ago, the worm was not recognized, but now it is.
Al
On Monday 19 January 2004 21:39, Al Bogner wrote:
When did you update F-Prot? With the patterns of F-Prot and Antivir about 24hrs ago, the worm was not recognized, but now it is.
amavis(d-new) with extension scanning turned on for another of the possible "hide something from the user" tricks, i.e. double extensions and *.exe, filters out all current mail virii. BB, Arjen
Arjen,

I'm interested in possibly running Amavis on one of the two current or 2/3 planned boxes in our company.

Would you recommend it?

Is it relatively easy to set up?

One more question - this one's a bit strange! One of our clients currently uses a "Fortigate" router/firewall that has a key selling point of "content scanning". From what I can see this means that the box is basically some kind of *NIX with the usual networking, etc., a packet filtering firewall and a "webmin" front end. The clever thing it does is transparently capture inbound and outbound SMTP connections, silently forwarding them on, a bit like a proxy server, but then when the actual DATA command comes it pulls aside the email, scans it for viruses, then forwards on the DATA command (and the actual email).

This may not be quite exactly how they work, it is just what I think is happening.

The point is that SMTP servers (like their MS Exchange box) need no extra configuration and cannot bypass the security by accident or by design - all their inbound and outbound email traffic is invisibly scanned and quarantined if necessary.

They cost quite a lot of money, although they aren't too unreasonably priced. The thing is that we would like to offer cheaper options that are more under our control rather than a closed-source OS/box.

Can Amavis or a similar package do that to your knowledge?

Thanks,
Carl
----- Original Message -----
From: "Arjen Runsink"
On Monday 19 January 2004 21:39, Al Bogner wrote:
When did you update F-Prot? With the patterns of F-Prot and Antivir about 24hrs ago, the worm was not recognized, but now it is.
amavis(d-new) with extension scanning turned on for another of the possible "hide something from the user" tricks, i.e. double extensions and *.exe, filters out all current mail virii.
BB, Arjen
Hi,
Would you recommend it?
Yes, but first choose the MTA (postfix, exim ...), then the amavis version.
Is it relatively easy to set up?
Depends on the mailer. For postfix I would say yes, I don't know exim etc. so well.
and a "webmin" front end. The clever thing it does is transparently to capture inbound and outbound SMTP connections, silently forwarding them on, a bit like a proxy server, but then when the actual DATA command comes it pulls aside the email, scans it for viruses, then forwards on the DATA command (and the actual email).
Don't think so, I guess they use an MTA which does not change any header. You can do a port redirect with iptables on port 25 on your scanning host, redirecting it into an MTA you configure to resend the stuff after scanning. Usually you will find some headers of that MTA in the mails, but maybe some mailers allow you to switch off these manipulations. As a last resort you can "fix" the sources, but I've seen a solution with out-of-the-box SuSE doing that stuff nicely (with headers).
Ciao, Dieter
Quoting Dieter Kirchner
Depends on the mailer. For postfix I would say yes, I don't know exim etc. so well.
Same thing, easy, examples are included. The docs and config file explain the lot. While you are at it, check out amaia (see sourceforge), you will like it. This one makes admin of spam and virus quarantine easy for admin and user.
Don't think so, I guess they use an MTA which does not change any header. You can do a port redirect with iptables on port 25 on your scanning host, redirecting it into an MTA you configure to resend the stuff after scanning.
Hmm, well, thinking about this it is rather easy. The primary MX is the proxy, so that's easy. And mail is used to being relayed (aka proxied), so maybe redirecting outgoing 25 to the internal interface IP might just work. Much easier is to disallow forwarding of connections to port 25 and set the internal mailers to use the proxy/fw as the standard relay. BB, Arjen
Depends on the mailer. For postfix I would say yes, I don't know exim etc. so well.
Same thing, easy, examples are included. The docs and config file explain the lot.
While you are at it, check out amaia (see sourceforge), you will like it. This one makes admin of spam and virus quarantine easy for admin and user.
Even with postfix you can do a lot. The mechanisms presented here you can use with any mailer daemon providing the same features. Here are some basic examples from one of my setups (postfix, amavis, RBL filter, body & header checks). With this setup our local mailserver rejects the critical spam without using spamd. Be sure you have activated the DNS lookup function (this kicks header fakers). Before changing anything make backups of your configs. You can enter RBL lists - even in the case you don't have an open relay - and all mails from well known spammers go to /dev/null.

/etc/postfix/main.cf:

    smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain
    smtpd_client_restrictions = reject_rbl_client relays.ordb.org

After that you can implement header_checks, mime_header_checks and body_checks.

/etc/postfix/main.cf:

    # header_checks is what postfix applies to the primary message header
    # (Subject:, To:, X-Mailer: ...); mime_header_checks is applied to the
    # Content-* headers of every MIME part. mime_header_checks alone would
    # never see Subject:/To:, so both point at the same table here.
    # The table type is pcre: rather than regexp: because some patterns
    # below use (?:...) and (?=...), which POSIX regexp tables do not know.
    header_checks = pcre:/etc/postfix/mime_header_checks
    mime_header_checks = pcre:/etc/postfix/mime_header_checks
    body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/body_checks:

    # Sobig rejection: the base64 encoding of a Windows MZ/PE header at the
    # start of a body line. The pattern must be on one single line.
    /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/ REJECT keep your viruses
    # Klez rejection (hidden zero-size IFRAME in quoted-printable HTML)
    /^<iframe src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
    /^<FONT>/ REJECT No viruses wanted here
    /^<IMG>/ REJECT No Images please

/etc/postfix/mime_header_checks:

    # Mime Header Checks (matching is case-insensitive by default)
    # Nimda
    /^Subject: Make Money Fast/ REJECT Nimda Protection
    /^To: friend@public.com/ REJECT Nimda Protection
    # Filetypes
    /^Content-Type: multipart\/related;.*type="multipart\/alternative";.*boundary="====_ABC1234567890DEF_===="/ REJECT Blocked File types not allowed
    # Spammers (bulk-mailer fingerprints)
    /^ Body content=.*(MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|Group|Fusion|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic|Splio|Sarbacane|sMailing|JMail|Broadc@st|WorkZ).*$/ REJECT Bulk mailer not allowed
    /^Content-Type: application\/octet-stream; name=.*\.bat *$/ REJECT Blocked File types not allowed
    /^Content-Type: audio\/x-wav; name=.*\.scr *$/ REJECT Blocked File types not allowed
    /^Content-Type: audio\/x-midi; name=.*\.bat *$/ REJECT Blocked File types not allowed
    /^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(ad[ep]|asd|ba[st]|chm|cmd|com(?=$|")|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|url|vb[esx]?|vxd|ws[cfh])\b/ REJECT Blocked File types not allowed
    /filename="?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)"?$/ REJECT For security reasons we reject attachments of this type
    /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/ REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
    /^x-mailer: *(CTMailer|MailKing|eMerge|Diffondi|ACE Contact Manager|CyberCreek Avalanche|Achi-Kochi Mail)/ REJECT
    /^x-mailer: .*(E-mail Magnet|Avalanche|Mailcast|Group Mail|AristotleMail|WorldMerge|Extractor Pro|Floodgate Pro|Emailer Platinum.*InternetMarketing|Ellipse Bulk Emailer|RamoMail|MultiMailer|Advanced Mass Sender)/ REJECT

And postfix itself has some basic spam protection since 8.2. You need to activate amavis via /etc/sysconfig/amavis (USE_AMAVIS="yes"). Install any virus scanners you might want and enter them in /etc/amavisd.conf. Here you have to enter the full path to the virus scanners. In /etc/postfix/main.cf you must add this line:

    content_filter = vscan:

and in /etc/postfix/master.cf you must add these lines (the "-o" and "user=" lines are continuation lines and have to be indented):

    # re-injection port: the empty content_filter stops already scanned
    # mail from being handed to the scanner a second time (mail loop)
    localhost:10025 inet  n  -  y  -  -   smtpd
      -o content_filter=
    vscan           unix  -  n  n  -  10  pipe
      user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}

If there exists something for exim you will find examples at http://www.debian.org/. It's Debian's "default" mailer, some use qmail instead. You will get some information about both on the Debian pages with the search function.
Don't think so, I guess they use an MTA which does not change any header. You can do a port redirect with iptables on port 25 on your scanning host, redirecting it into an MTA you configure to resend the stuff after scanning.
Hmm, well, thinking about this it is rather easy. The primary MX is the proxy, so that's easy. And mail is used to being relayed (aka proxied), so maybe redirecting outgoing 25 to the internal interface IP might just work.
Much easier is to disallow forwarding of connections to port 25 and set the internal mailers to use the proxy/fw as the standard relay.
First you need a mailer entry in the DNS and set the priority of the 1st, 2nd ... MX in the DNS entries. Then you can configure one SMTP server as spam & virus filter. This "external" mailserver will be set up as smarthost for all the "internal" ones (2nd, 3rd ...). This even works with Exchange or any somehow "insecure" mailserver in the internal network. I did this with David SL and Exchange 2000 (for Exchange you can even get a free OR/RBL filter from http://martijnjongen.com/eng/). On the firewall you block incoming traffic to all internal mailservers. Depending on the transfer volume you might want to adjust the rates of the mailserver; if it gets too many mails, some mails will be rejected with the standard config. For postfix there is some basic info in the /usr/share/doc/packages/postfix folder.
Regards,
Philippe
P.S.: After all the changes you made you have to restart postfix and amavis.
Here are some basic examples from one of my setups (postfix, amavis, rbl_filter, body & headerchecks).
Why RBL filter, header checks and body checks? These mechanisms don't consume much CPU compared to virus filtering. After these mechanisms the virus filter gets its job done (with the already filtered mails) by redirecting any mails to amavisd. With this kind of setup you set a policy for your mailserver (e.g. no executable files and no system-related or script-based file extensions, while zip, tar ... is allowed).
Philippe
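The attachment policy discussed in this and the preceding messages (reject executable and script extensions, catch the double-extension trick, let archives such as zip and tar through) and the Bagle indicators Boris quoted at the top of the thread, worked through in Python as an added example. This is not code from the list, from postfix or from amavis; it reimplements what the posted header-check tables and the amavis extension filter do so that the rules can be exercised offline. The extension list mirrors the posted tables, the indicator values (subject "Hi", body starting "Test =)", 15,872-byte .exe) come from the thread, and every sample message is constructed here.

```python
# Added example (not code from the list thread): an attachment-policy check
# that does what the posted postfix mime_header_checks and the amavis
# extension filter do, plus a match on the Bagle indicators quoted in the
# thread. All sample messages are constructed in build_sample().
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions rejected by the posted header-check tables (executables,
# scripts, shortcuts, registry and help files). Archives stay allowed.
BLOCKED_EXT = frozenset("""
    ade adp asd bas bat chm cmd com cpl crt dll eml exe hlp hta inf ins isp
    js jse lnk mdb mde mdt mdw msc msi msp mst nws ocx ops pcd pif prf reg
    scf scr sct shb shm shs swf url vb vbe vbs vbx vxd wsc wsf wsh
""".split())

BAGLE_ATTACHMENT_SIZE = 15872            # size quoted in the thread
BAGLE_SUBJECT, BAGLE_BODY_PREFIX = "Hi", "Test =)"

# The *last* extension, ignoring trailing whitespace and quotes. This is
# what defeats the double-extension trick: "report.txt.exe" and
# "photo.jpg      .scr" both resolve to the real, executable extension.
_LAST_EXT = re.compile(r"\.([A-Za-z0-9]{1,4})\s*$")


def blocked_extension(filename):
    """Return the offending extension (lower-case) or None if allowed."""
    m = _LAST_EXT.search(filename.strip().strip('"'))
    if not m:
        return None
    ext = m.group(1).lower()
    return ext if ext in BLOCKED_EXT else None


def attachments(msg):
    """Yield (filename, decoded_bytes) for every part that carries a filename."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""


def check_message(raw):
    """Run the policy over a raw RFC 822 message; return a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for name, data in attachments(msg):
        ext = blocked_extension(name)
        if ext:
            findings.append(("blocked-extension", f"{name} (.{ext})"))
        if ext == "exe" and len(data) == BAGLE_ATTACHMENT_SIZE:
            findings.append(("bagle-size", name))
    subject = str(msg["subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if subject == BAGLE_SUBJECT and text.lstrip().startswith(BAGLE_BODY_PREFIX):
        findings.append(("bagle-text", subject))
    return findings


def build_sample(subject, text, files):
    """Construct a multipart/mixed test message (sample data, not a capture)."""
    m = EmailMessage()
    m["From"] = "poeml@suse.de"           # spoofed sender, as in the thread
    m["To"] = "suse-security@suse.com"
    m["Subject"] = subject
    m.set_content(text)
    for name, data in files:
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "bagle": build_sample("Hi", "Test =) rdlfhqs\n",
                              [("dgvxokpkxv.exe", b"MZ" + b"\x00" * 15870)]),
        "decoy": build_sample("Photos", "see attached\n",
                              [("photo.jpg      .scr", b"MZ"), ("report.txt.exe", b"MZ")]),
        "clean": build_sample("Minutes", "see attached\n",
                              [("minutes.zip", b"PK\x03\x04")]),
    }
    for label, raw in samples.items():
        print(label, check_message(raw))
```

Run stand-alone it reports the constructed Bagle message on all three indicators, the two disguised executables by their real extension, and nothing for the zip archive. In a real deployment this logic sits where amavis does in the master.cf setup above, between the content_filter hand-off and the re-injection port; the point of the example is that a rule which only looks at the first or the declared extension misses exactly the cases the thread warns about.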
participants (20):
- Al Bogner
- Alin Dobre
- Arjen Runsink
- BarkerJr
- Boris B. Zhmurov
- Carl Peto
- Dieter Kirchner
- elfed lewis
- Gerry Doris
- GertJan Spoelman
- John Andersen
- Ken Schneider
- Kenneth Schneider
- Kevin Brannen
- Philip B Cook
- Philippe Vogel
- poeml@suse.de
- Ralf Koch
- seth hamstead
- Sigfred Håversen