Mailing List Archive: ClamAV: users

Signature for W32.Mimail.A@mm available?

 

 



John at ensemble

Aug 4, 2003, 7:25 AM

Post #1 of 11 (1262 views)
Signature for W32.Mimail.A@mm available?

Hi,
Looks like the above worm is making its way around and we have
received a few copies already. Any idea when the virus db will be updated to
detect this?



Thanks,
John Birkhead


dan.mcdonald at austinenergy

Aug 4, 2003, 7:38 AM

Post #2 of 11 (1227 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

On Mon, 2003-08-04 at 09:24, John Birkhead wrote:
> Hi,
> Looks like the above worm is making it's way around and we have
> received a few copies already. Any idea when the virus db will be updated to
> detect this?

It was released on Friday - it's listed as Trojan.Dropper.C
I've picked up a few of them:
[mcdonalddj [at] s mcdonalddj]$ sudo grep -o -E 'INFECTED.+\)' /var/log/mail/info | sort | uniq -c
      1 INFECTED (Exploit.IFrame)
      1 INFECTED (Exploit.IFrame.HTML, Worm.BugBear.B)
      5 INFECTED (Trojan.Dropper.C)
      1 INFECTED (W32/Yaha.g.dam)
      2 INFECTED (Worm.BugBear.B)

--
Daniel J McDonald, CCIE 2495, CNX
Austin Energy
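The grep pipeline above credits a whole line to one "INFECTED (...)" string, so a line that names two signatures (the Exploit.IFrame.HTML, Worm.BugBear.B hit) is counted once rather than once per signature. The script below is an added example, not code from Daniel or from the ClamAV project: it parses the same kind of mail-log lines and counts per signature as well as per line. The log format and the sample lines are constructed for the example, not real log data.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a clamav-milter syslog entry;
# the host, pid and timestamps are made up for this example.
SAMPLE_LOG = """\
Aug  4 09:01:12 mx clamav-milter[2231]: INFECTED (Trojan.Dropper.C)
Aug  4 09:05:40 mx clamav-milter[2231]: INFECTED (Exploit.IFrame.HTML, Worm.BugBear.B)
Aug  4 09:07:03 mx clamav-milter[2231]: Clean
Aug  4 09:12:55 mx clamav-milter[2231]: INFECTED (Trojan.Dropper.C)
Aug  4 09:30:18 mx clamav-milter[2231]: INFECTED (W32/Yaha.g.dam)
"""

# Same shape the grep above looks for: the word INFECTED followed by a
# parenthesised, comma-separated list of signature names.
INFECTED_RE = re.compile(r"INFECTED \(([^)]+)\)")


def count_lines(log_text):
    """Per-line counts, equivalent to `grep -o ... | sort | uniq -c`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            counts[m.group(0)] += 1
    return counts


def count_detections(log_text):
    """Per-signature counts: a line naming several signatures is
    credited to each of them, which the grep pipeline does not do."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if not m:
            continue
        for name in m.group(1).split(","):
            counts[name.strip()] += 1
    return counts


if __name__ == "__main__":
    for name, n in count_detections(SAMPLE_LOG).most_common():
        print(f"{n:7d} {name}")
```

Run it against a real /var/log/mail/info by reading the file into `log_text`; the regex only assumes that the scanner writes "INFECTED (" followed by the signature list, which is what the grep in the post relies on too.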


support at epaxsys

Aug 4, 2003, 7:42 AM

Post #3 of 11 (1224 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

I thought they updated late last week, our versions of the DB catch it as:
Report: message.zip contains Trojan.Dropper.C

And we have caught about 30 since late last night using ClamAV. Is there
another version it's not catching yet?

Uh oh...

JPP

At 07:24 AM 8/4/03 -0700, you wrote:
>Hi,
> Looks like the above worm is making it's way around and we have
>received a few copies already. Any idea when the virus db will be updated to
>detect this?
>
>
>
>Thanks,
>John Birkhead
>
>
>
>-------------------------------------------------------
>This SF.Net email sponsored by: Free pre-built ASP.NET sites including
>Data Reports, E-commerce, Portals, and Forums are available now.
>Download today and enter to win an XBOX or Visual Studio .NET.
>http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
>_______________________________________________
>Clamav-users mailing list
>Clamav-users [at] lists
>https://lists.sourceforge.net/lists/listinfo/clamav-users


tomek-clam-users at lodz

Aug 4, 2003, 7:45 AM

Post #4 of 11 (1225 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

On Mon, 04 Aug 2003 at 7:24:02 -0700, John Birkhead wrote:
> Hi,
> Looks like the above worm is making it's way around and we have
> received a few copies already. Any idea when the virus db will be updated to
> detect this?
>
> Thanks,
> John Birkhead

Are you sure that these copies were W32.Mimail.A [at] m indeed? Was your
viruses.db2 updated successfully?

The signature of Worm.Mimail.A was added to the db2 about "Sat, 2 Aug
2003 00:20:55 +0200" (with other name: Trojan.Dropper.C).

BTW, a simple workaround is to _not_ accept mail from "admin@your_domain"
(of course replace "your_domain" with the real name of your domain and
any other domains you are hosting). This virus sends itself using such
sender address.

You can also subscribe to clamav-virusdb [at] lists
so that you'll be notified about updates of the database.

HTH
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.
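The workaround Tomasz describes is a sender-address check: reject inbound mail whose sender claims to be admin@ one of the domains the gateway hosts. The function below is an added example, not code from the post or from ClamAV; it shows the check with the display-name, angle-bracket and letter-case variants a raw From: or MAIL FROM value can carry. The domain list is a constructed placeholder.

```python
from email.utils import parseaddr

# Constructed placeholders: the domains this gateway hosts.
HOSTED_DOMAINS = {"example.com", "example.org"}

# Local part the worm forges as sender, per the post above.
FORGED_LOCAL_PARTS = {"admin"}


def is_forged_admin_sender(sender, hosted_domains=HOSTED_DOMAINS):
    """True if `sender` (a raw From: or MAIL FROM value) claims to be
    admin@<one of our own domains>.

    parseaddr() strips display names and angle brackets, so
    '"Administrator" <Admin@Example.ORG>' is handled the same as
    'admin@example.org'. Anything without an '@' is not an address
    and is left for the MTA's normal syntax checks."""
    _, addr = parseaddr(sender)
    if "@" not in addr:
        return False
    local, _, domain = addr.rpartition("@")
    return local.lower() in FORGED_LOCAL_PARTS and domain.lower() in hosted_domains


def triage(senders, hosted_domains=HOSTED_DOMAINS):
    """Split a batch of sender strings into (rejected, accepted) lists."""
    rejected = [s for s in senders if is_forged_admin_sender(s, hosted_domains)]
    accepted = [s for s in senders if s not in rejected]
    return rejected, accepted


if __name__ == "__main__":
    # Constructed sample senders, not captured traffic.
    sample = [
        "admin@example.com",
        '"Administrator" <Admin@Example.ORG>',
        "admin@other.net",
        "user@example.com",
    ]
    rej, acc = triage(sample)
    print("reject:", rej)
    print("accept:", acc)
```

Apply the check at the inbound edge only: mail from a real admin@ account that originates inside the network should not pass through this rule, otherwise the workaround blocks the legitimate account along with the forged one.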


John at ensemble

Aug 4, 2003, 7:47 AM

Post #5 of 11 (1228 views)
RE: Signature for W32.Mimail.A@mm available? [In reply to]

Thanks for the clarification!

I'm a ClamAV newbie and I'm not sure how to map virus names across different
vendors. :-)

Mmmmmm. I have seen this virus reported being received in the last several
days by our mail gateway but I didn't know that this was W32.Mimail.A [at] m (as
named by Symantec).

The interesting thing is that my Symantec-protected Exchange server reported
receiving a message on Sunday evening (after the ClamAV virus update
performed on Friday) so I'm concerned that somehow the virus made its way
through our defenses.





Thanks,
John



Simpsonb at hillsboroughcounty

Aug 4, 2003, 7:49 AM

Post #6 of 11 (1227 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

I noticed it was added to the database on Aug 1st at 13:20 (see link below). I'm running clamav-20030320 and it's filtering out that virus ok.

http://sourceforge.net/mailarchive/forum.php?thread_id=2886216&forum_id=34654

Brett



John at ensemble

Aug 4, 2003, 7:53 AM

Post #7 of 11 (1226 views)
RE: Signature for W32.Mimail.A@mm available? [In reply to]

Hi,
I cron a Freshclam every hour and my log reports that the update you
mention was executed. I am also seeing occasional reports of the
Trojan.Dropper.C virus being detected.

I will investigate the Symantec report I received from our Exchange server
and see if I can work out a timeline.





Thanks,
John



tomek-clam-users at lodz

Aug 4, 2003, 8:08 AM

Post #8 of 11 (1228 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

On Mon, 04 Aug 2003 at 7:46:36 -0700, John Birkhead wrote:
> Thanks for the clarification!
>
> I'm a ClamAV newbie and I'm not sure how to map virus names across different
> vendors. :-)

Probably nobody is sure ;-) . As far as I can see, vendors sometimes
invent completely different names for viruses.

> Mmmmmm. I have seen this virus reported being received in the last several
> days by our mail gateway but I didn't know that this was W32.Mimail.A [at] m (as
> named by Symantec).
>
> The interesting thing is that my Symantec-protected Exchange server reported
> receiving a message on Sunday evening (after the ClamAV virus update
> performed on Friday) so I'm concerned that somehow the virus made it's way
> through our defenses.

John, if you could extract that message from the quarantine (if Symantec
quarantines viruses...) and check it with clamscan...
If you can see that the virus is _not_ detected by clamscan, you can
help Clamav by submitting it to virus [at] clamav .

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.


Kevin.Spicer at bmrb

Aug 4, 2003, 8:11 AM

Post #9 of 11 (1226 views)
RE: Signature for W32.Mimail.A@mm available? [In reply to]

John Birkhead wrote:
> Hi,
> Looks like the above worm is making it's way around and we have
> received a few copies already. Any idea when the virus db will be
> updated to detect this?

I'm finding that it is already being detected as Trojan.Dropper.C



BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.


tk at mat

Aug 4, 2003, 9:53 AM

Post #10 of 11 (1230 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

On Mon, 04 Aug 2003 08:39:30 -0600
Support ePaxsys/FRWS <support [at] epaxsys> wrote:

> I thought they updated late last week, our versions of the DB catch it as:
> Report: message.zip contains Trojan.Dropper.C
>
> And we have caught about 30 since late last night using ClamAV. Is there
> another version its not catching yet?

Yes, there is. Clamav 0.2x can't catch this worm, because it can't use the
viruses.db2 file. 0.2x is completely outdated, though.

Best regards,
Tomasz Kojm
--
oo ..... zolw [at] konarski
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ And don't forget to click on the tummy...
//\ /\\ <- C. Amboinensis www.pajacyk.pl


support at epaxsys

Aug 4, 2003, 10:13 AM

Post #11 of 11 (1224 views)
Re: Signature for W32.Mimail.A@mm available? [In reply to]

Sorry if I misled - but we are using the latest and greatest Clam
AntiVirus 'system' version 0.60 with MailScanner and sendmail.
I 'assume' that this is up-to-date and working fine. It is catching that
virus just fine.


JPP

