Avert Labs DAT Release Notification: 4789 Emergency DAT Files Release

Discussion in 'Virus Information' started by David H. Lipman, Jun 21, 2006.

  1. The 4789 DAT files have been released early due to the prevalence of multiple W32/Bagle
    variants observed today.

    Full details on the threats have been posted to the McAfee Avert Labs Threat Center:
    W32/Bagle.fb@mm - http://vil.nai.com/vil/content/v_139997.htm
    W32/Bagle.dldr - http://vil.nai.com/vil/content/v_129512.htm

    The various 4789 daily DAT file packages can be found at
    http://www.mcafee.com/apps/downloads/security_updates/dat.asp

    Best Regards,

    McAfee Avert Labs - Come visit our Blog - http://www.avertlabs.com/research/blog/
     
    David H. Lipman, Jun 21, 2006
    #1

  2. Art

    Guest

    I received two of these email attackments today. I was struck by the
    lack of social engineering. The message contained only a five digit
    numeric password. Duh! Why anyone would unzip the files and run the
    EXE with the long weird name is beyond me.

    Uploading the EXE to both Jotti and VT showed that twelve of the
    products were not alerting, and five were producing inexact alerts
    of various kinds. Sophos, Avast and NAV were among the twelve
    not alerting at all when I uploaded this morning .. just to mention
    a few of the better known products not alerting.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 21, 2006
    #2

  3. From: "Art" <>

    |
    | I received two of these email attackments today. I was struck by the
    | lack of social engineering. The message contained only a five digit
    | numeric password. Duh! Why anyone would unzip the files and run the
    | EXE with the long weird name is beyond me.
    |
    | Uploading the EXE to both Jotti and VT showed that twelve of the
    | products were not alerting, and five were producing inexact alerts
    | of various kinds. Sophos, Avast and NAV were among the twelve
    | not alerting at all when I uploaded this morning .. just to mention
    | a few of the better known products not alerting.
    |
    | Art
    | http://home.epix.net/~artnpeg

    Thanx Art. I did not get any of these emails nor have I received samples from the usual
    sources.

    Could you please post a Virus Total report.
     
    David H. Lipman, Jun 21, 2006
    #3
  4. Art

    Guest

    Sorry, I wasn't interested in archiving that or keeping the
    attackments. I can tell you from memory that KAV and NOD32
    alerted exactly (not heuristic-like alerts). I could also name
    all 12 of the products that didn't alert plus the 5 that gave
    inexact alerts since I jotted them down on scratch paper.
    The 12 were: AVAST, Fortinet, Una, VirusBuster, etrust-InoculateIT,
    Ewido, Ikarus, Microsoft, Sophos, Symantec, TheHacker, and
    UNA.

    The five that gave inexact alerts included Panda, CAT-QuickHeal,
    Authentium, VBA32 and F-Prot.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 21, 2006
    #4
  5. From: "Art" <>

    | On Wed, 21 Jun 2006 17:44:23 -0400, "David H. Lipman"
    |
    | Sorry, I wasn't interested in archiving that or keeping the
    | attackments. I can tell you from memory that KAV and NOD32
    | alerted exactly (not heuristic-like alerts). I could also name
    | all 12 of the products that didn't alert plus the 5 that gave
    | inexact alerts since I jotted them down on scratch paper.
    | The 12 were: AVAST, Fortinet, Una, VirusBuster, etrust-InoculateIT,
    | Ewido, Ikarus, Microsoft, Sophos, Symantec, TheHacker, and
    | UNA.
    |
    | The five that gave inexact alerts included Panda, CAT-QuickHeal,
    | Authentium, VBA32 and F-Prot.
    |
    | Art
    | http://home.epix.net/~artnpeg

    OK -- Thanx Art !
     
    David H. Lipman, Jun 21, 2006
    #5
  6. Leythos

    Guest

    Symantec Mail Security picked them out of emails and deleted them 7
    times today. I was starting to worry that Symantec was not detecting
    anything any more.
     
    Leythos, Jun 22, 2006
    #6
  7. From: "Leythos" <>

    |
    | Symantec Mail Security picked them out of emails and deleted them 7
    | times today. I was starting to worry that Symantec was not detecting
    | anything any more.
    |

    In "our environment" ZIP files aren't allowed so it is a moot point on our MAN.
     
    David H. Lipman, Jun 22, 2006
    #7
  8. Leythos

    Guest

    yea, I have one customer that requires Zips and we also permit them in
    our shops - but they can't be passworded and they are only permitted
    from certain customers.

    At the medical locations all Zip files are removed by the SMTP Proxy
    service of the firewall before they make it to SAV or the server.
     
    Leythos, Jun 22, 2006
    #8
  9. From: "Leythos" <>

    |>> Symantec Mail Security picked them out of emails and deleted them 7
    |>> times today. I was starting to worry that Symantec was not detecting
    |>> anything any more.
    |>>
    | yea, I have one customer that requires Zips and we also permit them in
    | our shops - but they can't be passworded and they are only permitted
    | from certain customers.
    |
    | At the medical locations all Zip files are removed by the SMTP Proxy
    | service of the firewall before they make it to SAV or the server.
    |

    For a while we were allowed to rename .ZIP files to .XXX to pass the filter. Now the
    content filters look at the binary content of the attachment and know that they are really
    ZIP files, so they are still blocked. :-(
     
    David H. Lipman, Jun 22, 2006
    #9
  10. Leythos

    Guest

    Yea, while the firewall doesn't catch renamed files, some of the better
    content inspectors do - GFI checks everything and doesn't trust the
    extension. SMS doesn't check a renamed Zip, but I have the firewall set
    to only allow specific approved attachment types.
     
    Leythos, Jun 22, 2006
    #10
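The two points made in the last few posts (renaming a .ZIP to .XXX gets past a filter that only trusts the extension but not one that inspects the bytes, and ZIP attachments are tolerable only when they are not password-protected) as an added example, not code from the thread or from any product named in it. The magic bytes, the encrypted-entry flag (bit 0 of the general-purpose flag) and the header layout come from the ZIP format specification; the file names, the extension blocklist, the stand-in EXE payload and the hand-built archives are constructed here, and the "encrypted" sample only sets the flag and does not contain real encryption.

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, List, Tuple

# Byte signatures that can begin a ZIP: local file header, empty archive, spanned archive.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# A typical extension blocklist (constructed for this example).
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".pif"}


def extension_only_check(filename: str) -> bool:
    """The weak filter: decides from the file name alone, so 'photos.xxx' sails through."""
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


def looks_like_zip(data: bytes) -> bool:
    """The content check: decides from the leading bytes and ignores the name entirely."""
    return data[:4] in ZIP_SIGNATURES


def zip_entries(data: bytes) -> List[Tuple[str, bool]]:
    """(member name, encrypted?) per entry; bit 0 of the general-purpose flag marks encryption."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]


def member_bytes(data: bytes, member: str) -> bytes:
    """Read one unencrypted member (shows the hand-built archive is a valid ZIP)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(member)


def attachment_verdict(data: bytes, allow_zip: bool = False, allow_encrypted: bool = False) -> str:
    """Policy from the thread: optionally allow ZIPs, never allow password-protected ones."""
    if not looks_like_zip(data):
        return "allow"
    if not allow_zip:
        return "block-zip"
    try:
        entries = zip_entries(data)
    except Exception:  # announces itself as a ZIP but will not parse: treat as hostile
        return "block-zip"
    if any(encrypted for _, encrypted in entries) and not allow_encrypted:
        return "block-encrypted-zip"
    return "allow"


def build_zip(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Hand-assemble a one-entry 'stored' ZIP; done by hand because zipfile cannot write the
    encrypted flag. The 12-byte ZipCrypto header is a zero placeholder, not real encryption."""
    flags = 0x1 if encrypted else 0x0
    body = (b"\x00" * 12 + payload) if encrypted else payload
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name = member.encode("ascii")
    dos_date = 0x21  # 1980-01-01 in DOS date format
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                        crc, len(body), len(payload), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, dos_date,
                          crc, len(body), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed samples: a stand-in EXE with an odd name shipped as .zip, the same archive
# renamed to .xxx, the renamed archive with the encrypted flag set, and a plain text body.
PAYLOAD = b"MZ" + b"\x90" * 30
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "zip_plain": ("photos.zip", build_zip("r3f8a_w0x9kq.exe", PAYLOAD)),
    "zip_renamed": ("photos.xxx", build_zip("r3f8a_w0x9kq.exe", PAYLOAD)),
    "zip_encrypted": ("photos.xxx", build_zip("r3f8a_w0x9kq.exe", PAYLOAD, encrypted=True)),
    "text": ("note.txt", b"48213\r\n"),
}


def run_samples(allow_zip: bool = True) -> Dict[str, Tuple[bool, str]]:
    """For each sample: (blocked by the extension-only filter?, content-based verdict)."""
    return {key: (extension_only_check(fname), attachment_verdict(data, allow_zip=allow_zip))
            for key, (fname, data) in SAMPLES.items()}


if __name__ == "__main__":
    for key, (by_ext, verdict) in run_samples().items():
        print(f"{key:14s} extension-filter-blocks={by_ext!s:5s} content-verdict={verdict}")
```

The extension-only filter blocks photos.zip and passes photos.xxx, while the content check treats both identically and additionally refuses the archive whose entry carries the encrypted flag. A parse failure on something that starts with the ZIP signature is blocked rather than passed, since a mangled archive that one client still opens is a classic filter bypass.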