Thanks!
"Bill" <ble...@mailblocks.com> wrote in message
news:qi7of0lir66g77202...@4ax.com...
> It's on their websites.
"Bill" <ble...@mailblocks.com> wrote in message
news:lt9of052r8ane540e...@4ax.com...
> On Mon, 19 Jul 2004 14:19:08 -0500, "Sara" <m...@privacy.net> wrote:
>
> >
> >Thanks, smartass....thought someone might have them handy. Have you ever
> >tried to find anything on symantec or mcafee's web sites?
>
>
> Yes.
Looks like another variety of Bagle. Sophos know about it:
http://www.sophos.com/virusinfo/analyses/w32bagleag.html
Probably what KAV calls I-Worm.Bagle.ai
I just now received one and KAV alerted.
The file name of my sample is Garry.scr
Here's KAV's splash on it:
http://www.viruslist.com/eng/alert.html?id=1887620
I see someone has already posted submission addresses. McAfee and
F-Prot didn't alert. As I post this, I suspect many scanners won't yet
alert. Be careful!
>There is a new virus my mail server is receiving today that is going right
>through Mcafee
McAfee with today's Beta dats alerts as W32/Bagle.ai@mm
>Here's KAV's splash on it:
>
>http://www.viruslist.com/eng/alert.html?id=1887620
>
>I see someone has already posted submission addresses. McAfee and
>F-Prot didn't alert.
F-Prot now alerts as W32/Bagle.AI@mm
He told you where to look, what else do you need?
Michael Cecil wrote:
> On Mon, 19 Jul 2004 14:12:10 -0500, "Sara" <m...@privacy.net> wrote:
>
>
> AVAST! <sup...@asw.cz>
> BitDefender <virus_su...@bitdefender.com>
> Command Software <vi...@commandcom.com>
> Computer Associates (US) <vi...@ca.com>
> Computer Associates (Vet/EZ) <ipev...@vet.com.au>
> DialogueScience (Dr. Web) <Ant...@dials.ru>
> Eset (NOD32) <sam...@nod32.com>
> F-Secure Corp. <sam...@f-secure.com>
> Frisk Software (F-PROT) <viru...@f-prot.com>
> Grisoft (AVG) <vi...@grisoft.cz>
> H+BEDV (AntiVir): <vi...@antivir.de>
> Kaspersky Labs <newv...@kaspersky.com>
> Network Associates (McAfee) <virus_r...@nai.com>
> For faster response, try our WebImmune service at this link:
> http://www.webimmune.net Submitting to WebImmune can also be very helpful if
> you are having a problem submitting a file in a password-protected ZIP file,
> especially if gateway AV software is stripping your file-sample.
> For sample-related issues:
> UK : Vsa...@nai.com
> USA: Virus_R...@nai.com
> Europe: Virus_Rese...@nai.com
> Germany: Virus_Re...@nai.com
> France: Virus_Re...@nai.com
> Norman (NVC) <anal...@norman.no>
> Panda Software <vi...@pandasoftware.com>
> RAV <sup...@ravantivirus.com>
> Sophos Plc. <sup...@sophos.com>
> Symantec (Norton) <avsu...@symantec.com>
> Trend Micro (PC-cillin) <virus_...@trendmicro.com>
>
> For faster response, try our WebImmune service at this link:
>http://www.webimmune.net Submitting to WebImmune can also be very helpful if
>you are having a problem submitting a file in a password-protected ZIP file,
>especially if gateway AV software is stripping your file-sample.
I find that using archive compression other than zip gets through.
I've been using TAR. Of course, some vendor's virus submissions might
not be up to speed on this.
>I find that using archive compression other than zip gets through.
>I've been using TAR. Of course, some vendor's virus submissions might
>not be up to speed on this.
tar isn't a compressor, it's an archiver. tar archives are often
subsequently compressed though.
Jim.
That's good to know in case I need an alternative.
I'll have to do some study on runtime packers as your response to
another of my postings brought out this issue which is new to me. NOD32
does have a checkbox to activate scanning of runtime packers in an "on
demand" scan. I just tried it today - works great.
Netuser 58
>
>
> Art
> http://www.epix.net/~artnpeg
>>> For faster response, try our WebImmune service at this link:
>>>http://www.webimmune.net Submitting to WebImmune can also be very helpful if
>>>you are having a problem submitting a file in a password-protected ZIP file,
>>>especially if gateway AV software is stripping your file-sample.
>>
>>
>> I find that using archive compression other than zip gets through.
>> I've been using TAR. Of course, some vendor's virus submissions might
>> not be up to speed on this.
>
> That's good to know in case I need an alternative.
RAR and other archivers-compressors will serve as well. It's a matter
of avoiding ZIPs and pw protected ZIPs. Some gateway scanners seem to
be clobbering them. In my case, it's a problem getting ZIPs through
from the Eastern U.S.A. to Europe. Also, some ISPs are zapping them.
> I'll have to do some study on runtime packers as your response to
>another of my postings brought out this issue which is new to me. NOD32
>does have a checkbox to activate scanning of runtime packers in an "on
>demand" scan. I just tried it today - works great.
How "great" any av product is with runtime packers is a matter of
comparative testing.
Back around 1999, I tested some scanners using just a garden variety
PkLite ... an older free version. Sophos Sweep failed to handle the
packer. A virus it detected unpacked was not detected when packed.
When I contacted them, they "red facedly" admitted their problem and
fixed it.
Can you imagine the work involved if one were to get into testing av
unpacking capabilities? There are _many_ packers, and each one has
various versions. I suspect vxers are creating new and unusual runtime
packers as time goes on. It's mind boggling, actually. And they will
multiply pack and use more than one packer to further defeat scanners.
Also, the jury is out on whether or not the use of realtime scanning
makes any difference or significant difference with this problem.
What actually happens with most vendors, I think, is the usual
reactive "We'll handle it when it happens". So quite often, xyz av
product has detection for abc malware until abc is packed in an unusual
way.
> RAR and other archivers-compressors will serve as well.
One can download "Winrar" for a free 40 day trial.
http://www.download.com/3000-2250-10007677.html
or http://www.5star-shareware.com/Utilities/CompressionUtilities/winrar.html
To be on the safe side password the rar file but make sure it is rar'ed and
not zipped as Winrar can zip the file as well.
> <nu...@zilch.com> wrote in message
>
>
> > RAR and other archivers-compressors will serve as well.
>
> One can download "Winrar" for a free 40 day trial.
> http://www.download.com/3000-2250-10007677.html
> or http://www.5star-shareware.com/Utilities/CompressionUtilities/winrar.html
> To be on the safe side password the rar file but make sure it is rar'ed and
> not zipped as Winrar can zip the file as well.
[snip]
What about using LOCK.COM/UNLOCK.COM from PC Magazine's old free
utilities? Google for LOCK and UNLOCK and V4N18.ZIP (which contains the
programs and source code, 5107 bytes total, unzips to 12770 bytes in 4
files).
You should be able to include the UNLOCK part as an attachment that
accompanies the possible wormy sample file (renamed with instructions for
naming back if your system blocks *.COM files) and instructions for using
it and the password (decryption key) to use for decrypting the possible
worm sample. (Two disadvantages: 1. Requires an MS/PC-DOS machine or
MS-DOS emulator and 2. Can't handle long file names.)
--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af...@chebucto.ns.ca [=||=] (A Speech Friendly Site)
"One suspects that by now even *Nigerians* have Nigeria blacklisted ;)."
-- Jim Seymour on 419 scams, news.admin.net-abuse.email, Tue, Nov 19, 2002