[unisog] Zero-day viruses

Paul FM paulfm at me.umn.edu
Fri Sep 12 13:28:50 GMT 2008


Please submit your signature to clamav so they can offer it as an optional 
add on (we use clamav and also block files with executable extensions, but it 
would be nice to block executables no matter what the extension).


Andrew Daviel wrote:
> 
> Is everyone getting them, or is it just us?
> 
> The last few weeks, we have noticed an increase in email viruses getting past 
> our filters. There are multiple versions of what Kaspersky AVP
> identifies as Trojan-Spy.Win32.Zbot and Worm.Win32.AutoRun, with suffixes 
> running into 3 characters, which have a burst of a day or so, then die off 
> just as they make it into the pattern databases. We've had a few infections 
> getting past ClamAV and AVP on the mailserver, then past Symantec on desktops. 
> Typical subject lines:
>    Fedex Tracking N*0612214734
>    Western Union MTCN #5754647577
>    E-ticket #4226265971
>    Payment confirmation #6007128885904141404
>    Statement of fees 2008/09
> (some of these are caught by SpamAssassin as spam, but not all)
> 
> So a few days ago I decided I'd had enough, and wrote a signature to 
> match any Windows portable EXE file for ClamAV (turns out to be quite 
> easy), which leverages ClamAV's ability to examine all sorts of encoding, 
> archives and mail attachments cf. e.g. MIMEDefang. Hopefully this will 
> stem the tide somewhat - looks good so far. If anyone wants to mail a 
> legit executable, they'll have to encrypt it (as does one of our local 
> phone companies, with e-bills).
> 
> We had at least one incident of a PC rebooting when opening one of these 
> as a nonprivileged user. Not clear yet if anything nasty survived the 
> reboot; in principle it could write into the user's personal startup or 
> registry keys, even if it can't write into system files or keys.
> 
> (ClamAV is an open-source antivirus for Linux and Windows; 
> www.clamav.net. We run it with a sendmail milter to reject mail without 
> sending a DSN message).
> 

-- 
Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
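As an added example (not code from the thread, from ClamAV or from either poster), here is the same extension-independent test Andrew describes, written in Python: it validates the DOS header and the PE signature of each decoded MIME attachment instead of trusting the filename, and runs it over a constructed message that borrows one of the quoted subject lines. The function names, addresses and the 88-byte PE-shaped buffer are all assumptions made for the demo.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

PE_SIGNATURE = b"PE\x00\x00"
COFF_HEADER_LEN = 20  # bytes that follow the PE signature in every PE image

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature (extension ignored)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Reject offsets that would run past the buffer (truncated or crafted headers).
    if e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE

def find_pe_attachments(raw_message: bytes) -> list:
    """Return the filename of every MIME part whose decoded payload is a PE image."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload and is_pe_image(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

# Constructed sample: an 88-byte buffer laid out like a PE header, not a real program.
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + PE_SIGNATURE + bytes(COFF_HEADER_LEN)

def build_sample_message() -> bytes:
    """Constructed lure in the style quoted in the thread; the PE is renamed to look like a PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Fedex Tracking N*0612214734"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.edu"
    msg.set_content("See attached tracking details.")
    msg.add_attachment(FAKE_PE, maintype="application", subtype="octet-stream",
                       filename="tracking.pdf")
    msg.add_attachment("just text", filename="notes.txt")
    return bytes(msg)

if __name__ == "__main__":
    print(find_pe_attachments(build_sample_message()))  # ['tracking.pdf']
```

ClamAV's own .ndb signature format carries a target-type field (1 = PE) that limits a match to files its parsers have already recognised as PE images, which is the mechanism a signature like Andrew's relies on.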