Print Page | Close Window

Blackmal virus

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5452
Printed Date: 27 December 2024 at 11:43am


Topic: Blackmal virus
Posted By: Guests
Subject: Blackmal virus
Date Posted: 19 January 2006 at 4:08am

Did the new Blackmal (Small.KI) hit you? How could SF help to keep it out?  I filter executables but there ones seem to be into a MIME attachment SF does not consider

http://www.norman.com/Virus/Virus_descriptions/28031/it?show=default - http://www.norman.com/Virus/Virus_descriptions/28031/it?show =default

http://vil.nai.com/vil/content/v_138027.htm - http://vil.nai.com/vil/content/v_138027.htm




Replies:
Posted By: Desperado
Date Posted: 19 January 2006 at 8:44am

Clutcher,

Exactly what are you asking?  Parsing 2 days of my SpamFilter Logs show that SpamFilter DID block the virus.

 Virus Messages  Bytes
1 mailto:Bagle.AH@mm - Bagle.AH@mm 12 1.2 %   0 b
2 mailto:Mimail.J@mm - Mimail.J@mm 4 0.4 %   0 b
3 mailto:MyDoom.AQ@mm - MyDoom.AQ@mm 1 0.1 %   0 b
4 mailto:MyDoom.I@mm - MyDoom.I@mm 5 0.5 %   0 b
5 Mytob.A 4 0.4 %   0 b
6 Mytob.I 184 18.4 %   0 b
7 mailto:Netsky.C@mm - Netsky.C@mm 2 0.2 %   0 b
8 mailto:Netsky.D@mm - Netsky.D@mm 27 2.7 %   0 b
9 mailto:Netsky.F@mm - Netsky.F@mm 1 0.1 %   0 b
10 mailto:Netsky.N@mm - Netsky.N@mm 1 0.1 %   0 b
11 mailto:Netsky.P@mm - Netsky.P@mm 195 19.5 %   0 b
12 mailto:Netsky.Q@mm - Netsky.Q@mm 14 1.4 %   0 b
13 mailto:Netsky.X@mm - Netsky.X@mm 1 0.1 %   0 b
14 mailto:Netsky.Z@mm - Netsky.Z@mm 23 2.3 %   0 b
15 Text/Small.KI 41 4.1 %   0 b
16 mailto:Text/Small.KI@mm - Text/Small.KI@mm 78 7.8 %   0 b
17 VB.IG 7 0.7 %   0 b
18 VB.IH 4 0.4 %   0 b
19 mailto:W32/Bagle.BO@mm - W32/Bagle.BO@mm 4 0.4 %   0 b
20 W32/Mytob.AA 14 1.4 %   0 b
21 W32/Mytob.AI 3 0.3 %   0 b
22 W32/Mytob.AJ 19 1.9 %   0 b
23 W32/Mytob.AK 2 0.2 %   0 b
24 W32/Mytob.AN 16 1.6 %   0 b
25 W32/Mytob.AP 9 0.9 %   0 b
26 W32/Mytob.DJ 6 0.6 %   0 b
27 W32/Mytob.ER 2 0.2 %   0 b
28 W32/Mytob.FG 2 0.2 %   0 b
29 W32/Mytob.GC 5 0.5 %   0 b
30 W32/Mytob.HC 5 0.5 %   0 b
31 W32/Mytob.KU 60 6.0 %   0 b
32 W32/Mytob.NA 4 0.4 %   0 b
33 W32/Mytob.OM 2 0.2 %   0 b
34 mailto:W32/Mytob.QE@mm - W32/Mytob.QE@mm 10 1.0 %   0 b
35 mailto:W32/Mytob.RD@mm - W32/Mytob.RD@mm 10 1.0 %   0 b
36 W32/Mytob.TO 17 1.7 %   0 b
37 mailto:W32/Mytob.TT@mm - W32/Mytob.TT@mm 4 0.4 %   0 b
38 W32/Mytob.V 7 0.7 %   0 b
39 W32/Mytob.Z 98 9.8 %   0 b
40 W32/SDBot.XGC 67 6.7 %   0 b
41 W32/Small.KI 28 2.8 %   0 b
42 mailto:Zafi.B@mm - Zafi.B@mm 1 0.1 %   0 b
  Total 999 100 %   0 b

NOTE:  Sorry about the formatting ... the tables did not translate correctly.  das



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: LogSat
Date Posted: 19 January 2006 at 10:36pm
Clutcher,

Are you using the anti-virus plugin? If not, please note that the attachment filter in SpamFilter can be fooled by some viruses. SpamFilter by itself can help to block a large number of viruses using its filters, but some will always slip thru. That is why antivirus software is really needed to ensure better protection.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Guests
Date Posted: 20 January 2006 at 3:02am

Yes, I'm using antivirus plugin that on 18th started detecting  Text/Small.KI but on 17th several .hqx attachments passed Norman and SF Inside those encoded attachment there where .scr or .pif executables.

(Just for the record, NAV on Domino started blocking them form the very start)

I'm really thinking about asking for and implementing a white list for attachments.



Posted By: LogSat
Date Posted: 20 January 2006 at 4:10pm
Unfortunately if there is no pattern yet for a virus the plugin won't be able to stop it. Sometimes one company releases signatures before others, and sometimes it's the others who release them first. There will never be a winner...

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window