Netsky.P worms making it in SC email inbox

Something appears to be wrong with SpamCop's virus filters since the outages the other day, because in the last 24 hours, I've received three Netsky.P (aka W32.Netsky.P[at]mm) worms in one of my SC email addresses (it's actually a "cesmail.net" address, same thing). This worm is not very new...it first appeared back in March, and when I tried to POP any of the messages, my NortonAV jumps into action and deletes them.

I guess I'll send a message to support, but thought that others might want to know that the virus protection seems not to be fully functional.

(and the Subject line on this should have read "...making it into SC...")

dt


To repeat what Wazoo has said many times before, the virus filters that are used by SpamCop and by everyone else in the world are reactionary. New viruses are being created every day with the number one purpose of finding ways to get around virus scanners. SpamCop tries hard to keep the filters as current as possible, but they will never be able to filter out the most recent variants. Something you could do as a test would be to forward one of the virus messages that is a few days old to yourself and see if it gets delivered or deleted. You may want to wait before doing this to see if anybody else knows why this may not be safe to do. That would be a way of testing the system.

If your virus program has identified the virus, please post the virus name and creation date and the virus program you are using. It may help to identify something that needs fixing.

Also note, if I am correct the virus filtering occurs when the message is first received / rejected by SpamCop, so the message may be much "newer" than you think, since the date used must be the date received by SpamCop, not when you received it.

Also double check your whitelist, if the message source is listed there it might be causing a different processing method.

The help that we can provide is in direct proportion to the information that you provide. No information - no help; lots of information - you get the point.

But to answer your other question, I can't remember the last time I got a virus-infested message, so it seems to still be working for me.

Also, please refer to the first post in this thread. The system crash may have created other hidden problems that will have to be worked out. So again, more information please.


Yes, I'm also experiencing the same problem. Since yesterday, I've been receiving hundreds of virus emails from my SpamCop account. What's the problem?

I thought something's wrong with my SpamCop settings but when I checked everything's correct. In my search for help, I found this forum and am glad that I'm not alone.

Do you know how to email SpamCop Support? They don't seem to list their email anywhere on the web site? I'd like to forward a sample of these viruses there.


support e-mail addresses are all over the place .. but this isn't one of those items that JT needs ... If you're going to forward your virus anywhere, you'd want to send it to the anti-virus folks ... pick your company

scumsucker somewhere pulls together some nasty code

scumsucker plants it somewhere, say as an attachment to a post in a porn newsgroup

idiot newbie hits that newsgroup, clicking on everything, wanting to get it all

idiot newbie's computer is infected, starts kicking out e-mail

more idiot newbies receive e-mail, click on the attachment to see what the first idiot sent

another infected computer starts sending out e-mail

eventually, e-mail received by someone clued, or someone clued also hit the newsgroup, submitted virus to anti-spam folks

anti-spam folks analyze it, give it a name, figure out how to recognise it, maybe defang it, maybe erase its effects on infected systems

anti-spam folks then add this data into their database of nasty stuff

anti-spam folks then make this new database available

end users (hopefully) eventually get around to checking for a new database, download and install it

end-user now "protected" against that virus

in the mean time, some scumsucker has pulled together some code ............

So basically, the premise is that there is a new variant of an alleged "old" virus out there, and you are now waiting for the analysis to be done, database to be updated, that updated database to be made available, which will then be picked up and installed by the anti-virus application running on the SpamCop server


..making it in(to) SC...

...and I thought worms were hermaphrodite. Anyways... I have experienced an increase in viruses/MIME exploits, trojans and worms myself. Thankfully most of them get defanged on the original server before forwarding to SC.

Unfortunately these bozos are determined to find ways to defeat any protection, including spoofing trusted ISPs in the header and the like. All you can do is keep your virus definitions up to date and don't rely on a single virus protection software. I have had a good experience with Bitdefender (check here!), it is free and so far it has detected things Norton AV has missed, including damaged NAV files which make NAV virtually inoperable and I presume are carried by certain viruses... After a thorough check you may have to reinstall NAV, and that's a bummer unless you first download the uninstall patches..

After having my computer hacked into and destroyed early this month I had to reinstall NAV several times...I still can't get rid of some NAV damaged files..


Wazoo. thanks for the quick reply.

Sorry, but I don't see any email address of SpamCop on the web site. Is it support[at]spamcop.net? I've been using SpamCop since last year and never needed to contact support till now.

What antivirus application does SpamCop use? ClamAV or Dr. Web, maybe?

dra007, I've found my NAV2004 to be a great antivirus, but it also needs a good firewall software along (I use ZoneAlarm Pro). Without a good firewall, your computer is highly vulnerable. That Windows XP built-in firewall is a joke :D


/snip

dra007, I've found my NAV2004 to be a great antivirus, but it also needs a good firewall software along (I use ZoneAlarm Pro). Without a good firewall, your computer is highly vulnerable. That Windows XP built-in firewall is a joke :D


Tell me about it, I am still working on configuring mine; the damn thing gives me a trojan warning every time a program tries to get on the net, still haven't figured that one out...


What firewall are you using? :D

I highly recommend ZoneAlarm Pro. It's very easy to configure (semi automatic I must say) and it doesn't take too long to configure. I used Kerio before and when I switched to ZoneAlarm Pro, I found it to be much better and easier to use.

Just configure the programs which you allow to access the Internet and if you find some warnings about weird IPs trying to access your system, just deny those (ZoneAlarm Pro will usually auto-block them though).


Since apparently my question got missed in all my other verbiage (I should have colored it red), I am going to repost it by itself:

Something you could do as a test would be to forward one of the virus messages that is a few days old to your self and see if it gets delivered or deleted.

Is there any reason that I do not know about that would make this a bad idea?


To repeat what Wazoo has said many times before, the virus filters that are used by SpamCop and by everyone else in the world are reactionary. New viruses are being created every day with the number one purpose of finding ways to get around virus scanners. SpamCop tries hard to keep the filters as current as possible, but they will never be able to filter out the most recent variants.

But these messages are all infected with a Netsky worm that made its first appearance in March, as I explained when I started this discussion. I realize that "dbiel" was answering "efindoutthetruth," but this is MY thread, and my original observation/question is getting a bit sidetracked... the SC AV filters appear to have broken during the outages.

If your virus program has identified the virus, please post the virus name and creation date and the virus program you are using. It may help to identify something that needs fixing.

Uh...I *did* that, in my original message, so "efindoutthetruth" didn't really need to provide further information...there's clearly a problem!

Also double check your whitelist, if the message source is listed there it might be causing a different processing method.

No, that's not how things work...the virus protection is applied before any whitelisting...I contend that since the big SC server outages on Friday, that the AV protection is simply broken.

I emailed the Support address yesterday but have not heard back, and have received multiple new infected messages today. Ellen, "Admin" -- anyone "official" out there???

dt


Also double check your whitelist, if the message source is listed there it might be causing a different processing method.
No, that's not how things work...the virus protection is applied before any whitelisting...I contend that since the big SC server outages on Friday, that the AV protection is simply broken.
I realize that, but since, as you claim, there is something broken, how can you be so certain that it is how it is working right now? The more information that is provided, the easier it is to find and fix the problem.

If your virus program has identified the virus, please post the virus name and creation date and the virus program you are using. It may help to identify something that needs fixing.
Uh...I *did* that, in my original message, so "efindoutthetruth" didn't really need to provide further information...there's clearly a problem!

Not really
I've received three Netsky.P (aka W32.Netsky.P[at]mm)
Is Netsky.P a new variant of W32.Netsky.P[at]mm?

I could not find any listing of "Netsky.P"; see the following quote from Symantec:

As of March 22, 2004, due to an increase in submission rate, Symantec Security Response has upgraded W32.Netsky.P[at]mm (also known as W32.Netsky.Q[at]mm) to a Category 3 level threat from a Category 2 threat.
Cut and paste the exact response from your virus scanner.

Finally, you only listed one virus (it is a moot point as to how many copies of it you got). If it were really broken, I would have expected you to be seeing all kinds of different viruses


Is Netsky.P a new variant of W32.Netsky.P[at]mm?

I could not find any listing of "Netsky.P"; see the following quote from Symantec:

They're one and the same. Those of us who use NortonAV get in the habit of referring to viruses only using Symantec's subjective names, but the other competing AV sources use different names. Here are the ones for this worm:

W32.Netsky.Q[at]mm [Symantec], W32/Netsky.p[at]MM [McAfee], Win32.Netsky.P [Computer Associates], NetSky.P [F-Secure], W32/Netsky.P.worm [Panda], W32/Netsky-P [Sophos], WORM_NETSKY.P [Trend]

This unanimity of naming on this one is rare, in that they're all designating this variant with the letter "P"; for most recent worms, they all use different letters... "alphabet soup." So, if you go back and look at the beginning of this thread, you'll see that I used the most generic name for it (the one from F-Secure), but I also gave the proper Symantec name, in that I wrote that I'm using Norton. In any case, this is an old worm that surely shouldn't be getting through SC's AV filters.

Cut and paste the exact response from your virus scanner.

OK, here you go:

"The email attachment document.txt .exe within data.zip is infected with the W32.Netsky.P[at]mm virus."

Finally, you only listed one virus (it is a mute point as to how many copies of it you got).

(a "mute point" is one that can't speak...a "moot point" is one that's of no consequence)

If it were really broken, I would have expected you to be seeing all kinds of different viruses

It's hard to say what else would be coming through. The address actually receiving the worms (that then get forwarded to this particular SC email account) isn't very "public" and so before we started using SC to filter it, we didn't receive many worms. But this is the best point you've made, and yes, if the AV function were totally kaput, then all kinds of worms would be getting through to SC email customers, so it might only be partially nonfunctional.

dt

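Two technical points in the posts above deserve a concrete illustration: dbiel's suggestion of testing whether the gateway still scans attachments by mailing yourself a known sample, and dt's Norton verdict on "document.txt .exe within data.zip", which is the classic Netsky trick of an executable inside a zip with a whitespace-padded double extension. The following Python is an added example, not SpamCop's, Symantec's or any poster's code. It builds a constructed test message using the public EICAR test string (the safe way to probe a mail filter, instead of forwarding a live worm), then runs it through a toy gateway check that opens zip attachments one level deep and flags the filename tricks and the test signature. The filename heuristics and all names are assumptions for illustration, not any vendor's rules.

```python
"""Constructed mail-filter probe: EICAR inside a Netsky-style zip attachment.

Added example (not SpamCop's or Symantec's code). Standard library only.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Public EICAR test string: inert, and flagged by every mainstream scanner,
# so it is the safe payload for checking whether a filter is still active.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed list of extensions Windows will execute on double-click.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def filename_reasons(name):
    """Return reasons a filename looks like a Netsky-style disguise (assumed heuristics)."""
    reasons = []
    m = re.match(r"^(.*?)(\s*)\.([A-Za-z0-9]+)$", name.rstrip())
    if not m:
        return reasons
    stem, pad, ext = m.group(1), m.group(2), m.group(3).lower()
    if ext in EXEC_EXT:
        reasons.append("executable extension ." + ext)
    if len(pad) >= 2:
        # "document.txt        .exe": spaces push the real extension out of view.
        reasons.append("whitespace padding hides true extension")
    if re.search(r"\.[A-Za-z0-9]{1,4}$", stem.rstrip()):
        reasons.append("double extension")
    return reasons


def _expand(name, data):
    """Yield (container, member_name, bytes); zip archives are opened one level deep."""
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield name, member, zf.read(member)
    else:
        yield None, name, data


def scan_message(raw):
    """Walk every attachment of an RFC 822 message and return a list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        for container, member, blob in _expand(name, data):
            reasons = filename_reasons(member)
            if blob.startswith(EICAR.encode()):
                reasons.append("EICAR test signature")
            if reasons:
                findings.append({"container": container, "name": member, "reasons": reasons})
    return findings


def build_sample_message():
    """Constructed sample: the attachment shape from the Norton log, with EICAR as payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".exe", EICAR)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed addresses
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "filter test"
    msg.set_content("Does the gateway still scan attachments?")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="data.zip")
    msg.add_attachment("meeting at noon\n", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f["container"], "->", repr(f["name"]), ":", ", ".join(f["reasons"]))
```

To use it as a probe, write `build_sample_message()` to a file and hand it to your MTA (for example `sendmail -t < probe.eml`); if the message arrives with `data.zip` intact, the inbound scanner did not look inside the archive. The EICAR check here is a deliberate simplification of a real scanner's signature match; the filename heuristics are the part worth keeping even after signatures catch up with a new variant.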

Here are some of the virus messages from SpamCop that got detected by my Norton AntiVirus 2004:

Norton AntiVirus removed the attachment: msg.htm.zlq.

The W32.Netsky.B[at]mm threat was detected in the attachment.

Norton AntiVirus removed the attachment: document_4351.zlo.

The W32.Netsky.D[at]mm threat was detected in the attachment.

Norton AntiVirus removed the attachment: message_part2.zlo.

The W32.Netsky.K[at]mm threat was detected in the attachment.

The anti-virus filtering in SpamCop seems broken. Could you please fix this out as soon as possible? Thanks!


I guess that I will add one to the list as well

++++++++++++++++++++++++++++++++++++++

VIRUS BLOCKER MESSAGE STATUS

++++++++++++++++++++++++++++++++++++++

+ Virus successfully cleaned out of attachment(s):

No attachments are in this category.

+ Attachment(s) deleted due to virus:

1. Security File.exe: Backdoor.Beasty.I

+++++++++++++++++++

Powered by Symantec

+++++++++++++++++++


(a "mute point" is one that can't speak...a "moot point" is one that's of no consequence)

Well! That sent this Englishman scurrying to his dictionary. On this side of the pond 'moot' means arguable or debatable. Tolkien used it in its original sense when Treebeard called the Entmoot. A US online dictionary says transpondians have been using it (incorrectly) to mean 'of no importance' since the mid C19th.

Ah well, back to spam-fighting ;)


On this side of the pond 'moot' means arguable or debatable.

When looked up at

http://dictionary.reference.com/search?q=moot

your definition is indeed listed as number 1 in the word's adjective form. However, when used as an adjective in US English, it's commonly meant as the "2. b." adjective definition, " Of no practical importance; irrelevant" which seems to have been the usage here.

Tolkien used it in its original sense when Treebeard called the Entmoot.

Ah, but that's a noun usage (definition #2), " An ancient English meeting, especially a representative meeting of the freemen of a shire."

A US online dictionary says transpondians have been using it (incorrectly) to mean 'of no importance' since the mid C19th.

Yes, our English is certainly a bit different than the Queen's. :D

dt


"2. b." adjective definition, " Of no practical importance; irrelevant" which seems to have been the usage here.

Yes, I tried bartleby.com, which says the (US) experts consider it acceptable by a majority of 6:4. I have to say that it came as a complete shock to me, though. Neither Oxford nor Chambers has this usage in the UK editions on my shelf!

Ah, but that's a noun usage (definition #2), " An ancient English meeting, especially a representative meeting of the freemen of a shire."

I think I'm right in saying that 'meet' came from the same root. The adjective almost derives from the noun. A moot point was an agenda point, something to be discussed at the moot(ing!)

Perhaps we'd better get this back on topic? :D


Perhaps we'd better get this back on topic?  :D

Actually, this topic is stalled, awaiting an official SC support response. The phenomenon I reported (wormy emails making it past SC AV protection) has also been reported over in the old Usenet group for SC email, so it is happening to multiple people, and all since the "Friday the 13th" SC email server crashes.

dt


unhappy thoughts and I'm sure many apologies are included .. but this just in from JT;

During the email emergency a couple days ago, I re-arranged how the incoming mail was queued up. Unfortunately, the AV inadvertently got de-activated. It's back up and running now.

Jeff


Finally, an answer that makes sense... the moot is mute... Reminds me of the time I was visiting across the pond, having to explain on more than one occasion the meaning of words, and facing nothing but total disbelief!! Funny how languages evolve sometimes!


unhappy thoughts and I'm sure many apologies are included .. but this just in from JT;

Well...I wrote to the "support" address on Saturday and I haven't been graced with a response. I'm sure I was one of the first to report this problem, so this rather indirect admission that I was entirely correct in my analysis of the situation is welcome, but...

dt


Archived

This topic is now archived and is closed to further replies.