
Win32/Bagle.gen.zip worm not identified by Spamcop



An email with the Win32/Bagle.gen.zip worm (the virus with an attached zip that tells you the password to open it, you know) was kept in Heldmail but not blocked as a virus.

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6
X-spam-Level: 
X-spam-Status: hits=0.6 tests=FROM_HAS_MIXED_NUMS,NO_REAL_NAME version=2.63
X-SpamCop-Checked: 192.168.1.101 212.187.118.241 
X-SpamCop-Disposition: Blocked sbl.spamhaus.org

Then, I let it pass through (Forward and NOT whitelist) as a test, and popped it on my system, and the infected email was automatically identified as such by NOD32 / IMON :)


Well, as I posted over in one of the "SpamCop does not send virus" Topics, there hasn't been an update posted that the virus scanning tools have had their engines updated for this last batch of crud ... and in yet another thread, there's mention of the mutations that these have been making, sometimes 3 or 4 major shifts a day. I can only point out that anti-virus tools are reactionary, offering protection only after the virus has been identified and catalogued, so there is that time lag between the appearance and the tools for identification and removal ... (yes, I know I'm talking general case here) .. but should also note that the code running on an e-mail server isn't quite the same as something run on an individual system, so there's also this that has to be added into the time lag ..

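The pattern the two posts above describe (an encrypted zip attached to a mail whose body supplies the password) is something a gateway can flag structurally while the signature engines catch up. This is an added example, not code from the thread or from SpamCop: it builds a constructed sample message with the Python standard library, reads the encryption bit in the ZIP local file header and looks for a password hint in the body; the sample archive only has its header flag set, nothing in it is actually encrypted.

```python
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP local file header has general-purpose bit 0 (encrypted) set.
    Scans headers directly so a truncated or padded archive is still examined."""
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False


def suspicious_zip_mail(raw: bytes) -> bool:
    """Flag a message that carries an encrypted ZIP and mentions a password in its body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        looks_like_zip = name.endswith(".zip") or payload.startswith(b"PK")
        if looks_like_zip and zip_is_encrypted(payload) and PASSWORD_HINT.search(body):
            return True
    return False


def build_sample(encrypted: bool, body: str) -> bytes:
    """Constructed test message: a small ZIP attachment plus the given body text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.exe", b"constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01  # only marks the entry as encrypted
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content(body)
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```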


I've been told by our AV vendor that they were not blocking that virus originally, but that they are now. They had to do a major update to be able to handle it, I think. Anyway, as of a couple days ago, we should be blocking those.

JT

