Spam Filter ISP Support Forum


Virus slipping through the net - BrepiBot

lyndonje (Senior Member)
Joined: 31 January 2006
Location: United Kingdom
Posted: 01 February 2006 at 6:39am

Hi,

We've had a few emails come through containing viruses. The local McAfee AV client detects the virus as W32/Brepibot.gen, but the Norman AV running on SpamFilter isn't blocking it.

In the meantime I've tried to block the attachment names using regexes, but I'm having a few problems. I've blocked on Attachment based on the string "article.*.zip", and if I run the RegEx test on "article_February_2455.zip" it reports "Found!". However, when I email the virus with this attachment name through to my address, SpamFilter doesn't block the attachment.

Any suggestions?

LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 01 February 2006 at 7:58am
Could you please forward us (at support at logsat dot com) one of the emails that slipped through? In case our own SpamFilter blocks it, can you please also send us a copy of the email's source in a zipped file? Please password-protect the file so that the A/V won't be able to scan it and it will be delivered.

We'd also need a copy of the attachment blacklist file so we can see your settings and reproduce them.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 01 February 2006 at 8:06am

lyndonje,

I believe W32/Brepibot.gen is actually a Trojan and as such, at least, doesn't "self replicate". I am not sure what aliases this is listed under, so I have limited information on this one. I have a contact at Norman that I can check with, but is the actual attachment by that name, or are you trying to filter based on the header information? Also, I thought this was an IRC or P2P Trojan rather than email, so my info must be limited. Any additional info from you will help me report this to Norman.

I did find this on NAI's site:

Update January 30, 2006 --
There were several mass-spammings of new Brepibot variants recently

So perhaps the next Norman update will include the new variant just reported in the last 24 hours.

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

lyndonje (Senior Member)
Posted: 03 February 2006 at 9:13am
Having difficulty even with local AV disabled; I don't think it's disabling fully and it won't let me zip it. I'll keep trying though, but I'm really busy. Just thought I'd let you know I hadn't forgotten!
LogSat (Admin Group)
Posted: 03 February 2006 at 3:24pm
lyndonje,

We received your sample this morning, and "luckily" it was stopped by our own SpamFilter as the W32/Breplibot.X virus it contained was found. It is possible that, as the virus was just released, the Norman antivirus plugin did not have the virus signatures to detect it yet at that moment.

In regard to the attachment blocking, the regular expression:
article.*.zip
you used will work. We did not receive your attachment blacklist file, so we are unable to verify your settings. Can you make sure, as you are using it as a RegEx, that you are enclosing it in parentheses:

(article.*.zip)

when adding it to the blacklist? Also please note that a standard wildcard in the form:

*article*.zip

should also work in that blacklist to stop these attachments.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
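The parenthesis-versus-wildcard distinction in the reply above is worth seeing in working code. The following is an added Python example, not code from the original thread or from SpamFilter ISP. It assumes a blacklist format inferred from the post (an entry wrapped in parentheses is a regular expression, anything else is a wildcard); that convention is an assumption for the example, not a verified description of the product's file format. It also shows why `article.*.zip` is looser than it looks: the unescaped dot before `zip` lets the pattern match attachment names that are not `.zip` files at all, so a practitioner would escape it.

```python
import re
from fnmatch import translate

# Constructed sample blacklist for this example. The convention that a line
# wrapped in parentheses is a regex and anything else is a wildcard is
# inferred from the forum reply above; it is an assumption, not SpamFilter's
# documented file format. Note the escaped dot in the regex entry.
BLACKLIST = r"""
(article.*\.zip)
*article*.zip
*.exe
"""


def compile_blacklist(text):
    """Turn blacklist lines into (rule_text, matcher) pairs.

    Regex rules are searched anywhere in the attachment name (unanchored, as
    most mail filters do); wildcard rules are translated with fnmatch and must
    match the whole name. Both are case-insensitive, since attackers vary the
    case of file names freely.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(") and line.endswith(")"):
            pattern = re.compile(line, re.IGNORECASE)
            rules.append((line, pattern.search))
        else:
            pattern = re.compile(translate(line), re.IGNORECASE)
            rules.append((line, pattern.fullmatch))
    return rules


def matching_rule(filename, rules):
    """Return the text of the first rule that blocks filename, or None."""
    for text, matcher in rules:
        if matcher(filename):
            return text
    return None


# The pattern as originally posted, with the dot before "zip" unescaped:
# "." matches any character, so "_zipped.doc" satisfies ".zip" too.
LOOSE = re.compile("article.*.zip", re.IGNORECASE)
# The same pattern with the dot escaped, so only a literal ".zip" matches.
STRICT = re.compile(r"article.*\.zip", re.IGNORECASE)


def loose_vs_strict(filename):
    """Return (loose_matches, strict_matches) for one attachment name."""
    return bool(LOOSE.search(filename)), bool(STRICT.search(filename))


if __name__ == "__main__":
    rules = compile_blacklist(BLACKLIST)
    # Constructed attachment names, including the one quoted in the thread.
    for name in ["article_February_2455.zip", "ARTICLE_Feb.ZIP",
                 "article_2455_zipped.doc", "setup.exe", "minutes.pdf"]:
        print(f"{name:28} blocked by: {matching_rule(name, rules)}"
              f"  loose/strict: {loose_vs_strict(name)}")
```

Run as a script it prints which rule (if any) blocks each constructed name, and beside it whether the posted pattern and its escaped form match. The name `article_2455_zipped.doc` is the instructive one: the unescaped pattern blocks it, the escaped one does not, which is why `article.*\.zip` is the form to put in the blacklist if the intent is to stop zip attachments only.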
lyndonje (Senior Member)
Posted: 06 February 2006 at 3:51am
Ahh, I wasn't aware regexes needed to be in parentheses.

In that case we'll put it down as though that's what the problem was.

Thanks.