
Virus - Trojan Downloader

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6993
Printed Date: 17 November 2017 at 2:10pm


Topic: Virus - Trojan Downloader
Posted By: segamegadave
Subject: Virus - Trojan Downloader
Date Posted: 22 November 2011 at 12:12pm
Spamfilter Version 4.2.4.843 with Norman AV (up to date)

Hi, we have recently had reports of several end users receiving emails with zip files attached. These emails pose as the Postal Service or an Airline with important details attached.

The zip file attached contains what Kaspersky describes as http://www.securelist.com/en/find?words=Trojan-Downloader.Win32.Injecter.hdu

For some reason or another they are bypassing the Spamfilter and AV altogether.

Is this happening to anyone else? Is there anything we can check/do?




Replies:
Posted By: lyndonje
Date Posted: 06 December 2011 at 9:39am
Hi Roberto,

Any chance we could get a response to this? Norman AV/SpamFilter letting through potential viruses is pretty serious....?

Thanks,
Lyndon.


Posted By: LogSat
Date Posted: 06 December 2011 at 5:57pm
Without receiving specific email samples it's hard to give an accurate answer. There are many antivirus vendors out there, and new viruses are detected by various products after various time delays. Some may catch them sooner one day, and later another, depending on when their AV teams are able to identify the virus fingerprint.

If you can provide us with one or more such emails to support at logsat.com we'll be glad to take a look.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: jerbo128
Date Posted: 07 December 2011 at 11:49am
I'm sending one now; Norman is still allowing this through as of today. SFE quarantined this particular one, but due to an IP blacklist.
In fact I came to the forum because I couldn't find the area in the spamfilter.ini to block attachments by ext for this very issue. Just happened to see this post.


Posted By: LogSat
Date Posted: 07 December 2011 at 9:19pm
jerbo128,

We received your email with a sample, but unfortunately the source of the email is malformed (there are no CRLF sequences to separate the individual lines) so the email is unreadable.

In the meantime, we received two other samples with infected files earlier today. One of them - AA_Ticket_#2646.zip file (identified as "W32/Suspicious_Gen2.RVKPW") is being correctly blocked by SpamFilter, although the original infected email was received 3 days ago, and at that time Norman did not have AV definitions for that virus yet.

The other sample file "Delivery_information.exe" we received was indeed infected, but is not currently being detected as malicious by Norman. We submitted the sample to them immediately so a new set of definitions should be available within 24 hours to detect it. As a side-note, some other AV vendors like Avast, Symantec and TrendMicro are also unable to detect that strain.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
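
The thread turns on two points: AV signatures lag behind new samples, and one poster wanted to block attachments by extension. As an added example (not part of the thread and not LogSat's code), this Python sketch flags executables inside zip attachments without relying on signatures; the extension list, function names and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed block list for this example; tune it to local policy.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def has_blocked_ext(name):
    """True if the name ends in a blocked extension (Windows drops trailing dots/spaces)."""
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT)

def scan_message(raw_bytes):
    """Return (attachment, zip member or None, reason) tuples for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if has_blocked_ext(fname):
            findings.append((fname, None, "blocked extension"))
        # Sniff the content: a renamed zip is still a zip.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 set: AV cannot read the contents
                        findings.append((fname, info.filename, "encrypted member"))
                    if has_blocked_ext(info.filename):
                        findings.append((fname, info.filename, "blocked extension in zip"))
        except zipfile.BadZipFile:
            findings.append((fname, None, "unreadable zip"))
    return findings

def build_sample():
    """Constructed message: a zip holding harmless bytes named like an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_information.exe", b"not a real program")
    m = EmailMessage()
    m["Subject"] = "Delivery information"
    m.set_content("See attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Delivery_information.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A policy check like this catches the delivery pattern on day zero, while the AV scan remains the control for payloads hidden in other container formats.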


