
Virus slipping through the net - BrepiBot

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5477
Printed Date: 31 July 2025 at 2:21am


Topic: Virus slipping through the net - BrepiBot
Posted By: lyndonje
Subject: Virus slipping through the net - BrepiBot
Date Posted: 01 February 2006 at 6:39am

Hi,

We've had a few emails come through containing viruses. The local McAfee AV client detects the virus as W32/Brepibot.gen, but the Norman AV running on SpamFilter isn't blocking it.

In the meantime I've tried to block the attachment names using RegEx's, but I'm having a few problems. I've blocked on Attachment based on the string "article.*.zip", and if I run the RegEx test on "article_February_2455.zip" it reports "Found!". However, when I email the virus with this attachment name through to my address, SpamFilter doesn't block the attachment.

Any suggestions?




Replies:
Posted By: LogSat
Date Posted: 01 February 2006 at 7:58am
Could you please forward us (at support at logsat dot com) one of the emails that slipped thru? In case our own SpamFilter blocks it, can you please also send us a copy of the email's source in a zipped file? Please password-protect the file so that the A/V won't be able to scan it and it will be delivered.

We'd also need a copy of the attachment blacklist file so we can see your settings and reproduce them.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Desperado
Date Posted: 01 February 2006 at 8:06am

lyndonje,

I believe the w32/Brepibot.gen is actually a Trojan and as such, at least doesn't "self replicate". I am not sure what aliases this is listed under so I have limited information on this one. I have a contact at Norman that I can check with, but is the actual attachment by that name or are you trying to filter based on the header information? Also, I thought this was an IRC or P2P Trojan rather than email so my info must be limited. Any additional info from you will help me report this to Norman.

I did find this on NAI's site:

Update January 30, 2006 --
There were several mass-spammings of new Brepibot variants recently

So perhaps the next Norman update will include the new variant just reported in the last 24 hours.



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: lyndonje
Date Posted: 03 February 2006 at 9:13am
Having difficulty even with local AV disabled, don't think it's disabling fully and won't let me ZIP. I'll keep trying though but really busy. Just thought I'd let you know I hadn't forgotten!


Posted By: LogSat
Date Posted: 03 February 2006 at 3:24pm
lyndonje,

We received your sample this morning, and "luckily" it was stopped by our own SpamFilter as the W32/Breplibot.X virus it contained was found. It is possible that as the virus was just released the Norman antivirus plugin did not have the virus signatures to detect it yet at that moment.

In regards to the attachment blocking, the regular expression:
article.*.zip
you used will work. We did not receive your attachment blacklist file, so are unable to verify your settings. Can you make sure, as you are using it as a RegEx, that you are enclosing it in parentheses:

(article.*.zip)

when adding it to the blacklist? Also please note that a standard wildcard in the form:

*article*.zip

should also work in that blacklist to stop these attachments.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
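
An added example (not part of the thread and not LogSat's code) that runs the pattern forms quoted above against constructed attachment names, to show what each one actually blocks. Python's `re` and `fnmatch` stand in for SpamFilter's own matching engine, and the case-insensitive matching and the escaped-dot variant are assumptions, not settings from the thread.

```python
import fnmatch
import re

# Patterns exactly as quoted in the thread.
REGEX_AS_POSTED = r"(article.*.zip)"
WILDCARD_AS_POSTED = "*article*.zip"
# Assumed variant (not from the thread): escape the dot so that only a
# literal ".zip" satisfies the pattern.
REGEX_ESCAPED_DOT = r"(article.*\.zip)"

# Constructed sample attachment names; only the first is from the thread.
SAMPLES = [
    "article_February_2455.zip",  # name reported in the original post
    "ARTICLE_March_0001.ZIP",     # same shape, upper case
    "article.zip",                # shortest name of that shape
    "particle_unzip_notes.txt",   # unrelated, legitimate-looking file
]


def regex_blocks(pattern, name):
    """True if the regex matches anywhere in the name (case-insensitive)."""
    return re.search(pattern, name, re.IGNORECASE) is not None


def wildcard_blocks(pattern, name):
    """True if the whole name matches the shell-style wildcard."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def evaluate(samples=SAMPLES):
    """Return {name: {pattern_label: blocked}} for every sample name."""
    return {
        name: {
            "regex as posted": regex_blocks(REGEX_AS_POSTED, name),
            "regex escaped dot": regex_blocks(REGEX_ESCAPED_DOT, name),
            "wildcard": wildcard_blocks(WILDCARD_AS_POSTED, name),
        }
        for name in samples
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        hits = [label for label, blocked in verdicts.items() if blocked]
        print(f"{name:28} blocked by: {', '.join(hits) or 'nothing'}")
```

The unescaped `.` before `zip` matches any character, so the posted regex also blocks `particle_unzip_notes.txt`, while the wildcard and the escaped-dot regex do not.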


Posted By: lyndonje
Date Posted: 06 February 2006 at 3:51am
Ahh, I wasn't aware RegEx's needed to be in parentheses.

In that case we'll put it down as though that's what the problem was.

Thanks.


