> Sorry for the confusion. Sandbox is part of Norman's AV
> product, and not a separate product.

Ah, OK. I'll take a look at that then.

> Also I never scanned the cab file yesterday I just posted a
> report from an earlier infection I had. I did this just to illustrate the
> type of info you get when it finds something suspicious.

OK. I guess there's no way to update a ClamAV submission with new information.

> from http://www.linemovie.com/link/user2/update/winmsg2k_1.exe
> It may also attempt to get the same file from
> http://www.linkno1.com/link/update/winmsg2k_1.exe
> I tried to get this file from both servers, but it was not there.

Poking around a bit at www.linemovie.com and looking at the source for the index page (retrieved via wget and viewed with vi) led me to http://www.abcroot.com/line/user1/update/winmsg2k_1.exe , which also seems to have a full copy of whatever this thing is. (Although the winmsg2k*.exe files retrieved from both sites are different. Possibly just a difference between 'user1' and 'user2'.)

> As I said, I only used 'strings' so although the info here is
> correct, some of my conclusions may not be. I would however suggest you check your
> registry and do a search for the mentioned files including
> winmsg2k_1.exe.

Patrick, thanks again for doing all that you have. I'm pretty sure my system is safe, since I've only been looking at this stuff from my linux mail gateway. :)

I am however concerned about any folks in my network that may have allowed the original email to get their machine infected because they don't make use of the spamassassin tags (which have been tagging the email as spam all along), and also have the preview pane enabled.

Doing a google search on the clsid 65431623-C69F-410E-A392-6360366CAC19 leads me to believe that this virus/worm/whatever has been out there since the end of March-- there are google usenet hits for Mar 31, 2004.

For anybody else who is inclined to take a look at this as well-- www.linemovie.com seems to be some kind of central distribution point for desktops that are trying to infect themselves. On a hunch, I ran wget against several similar urls, and each url hands out different (but similar) files.

http://www.linemovie.com/line/user1/msxml20.cab
http://www.linemovie.com/line/user3/msxml20.cab
http://www.linemovie.com/line/user4/msxml20.cab
http://www.linemovie.com/line/user5/msxml20.cab
http://www.linemovie.com/line/user6/msxml20.cab
http://www.linemovie.com/link/user6/msxml20.cab

-ron

I am now more than ever very interested in putting web proxies in front of all internet connections, and having clamav w/mod_proxy scan all incoming web content-- at least this way when I recognize a risk faster than the commercial scanners do I can create my own signatures.

_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
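The "create my own signatures" idea from the message above, as an added example that is not part of the original thread or of ClamAV itself: it builds a ClamAV-style .hdb line (MD5:Size:Name) and .ndb line (Name:TargetType:Offset:HexSig) from a constructed sample and applies both to a buffer, the way a gateway scanner loaded with a custom database would. The sample bytes, signature names and the matcher are constructed for illustration; real deployments load the .hdb/.ndb files into clamd or clamscan rather than this toy matcher.

```python
import hashlib
import re

# Constructed stand-in for a retrieved download; not a real file from the thread.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"winmsg2k_1.exe\x00update\x00" + b"\x00" * 32

def hdb_line(data: bytes, name: str) -> str:
    """ClamAV hash signature: MD5:Size:MalwareName (matches one exact file)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def ndb_line(pattern: bytes, name: str, target: int = 0, offset: str = "*") -> str:
    """ClamAV body signature: Name:TargetType:Offset:HexSignature.
    target 0 = any file type; offset '*' = anywhere in the file."""
    return f"{name}:{target}:{offset}:{pattern.hex()}"

def parse_db(text: str):
    """Parse mixed .hdb / .ndb lines into (kind, fields) tuples; '#' lines are comments."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) == 3 and re.fullmatch(r"[0-9a-f]{32}", f[0]):
            sigs.append(("hdb", (f[0], int(f[1]), f[2])))
        elif len(f) == 4:
            sigs.append(("ndb", (f[0], int(f[1]), f[2], bytes.fromhex(f[3]))))
    return sigs

def scan(data: bytes, sigs):
    """Return the name of the first matching signature, or None."""
    digest = hashlib.md5(data).hexdigest()
    for kind, f in sigs:
        if kind == "hdb":
            md5, size, name = f
            if size == len(data) and md5 == digest:
                return name
        else:
            name, _target, offset, pattern = f
            if offset == "*" and pattern in data:
                return name
            if offset != "*" and data[int(offset):int(offset) + len(pattern)] == pattern:
                return name
    return None

# Two entries: an exact-file hash and a body string shared by the user1/user2 variants.
CUSTOM_DB = "\n".join([
    hdb_line(SAMPLE, "Local.Dropper.winmsg2k-A"),
    ndb_line(b"winmsg2k_1.exe", "Local.Dropper.winmsg2k-B"),
])
```

The hash entry misses the slightly different copies the message notes between the 'user1' and 'user2' directories, while the body entry catches anything still carrying the shared filename string.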