Gentoo Forums
Malware in zipped vbs file
figueroa
Guru


Joined: 14 Aug 2005
Posts: 401
Location: GA-USA

Posted: Mon Mar 18, 2019 5:41 pm    Post subject: Malware in zipped vbs file

I received two emails today that did not trigger SpamAssassin or ClamAV on either my remote or local email servers. Each had a very similar file attached, 9804-551861-303498.zip and 2708-979846-265986.zip, containing 9804-551861-303498.vbs and 2708-979846-265986.vbs of 166742 and 154846 bytes, respectively, with very fresh date/time stamps. I can't decode them, but I can tell with vim that the files contain little text, are different, but both appear to have 38 lines. That's the limit of my snooping ability.

ADDED: I have sent samples of the attachments to ClamAV through their web site.
_________________
Andy Figueroa
andy@andyfigueroa.net Working with Unix since 1983.
krinn
Watchman


Joined: 02 May 2003
Posts: 6960

Posted: Mon Mar 18, 2019 7:55 pm

If we start a thread for each spam we get, Gentoo servers will need to get hosted by Google+Amazon cloud really fast.
I don't really get what you are seeking with that thread.
Jaglover
Watchman


Joined: 29 May 2005
Posts: 6957
Location: Saint Amant, Acadiana

Posted: Mon Mar 18, 2019 8:15 pm

Yes, is there a question?
About 1/3 of viruses slip through anti-virus software; it is a known fact. So if there are about 10 million viruses and you rely on anti-virus software, then you can potentially get about 3.3 million of them. You got two, anything special about them?
_________________
Please learn how to denote units correctly!
figueroa
Guru


Joined: 14 Aug 2005
Posts: 401
Location: GA-USA

Posted: Mon Mar 18, 2019 8:59 pm

They appear to be new style. I've gotten three just today. I watch my incoming email for such things. Average about 100 emails to me per day, my server tosses about 1/2 of them for various reasons with procmail and about 1/2 of the remaining are culled by SpamAssassin. I thought they were interesting. All have a UUID-style filename of the zip attachment which contains a vbs and got a low (about 2.5) SpamAssassin score.

I thought they were interesting since most of these kinds of things get a SpamAssassin score over 10 on my server.

There is no question.
_________________
Andy Figueroa
andy@andyfigueroa.net Working with Unix since 1983.
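
The attachments described in the posts above (a zip holding a single .vbs) can be flagged at the mail server by looking inside the archive instead of relying on a spam score. This is an added example, not code from anyone in this thread; the extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: script types Windows will run on double-click.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")

def scripts_in_zip_attachments(raw: bytes) -> list:
    """Return (attachment_name, member_name, size) for scripts inside zips."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        # Decide by content: the declared MIME type and name are sender-controlled.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        name = part.get_filename() or "<unnamed>"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Member names are usually listed even when members are encrypted.
                for info in zf.infolist():
                    if info.filename.lower().endswith(SCRIPT_EXTS):
                        hits.append((name, info.filename, info.file_size))
        except zipfile.BadZipFile:
            hits.append((name, "<unreadable zip>", 0))
    return hits

def build_sample(member: str = "1111-222222-333333.vbs") -> bytes:
    """Constructed message: a zip attachment holding one harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, "' placeholder text, not a real sample\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="1111-222222-333333.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in scripts_in_zip_attachments(build_sample()):
        print("script in zip attachment: %s -> %s (%d bytes)" % hit)
```

A non-empty result is a reason to quarantine or reject the message regardless of what the content scanners scored it.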
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5584

Posted: Mon Mar 18, 2019 11:52 pm

If your Windows clients aren't blocking unknown executables/scripts through group policy then that's a failing of the administrator.
All times are GMT