View Full Version : eTrust and "ZIP.Bagle worm"


James Robertson
05-06-2004, 09:42 PM
Hi All,

Recently .zip files infected with the ZIP.Bagle worm have been getting past
eTrust. Everything else is getting caught. When I run VET from the cmd line
using the same switch as the EW config the log shows that the file is indeed
infected.

EW log:

5/6/2004 2:01:36 PM ID:5757 Connected hse-toronto-ppp303698.sympatico.ca
[64.231.65.218] - Canada (CA)
5/6/2004 2:01:36 PM ID:5757 Handling by server at 'localhost:9999'.
5/6/2004 2:01:36 PM ID:5757 220 mail.xxxxxxx.com - Welcome
hse-toronto-ppp303698.sympatico.ca [64.231.65.218]
5/6/2004 2:01:36 PM ID:5757 HELO pinnacle.com
5/6/2004 2:01:36 PM ID:5757 250 Welcome, 64.231.65.218 [64.231.65.218],
pleased to meet you
5/6/2004 2:01:36 PM ID:5757 RSET
5/6/2004 2:01:36 PM ID:5757 250 Reset state
5/6/2004 2:01:37 PM ID:5757 MAIL FROM:<fdxhuehjkattrrgjcsi@stelco.ca>
5/6/2004 2:01:37 PM ID:5757 250 Sender "fdxhuehjkattrrgjcsi@stelco.ca" OK...
5/6/2004 2:01:37 PM ID:5757 RCPT TO:<tbteyjdyrmpxjmegooi@xxxxxxx.com>
5/6/2004 2:01:37 PM ID:5757 250 Recipient "postmaster@xxxxxxx.com" OK...
5/6/2004 2:01:38 PM ID:5757 DATA
5/6/2004 2:01:38 PM ID:5757 354 Ready
5/6/2004 2:01:38 PM ID:5757 0: ------ Beginning Filters ------
5/6/2004 2:01:38 PM ID:5757 0: Looking for Global Default filters...
5/6/2004 2:01:38 PM ID:5757 0: Attempting to load C:\Program Files\Server
Side Solutions\eWall\Filters\[GlobalFilters]\Default.mfr
5/6/2004 2:01:38 PM ID:5757 1: Filters loaded
5/6/2004 2:01:38 PM ID:5757 1: -> Processing filter 'ANTI-VIRUS'
5/6/2004 2:01:38 PM ID:5757 1: Checking condition 'message has a virus'
5/6/2004 2:01:38 PM ID:5757 2: Running eTrust EZ Antivirus
5/6/2004 2:01:38 PM ID:5757 5: Antivirus scan result: Message is clean.
5/6/2004 2:01:38 PM ID:5757 13: -> Processing filter 'DNSBL'
5/6/2004 2:01:38 PM ID:5757 13: Checking condition 'sender is listed in
'bl.csma.biz' or 'bl.spamcop.net' or 'relays.ordb.org' or
'sbl.spamhaus.org''
5/6/2004 2:01:38 PM ID:5757 14: Checking '64.231.65.218' in 'bl.csma.biz'...
5/6/2004 2:01:38 PM ID:5757 15: Checking '64.231.65.218' in
'bl.spamcop.net'...
5/6/2004 2:01:38 PM ID:5757 17: Checking '64.231.65.218' in
'relays.ordb.org'...
5/6/2004 2:01:38 PM ID:5757 18: Checking '64.231.65.218' in
'sbl.spamhaus.org'...
5/6/2004 2:01:38 PM ID:5757 23: -> Processing filter 'MASTER BANLIST'
5/6/2004 2:01:38 PM ID:5757 23: Checking condition 'sender in
'master_banlist.txt''
5/6/2004 2:01:38 PM ID:5757 43: -> Processing filter 'GLOBAL BANLIST'
5/6/2004 2:01:38 PM ID:5757 43: Checking condition 'sender in
'global_banlist.txt''
5/6/2004 2:01:38 PM ID:5757 53: -> Processing filter 'ATTACHMENT FILTER'
5/6/2004 2:01:38 PM ID:5757 53: Checking condition 'parts headers matches
expression 'name="?[^
]+\.(?i)(bat)[^\w]+' or matches expression
'name="?[^
]+\.(?i)(chm)[^\w]+'...'
5/6/2004 2:01:38 PM ID:5757 63: -> Processing filter 'ZIP FILTER'
5/6/2004 2:01:38 PM ID:5757 63: Checking condition 'parts headers matches
expression 'name="?[^
]+\.(?i)(zip)[^\w]+''
5/6/2004 2:01:38 PM ID:5757 63: Matches expression
'name="?[^
]+\.(?i)(zip)[^\w]+'
5/6/2004 2:01:38 PM ID:5757 63: Applying action 'send 'ZIP_from.eml''
5/6/2004 2:01:38 PM ID:5757 67: Applying action 'send 'ZIP_to.eml''
5/6/2004 2:01:38 PM ID:5757 71: Applying action 'send 'ZIP_admin.eml''
5/6/2004 2:01:38 PM ID:5757 75: Applying action 'forward copy to
virustest@xxxxxxx.org'
5/6/2004 2:01:38 PM ID:5757 79: Applying action 'delete message'
5/6/2004 2:01:38 PM ID:5757 80: Applying action 'send '554 Transaction
failed: Non permitted attachment' to client'
5/6/2004 2:01:38 PM ID:5757 80: Applying action 'stop processing other
filters'
5/6/2004 2:01:38 PM ID:5757 83: ------ Ending Filters ------
5/6/2004 2:01:38 PM ID:5757 83: Message will be deleted
5/6/2004 2:01:38 PM ID:5757 83: Response to user: '554 Transaction failed:
Non permitted attachment'
5/6/2004 2:01:38 PM ID:5757 554 Transaction failed: Non permitted attachment
5/6/2004 2:01:38 PM ID:5757 Disconnected

VET (eTrust) Log

eTrust EZ Antivirus Version 6.1.7.0
Started scanning: 5:25:53 PM, 5/6/2004
Major dat file v4008
Minor dat file v5440
Macro data file May 6 2004 (VMD Ver 1.6)

Scanning file(s)...
zpptsvfb2tmfpgam.eml>text_document.zip - ZIP.Bagle worm.
zpptsvfb2tmfpgam.eml contains infected files.

Finished scanning: 5:25:53 PM, 5/6/2004
Number of files scanned: 4.
Number of archives containing infected files: 1
Number of infections: 1
Number of infected files not cleaned/deleted/renamed: 1
zpptsvfb2tmfpgam.eml>text_document.zip (ZIP.Bagle worm)

eTrust EZ Antivirus Version 6.1.7.0
Started scanning: 5:26:45 PM, 5/6/2004
Major dat file v4008
Minor dat file v5440
Macro data file May 6 2004 (VMD Ver 1.6)

Scanning file(s)...
zpptsvfb2tmfpgam.eml>text_document.zip - ZIP.Bagle worm.
zpptsvfb2tmfpgam.eml contains infected files.

Finished scanning: 5:26:45 PM, 5/6/2004
Number of files scanned: 4.
Number of archives containing infected files: 1
Number of infections: 1
Number of infected files not cleaned/deleted/renamed: 1
zpptsvfb2tmfpgam.eml>text_document.zip (ZIP.Bagle worm)

Anyone have any ideas?

Alex did you make a change recently to the regex in EZ.dat?

Any ideas would be helpful. At this rate they are coming in at 1 msg per
minute. I have all zip files going to a diff account in the meantime.

Thanks,
James

James Robertson
05-06-2004, 09:49 PM
BTW: Still running EW 1.0.152

These were being caught by EW & eTrust up to and including 2004-05-04. Now
that I think about it I do not remember making any updates since then, but
then again my short-term memory isn't the best.

Thanks,
James

Alexander Telegin [SSS]
05-07-2004, 06:36 AM
James, try attached EZ.DAT

- Alex

James Robertson
05-07-2004, 01:00 PM
Thanks will give it a shot.

James

James Robertson
05-07-2004, 03:33 PM
Hi Alex,

Just got a few more "ZIP.Bagle worm" infected e-mails. Same problem. For the
time being I am redirecting all .zips to a holding account but I really need
to get this fixed because we do get some real .zip files (thank god not that
often). Everything else gets caught. A head scratcher. My guess is it has
something to do with the regex in EZ.dat but I am a touch rusty when it comes
to regular expressions. Haven't been programming for a while.

Anyone else using eTrust with EW? Anyone else have the same problem? It
caught them up to and including May 4th. The only changes were the regular
daily eTRUST virus sig updates.

Thanks,

James

VET cmd line
-------------------------------
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VET32.EXE d544yomulvih2ewx.eml /nobootscan
/nomemoryscan /compressed /nosub /infect=reportonly /display=none
/logfile=log1.log

EW
------------------------------
.... snip
5/7/2004 10:51:32 AM ID:6730 1: Attempting to load C:\Program Files\Server
Side Solutions\eWall\Filters\[GlobalFilters]\Default.mfr
5/7/2004 10:51:32 AM ID:6730 2: Filters loaded
5/7/2004 10:51:32 AM ID:6730 2: -> Processing filter 'ANTI-VIRUS'
5/7/2004 10:51:32 AM ID:6730 2: Checking condition 'message has a virus'
5/7/2004 10:51:32 AM ID:6730 2: Running eTrust EZ Antivirus
5/7/2004 10:51:32 AM ID:6730 5: Antivirus scan result: Message is clean.
5/7/2004 10:51:32 AM ID:6730 14: -> Processing filter 'DNSBL'
5/7/2004 10:51:32 AM ID:6730 14: Checking condition 'sender is listed in
'bl.csma.biz' or 'bl.spamcop.net' or 'relays.ordb.org' or
'sbl.spamhaus.org''
5/7/2004 10:51:32 AM ID:6730 85: Checking '64.231.65.218' in
'bl.csma.biz'...
5/7/2004 10:51:32 AM ID:6730 87: Checking '64.231.65.218' in
'bl.spamcop.net'...
5/7/2004 10:51:32 AM ID:6730 88: Checking '64.231.65.218' in
'relays.ordb.org'...
5/7/2004 10:51:32 AM ID:6730 90: Checking '64.231.65.218' in
'sbl.spamhaus.org'...
5/7/2004 10:51:32 AM ID:6730 100: -> Processing filter 'MASTER BANLIST'
5/7/2004 10:51:32 AM ID:6730 100: Checking condition 'sender in
'master_banlist.txt''
5/7/2004 10:51:32 AM ID:6730 120: -> Processing filter 'GLOBAL BANLIST'
5/7/2004 10:51:32 AM ID:6730 120: Checking condition 'sender in
'global_banlist.txt''
5/7/2004 10:51:32 AM ID:6730 130: -> Processing filter 'ATTACHMENT FILTER'
5/7/2004 10:51:32 AM ID:6730 131: Checking condition 'parts headers matches
expression 'name="?[^
]+\.(?i)(bat)[^\w]+' or matches expression
'name="?[^
]+\.(?i)(chm)[^\w]+'...'
5/7/2004 10:51:32 AM ID:6730 140: -> Processing filter 'ZIP FILTER'
5/7/2004 10:51:32 AM ID:6730 141: Checking condition 'parts headers matches
expression 'name="?[^
]+\.(?i)(zip)[^\w]+''
5/7/2004 10:51:32 AM ID:6730 141: Matches expression
'name="?[^
]+\.(?i)(zip)[^\w]+'
5/7/2004 10:51:32 AM ID:6730 141: Applying action 'send 'ZIP_from.eml''
5/7/2004 10:51:32 AM ID:6730 145: Applying action 'send 'ZIP_to.eml''
5/7/2004 10:51:32 AM ID:6730 149: Applying action 'send 'ZIP_admin.eml''
5/7/2004 10:51:32 AM ID:6730 154: Applying action 'forward copy to
virustest@xxxxxxxx.org'
5/7/2004 10:51:32 AM ID:6730 158: Applying action 'delete message'
5/7/2004 10:51:32 AM ID:6730 159: Applying action 'send '554 Transaction
failed: Non permitted attachment' to client'
5/7/2004 10:51:32 AM ID:6730 160: Applying action 'stop processing other
filters'
5/7/2004 10:51:32 AM ID:6730 161: ------ Ending Filters ------
5/7/2004 10:51:32 AM ID:6730 161: Message will be deleted
5/7/2004 10:51:32 AM ID:6730 161: Response to user: '554 Transaction failed:
Non permitted attachment'
5/7/2004 10:51:32 AM ID:6730 554 Transaction failed: Non permitted
attachment
.... snip

VET LOG
------------------------------------
eTrust EZ Antivirus Version 6.1.7.0
Started scanning: 11:01:38 AM, 5/7/2004
Major dat file v4008
Minor dat file v5443
Macro data file May 7 2004 (VMD Ver 1.6)

Scanning file(s)...
d544yomulvih2ewx.eml>Info.zip - ZIP.Bagle worm.
d544yomulvih2ewx.eml contains infected files.

Finished scanning: 11:01:38 AM, 5/7/2004
Number of files scanned: 4.
Number of archives containing infected files: 1
Number of infections: 1
Number of infected files not cleaned/deleted/renamed: 1
d544yomulvih2ewx.eml>Info.zip (ZIP.Bagle worm)
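The two logs James posted (here and in the opening post) show the gap directly: the eWall ANTI-VIRUS filter reports "Message is clean" for a session, while a VET command-line scan of the saved copy of the same message reports ZIP.Bagle. The following Python script is an added example, not part of the thread or of eWall or eTrust; it parses both log formats so that sessions the in-line scanner passed but that carried a zip attachment, or whose saved copy VET later flagged, can be listed for review. The sample log text is a condensed, constructed version of the lines quoted above (a second clean session with sender alice@example.net is invented), and the mapping from eWall session ID to the filename of the saved .eml copy is an assumption: eWall does not log that filename in the excerpts shown, so the operator has to supply it.

```python
"""Correlate eWall per-session filter log lines with VET command-line scan
results to find messages the in-line antivirus filter passed as clean.
Added example for this thread; not eWall's or eTrust's own code."""
import re
from collections import defaultdict

# Constructed sample: condensed from the eWall log lines quoted in the thread,
# plus one invented clean session (ID 6731) so the report has a negative case.
EWALL_LOG = """\
5/7/2004 10:51:32 AM ID:6730 Connected hse-toronto-ppp303698.sympatico.ca [64.231.65.218] - Canada (CA)
5/7/2004 10:51:32 AM ID:6730 MAIL FROM:<fdxhuehjkattrrgjcsi@stelco.ca>
5/7/2004 10:51:32 AM ID:6730 2: -> Processing filter 'ANTI-VIRUS'
5/7/2004 10:51:32 AM ID:6730 2: Running eTrust EZ Antivirus
5/7/2004 10:51:32 AM ID:6730 5: Antivirus scan result: Message is clean.
5/7/2004 10:51:32 AM ID:6730 140: -> Processing filter 'ZIP FILTER'
5/7/2004 10:51:32 AM ID:6730 141: Matches expression 'name="?[^ ]+\\.(?i)(zip)[^\\w]+'
5/7/2004 10:51:32 AM ID:6730 158: Applying action 'delete message'
5/7/2004 10:51:32 AM ID:6730 161: Response to user: '554 Transaction failed: Non permitted attachment'
5/7/2004 10:53:10 AM ID:6731 Connected mail.example.net [192.0.2.10] - (constructed)
5/7/2004 10:53:10 AM ID:6731 MAIL FROM:<alice@example.net>
5/7/2004 10:53:10 AM ID:6731 2: -> Processing filter 'ANTI-VIRUS'
5/7/2004 10:53:10 AM ID:6731 5: Antivirus scan result: Message is clean.
5/7/2004 10:53:10 AM ID:6731 161: Response to user: '250 OK'
"""

# Constructed sample: condensed from the VET log quoted in the thread.
VET_LOG = """\
eTrust EZ Antivirus Version 6.1.7.0
Started scanning: 11:01:38 AM, 5/7/2004
Scanning file(s)...
d544yomulvih2ewx.eml>Info.zip - ZIP.Bagle worm.
d544yomulvih2ewx.eml contains infected files.
Finished scanning: 11:01:38 AM, 5/7/2004
Number of infections: 1
d544yomulvih2ewx.eml>Info.zip (ZIP.Bagle worm)
"""

# Assumed mapping (not logged by eWall in the excerpts): session ID -> saved copy.
SAVED_COPIES = {6730: "d544yomulvih2ewx.eml"}

EWALL_LINE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"ID:(?P<sid>\d+) (?:(?P<step>\d+): )?(?P<text>.*)$")
FILTER_START = re.compile(r"^-> Processing filter '(?P<name>[^']+)'$")
AV_RESULT = re.compile(r"^Antivirus scan result: (?P<verdict>.+)$")
MAIL_FROM = re.compile(r"^MAIL FROM:<(?P<addr>[^>]*)>$")
RESPONSE = re.compile(r"^Response to user: '(?P<resp>.+)'$")
# VET's per-file line: "<container>><member> - <threat name>."
VET_INFECTED = re.compile(r"^(?P<container>\S+)>(?P<member>\S+) - (?P<threat>.+?)\.$")


def parse_ewall_sessions(text):
    """Group eWall log lines by session ID and pull out the fields we care about."""
    sessions = {}
    current_filter = {}  # session ID -> filter currently being processed
    for raw in text.splitlines():
        m = EWALL_LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines carry no prefix; skip them
        sid = int(m.group("sid"))
        s = sessions.setdefault(sid, {"sender": None, "av_verdict": None,
                                      "zip_match": False, "response": None})
        txt = m.group("text")
        if (fm := FILTER_START.match(txt)):
            current_filter[sid] = fm.group("name")
        elif (am := AV_RESULT.match(txt)):
            s["av_verdict"] = am.group("verdict")
        elif (mf := MAIL_FROM.match(txt)):
            s["sender"] = mf.group("addr")
        elif txt.startswith("Matches expression") and current_filter.get(sid) == "ZIP FILTER":
            s["zip_match"] = True  # the attachment-name regex fired for a .zip
        elif (rm := RESPONSE.match(txt)):
            s["response"] = rm.group("resp")
    return sessions


def parse_vet_log(text):
    """Return {container file: [(member, threat name), ...]} from VET output."""
    infected = defaultdict(list)
    for line in text.splitlines():
        m = VET_INFECTED.match(line.strip())
        if m:  # the trailing "(threat)" summary line lacks " - " and is not double-counted
            infected[m.group("container")].append((m.group("member"), m.group("threat")))
    return dict(infected)


def find_av_gaps(sessions, vet_infected, saved_copies):
    """Sessions the in-line AV filter passed as clean that still deserve a second look."""
    gaps = []
    for sid, s in sorted(sessions.items()):
        if not (s["av_verdict"] or "").lower().startswith("message is clean"):
            continue
        reasons = []
        if s["zip_match"]:
            reasons.append("zip attachment matched while the AV filter reported clean")
        copy = saved_copies.get(sid)
        for member, threat in vet_infected.get(copy, []):
            reasons.append(f"VET reported {threat} in {copy}>{member}")
        if reasons:
            gaps.append({"session": sid, "sender": s["sender"], "reasons": reasons})
    return gaps


if __name__ == "__main__":
    for gap in find_av_gaps(parse_ewall_sessions(EWALL_LOG), parse_vet_log(VET_LOG), SAVED_COPIES):
        print(f"session {gap['session']} from {gap['sender']}:")
        for r in gap["reasons"]:
            print("  -", r)
```

Run against the sample, the report lists only session 6730, with both reasons; the constructed clean session 6731 is silent. In practice the report is the list of .eml copies to re-scan with VET from the command line, exactly the cross-check James did by hand, and a steady stream of such entries is the signal that the in-line scanner's verdict, not the attachment filter, is what needs attention.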

Jared Schmidt
05-07-2004, 04:02 PM
You might try unchecking "Do Not Check Outgoing Messages" under Options. It
may be skipping some messages thinking they are outgoing messages.

Jared Schmidt
www.cobrics.com

Alexander Telegin [SSS]
05-07-2004, 04:10 PM
Please create empty folder C:\AVReports
and send me two reports: one for clean file and one "bagled"

- Alex

James Robertson
05-07-2004, 04:16 PM
OK... I am also redirecting viruses to the holding account as well. I will
also try and compare the reports generated for some other virus. Funny thing
is I have been getting hammered big time since netsky and bagle but nothing in
the last hour. Feel like I am watching paint dry.

James

James Robertson
05-07-2004, 04:20 PM
I have always scanned incoming and outgoing messages because I do not want
our users to be part of the problem. I go so far as to block outgoing port
25 so they can't bypass the scans (and to prevent virus SMTP engines from
sending directly).

To be safe I double checked and it was not checked.

James