
John spreads virus!

Posted by: Greg Whynott  Date: 08-01-2012, 12:15:PM

*GASP!* EVIL JOHN STRIKES AGAIN! 8)

our mail system blocked the digest... false positive i'm sure...

-g

```
A virus was found: MBL_284029.UNOFFICIAL
Scanner detecting a virus: ClamAV-clamd
Content type: Virus
Internal reference code for the message is 19923-20/snX168WaWUK1

First upstream SMTP client IP address: [216.234.60.233] mail.gargoylelogic.com

According to a 'Received:' trace, the message apparently originated at:
  [216.234.60.233], master.sysadmins-online.com localhost [127.0.0.1]

Return-Path: <studiosysadmins-discuss-bounces@studiosysadmins.com>
From: studiosysadmins-discuss-request@studiosysadmins.com
Sender: studiosysadmins-discuss-bounces@studiosysadmins.com
Message-ID: <mailman.709.1343836483.3185.studiosysadmins-discuss@studiosysadmins.com>
Subject: StudioSysAdmins-Discuss Digest, Vol 35, Issue 1

The message has been quarantined as: xxxx

Notification to sender will not be mailed.

The message WAS NOT relayed to:
  xxxx
  250 2.7.0 Ok, discarded, id=19923-20 - INFECTED: MBL_284029.UNOFFICIAL

Virus scanner output:
  p057: MBL_284029.UNOFFICIAL FOUND
  p018: MBL_284029.UNOFFICIAL FOUND
  p020: MBL_284029.UNOFFICIAL FOUND
```

Re: John spreads virus!

Posted by: John Hickson  Date: 08-01-2012, 12:15:PM

Looking into it.. Did anyone else see that?

-John

On 2012-08-01 12:11, greg whynott wrote:

Re: John spreads virus!

Posted by: Greg Whynott  Date: 08-01-2012, 12:20:PM

a quick search on the ID of the alleged virus turns up a lot of folks claiming false positives on it...

On Wed, Aug 1, 2012 at 12:14 PM, John Hickson <John.Hickson@studiosysadmins.com> wrote:

Re: John spreads virus!

Posted by: Greg Ercolano  Date: 08-01-2012, 12:30:PM

I was curious; I don't know anything about clamAV, but looking up the MBL_284029 message, according to this page: http://www.malware.com.br/cgi/submit?action=list_clamav

MBL_284029 resolves to:

```
MBL_284029=7777772e6e6972736f66742e6e65742f7574696c73
```

..which appears to be an ascii string encoded as hex. Ran a little perl one liner to decode it, and see that that string resolves to:

```
www.nirsoft.net/utils
```

..so that seems to be the trigger for that virus message.

Did a body search for that string on the list; Seems Wayne posted a msg on 7/31 that contains a link to nirsoft in the SnapZ thread. Also, back in June, that string appears in some posts about wacoms, which may have caused a trigger then, too.

On 08/01/12 09:11, greg whynott wrote:
> *GASP!* EVIL JOHN STRIKES AGAIN!
> our mail system blocked the digest... false positive i'm sure...
>
> Virus scanner output:
> p057: MBL_284029.UNOFFICIAL FOUND

Re: John spreads virus!

Posted by: John Hickson  Date: 08-01-2012, 12:30:PM

What would the world be like with Greg(s) :)

Thanks guys.

-John

On 2012-08-01 12:26, Greg Ercolano wrote:
> I was curious; I don't know anything about clamAV, but looking up the MBL_284029 message, according to this page: http://www.malware.com.br/cgi/submit?action=list_clamav
>
> MBL_284029 resolves to:
>
> MBL_284029=7777772e6e6972736f66742e6e65742f7574696c73
>
> ..which appears to be an ascii string encoded as hex. Ran a little perl one liner to decode it, and see that that string resolves to:
>
> www.nirsoft.net/utils
>
> ..so that seems to be the trigger for that virus message.
>
> Did a body search for that string on the list; Seems Wayne posted a msg on 7/31 that contains a link to nirsoft in the SnapZ thread. Also, back in June, that string appears in some posts about wacoms, which may have caused a trigger then, too.
>
> On 08/01/12 09:11, greg whynott wrote:
> > *GASP!* EVIL JOHN STRIKES AGAIN!
> > our mail system blocked the digest... false positive i'm sure...
> >
> > Virus scanner output:
> > p057: MBL_284029.UNOFFICIAL FOUND

Re: John spreads virus!

Posted by: Greg Whynott  Date: 08-01-2012, 12:35:PM

show me your one liner please Greg. 8)

On Wed, Aug 1, 2012 at 12:26 PM, Greg Ercolano <erco_mlist@seriss.com> wrote:
> I was curious; I don't know anything about clamAV, but looking up the MBL_284029 message,

Re: John spreads virus!

Posted by: Greg Ercolano  Date: 08-01-2012, 12:40:PM

Sure:

```
perl -e 'print pack("H*","7777772e6e6972736f66742e6e65742f7574696c73");'
```

On 08/01/12 09:30, greg whynott wrote:
> show me your one liner please Greg. 8)

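The two posts above (Greg Ercolano's decoding of the `MBL_284029` signature and the perl one-liner that does it) amount to a small procedure a list admin can repeat for any such false positive: parse the `NAME=HEX` signature line, decode the hex to see what the scanner is really looking for, then confirm whether a message body contains that byte string. The Python below is an added example written for this page, not code from the thread or from ClamAV; it uses the signature line quoted in the thread and a constructed sample digest body (the `SAMPLE_DIGEST` and `CLEAN_MESSAGE` contents are made up for the demonstration, not the actual list messages).

```python
# Added example: decode a hex-bodied ClamAV signature and show why a message
# body matches it. Not the thread's perl one-liner and not ClamAV code.
import binascii
import re

# Signature line as listed on the malware.com.br page quoted in the thread.
SIGNATURE_LINE = "MBL_284029=7777772e6e6972736f66742e6e65742f7574696c73"

# Constructed sample digest body (not the real list message): a post with a
# nirsoft link, plus a quoted reply that repeats the link.
SAMPLE_DIGEST = (
    b"From: wayne@example.invalid\n"
    b"Subject: Re: SnapZ\n"
    b"\n"
    b"Try the tool at http://www.nirsoft.net/utils/ - it worked for me.\n"
    b"\n"
    b"> Also see www.nirsoft.net/utils/ for the wacom utilities.\n"
)

# Constructed message that should not trigger the signature.
CLEAN_MESSAGE = b"Subject: render farm\n\nNothing to see here.\n"


def parse_signature(line: str) -> tuple[str, bytes]:
    """Split a 'NAME=HEX' signature line into its name and the raw bytes."""
    name, sep, hexbody = line.strip().partition("=")
    if not sep or not name or not hexbody:
        raise ValueError(f"not a NAME=HEX signature line: {line!r}")
    # unhexlify rejects odd-length or non-hex bodies, which is what we want:
    # a signature that cannot be decoded should be surfaced, not ignored.
    return name, binascii.unhexlify(hexbody)


def decode_signature(line: str) -> str:
    """Same result as the thread's perl pack('H*', ...): hex -> text.

    Non-ASCII bytes are shown as escapes so binary signatures stay readable.
    """
    _, raw = parse_signature(line)
    return raw.decode("ascii", errors="backslashreplace")


def find_matches(line: str, message: bytes) -> list[int]:
    """Return each byte offset in message where the signature bytes occur."""
    _, raw = parse_signature(line)
    return [m.start() for m in re.finditer(re.escape(raw), message)]


def explain(line: str, message: bytes) -> str:
    """Human-readable verdict for a message against one signature."""
    name, raw = parse_signature(line)
    hits = find_matches(line, message)
    if not hits:
        return f"{name}: no match"
    # Show a little context around the first hit so the reason is obvious.
    start = max(0, hits[0] - 20)
    end = hits[0] + len(raw) + 20
    context = message[start:end].decode("ascii", errors="replace")
    return (f"{name}: {len(hits)} match(es) for {raw!r}; "
            f"first at offset {hits[0]}: ...{context!r}...")


if __name__ == "__main__":
    print("signature decodes to:", decode_signature(SIGNATURE_LINE))
    print(explain(SIGNATURE_LINE, SAMPLE_DIGEST))
    print(explain(SIGNATURE_LINE, CLEAN_MESSAGE))
```

Run stand-alone it prints the decoded string `www.nirsoft.net/utils`, then shows the two places the constructed digest contains it and that the clean message does not. The point for the person running the mail gateway is that a plain-substring signature like this one fires on any message that merely mentions the URL, so a hit in a discussion digest is expected rather than alarming; once that is confirmed, the fix is on the scanner side (for ClamAV, a local `.ign2` whitelist file listing the signature name, one name per line), not on the list.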
Re: John spreads virus!

Posted by: Greg Whynott  Date: 08-01-2012, 13:50:PM

Danke!

On Aug 1, 2012 12:36 PM, "Greg Ercolano" <erco_mlist@seriss.com> wrote: