[Avcheck] Virus notify

Michael Tokarev mjt@tls.msk.ru
Wed, 29 May 2002 17:03:37 +0400


Now this is just funny.  After my last email, avcheck-admin@list.corpit.ru
was flooded by virus notification messages.

The problematic text that triggered all those emails was:

>  /^<ifXame src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
>  /^<FOXT>/ REJECT No viruses wanted here

(iframe changed to ifXame and FONT changed to FOXT).

Here are some "notifications" I've got:

===========================================================================
Subject: Virus infection detected!!!
Date: Wed May 29 17:48:00 2002
From: PostMaster@geonet.ge
To: avcheck-admin@list.corpit.ru

This is the auto-generated warning message from Virus Detection Software
of GeoNet L.T.D. The original message has been blocked on server because of
VIRUS INFECTION (see details below). If you have any questions/suggestions
please send them to PostMaster@geonet.ge

	Details of infected message
	---------------------------
	Sender: avcheck-admin@list.corpit.ru
	Recipient: wrath@geo.net.ge
	suspicion: Exploit.IFrame.FileDownload 


===========================================================================
Subject: SENDER ! Virus found in message from you !
Date: Wed, 29 May 2002 19:45:20 +0700 (NOVST)
From: mail_filter@artlife.tomsknet.ru
To: avcheck-admin@list.corpit.ru

You sent to user serge@artlife.tomsknet.ru message with VIRUS .
======================================
KAV Report:
======================================
	suspicion: Exploit.IFrame.FileDownload 

======================================
Bye !


===========================================================================
Subject: Virus alert !!!
Date: Wed May 29 16:52:39 2002
From: kavdaemon@relay.avp.ru
To: avcheck-admin@list.corpit.ru

Dear Sirs,

***
IMPORTANT: This message has been generated by Kaspersky Lab's 
express virus-check system. In case you have any further 
questions, please send them directly to the company's 
technical support service at support@kaspersky.com.
***

Thank you very much for your interest in Kaspersky Lab 
anti-virus technology.

Kaspersky Lab has successfully received your recent e-mail message to  buklanov@kaspersky.com. With much regret, we must inform you that the message contains a computer virus. A comprehensive analysis of the progra

======================================
	suspicion: Exploit.IFrame.FileDownload 

======================================

You can get more information about this virus for FREE from the Kaspersky Virus Encyclopedia that can be found at www.viruslist.com.

Kaspersky Lab is happy to express its goodwill by assisting you in neutralizing this virus. We invite you to take advantage of our products and services in order to protect your computer system 

We are also happy to offer you a FREE demonstration version of Kaspersky Anti-Virus Personal available at http://www.kaspersky.com/download.html?tgroup=2&pgroup=10&id=25&obj_id=124203

It will allow you to perform an initial extensive anti-virus scan of your PC. To remove viruses from your PC, you should purchase and install a fully-functional version of Kaspersky Anti-Virus. 

We look forward to our continued cooperation.

Best of Luck,
Kaspersky Lab

............................................

and so on... ;)

Now I'm curious: why all those notifications?  There are two
points.  First, my email was NOT infected, obviously, and such
suspicions are silly, at the least.  I hope AVP/Kaspersky folks will
react accordingly.  And second, why send notifications in
this case, when a message was received from a mailing list?  This
may be a good question.  Avcheck's `infected' handler will not
inform the sender if the infected email was sent from a mailing list, in
almost all cases (there is some "mailing list detection" code in
place).

/mjt
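
The mailing-list check described in the last paragraph, sketched as an added example; this is not avcheck's own code and not part of the original message. The header names, the sender patterns and the function name `notify_decision` are assumptions chosen for illustration, and the sample messages are constructed.

```python
import email
import re

# Assumed heuristic set: headers that list software commonly adds.
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post",
                "Mailing-List", "X-Mailing-List")
# Assumed heuristic: envelope-sender local parts typical of list managers.
LIST_SENDER_RE = re.compile(
    r"^(owner-.+|.+-(admin|owner|request|bounces?|errors)|"
    r"mailer-daemon|listserv|majordomo)$", re.IGNORECASE)

def notify_decision(envelope_sender, raw_message):
    """Return (should_notify, reason) for a message the scanner flagged."""
    sender = envelope_sender.strip()
    if sender in ("", "<>"):
        # A bounce has no one to notify; replying only creates a mail loop.
        return False, "null envelope sender"
    local = sender.strip("<>").rsplit("@", 1)[0]
    if LIST_SENDER_RE.match(local):
        return False, "list-style envelope sender: " + local
    msg = email.message_from_string(raw_message)
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in ("bulk", "list", "junk"):
        return False, "Precedence: " + prec
    for name in LIST_HEADERS:
        if msg.get(name):
            return False, "header present: " + name
    return True, "no list markers found"

# Constructed sample messages (not taken from real traffic).
VIA_LIST = "From: someone@example.org\nSubject: test\n\nbody\n"
TAGGED = ("From: bob@example.org\nPrecedence: list\n"
          "List-Id: <users.example.org>\n\nbody\n")
DIRECT = "From: alice@example.org\nTo: carol@example.net\n\nbody\n"

if __name__ == "__main__":
    for sender, raw in (("avcheck-admin@list.corpit.ru", VIA_LIST),
                        ("bob@example.org", TAGGED),
                        ("<>", DIRECT),
                        ("alice@example.org", DIRECT)):
        print(sender, notify_decision(sender, raw))
```

With the list's own envelope sender from this post, the check suppresses the notification before any header is inspected, so a scanner false positive on list traffic does not turn into a flood at the list's admin address.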