[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Fri Jul 1 16:52:23 EDT 2005

Les Mikesell wrote:
> If there are 8,000 new viruses introduced in a year and it takes
> several days to identify them in the scanners, this is not at all
> unlikely. Our company submitted one to McAfee, Symantec, and Clam
> on a weekend and the update didn't include it until Tuesday for
> McAfee and Symantec, and Clam didn't add it until we resubmitted
> with one of the commercial scanner's identifiers.  That one was
> generating so much network traffic that it literally took down the
> network - our redundant Ciscos both decided to take over because
> they couldn't see each other's HSRP heartbeats.  After that experience
> I'm convinced that anything that identifies a virus should do
> everything possible to make sure it does not reach another Windows
> machine.

Les, that was very well stated.  This all relates somewhat to a point I made
earlier about seeing things from the virus writer's perspective.  A
halfway-intelligent virus writer (and we're talking about someone with at
least the IQ of a dog) knows how the SMTP system works, and if they want
widespread distribution as cheaply as possible, they're going to know the
SMTP/MTA systems to a good degree, and especially how to exploit them.  The
virus writer knows that his/her message is going to get caught rather
quickly by relays running AV scanners, so it's really the rejection, and
then the bounce, that they're depending on.

I would encourage others to look at the FROM and TO address patterns that
viruses use in their auto-generated emails.  In almost EVERY case, the TO
address appears to be some sort of dictionary-driven process (which leads me
to believe the virus writer couldn't give a crap about who the message is
being sent TO), but the FROM address, that is almost always real (and from
someone's Outlook contacts/address book).  Now, what can you say was the
true intention of the virus writer?

- Chris

Chris Gauch
Systems Administrator
Digicon Communications, Inc.
cgauch at digicon.net
(716) 583-1254
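The defender-side consequence of the two points above (a real, harvested From address plus generated To addresses means an accept-then-bounce policy mails the notification, and often the payload, to an innocent third party) can be shown as a small gateway policy. The code below is an added example written for this page; it is neither part of the thread nor MIMEDefang's own Perl filter API, and it is in Python rather than Perl so it can be run stand-alone. The user directory, the signature name and the sample messages are constructed.

```python
"""Gateway policy sketch: refuse or silently discard flagged mail, never bounce it.

Assumptions (constructed for this example): the gateway MTA can check whether a
local recipient exists, and the scanner reports a signature name for a hit.
"""

from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    DELIVER = "deliver"
    REJECT_SMTP = "reject-5xx"   # refused inside the SMTP session: the sending MTA owns the failure
    DISCARD = "discard"          # already accepted: quarantine or drop, but never bounce


@dataclass
class Message:
    mail_from: str          # envelope sender: this is where a bounce would go
    rcpt_to: list           # envelope recipients
    scanner_verdict: str    # "" when clean, otherwise the scanner's signature name
    in_smtp_session: bool   # True while a 5xx answer is still possible


# Constructed directory of valid users for our domain.
LOCAL_DOMAIN = "example.com"
VALID_USERS = {"alice", "bob", "carol"}


def split_address(addr):
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def rcpt_reply(rcpt):
    """Per-RCPT decision. Refusing nonexistent local users at RCPT time means the
    dictionary-driven To addresses described in the post never become a message
    we would later have to bounce."""
    local, domain = split_address(rcpt)
    if domain == LOCAL_DOMAIN and local not in VALID_USERS:
        return "550 5.1.1 no such user"
    return "250 OK"


def unknown_local_recipients(msg):
    """How many envelope recipients at our domain do not exist: a crude indicator
    of generated rather than harvested To addresses."""
    return sum(1 for r in msg.rcpt_to if rcpt_reply(r).startswith("550"))


def end_of_data_decision(msg):
    """Decision once the scanner has seen the full message."""
    if not msg.scanner_verdict:
        return Disposition.DELIVER
    if msg.in_smtp_session:
        return Disposition.REJECT_SMTP
    return Disposition.DISCARD


def smtp_reply(msg):
    """Reply text at end-of-DATA, or None when the session is already closed."""
    decision = end_of_data_decision(msg)
    if decision is Disposition.REJECT_SMTP:
        return "550 5.7.1 message rejected: " + msg.scanner_verdict
    if decision is Disposition.DELIVER:
        return "250 OK"
    return None


def dsn_allowed(msg):
    """May a bounce (DSN) to mail_from ever be generated for this message?
    Never for a flagged message: its From address is almost certainly harvested
    from a victim's address book, not the infected host. Clean mail that fails
    later in delivery may still be bounced as usual."""
    return end_of_data_decision(msg) is Disposition.DELIVER


# Constructed sample: a worm message with a harvested (real) sender and two
# dictionary-generated recipients out of three. The signature name is a placeholder.
WORM_IN_SESSION = Message(
    mail_from="dave@partner.example",
    rcpt_to=["qwerty@example.com", "alice@example.com", "test123@example.com"],
    scanner_verdict="Worm.Constructed-Sample",
    in_smtp_session=True,
)
WORM_ACCEPTED = Message(WORM_IN_SESSION.mail_from, WORM_IN_SESSION.rcpt_to,
                        WORM_IN_SESSION.scanner_verdict, in_smtp_session=False)
CLEAN = Message("bob@example.com", ["alice@example.com"], "", True)

if __name__ == "__main__":
    for name, m in [("worm, in session", WORM_IN_SESSION),
                    ("worm, already accepted", WORM_ACCEPTED),
                    ("clean", CLEAN)]:
        print(name, "->", end_of_data_decision(m).value, "| reply:", smtp_reply(m),
              "| bounce allowed:", dsn_allowed(m),
              "| unknown local rcpts:", unknown_local_recipients(m))
```

The two habits this encodes are the ones that remove the bounce the virus writer is counting on: answer 5xx while the sending MTA is still on the line (so any failure notice is that MTA's problem, and a worm's own SMTP engine will simply drop it), and treat anything accepted before the scanner fired as quarantine-or-discard, never as material for a DSN. Rejecting unknown recipients at RCPT time closes the same hole for the generated To addresses before a message body is ever accepted.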
