[sanesecurity] Re: winnow.malware.ts.msofficeupdate.3.UNOFFICIAL

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 23 Oct 2009 17:52:36 -0400

At 10:19 PM +0100 10/23/09, Peter wrote:
 >>Umm, something's weird - I've just handtested a couple of these suspect
 >>FPs with clamscan, and didn't see a hit.  (We're using clamd in
 >>production).  I might have been a little early with the FP report.

 Let me know so I can reenable.

 Tom


Did you update your sigs after Tom disabled that sig and before manually
scanning?

Tom: the URL in the sig looked suspicious enough to me that I have no
qualms blocking based on it, so +1 for re-enabling it.


Yes, and it carries a real nasty Zeus bot trojan also.

Tom

--
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475 (cell/voice mail,pager) US skypeline: 321-622-9098
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw@xxxxxxx
Skype: trshaw

Fish more and Live longer
