Cisco Support Community

New Member

Blocking Phish-BankFraud.eml.a

What signature works for blocking/shunning emails with this Trojan in it?

Cisco Employee

Re: Blocking Phish-BankFraud.eml.a

The short answer: there is no specific signature for this.

If I look at McAfee's definition of the "trojan", it's really a heuristic detection mechanism to block a large percentage of the "phishing" emails. So this isn't really a particular trojan, but rather a class of things. The messages themselves spread via email (not through some sort of OS/system vulnerability) and require user interaction.

Normally, we write signatures for vulnerabilities themselves so that a single signature catches numerous variants of a worm/trojan. Numerous worms make use of the RPC DCOM and LSASS vulnerabilities to spread - rather than separate signatures for each and every variant, we have a couple signatures that capture all of them and help you isolate the machines that are infected and help stop the spread. There are instances where we will write virus/worm specific signatures - we partner with Trend and virus/worms that are bumped to medium or high severity levels will result in a signature from us.
