Search Google and you'll see that many others seem to think they're viri only too.
And of the legit zips I examined on my system they don't have those sequences. Irregardless I block all executable attachments anyways at my mx. This was strictly for the ones that are bypassing my mx records and sending directly to my mailbox server. Mike ----- Original Message ----- From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, January 27, 2004 5:17 PM Subject: Re: [Declude.JunkMail] MyDoom / Novarg > > >This string is in the beginning of first line of the body of infected emails > >all buts the zips > > > >T_V_q_Q_A_AMAAAAEAAAA > > > >This is in the beginning of the first line of the .zips > > > >U_E_s_D_B_AoAAAAAA > > > >Both of these strings produce virus hits on Google > > IIRC, those are just the encoded beginnings of .exe and .ZIP files -- and > could catch legitimate .exe and .zip files. > > -Scott > --- > Declude JunkMail: The advanced anti-spam solution for IMail mailservers. > Declude Virus: Catches known viruses and is the leader in mailserver > vulnerability detection. > Find out what you've been missing: Ask about our free 30-day evaluation. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.