Hi,

Most viruses that AVG misses are "new" variants that take a day or two
before AVG finally has an updated signature (the update frequency from AVG
seems to be a bit spotty). Fortunately, my secondary scanner has hourly
updates.

However, there are some viruses (and I confirmed that indeed they are) that
AVG always misses, such as W32/Bagle.fe!pwdzip. It's the virus where a user
is sent a zip file supposedly with a "pricelist" (that's what the subject
implies), with the password in an embedded GIF.

Except for the Barracuda blacklist, the senders are usually newly infected
PCs that are not caught on the other blacklists. Now, the number of daily
viruses missed by AVG is extremely small (usually less than 10), but of
course, you only need ONE user in your LAN to get infected to start a
potential snowball effect and have days of cleanup work ahead of you that
hopefully won't include any servers. I wouldn't bet the farm on the internal
scanner!

Sample:

Received: from [192.168.168.6] [66.185.5.104] by
Mail.Webhost.HM-Software.com with ESMTP
  (SMTPD-10.02) id AB1B0490; Fri, 05 Dec 2008 17:28:43 -0500
Date: Fri, 05 Dec 2008 16:28:45 -0600
To: "Rhanks" <[EMAIL PROTECTED]>
From: "Smadden" <[EMAIL PROTECTED]>
Subject: price 05-Dec-2008
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------nicuhltsamfpsjkasldg"
X-Declude-Note: Message failed WEIGHTFILTER test (line 12, weight 4)
X-Declude-RefID: 
X-Declude: Version 4.4.20; Code 0xe from ia-5-104.iowa.prairieinet.net
[66.185.5.104]
X-Declude: Triggered [6] BARRACUDA, WEIGHTFILTER
X-Countries: UNITED STATES->destination
X-Declude-Virus: Detected  the W32/Bagle.fe!pwdzip [from IP 66.185.5.104
(ia-5-104.iowa.prairieinet.net)].

----------nicuhltsamfpsjkasldg
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
It Is Protected

<br>Passwrd: <img src="cid:powrjastto.gif"><br>
<br>
</body></html>

----------nicuhltsamfpsjkasldg
Content-Type: image/gif; name="powrjastto.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="powrjastto.gif"
Content-ID: <powrjastto.gif>

[content suppressed ]

----------nicuhltsamfpsjkasldg
Content-Type: application/octet-stream; name="price05-Dec-2008.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price05-Dec-2008.zip"

[content suppressed ]

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
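As an added defensive example (not from the post, Declude or AVG), here is a Python check that parses a message and flags the lure described above: an HTML body that labels an inline cid: image as the "password" while a .zip attachment is present. The message bytes are constructed to mirror the sample's structure, with placeholder addresses and base64 bodies, and the password regex is deliberately loose because the lure spells it "Passwrd".

```python
import re
from email import policy
from email.parser import BytesParser

# Tolerant match for a "password" label: the sample spells it "Passwrd".
PASSWORD_HINT = re.compile(r"pass\s*w\w{0,3}d\b", re.IGNORECASE)
CID_REF = re.compile(r'<img[^>]+src="cid:([^"]+)"', re.IGNORECASE)

SAMPLE = b"""From: "Smadden" <sender@example.invalid>
Subject: price 05-Dec-2008
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>It Is Protected<br>Passwrd: <img src="cid:powrjastto.gif"><br></body></html>
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="powrjastto.gif"
Content-ID: <powrjastto.gif>

R0lGODlhAQABAAAAACw=
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price05-Dec-2008.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""  # constructed, modelled on the post's sample; base64 bodies are placeholders

def password_image_zip_lure(raw: bytes) -> dict:
    """Flag HTML that labels an inline image as the password while a .zip is attached."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    labelled_cids, image_cids, zips = set(), set(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            body = part.get_content()
            for m in CID_REF.finditer(body):
                # Count the image only if a password-like word sits just before it.
                if PASSWORD_HINT.search(body[max(0, m.start() - 40):m.start()]):
                    labelled_cids.add(m.group(1))
        elif ctype.startswith("image/") and part.get("Content-ID"):
            image_cids.add(str(part["Content-ID"]).strip().strip("<>"))
        elif (part.get_filename() or "").lower().endswith(".zip"):
            zips.append(part.get_filename())
    password_image = sorted(labelled_cids & image_cids)
    return {"password_image": password_image, "zips": zips, "suspicious": bool(password_image and zips)}
```

Because the check keys on the body/attachment structure rather than a signature, it keeps firing when the zip contents change; a gateway that cannot scan inside password-protected archives can use it to quarantine or tag the message instead.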