Here is one of the messages causing such "Unknown virus" warnings:
======================================================================
Received: from CAD22.com [217.199.28.13] by mail.zcom.it
  (SMTPD32-8.13) id A261113D008C; Fri, 29 Oct 2004 11:50:25 +0200
Date: Fri, 29 Oct 2004 11:53:40 +0100
To: "Watschinger" <[EMAIL PROTECTED]>
From: "R.p.rustikal" <[EMAIL PROTECTED]>
Subject: Re:
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="--------gstnxjmuytvkywgecqkl"
X-Declude-Sender: [EMAIL PROTECTED] [217.199.28.13]
X-Spam-Tests-Failed: None [0]
X-Country-Chain:
X-Note: Sent from [EMAIL PROTECTED] - ([217.199.28.13]) incoming.
X-Note: Sent to [EMAIL PROTECTED]
X-Declude-Virus: Detected .
----------gstnxjmuytvkywgecqkl
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
<html><body>
:))
<br>
</body></html>
----------gstnxjmuytvkywgecqkl
Content-Type: application/octet-stream; name="Price.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Price.exe"
======================================================================
Seems to be a new Bagle variant but this is all very strange.
Markus
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Franco Celli
> Sent: Friday, October 29, 2004 11:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Unknown virus warnings
>
> Hi Markus,
> I have no idea, but our server is registering a peak of
> incoming messages, with above-normal banned cpl extension
> attachments in virus folder.
>
> ---------------
> Franco Celli
> [EMAIL PROTECTED]
>
>
> ----- Original Message -----
> From: "Markus Gufler" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, October 29, 2004 10:32 AM
> Subject: [Declude.Virus] Unknown virus warnings
>
>
> > Hi all,
> >
> > Today I can see a large number of non-delivery reports coming back to our
> > server containing the original virus warning (recip.eml)
> >
> > This is the beginning of our recip.eml file:
> > ===============================================
> > SKIPIFSENDER [Forged]
> > SKIPIFVIRUSNAMEHAS Vulnerability
> > SKIPIFVIRUSNAMEHAS MyDoom
> > SKIPIFVIRUSNAMEHAS Netsky
> > SKIPIFVIRUSNAMEHAS Bagle
> > SKIPIFVIRUSNAMEHAS Unknown Virus
> > ONLYSENDIFREMOTESENDER
> > To: %ALLRECIPS%
> > From: [EMAIL PROTECTED]
> >
> > ...
> >
> > ===============================================
> >
> >
> > All returning NDRs are warnings about an "Unknown Virus" so I can't
> > understand why they are sent out, because the according SKIPIFVIRUSNAMEHAS
> > line is there, as we haven't changed any content of this file in the last 3
> > weeks.
> >
> > NDRs are coming back from all around the world.
> >
> > Any ideas?
> >
> > Markus
> >
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus". The archives can be found
> > at http://www.mail-archive.com.
> > ---
> > [Quipo ISP - This E-mail was scanned for viruses by Declude Virus]