Since these are HTML segments, my guess is that this is another case where Declude Virus Pro's Prescan would need to be turned off for these to be scanned.
I am catching these segments with Prescan off with Clam and McAfee.
----- Original Message -----
Sent: Wednesday, November 10, 2004 10:05 AM
Subject: Re: [Declude.Virus] New virus with unusual deployment
McAfee is catching the "virus generated" e-mails as W32/Mydoom.gen!eml http://vil.nai.com/vil/content/v_129633.htm
But without any real violations (virus or vulnerability) in the e-mail it will be hard for the AV companies to tell good from bad. It will be even harder to write good generic detections that catch future versions of this virus, because the virus writer can change almost everything about the e-mail and the only thing that really counts is "does the link work". I do not expect Declude's checking to catch this one.
I've been wondering what took the virus writers so long to use this model of distribution: host the virus on each infected PC. It is much harder to stop at the mail server than an attachment. (And there is no central server to be shut down.) Given enough variation in the virus generated e-mail, I'm not sure the AV companies will be able to catch future versions of this virus at the mail server.
So far the volume is low (I have yet to get one here). http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AH&VSect=S&Period=1d But this one or another member of its family is going to get very widespread.
Greg Little
PS Anybody know how the other AV companies are doing on catching the virus generated e-mails?
Rick Davidson wrote:
Don't the newer versions of Declude Virus catch the IFRAME vulnerability?
The problem with the current virus strains is that they do not contain any vulnerability at all. The IFRAME vulnerability exists on the site contained in the body link.