Re: [Declude.Virus] New virus out?

Tue, 31 May 2005 10:03:02 -0700 

This is a report processed by VirusTotal on 05/31/2005 at 17:52:48 (CET) 
after scanning the file "8.zip" file.
      Antivirus Version Update Result
      AntiVir 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR
      AVG 718 05.31.2005 no virus found
      Avira 6.30.0.15 05.31.2005 TR/Dldr.Bagle.BR
      BitDefender 7.0 05.31.2005 [EMAIL PROTECTED]
      ClamAV devel-20050501 05.31.2005 Worm.Bagle.BB-gen
      DrWeb 4.32b 05.31.2005 Win32.HLLM.Beagle.36352
      eTrust-Iris 7.1.194.0 05.31.2005 no virus found
      eTrust-Vet 11.9.1.0 05.31.2005 no virus found
      Fortinet 2.27.0.0 05.31.2005 W32/Mitglieder.CD.gen-tr
      Ikarus 2.32 05.31.2005 no virus found
      Kaspersky 4.0.2.24 05.31.2005 Email-Worm.Win32.Bagle.bo
      McAfee 4502 05.30.2005 no virus found
      NOD32v2 1.1116 05.31.2005 probably unknown NewHeur_PE virus
      Norman 5.70.10 05.30.2005 W32/Downloader
      Panda 8.02.00 05.31.2005 Suspect File
      Sybari 7.5.1314 05.31.2005 Email-Worm.Win32.Bagle.bo
      Symantec 8.0 05.30.2005 Trojan.Tooso.B
      VBA32 3.10.3 05.31.2005 suspected of Worm.Bagle.3


----- Original Message ----- 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, May 31, 2005 6:39 PM
Subject: RE: [Declude.Virus] New virus out?


Yes, a new Bagle and MyTob are out.

See:

http://isc.sans.org/diary.php?date=2005-05-31

http://www.viruslist.com/en/weblog

My current F-Prot *.def is detecting this as a suspicious file (return
code = 8); I've only seen two that were caught by Declude Virus, but it
could be quite a few more caught as spam.  When I run F-Prot on them
manually, they are detected as "W32/[EMAIL PROTECTED]".

That's interesting, because I thought that Mitglieder and MyTob were the
same; maybe there's only one new virus but in the form of a dropper and
a payload?  I remember something a few weeks back (maybe in the
Kaspersky diary?) that mentioned that some virus programmer had
essentially used "plug n play" code to mix and match one delivery agent
with another payload in one viral executable.



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

Reply via email to