Gary, you beat them by a day with your own assessment, but Symantec blogged about this virus twice today:
http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam _attack_rared_trojan.html An interesting point is that they have blocked 1.2 million messages by tackling the text of the message as spam. Andrew. > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Gary Steiner > Sent: Wednesday, April 25, 2007 10:31 AM > To: [email protected] > Subject: [Declude.Virus] new virus with .rar attachment > > I started getting some messages today that were picked up as > spam, but were not being identified as viruses. They looked > suspicious, having subject lines of > > Virus Activity Detected! > Spyware Alert! > > It containes a .gif message that tells the user to open the > .rar file and run the patch there to protect them from the > virus/spyware. > > I ran it on www.virustotal.com, and the only scanner that > picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]". > > http://vil.nai.com/vil/content/v_142094.htm > > Since this a password protected .rar file, should we now be > blocking these? > > > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
