Basically that is what ClamAV is doing. It detects it as a phishing spam.
-------- Original Message -------- > From: "Colbeck, Andrew" <[EMAIL PROTECTED]> > Sent: Thursday, April 26, 2007 6:11 PM > To: [email protected] > Subject: RE: [Declude.Virus] new virus with .rar attachment > > Gary, you beat them by a day with your own assessment, but Symantec > blogged about this virus twice today: > > http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam > _attack_rared_trojan.html > > An interesting point is that they have blocked 1.2 million messages by > tackling the text of the message as spam. > > Andrew. > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > > Behalf Of Gary Steiner > > Sent: Wednesday, April 25, 2007 10:31 AM > > To: [email protected] > > Subject: [Declude.Virus] new virus with .rar attachment > > > > I started getting some messages today that were picked up as > > spam, but were not being identified as viruses. They looked > > suspicious, having subject lines of > > > > Virus Activity Detected! > > Spyware Alert! > > > > It containes a .gif message that tells the user to open the > > .rar file and run the patch there to protect them from the > > virus/spyware. > > > > I ran it on www.virustotal.com, and the only scanner that > > picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]". > > > > http://vil.nai.com/vil/content/v_142094.htm > > > > Since this a password protected .rar file, should we now be > > blocking these? > > > > > > > > > > > > > > --- > > This E-mail came from the Declude.Virus mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.Virus". The archives can be found > > at http://www.mail-archive.com. > > > > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
