>I caught Gibe with Declude 1.41 McAfee CLI scanner with dailydat
>update.

FYI, here's what appears to have happened.

The Gibe virus took about 24 hours from the time it was first seen until
the AV companies recognized that it was a virus and had virus definitions
for it. Once they had virus definitions, the original version was caught.

However, the AV companies are also referring to a "corrupted version", which
appears to be the one that was slipping through. This is the one that
Declude v1.43 took care of. It seems that most E-mail software would
handle this the way that Declude had been handling it (causing a slightly
corrupt, non-functional file). So upgrading to Declude v1.43 would detect
it (because Declude v1.43 would produce the non-corrupt version), or having
the latest virus definitions that detect the "corrupted" version would
catch it (even with pre-v1.43 versions of Declude).

In either case, the original, non-corrupt version behaved as a standard
virus, and was caught with all scanners and all versions of Declude as soon
as the AV definitions were updated.

This explains the odd behavior, where the virus might not have been caught
when originally received, but would get caught when forwarded to someone
else (this would happen if the mail client produced the non-corrupt
version, as it would forward a copy similar to the original non-corrupt
version of Gibe), and where one virus scanner would sometimes not catch it and
sometimes two would (both would catch the original virus, but only one
would detect the corrupted version).

-Scott