Hi Hello MAIL DELIVERY SYSTEM
The bodies all have that one line in them that you quoted. The only other notable sign that I can see is a Message ID that uses YYYYMMDDhhmm and then three numbers, i.e.:
Message-Id: <[EMAIL PROTECTED]>
ID also uses the wrong capitalization, but I don't think we can filter for that.
Matt
Andy Schmidt wrote:
Hm - just got this mail with an attached "README.ZIP" (which I didn't open):
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, January 26, 2004 04:32 PM
Subject:
The message contains Unicode characters and has been sent as a binary attachment.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, January 26, 2004 04:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] New, fast-spreading virus
FYI, there is a new fast-spreading virus out there, that is too new to be caught by AV programs yet.
So far we have seen filenames of "body", "data", "document", "file", "glszfj", "message", "readme", "test", "text", "vgsu042a", and "vncexdl", with extensions of .pif, .scr, .zip.
It may be a wise idea to temporarily ban .pif and .scr files (and possibly .zip as well), if you do not already. You can use "BANEXT PIF" and "BANEXT SCR" in the virus.cfg file to do this.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
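Added example, not part of the thread and not Declude's own code: a minimal attachment check in the spirit of the "BANEXT PIF" / "BANEXT SCR" advice above, using the filenames and extensions reported in the thread. The function names, the "suspect" verdict for unbanned .zip files, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Values taken from the thread above.
BANNED_EXT = {"pif", "scr"}            # BANEXT PIF / BANEXT SCR
OPTIONAL_EXT = {"zip"}                 # "possibly .zip as well"
SEEN_NAMES = {"body", "data", "document", "file", "glszfj", "message",
              "readme", "test", "text", "vgsu042a", "vncexdl"}


def classify(filename: str, ban_zip: bool = False) -> str:
    """Return 'ban', 'suspect' or 'pass' for one attachment filename."""
    # Drop any path, trailing dots/spaces, and case: "README.ZIP " -> "readme.zip".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    stem, dot, ext = name.rpartition(".")
    if not dot:                        # no extension at all
        return "pass"
    if ext in BANNED_EXT or (ban_zip and ext in OPTIONAL_EXT):
        return "ban"
    # Archive not banned outright: flag it when the name matches one seen so far.
    if ext in OPTIONAL_EXT and stem in SEEN_NAMES:
        return "suspect"
    return "pass"


def check_message(raw: bytes, ban_zip: bool = False) -> list:
    """Classify every named attachment in a raw message as (filename, verdict)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), classify(part.get_filename(), ban_zip))
            for part in msg.walk() if part.get_filename()]


def build_sample(filename: str) -> bytes:
    """Constructed test message (not a captured sample) with one dummy attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fn in ("README.ZIP", "document.txt.scr", "Message.PIF.", "photos.zip"):
        print(fn, check_message(build_sample(fn)))
```

Matching on the last extension after stripping trailing dots and spaces keeps names such as "document.txt.scr" or "Message.PIF." from slipping past a naive suffix comparison.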
