Symantec is being short-sighted. This is the same spammer sending this
virus that was responsible for the seeded outbreak around New Year's.
He starts his attacks at a moment's notice and ends them just as
quickly. He can change his text faster than Symantec will ever be able
to keep up with should he care to do so. He sends these through his
network of spam zombies which he typically uses to send out stock spam.
McAfee was detecting this within 2 hours of it first being seen. I saw
hundreds of these within those two hours though. Thankfully it appears
that almost all if not all were blocked as spam. Another saving grace
is the fact that it came out as an encrypted RAR which very few people
have support for.
Be absolutely certain that he will be back.
Matt
Gary Steiner wrote:
Basically that is what ClamAV is doing. It detects it as a phishing spam.
-------- Original Message --------
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment
Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:
http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
An interesting point is that they have blocked 1.2 million messages by
tackling the text of the message as spam.
Andrew.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 10:31 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment
I started getting some messages today that were picked up as
spam, but were not being identified as viruses. They looked
suspicious, having subject lines of
Virus Activity Detected!
Spyware Alert!
It contains a .gif message that tells the user to open the
.rar file and run the patch there to protect them from the
virus/spyware.
I ran it on www.virustotal.com, and the only scanner that
picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".
http://vil.nai.com/vil/content/v_142094.htm
Since this is a password protected .rar file, should we now be
blocking these?
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
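A defender-side check for the question raised in this thread (whether to hold password-protected .rar attachments that scanners cannot look inside), as an added example that is not code from the list, from Declude, or from any scanner mentioned: it walks the RAR 4.x block headers of a constructed sample archive and reports whether the archive headers or any member file carry the password flag, so a gateway can quarantine such attachments independently of signature coverage. The sample bytes, the member names and the should_quarantine policy are constructed for this example; RAR5 archives (a different signature and header layout) are not parsed.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # 7-byte marker block that opens every RAR 4.x archive
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080  # main-header flag: every following header is encrypted
LHD_PASSWORD = 0x0004  # file-header flag: this member's data is encrypted
LHD_LARGE = 0x0100     # file-header flag: 8 extra bytes of 64-bit sizes precede the name
LONG_BLOCK = 0x8000    # any block: a 4-byte ADD_SIZE (data length) follows the 7-byte base

def rar4_encryption_status(blob: bytes) -> dict:
    """Walk the RAR 4.x block chain and report what is encrypted (CRCs not validated)."""
    result = {"is_rar4": False, "headers_encrypted": False, "encrypted_files": [], "plain_files": []}
    if not blob.startswith(RAR4_MARKER):
        return result
    result["is_rar4"] = True
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(blob):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", blob, pos)
        if hsize < 7:
            break  # corrupt header: stop rather than loop forever
        add_size = struct.unpack_from("<I", blob, pos + 7)[0] if flags & LONG_BLOCK and pos + 11 <= len(blob) else 0
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            result["headers_encrypted"] = True
            break  # everything after this block is ciphertext, file names included
        if htype == FILE_HEAD and pos + 28 <= len(blob):
            name_size = struct.unpack_from("<H", blob, pos + 26)[0]
            name_off = pos + (40 if flags & LHD_LARGE else 32)
            raw = blob[name_off:name_off + name_size].split(b"\x00")[0]  # drop Unicode tail
            key = "encrypted_files" if flags & LHD_PASSWORD else "plain_files"
            result[key].append(raw.decode("latin-1"))
        pos += hsize + add_size
    return result

def should_quarantine(blob: bytes) -> bool:
    """Gateway policy (constructed): hold any RAR 4.x whose headers or any member are encrypted."""
    s = rar4_encryption_status(blob)
    return s["is_rar4"] and (s["headers_encrypted"] or bool(s["encrypted_files"]))

def _file_block(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Minimal RAR 4.x file header + data for a constructed fixture (CRCs zeroed)."""
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    head = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, flags, 32 + len(name),
                       len(data), len(data), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return head + name + data

SAMPLE_RAR = (RAR4_MARKER  # constructed: an encrypted patch.exe beside a plain readme
              + struct.pack("<HBHH", 0, MAIN_HEAD, 0, 13) + b"\x00" * 6
              + _file_block(b"patch.exe", b"\xde\xad\xbe\xef", encrypted=True)
              + _file_block(b"readme.txt", b"hi", encrypted=False)
              + struct.pack("<HBHH", 0, END_HEAD, 0x4000, 7))
```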