Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:
http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
An interesting point is that they have blocked 1.2 million messages by
tackling the text of
Basically that is what ClamAV is doing. It detects it as a phishing spam.
-----Original Message-----
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment
Gary, you
Symantec is being short-sighted. This is the same spammer sending this
virus that was responsible for the seeded outbreak around New Year's.
He starts his attacks at a moment's notice and ends them just as
quickly. He can change his text faster than Symantec will ever be able
to keep up
I have downloaded a copy of the virus and inspected it. The file is a
functional encrypted RAR with an EXE inside of the same file name. I
also researched why Declude might not be catching this and I believe
that I know why.
Declude will properly detect an executable within a RAR file and
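
The combination described in the last message, an encrypted RAR with an EXE inside, can be recognised without the password: RAR 1.5-4.x archives encrypt file data but leave member names readable unless header encryption is switched on. The sketch below is an added example, not part of any poster's message and not Declude's or ClamAV's code; `scan_rar`, `should_block`, `build_sample`, the blocking policy and the sample name `invoice.exe` are assumptions, and header CRCs are not verified.

```python
import struct

RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x signature; RAR5 uses another layout
HEAD_MAIN, HEAD_FILE = 0x73, 0x74
MHD_PASSWORD = 0x0080              # main header flag: block headers are encrypted too
LHD_PASSWORD, LHD_LARGE, LHD_SALT = 0x0004, 0x0100, 0x0400
LONG_BLOCK = 0x8000                # a 4-byte data size follows the 7-byte base header
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def scan_rar(data):
    """Return (headers_encrypted, [(name, data_encrypted, executable_name), ...])."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 1.5-4.x archive")
    pos, entries = len(RAR_MARKER), []
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            break                  # truncated or corrupt header: stop walking
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            return True, entries   # names are unreadable without the password
        add_size = 0
        if (htype == HEAD_FILE or flags & LONG_BLOCK) and hsize >= 11:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == HEAD_FILE and hsize >= 32:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32
            if flags & LHD_LARGE and hsize >= 40:  # 64-bit sizes precede the name
                add_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
                name_off += 8
            raw = data[name_off:min(name_off + name_size, pos + hsize)]
            name = raw.split(b"\0")[0].decode("latin-1")  # drop the Unicode tail
            entries.append((name, bool(flags & LHD_PASSWORD),
                            name.lower().endswith(EXEC_EXT)))
        pos += hsize + add_size
    return False, entries

def should_block(data):
    """Assumed gateway policy: block what cannot be scanned and looks executable."""
    hidden, entries = scan_rar(data)
    return hidden or any(enc and exe for _name, enc, exe in entries)

def build_sample(name=b"invoice.exe", flags=LONG_BLOCK | LHD_PASSWORD | LHD_SALT):
    """Constructed test archive: header fields only, CRCs zero, filler data."""
    main = struct.pack("<HBHHHI", 0, HEAD_MAIN, 0, 13, 0, 0)
    salt = b"\x11" * 8 if flags & LHD_SALT else b""
    head = struct.pack("<HBHHIIBIIBBHI", 0, HEAD_FILE, flags,
                       32 + len(name) + len(salt), 16, 4096, 2, 0, 0, 29, 0x33, len(name), 0x20)
    return RAR_MARKER + main + head + name + salt + b"\xAA" * 16
```

Because the decision rests on the header flags and the member name rather than on the message text, it does not depend on the wording the sender chooses for each run.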