I suppose it depends on just how deep the sniffer signature goes... Previous viruses, including Sober.*, have come in waves, with variants that skirt all but the most intrusive antivirus blocking schemes.
I submitted a sample to the Norman Sandbox, which turned up different information than the McAfee, Trend Micro et al. writeups. I googled the CLSIDs that turned up and didn't come up with much, but a fascinating thing was that they also hit on a previous Norman Sandbox entry that Google happened to have in its cache from Sep-25-2005. Maybe the bad guys are testing their software there before release? Hmmm...

So anyhow... If sniffer is *so* amazing that it could identify the CLSID within an executable within a zip file within a MIME segment of a message file, well, that would certainly be amazing, now wouldn't it? I figure the CLSID is unlikely to change as quickly as the distribution method and packaging.

Andrew 8)

P.S. We'll see how well the shiny new Common Malware Enumeration scheme pans out. So far, the vendors' names for the malware are quite different.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Thursday, October 06, 2005 12:02 AM
> To: [email protected]
> Subject: RE: [sniffer] New virus...
>
> No need to block zips, with Declude just add "BANZIPEXTS ON" to your
> virus.cfg file since the payload is an exe within the zip and
> since we are all already banning executable files, correct?
>
> John T
> eServices For You
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of Pete McNeil
> > Sent: Wednesday, October 05, 2005 8:41 PM
> > To: [email protected]
> > Subject: [sniffer] New virus...
> > Importance: High
> >
> > Hello sniffer,
> >
> > Hello folks... watch out for a new virus email with an attachment
> > named "pword _ change . zip" - extra spaces added to skip filters
> > ;-)
> >
> > We're adding some SNF rules to catch it. No word about it on virus
> > lists or scanner services yet (that I can see).
> >
> > You may want to temporarily block .zip files - or at least this
> > particular zip file until the new rules can be pushed out and the
> > virus scanners catch up.
> >
> > Thanks,
> > _M
> >
> > Pete McNeil (Madscientist)
> > President, MicroNeil Research Corporation
> > Chief SortMonster (www.sortmonster.com)
> > Chief Scientist (www.armresearch.com)
> >
> > This E-Mail came from the Message Sniffer mailing list. For
> > information and (un)subscription instructions go to
> > http://www.sortmonster.com/MessageSniffer/Help/Help.html
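The thread above discusses two defences for this kind of mail: refusing executables that arrive inside a zip attachment (what John T describes with Declude's "BANZIPEXTS ON"), and the harder trick Andrew muses about, reaching a CLSID inside an executable inside a zip inside a MIME part. The script below is an added example written for this page in Python; it is not Message Sniffer's, Declude's or any vendor's code, and it does not reproduce any real rule. It walks a MIME message, finds attachments whose name ends in .zip once whitespace is collapsed (so a name spaced out like "pword _ change . zip" still matches), inflates each member with a size cap as a zip-bomb guard, flags members with a banned executable extension (BANNED_EXTS is an assumed list, not Declude's), descends a bounded number of nested zips, and reports any registry-style GUID string found in the member bytes. The sample message, its fake .exe and the GUID in it are constructed for the demo.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed list of extensions to refuse inside an archive (illustrative,
# not Declude's BANZIPEXTS list).
BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Registry-style CLSID/GUID as it appears as text in a binary: {8-4-4-4-12 hex}.
CLSID_RE = re.compile(rb"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

MAX_MEMBER_BYTES = 8 * 1024 * 1024  # never inflate a member larger than this
MAX_NESTING = 3                      # zip-inside-zip levels to descend


def normalize_name(name):
    """Collapse whitespace and case: 'pword _ change . zip' -> 'pword_change.zip'."""
    return "".join(name.split()).lower()


def extension_of(name):
    """Lower-cased extension of a (normalized) file name, '' if it has none."""
    name = normalize_name(name)
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def scan_zip_bytes(data, depth=0):
    """Return (kind, detail) findings for every member of an in-memory zip."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("bad_zip", "")]
    for info in zf.infolist():
        ext = extension_of(info.filename)
        if ext in BANNED_EXTS:
            findings.append(("banned_ext", info.filename))
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append(("oversize", info.filename))
            continue  # refuse to inflate it
        member = zf.read(info)
        for guid in CLSID_RE.findall(member):
            findings.append(("clsid", guid.decode("ascii")))
        if ext == ".zip" and depth < MAX_NESTING:
            findings.extend(scan_zip_bytes(member, depth + 1))
    return findings


def scan_message(raw):
    """Walk the MIME tree and scan each attachment whose normalized name ends in .zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or extension_of(fname) != ".zip":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        for kind, detail in scan_zip_bytes(payload):
            findings.append((fname, kind, detail))
    return findings


def build_sample_message():
    """Constructed input: a zip holding a fake .exe that carries a made-up GUID."""
    fake_exe = b"MZ fake binary {12345678-1234-1234-1234-123456789ABC} end"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pword_change.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "lists@example.com"
    msg["Subject"] = "password change"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="pword _ change . zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, kind, detail in scan_message(build_sample_message()):
        print(f"{fname!r}: {kind} {detail}")
```

Matching a CLSID string this way only works when the GUID is stored as text in the executable; a packed or encrypted sample would hide it, which is why the extension check (the equivalent of banning the exe inside the zip) is the cheaper and more robust of the two.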
