On Tue, 27 Jan 2004 at 10:49:45 +0000, Andy Fiddaman wrote:
>
> This new Mimail variant looks nasty - does anyone know if the following
> information is true? and, if so, presumably we need more than just a
> pattern update to catch this one!
>
> Thanks,
>
> Andy
>
> ; The most important modification in Mimail.q is the polymorphic
> ; encryption keys inbuilt to fool anti-virus programs. Every time the
> ; infected machine is restarted Mimail.q changes the encryption key so
> ; that the copies of itself that Mimail sends look different every
> ; time.
> ; This means that anti-virus programs must have a decryption routine in
> ; order to contend with Mimail.q successfully.
>
Our signature of Worm.Mimail.Q _is_ a "polymorphic" one.
Of course it may happen that it's not optimal. If there are samples not
detected by Clamav, we'll see.

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
[EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner