Just a thought: This new Mimail variant looks nasty - does anyone know if the following information is true? And, if so, presumably we need more than just a pattern update to catch this one!
Thanks,
Andy
; The most important modification in Mimail.q are the polymorphic
; encryption keys inbuilt to fool anti-virus programs. Every time the
; infected machine is restarted Mimail.q changes the encryption key so
; that the copies of itself that Mimail sends look different every
; time.
; This means that anti-virus programs must have a decryption routine in
; order to contend with Mimail.q successfully.
The decryption routine in the virus should be constant, shouldn't it?
Although matching on this code might lead to false positives on some cryptographic software.
--
Lionel Bouton - inet6
Inetsys S.A.
Registered office: 51, rue de Verdun - 92158 Suresnes, France
Office access: 33 rue Benoit Malon - 92150 Suresnes, France
Tel. +33 (0) 1 41 44 85 36
Fax +33 (0) 1 46 97 20 10
_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
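Added example, not part of the original thread and not ClamAV or Mimail.q code: a toy model of the two points raised above, the re-keyed body from the quoted description and the constant decryptor from the reply, comparing four signature choices over three re-keyed copies and one benign file. The single-byte XOR scheme, the stub layout and every byte string are constructed assumptions.

```python
# Toy model only: every byte string here is constructed, none comes from Mimail.q.
PROLOGUE = b"\x01TOY-PROLOGUE\x02"      # part of the stub specific to this sample family
XOR_LOOP = b"\x03GENERIC-XOR-LOOP\x04"  # generic loop that benign tools may also contain
STUB = PROLOGUE + XOR_LOOP              # fixed decryptor, stored unencrypted
BODY = b"constructed payload body, not real code. " * 2


def make_copy(key: int) -> bytes:
    """One copy as sent: fixed stub, key byte, body XOR-encoded with that key."""
    return STUB + bytes([key]) + bytes(b ^ key for b in BODY)


def scan(data: bytes, signature: bytes) -> bool:
    """Plain pattern match, as a static byte signature does."""
    return signature in data


def decrypt_and_scan(data: bytes, plain_sig: bytes) -> bool:
    """Locate the stub, read the key after it, decode the body, then match."""
    pos = data.find(STUB)
    if pos < 0 or pos + len(STUB) >= len(data):
        return False
    key = data[pos + len(STUB)]
    body = bytes(b ^ key for b in data[pos + len(STUB) + 1:])
    return plain_sig in body


def detection_table(keys=(0x21, 0x5A, 0xC3)):
    """Return {signature name: [hit per copy..., hit on benign file]}."""
    copies = [make_copy(k) for k in keys]
    benign = b"constructed benign crypto tool " + XOR_LOOP + b" end"
    body_sig = copies[0][len(STUB) + 1:][:16]   # cut from the first captured copy
    checks = {
        "encoded-body": lambda d: scan(d, body_sig),
        "xor-loop-only": lambda d: scan(d, XOR_LOOP),
        "full-stub": lambda d: scan(d, STUB),
        "decrypt-then-match": lambda d: decrypt_and_scan(d, BODY[:16]),
    }
    return {name: [fn(d) for d in copies + [benign]] for name, fn in checks.items()}


if __name__ == "__main__":
    for name, hits in detection_table().items():
        print(f"{name:20s} {hits}")
```

The last column is the benign file: a signature cut from the encoded body only matches the copy it was taken from, while one that covers only the generic loop also fires on the benign tool.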