Actually, I think this might be a new variant. I submitted it to McAfee last night and they sent back an extra.dat file to me. The filename is different than the one in their write-up. Also the ones we were seeing were caught by the banned extension until I copied over the extra.dat file.
Ahh just went to McAfee again...

--Update Mar 10, 2004--
A new variant has been spammed to a large number of email addresses with subject similar to: This your photo? The file usb_d2.exe has been re-packed using UPX and attached as a ZIP file. This new variant will be detected by the 4336 DATS

Also the file I saw were p_usb.exe in a .zip file.

Don

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 2:23 AM
Subject: [Declude.Virus] Proxy-Cidra

> This morning I've seen several Proxy-Cidra Trojans hold on our server. The
> discovery date of this trojan is 12/27/2003 and so every AV engine should be
> able to detect it.
>
> http://vil.nai.com/vil/content/v_100939.htm
>
> All infected messages I've seen are coming from different IPs.
>
> Markus
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail scanned for viruses by Declude Virus]