Actually, I think this might be a new variant. I submitted it to Mcafee last
night and they sent back an extra.dat file to me. The filename is different
than the one in their write-up. Also the ones we were seeing were caught by
the banned extension until I copied over the extra.dat file.
Ahh just went to Mcafee again...
--Update Mar 10, 2004--
A new variant has been spammed to a large number of email addresses with
subject similar to:
This your photo?
The file usb_d2.exe has been re-packed using UPX and attached as a ZIP file.
This new variant will be detected by the 4336 DATS
Also the file I saw were p_usb.exe in a .zip file.
Don
----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 2:23 AM
Subject: [Declude.Virus] Proxy-Cidra
> This morning I've seen several Proxy-Cidra Trojans hold on our server. The
> discovery date of this trojan is 12/27/2003 and so every AV engine should
be
> able to detect it.
>
> http://vil.nai.com/vil/content/v_100939.htm
>
> All infected messages I've seen are comming from different IPs.
>
> Markus
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
>
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
