This is a new Bagel variant: http://vil.nai.com/vil/content/v_129588.htm

I was wrong about what was detecting it first... it was F-Prot. I just figured out that my McAfee update script is no longer working. Does anyone have a newer link to the daily DAT's than http://download.nai.com/products/mcafee-avert/daily_dats/DailyDAT.zip?

Thanks,

Matt

John Tolmachoff (Lists) wrote:

OK, so it is cpl file, which we should all have in our list of banned extensions including banned if within a zip file, so we should all be safe, correct?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Monday, September 12, 2005 11:49 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Seemingly bad virus this morning

I opened the zip file and it contained one file called "1.cpl" (without the quotes). Some sort of malicious Control Panel applet?

----- Original Message -----
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Monday, September 12, 2005 11:55 AM
Subject: RE: [Declude.Virus] Seemingly bad virus this morning

What is the payload inside the zip?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, September 12, 2005 7:52 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Seemingly bad virus this morning

FYI,

We found a rapidly spreading zip virus beginning at about 8:15 a.m. this morning, first coming from Eastern Europe. McAfee seems to be detecting all of them now, but F-Prot as of this moment is not on our system. Every attachment name seemingly contained the word "price". Here's a quick filter that I had put together for it:

    HEADERS END NOTCONTAINS boundary="--------
    BODY END NOTCONTAINS attachment; filename="
    BODY END NOTCONTAINS .zip" Content-Transfer-Encoding
    BODY 15 CONTAINS price

Matt

-------------------------------------------------------------------
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
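
Added example (not part of the original thread and not Declude's own code): a standalone Python sketch of the check discussed above, flagging banned extensions such as .cpl both as direct attachments and as members of a zip attachment. The extension list, the function names, the nesting depth, the size limit and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy list for this example; .cpl is the type named in the thread.
BANNED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat"}

def ext_of(name):
    """Lower-cased last extension; trailing dots/spaces are dropped as Windows does."""
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def scan_zip(data, attachment, prefix, depth, hits):
    """Record banned member names; descend into nested zips up to `depth` levels."""
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if ext_of(info.filename) in BANNED_EXTENSIONS:
                hits.append((attachment, path))  # standard zip encryption leaves names readable
            elif (ext_of(info.filename) == ".zip" and not info.flag_bits & 0x1
                  and info.file_size <= 10_000_000):  # skip encrypted/oversized inner zips
                scan_zip(zf.read(info), attachment, path + "/", depth - 1, hits)

def banned_members(raw_message, max_depth=2):
    """Return [(attachment filename, offending path)] for one raw RFC 822 message."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        filename = part.get_filename()
        if not filename:
            continue
        if ext_of(filename) in BANNED_EXTENSIONS:
            hits.append((filename, filename))
        scan_zip(part.get_payload(decode=True) or b"", filename, "", max_depth, hits)
    return hits

def build_sample():
    """Constructed sample: price.zip holding a harmless placeholder named 1.cpl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1.cpl", b"placeholder bytes, not executable content")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="price.zip")
    return msg.as_bytes()
```

banned_members(build_sample()) reports the 1.cpl member of price.zip. The check matches on names only, so a renamed executable still needs a content-based scanner behind it.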