#New Sober.R aka CME-151 per http://cme.mitre.org ... expect German right-wing propaganda in a few days Oct-05-2005 AC
BANNAME pword_change.zip
BANNAME screen_photo.zip
BANNAME KlassenFoto.zip
BANNAME Regis.info.zip
BANNAME Privat-Foto.zip
BANNAME Brief.zip

banned extensions for both flavours as per:

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, October 06, 2005 10:55 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] New variant as of 15 minutes ago

John,

It was an EXE file.  Pretty much all zip viruses are these days.  I only received 8 of these in a 15 minute period and then it was over with for at least that one variant.  I am guessing that gmx.de is aware of the issue and taking steps to prevent it.  Shame on them for being exploitable as a relay (plenty of others like Yahoo and HotMail also should share some blame for lax procedures).

I have one thing to add however.  This one came from gmx.net as well as gmx.de.

Matt
John T (Lists) wrote:

Matt, what is the payload inside the zip?
John T

eServices For You
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, October 06, 2005 9:32 AM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] New variant as of 15 minutes ago
Same servers, but this time it has a Regis.info.zip attachment and the subject is "Registration Confirmation".

Basically I converted to blocking any zips below 200 KB that come from these providers with some filtering and it seems to be working.

Matt
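An added example, not part of the thread and not Declude's own code: a Python check over a parsed message that applies the two rules Matt describes, the posted BANNAME list and the "zip under 200 KB from gmx.de/gmx.net" cut-off, and additionally opens the zip to see whether it carries an .exe, as the payload in this thread did. The sender address, the message and the zip contents are constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names taken from the BANNAME lines posted in this thread.
BANNED_NAMES = {"pword_change.zip", "screen_photo.zip", "KlassenFoto.zip",
                "Regis.info.zip", "Privat-Foto.zip", "Brief.zip"}
WATCHED_DOMAINS = {"gmx.de", "gmx.net"}   # sender domains named in the thread
SIZE_LIMIT = 200 * 1024                     # Matt's 200 KB cut-off

def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if no address)."""
    addr = str(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].strip(">").lower() if "@" in addr else ""

def zip_has_executable(data):
    """True if the zip lists a member ending in .exe; corrupt zips count as no."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(".exe") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify(raw_bytes):
    """Return [(filename, reason), ...] for every attachment that trips a rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    domain = sender_domain(msg)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_zip = name.lower().endswith(".zip")
        if name in BANNED_NAMES:
            hits.append((name, "BANNAME match"))
        elif is_zip and domain in WATCHED_DOMAINS and len(data) < SIZE_LIMIT:
            hits.append((name, "small zip from " + domain))
        if is_zip and zip_has_executable(data):
            hits.append((name, "zip contains .exe"))
    return hits

def build_sample(attachment_name="Regis.info.zip"):
    """Constructed message: a tiny zip holding a harmless text file named like an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Regis.info.exe", b"plain text, not a program")
    msg = EmailMessage()
    msg["From"] = "someone@gmx.de"        # constructed sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Registration Confirmation"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()
```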
