Symantec is being short-sighted. This is the same spammer sending this virus that was responsible for the seeded outbreak around New Year's. He starts his attacks at a moment's notice and ends them just as quickly. He can change his text faster than Symantec will ever be able to keep up with should he care to do so. He sends these through his network of spam zombies which he typically uses to send out stock spam.

McAfee was detecting this within 2 hours of it first being seen. I saw hundreds of these within those two hours though. Thankfully it appears that almost all if not all were blocked as spam. Another saving grace is the fact that it came out as an encrypted RAR which very few people have support for.

Be absolutely certain that he will be back.

Matt



Gary Steiner wrote:
Basically that is what ClamAV is doing.  It detects it as a phishing spam.


-------- Original Message --------
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
Sent: Thursday, April 26, 2007 6:11 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] new virus with .rar attachment

Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:

http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html

An interesting point is that they have blocked 1.2 million messages by
tackling the text of the message as spam.

Andrew.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 10:31 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] new virus with .rar attachment

I started getting some messages today that were picked up as spam, but were not being identified as viruses. They looked suspicious, having subject lines of

Virus Activity Detected!
Spyware Alert!

It contains a .gif message that tells the user to open the .rar file and run the patch there to protect them from the virus/spyware.

I ran it on www.virustotal.com, and the only scanner that picked it up was McAfee, and it identified it as "W32/[EMAIL PROTECTED]".

http://vil.nai.com/vil/content/v_142094.htm

Since this is a password-protected .rar file, should we now be blocking these?






---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
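
The thread asks whether password-protected .rar attachments should be blocked. As an added example (not code from the list or from any scanner named above), this sketch flags such attachments by reading the RAR header flags instead of trusting the file extension. It assumes the RAR 1.5-4.x header layout; the function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

RAR4_MAGIC = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x signature; RAR5 is a different format
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080  # main header flag: block headers are encrypted
LHD_PASSWORD = 0x0004  # file header flag: file data is encrypted
LONG_BLOCK = 0x8000    # a 4-byte ADD_SIZE follows the 7-byte base header

def rar_is_encrypted(data: bytes) -> bool:
    """True if a RAR4 main or file header carries a password flag."""
    if not data.startswith(RAR4_MAGIC):
        return False
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break  # malformed header, stop rather than loop forever
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            return True  # everything after this header is ciphertext
        if htype == FILE_HEAD and flags & LHD_PASSWORD:
            return True
        add = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add = struct.unpack_from("<I", data, pos + 7)[0]
        pos += hsize + add
    return False

def encrypted_rar_attachments(raw: bytes) -> list:
    """Names of MIME parts whose content (not extension) is an encrypted RAR."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if not part.is_multipart() and rar_is_encrypted(part.get_payload(decode=True) or b""):
            hits.append(part.get_filename() or "(unnamed)")
    return hits

def sample_message(encrypted: bool) -> bytes:
    """Constructed message with a header-only RAR4 stub (CRCs zeroed, no file data)."""
    name = b"patch.exe"
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    body = struct.pack("<IIBIIBBHI", 0, 0, 2, 0, 0, 29, 0x33, len(name), 0x20) + name
    rar = (RAR4_MAGIC + struct.pack("<HBHH", 0, MAIN_HEAD, 0, 13) + b"\0" * 6
           + struct.pack("<HBHH", 0, FILE_HEAD, flags, 7 + len(body)) + body)
    msg = EmailMessage()
    msg["Subject"] = "Spyware Alert!"
    msg.set_content("constructed sample body")
    msg.add_attachment(rar, maintype="application", subtype="octet-stream", filename="patch.rar")
    return msg.as_bytes()
```

A mail filter can act on a non-empty result from `encrypted_rar_attachments` (quarantine or reject) without needing the archive password, since the flags sit in the unencrypted part of the header.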

