I have downloaded a copy of the virus and inspected it. The file is a
functional encrypted RAR with an EXE inside of the same file name. I
also researched why Declude might not be catching this and I believe
that I know why.
Declude will properly detect an executable within a RAR file and th
Symantec is being short-sighted. This is the same spammer sending this
virus that was responsible for the seeded outbreak around New Year's.
He starts his attacks at a moment's notice and ends them just as
quickly. He can change his text faster than Symantec will ever be able
to keep up with
Basically that is what ClamAV is doing. It detects it as a phishing spam.
Original Message
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Thursday, April 26, 2007 6:11 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] new virus with .rar attachment
>
> G
Gary, you beat them by a day with your own assessment, but Symantec
blogged about this virus twice today:
http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_attack_rared_trojan.html
An interesting point is that they have blocked 1.2 million messages by
tackling the text of