Yves Goergen wrote:
> Hello,
> 
> for a few months I've been getting lots of Polish spam to one of my e-mail
> addresses, sometimes a dozen per day. I have no idea what it's telling
> me, I don't understand a single word. I just recognise characteristic
> characters to know the language. Some messages have a .pl domain as
> sender address, others not. The sending hosts have all kinds of TLDs.
> Most messages have only a very short or empty body (a few words at
> maximum). Almost all messages contain a .zip attachment, often named
> like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught
> by clamav, but I haven't looked into any of these archives yet.

These are almost certainly viruses.  Upload one or two of the .zip files
to virustotal.com to check against a long list of AV scanners.

Any Windows executable that I find in a .zip file attached to a random
message I automatically consider very suspect at best.  I don't waste
time trying to find out what the executable actually does, I just add a
basic hash signature to ClamAV and move on.  I've nearly given up on
reporting these upstream to the ClamAV maintainers as well;  I've got
samples closing on two years old that still aren't flagged by stock
signatures.  :/

-kgd
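
An added example, not part of the original message or the poster's own tooling: one way to turn executables found inside a .zip attachment into local ClamAV hash signatures. It writes the SHA-256 .hsb form (HashString:FileSize:MalwareName); the Local.ZipExe prefix, the extension list, the size cap and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

EXE_SUFFIXES = (".exe", ".scr", ".pif", ".com")  # assumed, non-exhaustive
MAX_MEMBER_SIZE = 32 * 1024 * 1024  # assumed cap so oversized members are skipped
# Constructed stand-in for an executable: "MZ" magic plus filler, not a real PE.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62


def hsb_signatures(zip_bytes, prefix="Local.ZipExe"):
    """Return .hsb lines (SHA256:FileSize:Name) for executables in a zip."""
    lines = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be hashed
                continue
            data = archive.read(info)
            by_magic = data[:2] == b"MZ"  # DOS/PE header magic
            by_name = info.filename.lower().endswith(EXE_SUFFIXES)
            if by_magic or by_name:
                digest = hashlib.sha256(data).hexdigest()
                # The name must not contain ':' because it is the field separator.
                lines.append(f"{digest}:{len(data)}:{prefix}.{digest[:8]}")
    return lines


def build_sample_zip():
    """Constructed attachment mimicking the *_JPG.zip naming from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("IMG_0001_JPG.exe", SAMPLE_PAYLOAD)
        archive.writestr("note.txt", "constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for line in hsb_signatures(build_sample_zip()):
        print(line)
```

Save the output to a file ending in .hsb and load it with clamscan -d, or place it in ClamAV's database directory. The signature matches the extracted file, which ClamAV reaches when it unpacks the archive during scanning.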
