On Thu, 04 Mar 2004, 01:28 GMT+01 (01:28 local time) Ruud H.G. van Tol wrote:
> The W32/Bagle(_dot_)j(_at_)MM can have a passworded zip-file attached,
> I guess there are a few in your list:
> 20040302_200403030209(_dot_)VAA03980(_at_)anet(_dot_)at_message(_dot_)zip
> 20040302_hejmiqejkuvfnnyqqbi(_at_)anet(_dot_)at_Readme(_dot_)zip
> 20040303_mixsqqnswvhvkovqvoi(_at_)anet(_dot_)at_Information(_dot_)zip
> 20040303_xublskqkpvwsldvgjmf(_at_)anet(_dot_)at_Information(_dot_)zip
I have now downloaded all the 46 viruses my "Softlabs AntiVirus"
filter has automatically extracted from all incoming mails within one
day and scanned them with an AV scanner on my workstation (I haven't
yet installed such a program on my mail server), of course with the
very latest virus definitions.
The results are quite interesting. The 46 viruses are 11 zipped ones
(I call them ZIP.*.virus types) and the rest (35 files) direct
executables (which I call EXE.*.virus types). The AV scanner detected
all the EXE ones:
Netsky.B ......... 2 (one .com and one .scr)
Netsky.C ......... 1 (one .com)
Netsky.D ......... 27 (all .pif)
Bagle.J .......... 5 (all .pif)
----------------------------------------------------
total: 35 EXE types
Of the 11 ZIPs, the virus scanner I have used only detected 8
viruses, while leaving 3 undetected, reported as "clean" (!):
Netsky.B ......... 6 (3 .pif, 2 .exe and 1 .com)
Netsky.C ......... 2 (1 .exe and 1 .com)
FALSE NEGATIVE ... 3 (all password protected .exe)
----------------------------------------------------
total: 11 ZIP types
The original names of the 3 ZIP viruses caught by Softlabs AntiVirus
but not detected by the local virus scanner are 'Information.zip' or
'Readme.zip':
[root(_at_)ns viruses]# ls -l *.zip | egrep -i "information|readme"
-rw------- 1 roal anet 12420 Mar 2 20:43
20040302_hejmiqejkuvfnnyqqbi(_at_)anet(_dot_)at_Readme(_dot_)zip
-rw------- 1 roal anet 12420 Mar 3 02:08
20040303_mixsqqnswvhvkovqvoi(_at_)anet(_dot_)at_Information(_dot_)zip
-rw------- 1 roal anet 12424 Mar 3 00:43
20040303_xublskqkpvwsldvgjmf(_at_)anet(_dot_)at_Information(_dot_)zip
They all have a password protected .exe inside, so they are most
likely from that Bagle.J stuff you have mentioned. So, you have been
right (except
20040302_200403030209(_dot_)VAA03980(_at_)anet(_dot_)at_message(_dot_)zip
which is actually a Netsky.B).
And, I'm really happy knowing my tool caught them all!! :-))
best,
rob.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
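The post's main finding is that a content scanner reports a password-protected archive as "clean" simply because it cannot decrypt the payload, so a mail-side filter has to decide on archive metadata (the ZIP encryption flag and the inner file names) rather than on content. The following is an added example illustrating that decision, not the poster's Softlabs AntiVirus filter nor any procmail recipe from the thread. The archives it inspects are constructed in the script itself (a stored ZIP with the general-purpose "encrypted" bit set and a fake 12-byte ZipCrypto header in place of real ciphertext); the verdict names and the extension list are this example's own assumptions.

```python
"""Triage e-mail ZIP attachments without decrypting them.

Added example; not the poster's filter. A content scanner cannot inspect an
encrypted entry, so an executable inside a password-protected archive is
quarantined on metadata alone, while an unencrypted executable is handed to
the content scanner (which, in the post, caught the Netsky samples).
"""
import io
import os
import struct
import zipfile
import zlib

# Extensions from the post's tables plus a few common Windows-executable ones.
EXECUTABLE_SUFFIXES = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
ZIP_FLAG_ENCRYPTED = 0x0001            # general purpose bit 0 of the ZIP headers
RANK = {"clean": 0, "scan": 1, "quarantine": 2, "suspicious": 2}


def build_zip(entries):
    """Construct a STORED ZIP from (name, data, encrypted) tuples.

    Constructed test data: for "encrypted" entries only the header flag is set
    and a zeroed 12-byte ZipCrypto header is prepended; no real encryption is
    done, which is the point: the detector must never need the password.
    """
    out, central = io.BytesIO(), []
    for name, data, encrypted in entries:
        fname = name.encode()
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        body = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = out.tell()
        # Local file header: sig, ver, flags, method, time, date, crc, csize, usize, fnlen, extralen
        out.write(struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 33,
                              crc, len(body), len(data), len(fname), 0))
        out.write(fname + body)
        # Central directory record for the same entry (offset points at the local header)
        central.append(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0,
                                   0, 33, crc, len(body), len(data), len(fname),
                                   0, 0, 0, 0, 0, offset) + fname)
    cd_offset = out.tell()
    cd = b"".join(central)
    out.write(cd)
    # End of central directory record
    out.write(struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                          len(cd), cd_offset, 0))
    return out.getvalue()


def classify_attachment(zip_bytes):
    """Return (verdict, findings) for one attachment.

    quarantine  - an executable the content scanner cannot see (encrypted)
    scan        - something the content scanner can and should inspect
    suspicious  - not even a parseable ZIP (a scanner would also give up)
    clean       - no executables and nothing encrypted
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return "suspicious", ["not a valid zip archive"]
    verdict, findings = "clean", []
    for info in zf.infolist():
        encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
        suffix = os.path.splitext(info.filename)[1].lower()   # case-insensitive, as on Windows
        if suffix in EXECUTABLE_SUFFIXES and encrypted:
            new, msg = "quarantine", "encrypted executable, content cannot be scanned"
        elif suffix in EXECUTABLE_SUFFIXES:
            new, msg = "scan", "executable inside archive, hand to content scanner"
        elif encrypted:
            new, msg = "scan", "encrypted entry, content scanner will report it clean"
        else:
            continue
        findings.append(f"{info.filename}: {msg}")
        if RANK[new] > RANK[verdict]:
            verdict = new
    return verdict, findings


# Constructed samples modelled on the post's two archive types (not real malware).
SAMPLES = {
    "Information.zip": build_zip([("Information.exe", b"MZ fake payload", True)]),
    "Readme.zip": build_zip([("Readme.EXE", b"MZ fake payload", True)]),
    "message.zip": build_zip([("message.pif", b"MZ fake payload", False)]),
    "notes.zip": build_zip([("notes.txt", b"plain text", False)]),
    "broken.zip": b"this is not a zip file",
}


def triage(samples=SAMPLES):
    """Map attachment name -> verdict, the decision a procmail recipe would act on."""
    return {name: classify_attachment(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, findings = classify_attachment(data)
        print(f"{name:18} {verdict:11} {'; '.join(findings)}")
```

The filter deliberately reads only `infolist()`; it never calls `read()`, so it behaves the same whether or not the password is known, and it cannot be stalled by a decompression bomb hidden in the entry data.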