There're so many different copies of damaged Sobig.F that a new signature will only detect a portion of them.
Some mail-scanners strip the offending portion of the e-mail and send the rest through. In Sobig.F's case the only thing left is an almost empty e-mail with a subject and some text in the body. These messages are not viruses but more like SPAM. Creating a signature that detects some part of the executable will not stop these.

I vote for letting ClamAV detect viruses, and other scanning routines should handle the removal of these damaged or unwanted e-mails.

But this is only my opinion - I'll have no problem in creating a signature that stops a large part of the damaged Sobig.F.

Best regards,
Diego d'Ambra

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: 26. august 2003 05:13
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] [EMAIL PROTECTED] Undetected by current signature
>
> Jay,
>
> This one doesn't seem to match either. I am literally getting hundreds of these every day. Thanks for the details.
>
> Mike
>
> Quoting Jay Swackhamer <[EMAIL PROTECTED]>:
>
> > On Monday, August 25, 2003 8:57 PM, Butch Evans wrote:
> > > I am not sure if this is the same one, but my uvscan has detected
> > > what it calls "Sobig.f.dam" and this is missed by clamav. I will
> > > try to get a sample of the file, but do not have one at this time.
> >
> > I submitted a new Sobig-f signature a couple days ago that detects
> > complete and damaged SoBig-F's -- this is especially common with mail
> > bounces, which Sobig generates *a lot* of. I haven't received any
> > feedback on it, so here it is:
> >
> > W32/Sobig.F=272156774070d0772fb22d86ea94b6d91b688e6da16fcc6bd7111305c9
> > af
> > 66c62b159448b0753c821a4b4d51
> >
> > --
> > Jay Swackhamer <[EMAIL PROTECTED]>
> > Nebularis Inc <http://www.nebularis.com>
> > Tel: 1-613-843-9358 Fax: 1-613-825-5960

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users