I just received a few e-mails which were detected as Worm.Bagle.F-zippwd-5, but when I extracted the files, some of them were identified as Worm.Bagle.I instead of Worm.Bagle.F. Is this a problem with the signature or a double infected file (or can you tell me how to find out for myself)?
I know there is no absolute way of detecting this virus because it's encrypted with a random password so a lot of people have come up with characteristics which are (hopefully) distinctive. I've noticed that all of the files within the zips that I've received are dated at around the time the e-mail was sent - would it make sense to check if the zipped file was 'recent' and use that in conjunction with other tell-tale signs as one of the indicators that this could be an infected file?

Date: Wed, 03 Mar 2004 06:04:41 -0800
  Length     Date   Time    Name
  ------     ----   ----    ----
   21883  03-03-04 05:46   qqewn.scr

Date: Wed, 03 Mar 2004 13:15:22 +0000
  Length     Date   Time    Name
  ------     ----   ----    ----
   20499  03-03-04 13:05   rkdmcfxoa.exe

Date: Tue, 02 Mar 2004 16:21:52 -0800
Archive: 4.zip
  Length     Date   Time    Name
  ------     ----   ----    ----
   21948  03-02-04 16:16   vpwgbq.scr

_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
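The timestamp heuristic proposed in the message above, sketched as an added example that is not part of the original post and is not ClamAV code. The function names, the 30-minute window and the extension list are assumptions, and the archive's times are compared with the wall-clock time in the Date header because ZIP timestamps carry no time zone.

```python
import io
import zipfile
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Assumptions for this sketch: which extensions count as executable and
# how close to the sending time a member must be to count as 'recent'.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com")
WINDOW = timedelta(minutes=30)

def recent_executables(date_header, zip_bytes, window=WINDOW):
    """Names of executable members stamped within `window` before the Date header.

    Member names and timestamps sit in the ZIP directory, which stays readable
    even when the member data is password-protected, so no password is needed.
    """
    # Drop the UTC offset: the ZIP stores the sender's local wall-clock time.
    sent = parsedate_to_datetime(date_header).replace(tzinfo=None)
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXECUTABLE_EXTS):
                continue
            try:
                mtime = datetime(*info.date_time)
            except ValueError:  # malformed DOS timestamp in the archive
                continue
            if timedelta(0) <= sent - mtime <= window:
                hits.append(info.filename)
    return hits

def make_sample_zip(name, date_time):
    """Build a constructed, harmless archive with a chosen member timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name, date_time=date_time), b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    # Name and times taken from the first listing in the message; content is constructed.
    sample = make_sample_zip("qqewn.scr", (2004, 3, 3, 5, 46, 0))
    print(recent_executables("Wed, 03 Mar 2004 06:04:41 -0800", sample))
```

A hit is only one indicator to combine with others, as the message suggests; a legitimate archive created just before sending would match as well.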