Christopher X. Candreva wrote:
Just a general heads-up, until it's added to the virusdb. We've received several of these in the past hour.
I've seen this today too.
The payload is an .rar attachment with a random, numeric file name. The .rar file always contains an executable dddd.exe. Otherwise the e-mail is blank. From address is the To: username part on some other domain. We actually received bounces here with the full payload, before receiving any directly.
I've put in a quick and dirty procmail rule that is shunting all numeric .rar files, until a sig comes out.
And yes, I've submitted samples -- first of a bounce, then of a directly received message.
==========================================================
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html
bagle-rar variant probably... I submitted a sample, it was already detected... you don't have scanrar commented out in your config do ya?
-Troy
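The filename check described in the thread (shunting attachments whose name is all digits with a .rar extension) can be sketched as a mail filter. This is an added example, not the procmail rule from the post and not ClamAV code; the function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Filename shape described in the thread: digits only, .rar extension.
NUMERIC_RAR = re.compile(r"^\d+\.rar$", re.IGNORECASE)


def numeric_rar_attachments(raw):
    """Return the attachment filenames in a raw message that match the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename, falls back to
        # the Content-Type name parameter, and decodes RFC 2231 encodings.
        name = part.get_filename()
        if name and NUMERIC_RAR.match(name.strip()):
            hits.append(name.strip())
    return hits


def should_quarantine(raw):
    """True when at least one attachment has an all-numeric .rar filename."""
    return bool(numeric_rar_attachments(raw))


def _build_sample(filename):
    """Constructed test message: blank body plus one placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.org"   # constructed address
    msg["To"] = "user@example.com"     # constructed address
    msg.set_content("\n")              # blank body, as described in the thread
    msg.add_attachment(b"placeholder bytes, not a real archive",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed filenames: two should match, two should pass through.
    for fn in ("48213.rar", "48213.RAR", "report-2004.rar", "48213.rar.txt"):
        print(fn, should_quarantine(_build_sample(fn)))
```

A filename-only rule like this is a stopgap until a signature is available; it will also hold legitimate mail that happens to carry a numerically named .rar file.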