It seems there's at least one new variant every day of Kryptik/Kazy/Zbot worms or Trojan droppers sent zipped through email. These are attached to a type of spam usually headlined something like "FedEx delivery problem".

According to VirusTotal and Jotti, most AVs including ClamAV are delayed in updating their sigs. For example, it might be blocked by Kaspersky but not Avast or ClamAV, or vice versa. If I had time I might try basic analysis using VirtualBox and Sysinternals, but there's strong reason to believe they are functioning malware used in spreading botnets and server compromises. I see a few copies of each with the same sig, do use sigtool to block these locally, and report them to various places.

So my question is why the antivirus community doesn't run more of its own spamtraps, or work with RBL providers to use theirs. Much of the analysis by companies like Sophos has a fair degree of automation anyway, so you would think they would also scour the network for suspicious files using simple patterns. Or maybe the malware is just good at avoiding everyone else's spamtraps? Or would it escalate the malware arms race? Just curious.

--
All best wishes,
Cedric Knight

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
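As an added illustration of the local blocking the poster describes (example code, not from the post or the ClamAV project): a ClamAV `.hdb` hash signature has the shape `MD5:filesize:MalwareName`, the same line `sigtool --md5 <file>` prints. The sample bytes and the signature name `Local.Constructed.Dropper-1` are constructed for the demo; the matcher also shows why such signatures lag behind daily variants, since a one-byte change to the attachment defeats the hash.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-in for a captured zipped attachment; not real malware.
SAMPLE = b"PK\x03\x04 constructed-sample-attachment-bytes"
SIG_NAME = "Local.Constructed.Dropper-1"  # hypothetical local signature name


def hdb_entry(data: bytes, name: str) -> str:
    """Build one .hdb line (MD5:filesize:MalwareName), as sigtool --md5 emits."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> Dict[Tuple[str, int], str]:
    """Parse .hdb text into {(md5, size): name}; skips blanks and # comments."""
    sigs: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        sigs[(md5.lower(), int(size))] = name
    return sigs


def match_hdb(data: bytes, sigs: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Hash signatures require both the MD5 and the exact file size to match."""
    key = (hashlib.md5(data).hexdigest(), len(data))
    return sigs.get(key)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Block the captured sample locally, then show a trivially repacked
    variant (one appended byte) slipping past the same hash signature."""
    local_db = "# local.hdb, built from samples seen in the spamtrap\n"
    local_db += hdb_entry(SAMPLE, SIG_NAME) + "\n"
    sigs = load_hdb(local_db)
    return match_hdb(SAMPLE, sigs), match_hdb(SAMPLE + b"\x00", sigs)


if __name__ == "__main__":
    hit, miss = demo()
    print("original sample:", hit)      # Local.Constructed.Dropper-1
    print("repacked variant:", miss)    # None
```

Append the generated line to a file such as `local.hdb` in the ClamAV database directory to have clamd block that exact attachment; every new variant needs its own line, which is the lag the post complains about.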