Message-ID: <462FC711.4080806@precompiled.de>
Date: Wed, 25 Apr 2007 23:24:33 +0200
From: Christoph Cordes <ib@precompiled.de>
To: ClamAV users ML <clamav-users@lists.clamav.net>
References: <BAY18-F18FBF9B2570D4B5E130D2ED6490@phx.gbl>
In-Reply-To: <BAY18-F18FBF9B2570D4B5E130D2ED6490@phx.gbl>
Subject: Re: [Clamav-users] new password protected .rar virus

Gary V wrote:
> I received an email with a password protected .rar file that claims to
> contain an .exe file that I should run in order to protect me from an
> undetected worm. I submitted it and it was recognized as
> Email.Phishing.RB-686. The only other anti-virus vendor to recognize it
> at this moment is McAfee (W32/Nuwar@MM!rar). Without opening the
> attachment, it seems to me there is a possibility this is more serious
> than a Phishing class of malware. Is this worth further evaluation? If
> so, who should I send it to?
> 
> Gary V

The file inside the archive is already detected. The rar archive is a
bit manipulated. The samples I checked so far can't be unpacked with
WinRAR, for example; the Linux version of rar also has certain problems
with it. I added this as Email.Phishing.RB to make sure the signature
will be removed after some time since it's very ugly, needs a lot of
performance and *maybe* could cause a false positive - I checked it with
~75.000 mails and got none, but you never know. So even if a user
receives such a mail, he/she must be very creative to infect her/his
system. I added the signature anyway since we received a lot of reports.
Phishing is for sure not the right term to describe it, I just used it
for practical reasons.


-- 
Best regards,
 Christoph                            mailto:ib@precompiled.de
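A gateway-side check in the spirit of this thread, added here as an example that is not from the original post or from ClamAV: it walks the block headers of a RAR 4.x archive without extracting anything and reports password-protected entries, encrypted headers, header CRC mismatches (one symptom of a "manipulated" archive that rar tools refuse to unpack) and truncation. It assumes the RAR 4.x block layout (marker, 7-byte common header, file-header fields at fixed offsets); the sample archive bytes and the name `update.exe` are constructed for the demonstration, and the RAR5 format is not handled.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x0080  # main-header flag: the block headers themselves are encrypted
LHD_PASSWORD = 0x0004  # file-header flag: the entry's data is password protected
LONG_BLOCK = 0x8000    # any block: a 4-byte ADD_SIZE of trailing data follows the header
def rar4_block(head_type, flags, body):
    """Build one RAR 4.x block with a correct 16-bit header CRC (used for the sample)."""
    tail = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail

def inspect_rar4(data):
    """Walk RAR 4.x block headers without extracting: report encrypted headers,
    password-protected entries, header CRC mismatches and truncation."""
    report = {"encrypted_headers": False, "protected": [], "bad_crc": 0, "truncated": False}
    if not data.startswith(RAR4_MARKER):
        raise ValueError("not a RAR 4.x archive")
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            report["truncated"] = True
            break
        # the stored CRC is the low 16 bits of CRC32 over the header after the CRC field
        if (zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF) != head_crc:
            report["bad_crc"] += 1
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if (flags & LONG_BLOCK) and head_size >= 11 else 0
        if pos + head_size + add_size > len(data):
            report["truncated"] = True
            break
        if head_type == 0x73 and flags & MHD_PASSWORD:  # main archive header
            report["encrypted_headers"] = True
            break  # every following header is encrypted; nothing more can be parsed
        if head_type == 0x74 and head_size >= 32:  # file header: NAME_SIZE at +26, name at +32
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + (40 if flags & 0x0100 else 32)  # +8 when LHD_LARGE (64-bit sizes)
            name = data[name_off:name_off + name_size].decode("latin-1", "replace")
            if flags & LHD_PASSWORD:
                report["protected"].append(name)
        if head_type == 0x7B:  # end-of-archive block
            break
        pos += head_size + add_size
    return report

# Constructed sample (not a real malware file): one password-protected entry "update.exe"
_entry = struct.pack("<IIBIIBBHI", 4, 4, 2, 0, 0, 29, 0x30, 10, 0x20) + b"update.exe"
SAMPLE = (RAR4_MARKER + rar4_block(0x73, 0, bytes(6))
          + rar4_block(0x74, LONG_BLOCK | LHD_PASSWORD, _entry) + bytes(4)
          + rar4_block(0x7B, 0x4000, b""))
```

A non-zero `bad_crc` or `truncated` on an attachment that still claims an .exe entry is the kind of archive worth quarantining for a look, independent of whether a signature already matches.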