From clamav-users-bounces@lists.clamav.net  Thu Apr 26 01:01:58 2007
Return-Path: <clamav-users-bounces@lists.clamav.net>
X-Original-To: list@tad.clamav.net
Delivered-To: list@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 1uv4DIP798zx; Thu, 26 Apr 2007 01:01:58 +0200 (CEST)
Received: from tad.clamav.net (localhost.localdomain [127.0.0.1])
	by tad.clamav.net (Postfix) with ESMTP id 2DF7516C070;
	Thu, 26 Apr 2007 01:01:49 +0200 (CEST)
X-Original-To: clamav-users@tad.clamav.net
Delivered-To: clamav-users@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id o4nprmOSJ4Lu for <clamav-users@tad.clamav.net>;
	Thu, 26 Apr 2007 01:01:45 +0200 (CEST)
Received: from mail.hardrock.org (bama.hardrock.org [68.146.16.251])
	by tad.clamav.net (Postfix) with ESMTP id 64728324006
	for <clamav-users@lists.clamav.net>;
	Thu, 26 Apr 2007 01:01:45 +0200 (CEST)
Received: by mail.hardrock.org (Postfix, from userid 151)
	id EC15C5F60F; Wed, 25 Apr 2007 17:01:43 -0600 (MDT)
Date: Wed, 25 Apr 2007 17:01:43 -0600 (MDT)
From: James Bourne <jbourne@hardrock.org>
To: ClamAV users ML <clamav-users@lists.clamav.net>
In-Reply-To: <462FC711.4080806@precompiled.de>
Message-ID: <Pine.LNX.4.64.0704251657400.6748@bama.hardrock.org>
References: <BAY18-F18FBF9B2570D4B5E130D2ED6490@phx.gbl>
	<462FC711.4080806@precompiled.de>
MIME-Version: 1.0
Subject: Re: [Clamav-users] new password protected .rar virus
X-BeenThere: clamav-users@lists.clamav.net
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
List-Id: ClamAV users ML <clamav-users.lists.clamav.net>
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
	<mailto:clamav-users-request@lists.clamav.net?subject=unsubscribe>
List-Post: <mailto:clamav-users@lists.clamav.net>
List-Help: <mailto:clamav-users-request@lists.clamav.net?subject=help>
List-Subscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
	<mailto:clamav-users-request@lists.clamav.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: clamav-users-bounces@lists.clamav.net
Errors-To: clamav-users-bounces@lists.clamav.net

On Wed, 25 Apr 2007, Christoph Cordes wrote:

> Gary V wrote:
>> I received an email with a password protected .rar file that claims to
>> contain an .exe file that I should run in order to protect me from an
>> undetected worm. I submitted it and it was recognized as
...

> The file inside the archive is already detected. The rar archive is a
> bit manipulated. The samples I checked so far can't be unpacked with
> WinRAR for example, also the Linux version of rar has certain problems

This was similar for us, but the rar file could be opened with WinRAR 3.62.
Of course it is passworded and was passed through the mail server, but
secondary anti-virus software on the clients caught it.

Regards
James

-- 
James Bourne                  | Email:            jbourne@hardrock.org
UNIX Systems Administration   | WWW:           http://www.hardrock.org
Custom UNIX Programming       | Linux:  The choice of a GNU generation
----------------------------------------------------------------------
  "All you need's an occasional kick in the philosophy." Frank Herbert

