From clamav-users-bounces@lists.clamav.net  Thu Apr 26 01:23:22 2007
Message-ID: <462FE2BD.9040109@precompiled.de>
Date: Thu, 26 Apr 2007 01:22:37 +0200
From: Christoph Cordes <ib@precompiled.de>
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
MIME-Version: 1.0
To: ClamAV users ML <clamav-users@lists.clamav.net>
References: <BAY18-F18FBF9B2570D4B5E130D2ED6490@phx.gbl>	<462FC711.4080806@precompiled.de>
	<Pine.LNX.4.64.0704251657400.6748@bama.hardrock.org>
In-Reply-To: <Pine.LNX.4.64.0704251657400.6748@bama.hardrock.org>
X-Enigmail-Version: 0.95.0
Subject: Re: [Clamav-users] new password protected .rar virus
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

James Bourne wrote:
> On Wed, 25 Apr 2007, Christoph Cordes wrote:
> 
>> Gary V wrote:
>>> I received an email with a password protected .rar file that claims to
>>> contain an .exe file that I should run in order to protect me from an
>>> undetected worm. I submitted it and it was recognized as
> ...
> 
>> The file inside the archive is already detected. The rar archive is a
>> bit manipulated. The samples I checked so far can't be unpacked with
>> winrar for example, also the linux version of rar has certain problems
> 
> This was similar for us but the rar file could be opened with winrar 3.62. 
> Of course it is passworded and was passed through the mail server but
> secondary anti-virus software on the clients caught it.
> 

I tried the 3.62 as well and got the same error. Do you still have the
file? If so - could you send it to me? Thank you.

-- 
Best regards,
 Christoph                            mailto:ib@precompiled.de

