A new virus has been running around today, hiding in files like price08.zip, new_price.zip, etc. We got a call from a customer asking what this [Defanged] notice was all about, at which point I looked at the logs and found a lot more instances. By the time our virus definitions were updated to recognize it (currently ClamAV identifies it as Trojan.JS.RunMe. Edit: McAfee and F-Secure identify it as a new Bagle variant – either W32/Bagle.aq@MM or Bagle.al), about 45 copies had made it through virus scanning but were caught by MIMEDefang, which found the attachment suspicious anyway.

The moral of this part of the story: relying on virus signatures isn’t enough. By the time Norton, McAfee, F-Secure, ClamAV, etc. has identified a signature and your scanner has grabbed the updated files, it’s too late. Some copies have gotten through.

The next part is kind of interesting: This virus is clearly harvesting addresses from the web or from browser caches, because we’re seeing hits to our spamtraps. The really weird part: half of those hits claim to be from our other spamtraps!

But it is kind of odd for a new outbreak to hit the day I read this article: Security expert Q&A: The virus writers are winning.

One thought on “Outbreak

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.