Antivirus: April 2007 Archives

AVComparatives.org has a new report comparing malware testing organizations. Based on the subject "Anti-Virus Testing Websites: An Overview on Which Testing Sites can be trusted and which cannot" I was kind of expecting a comparison of the various online scanners. Instead I'm greeted by a paper with some of their testing philosophy and why they are better than everyone else.

It didn't do much for me, but I'd still suggest adding their RSS feed to your reader so you can keep up on their new studies.

I'm seeing email detected and stopped by my AV.

Subjects:
Worm Activity Detected!
Worm Alert!
Virus Detected!

The attachment is a password-protected zip file. The name isn't coming through cleanly because my vendor replaces special characters with codes I don't understand.
patch=2d3834.zip (2d may be code for "-" and then I think there are four random numbers in the file name).

Update: SANS now has a blog entry on this: http://isc.sans.org/diary.html?storyid=2612

At 2:15pm today, I started receiving virus alerts indicating a new virus is being spammed using fake war news to socially engineer the recipient into opening the attachment.

SANS has a post about it here.

Characteristics I've seen:
Subjects:
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
Missle Strike : The USA kills more than 1000 Iranian citizens
Missle Strike : The USA kills more than 10000 Iranian citizens
Missle Strike : The USA kills more than 20000 Iranian citizens

Attachments:
movie.exe
Read More.exe
video.exe
Read me.exe
news.exe
Click here.exe

If your antivirus is capable, or if you've just blocked executable attachments, this is a non-event for you. Otherwise, warm up your thumb, and keep hitting reload until your antivirus vendor provides an update.
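An added example, not part of the original posts: a minimal gateway-side attachment check covering both mailings described above, the password-protected zip and the executable attachments. The extension list, function names and sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed block list (not from the post); extend per local policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def zip_is_encrypted(data):
    """True if any member sets bit 0 (encrypted) of its general-purpose flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def attachment_verdicts(raw):
    """Return (filename, reason) for each attachment the policy would block."""
    verdicts = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            verdicts.append((name, "executable extension"))
        elif name.lower().endswith(".zip") and zip_is_encrypted(payload):
            verdicts.append((name, "password-protected zip"))
    return verdicts

def sample_encrypted_zip():
    """Constructed sample: a stored zip with the encrypted flag patched on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", b"constructed placeholder")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x01\x02") + 8] |= 0x01  # central-directory flags
    return bytes(data)

def sample_message(filename, payload):
    """Constructed sample mail carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Worm Alert!"
    msg.set_content("constructed sample body")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(attachment_verdicts(sample_message("sample.zip", sample_encrypted_zip())))
```

The zip check reads only the central directory, so it flags an encrypted archive without needing the password; the scanner cannot inspect the contents either way, which is why the policy blocks on the flag itself.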