Pantek Library

Re: Potential New Virus

From: Alex Shipp <ashipp(at)messagelabs.com>
Date: Fri Nov 08 2002 - 23:50:57 EST

>Whether it is a Trojan or not depends somewhat on what it is
>presented as doing.

Indeed. This one was presented as being a free video, but in fact was a dropper for an ad clicker.

>Hmmmmm -- the diversity of source IPs suggests something else dodgy
>may be going on too...

Yes - a classic spammer pattern exploiting open relays.

>Where did you get TROJ/Topmine.A from? None of the 20-odd scanners I
>checked with detected it as that...

Our heuristic virus scanner stops malware with a name along the lines of 'Generic malware'. If we start seeing a lot of something new, we assign it a temporary name, because this makes it easier to see what is going on.

In this case, I chose the name topmine because they were being emailed from vika@topmodel.com and the filename used was minenew.exe.pif.

However, other AV companies are free to choose their own name, which is why the 20-odd other scanners did not agree.

In the fullness of time, we usually rename to use whatever name the Wildlist (http://www.wildlist.org/) decides on, or if it does not appear in the wildlist, whatever name is used by the majority of other AV companies.

Alex



Alex Shipp
Senior Anti-Virus Technologist
MessageLabs

This email has been scanned for all viruses by the MessageLabs SkyScan service. For more information on a proactive anti-virus service working around the clock, around the globe, visit http://www.messagelabs.com
Received on Tue Nov 12 11:47:08 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

