
foto.zip


Empeethree

IS-IT--Management
Mar 27, 2000
192
US
We have started getting a few of these today. Symantec isn't flagging them as a virus, so I wonder if it is a new strain of an old one.

--------------------------------------
Trying is the first step to failure
Homer Simpson
--------------------------------------
 
I am receiving these too. I just shut off *.zip at the firewall.....
 
Has anyone found out anything more about this? I can find a few references to fotos.zip at Google but nothing really pertinent. It definitely appears to be something new.

I've just seen a couple of emails with fotos.zip (which contains the files calc.exe and foto.htm) as an attachment. They got past our exchange virus scanner (InoculateIT) but fortunately one got rerouted to postmaster (me) by our spam filter and the other to a user who never opens anything he's not expecting without having me check the spam filter logs. As soon as I saw fotos.zip was an attachment I blocked it at the spam filter.

Unfortunately, because of the business we're in I can't just have all emails containing zip attachments dropped by the spam filter. I've got a multi-layered approach -

1. Block as many level 1 extensions as possible at the spam filter as well as attachments which are known to be virii. These get dropped before they even hit Exchange.

2. Block the rest of the level 1 extensions at our exchange virus scanner. This way the intended recipient gets a message that someone is trying to send them a specific attachment but it is being blocked. If it is a legit attachment they can provide me with the name of the attachment and I can exempt it so that it can get through.

Cheers.
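The two-layer attachment policy described in the post above (drop the worst names and extensions before the mail store, block the remaining risky extensions at the mail server with a recipient notice and a per-name exemption list) can be expressed as a small filter. This is an added example and not code from the thread or from any of the products mentioned; the extension sets, the `build_sample` helper and the sample messages are constructed for illustration, and the only attachment names taken from the thread are `foto.zip`, `fotos.zip`, `calc.exe` and `foto.htm`.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed extension sets modelled on the "level 1" idea in the thread; they are
# not the actual list used by any particular mail server or scanner.
LEVEL1_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}
# Subset that layer 1 (the spam filter) drops outright before the mail store.
LAYER1_DROP_EXTENSIONS = {".exe", ".scr", ".pif"}
# Attachment names the thread reports as carrying the Bagle variant.
KNOWN_MALWARE_NAMES = {"foto.zip", "fotos.zip"}
# Archive members that should make a zip suspicious (the sample carried an
# executable plus an HTML file).
RISKY_MEMBER_EXTENSIONS = LEVEL1_EXTENSIONS | {".htm", ".html"}


def extension_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def zip_members(payload):
    """List member names of a zip payload; a non-zip payload yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(msg, exempted=frozenset()):
    """Return ('drop', reason), ('block', reason) or ('deliver', None).

    'drop'  = layer 1: discarded silently at the spam filter.
    'block' = layer 2: held at the mail server, recipient told the name so a
              legitimate file can be added to `exempted` (lower-cased names).
    """
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        lower, ext = name.lower(), extension_of(name)
        # Known-bad names are never exemptable.
        if lower in KNOWN_MALWARE_NAMES:
            return ("drop", f"known malware attachment name {name}")
        if ext in LAYER1_DROP_EXTENSIONS:
            return ("drop", f"attachment {name} has layer-1 extension {ext}")
        if lower in exempted:
            continue
        if ext == ".zip":
            for member in zip_members(part.get_payload(decode=True)):
                if extension_of(member) in RISKY_MEMBER_EXTENSIONS:
                    return ("block", f"archive {name} contains {member}")
        elif ext in LEVEL1_EXTENSIONS:
            return ("block", f"attachment {name} has blocked extension {ext}")
    return ("deliver", None)


def build_sample(attachment_name, members):
    """Constructed test message with an in-memory zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg


if __name__ == "__main__":
    bagle_like = build_sample("fotos.zip", {"calc.exe": b"MZ", "foto.htm": b"<html>"})
    print(classify(bagle_like))
    print(classify(build_sample("holiday.zip", {"report.exe": b"MZ"})))
    print(classify(build_sample("holiday.zip", {"report.exe": b"MZ"}),
                   exempted={"holiday.zip"}))
```

The exemption check deliberately comes after the known-name and layer-1 tests, so a user request to let `holiday.zip` through cannot be used to wave `fotos.zip` past the filter; that ordering is the security-relevant detail of the post's scheme.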
 
Seems to be W32/Bagle.dll.dr in McAfee's virus information library.
The original discovery date was 18th Aug but they updated the description on 31st Aug to cover a new variant which uses foto.zip. Apparently it contains two infected files:
- foto.html carries the JS/IllWill trojan,
- foto1.exe contains W32/Bagle.dll.dr itself.

Unfortunately they don't give any alias names for these viruses so I don't know what Symantec might call them.
 
Symantec is calling it W32.Beagle.AQ@mm. The attachment I'm seeing is fotos.zip not foto.zip but I've blocked both at our spam filter.

Looks like the AV companies were asleep at the wheel on this one. CA wasn't flagging them as a virus either until the updated signatures were released around midnight PDT last night. That makes it at least 10 hours after I first saw this post before there was detection available.

Cheers.
 
Trend Micro had their detection signatures out by afternoon on the 31st and McAfee already detected the components under a generic Bagle.dll.dr detection several weeks ago.
 
McAfee DAT file 4382, dated 7/28/2004, is the minimum necessary for McAfee users, according to
General information in this article:


"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 
I'm surprised so many people are just now seeing this. I've seen it in e-mail attachments for some time now and McAfee has been detecting it.
