Author Topic: Avast does not detect MYTOB.CF Worm  (Read 4469 times)

afragnicht

  • Guest
Avast does not detect MYTOB.CF Worm
« on: May 09, 2005, 08:07:11 AM »
Hello,

I am experiencing the fact that avast Professional does not detect mytob.cf Worm. Avast works in Proxy Mode. The worm is detected by the antivir Mailgate Proxy which works on our second Mailgateway.

Here are some Headers and a Part of the message Body:
Sender and recipient are faked (as usual).

================== snip ============================
From: promotion5@amazon.de
To: matt@yyyy-zzzz.de
Subject: Status
Date: Thu, 5 May 2005 21:54:46 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_000_0013_FDA93145.A0ADBDAE"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <0MKqIe-1DTmQo1ExZ-0006Il@mxeu3.kundenserver.de>
X-RBL-Warning: warn.bl.kundenserver.de says:
X-UIDL: AP\!!CHP"!#(C"!4Kc"!
Status: U
X-Antivirus: avast! (VPS 0518-3, 04.05.2005), Inbound message
X-Antivirus-Status: Clean

This is a multi-part message in MIME format.

------=_NextPart_000_0013_FDA93145.A0ADBDAE
Content-Type: text/plain;
   charset="Windows-1252"
Content-Transfer-Encoding: 7bit

&¦%3müâ<4YZíÆá&#152;5&#154;#v¼¢ ¡|ûøný4¢z%wLt;ñ<]mñÍ~ñ®z/Do&#134; ÍMýþ¸&#139;þ)_äâmøÍb£&#139;&#159;(??,&#152;±Mö&#145;_¡ÔAb28/0;/ÛNýèØ*&#148;ìC1±LìR«Y&#130;¿KºD§Þ`]&#140;^ÃjKH&#152;¯Eè~6ò£¾Ç|\Ä-vwpÍ7îÕÃð&#153;,&#159;¢aH²£ù¹äߧ&#136;J¹!n&#135;/'mûc&#149;1觐)Ï8i­nø&#153;&#152;îÚ&#148;
Õð¦©ûȏg7.}f4WMº&#147;<Ô/.r&#156;ÀqókS×Ð/ë\Ä]È_Ð
ùþÓ¦ö:ZvªÌZìj~r&#152;­42S'/v¯QZ&#150;p¹îÞÅ2V&#139;1&#158;&#139;&#148;9&#139;ó.c
iÒÜØ¥NñvÃiÂÌ&#137;ðbÌ÷R¢S_òöUÈdÍÌm0õ&#158;ª2èïi¼.zw'&#146;½&}&#159;ûßm#52¬Í1Trµú&#154;ûÓ^þæ§^Lp&#150;c&#149;©æÏsðyK&#158;¶&#130;8n&#149;`<0¸&#158;&#155;ë&#137;òº*&#131;Äø&#131;äÛI&#147;òéÞxöç$ÏÛÕÌOuyûµ¼ç¨:_qÆO<Z­K&#155;&#142;h-àþ~íÏæRöB~±¤¸kà­Ä³®8ª&#153;C&#142;G&#148;Ý&#155;Êòc&f oÙü;[Ú¸-Æ«ôX&#156;paSSø¿»¦f}.)2ûí¸Á©wsx Áp&#152;ÅWaz>¬Ê³&#132;m&#155;&#155;¹Óv_ó&Íü2&#140;


------=_NextPart_000_0013_FDA93145.A0ADBDAE
Content-Type: application/octet-stream;
   name="data.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="data.zip"

UEsDBAoAAAAAANeepTL7peAozrkAAM65AABSAAAAZGF0YS50eHQgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLnNjck1a

========================== snap =====================

If you need something for analysis: I have many of them.

Greetings Andreas

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast does not detect MYTOB.CF Worm
« Reply #1 on: May 09, 2005, 10:55:44 AM »
I suggest updating the virus database - the latest one is 0518-5.

afragnicht

  • Guest
Re: Avast does not detect MYTOB.CF Worm
« Reply #2 on: May 09, 2005, 03:44:18 PM »
On this system the database is updated regularly because the system is nearly "always on".

We have the version you mentioned above. The virus was detected by antivir from May 1 to May 8, 2005.

At the moment there are no new attacks from this virus. - But the night will come.

look:


=================== snip ===============================
From: hexenmouse@web.de
To: afragnicht@xx-yyy.de
Subject:
Date: Sun, 8 May 2005 19:49:45 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_000_0000_AFEFC023.8CDD2AB7"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <0MKqlY-1DUpuS3sSz-0006mR@mxeu4.kundenserver.de>
X-RBL-Warning: warn.bl.kundenserver.de says:
X-UIDL: 2$@!!<W["!^h1"!!6Y"!
Status: U
X-Antivirus: avast! (VPS 0518-5, 08.05.2005), Inbound message
X-Antivirus-Status: Clean

This is a multi-part message in MIME format.

------=_NextPart_000_0000_AFEFC023.8CDD2AB7
Content-Type: text/plain;
   charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Here are your banks documents.


------=_NextPart_000_0000_AFEFC023.8CDD2AB7
Content-Type: application/octet-stream;
   name="file.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="file.zip"

UEsDBAoAAAAAADaOqDL7peAozrkAAM65AAAIAAAAZmlsZS5waWZNWktFUk5FTDMyLkRMTAAAUEUA
AEwBAgBVcGFja0J5RHdpbmfgAA8BCwEAAAACAAAAAAAA
============================= snap ===========================

« Last Edit: May 09, 2005, 03:47:53 PM by afragnicht »
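
The two attachment fragments quoted in the first post and in Reply #2 can be read without unpacking anything, because a ZIP local file header sits at the very start of the base64 body. The following is an added example (not part of any post in this thread and not Avast's code) that decodes those first lines and reports the entry name, storage method and whether the stored payload begins with an `MZ` executable header; the function names and the extension list are assumptions made for illustration.

```python
import base64
import struct

# First lines of the two base64 attachments quoted in the posts above.
# "ICAg" is base64 for three spaces; the long runs are written as repeats.
DATA_ZIP = ("UEsDBAoAAAAAANeepTL7peAozrkAAM65AABSAAAAZGF0YS50eHQg"
            + "ICAg" * 23 + "LnNjck1a")
FILE_ZIP = ("UEsDBAoAAAAAADaOqDL7peAozrkAAM65AAAIAAAAZmlsZS5waWZN"
            "WktFUk5FTDMyLkRMTAAAUEUA")

# Assumed list of extensions a mail gateway would treat as executable.
RISKY_EXT = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd"}


def peek_zip_entry(b64_text):
    """Parse the first ZIP local file header from a (possibly truncated) base64 body."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 30 or raw[:4] != b"PK\x03\x04":
        return None
    (_ver, flags, method, _time, _date, crc, _csize, usize,
     nlen, xlen) = struct.unpack("<HHHHHIIIHH", raw[4:30])
    name = raw[30:30 + nlen].decode("cp437")
    payload = raw[30 + nlen + xlen:]
    return {
        "name": name,
        "name_complete": len(raw) >= 30 + nlen,
        "method": method,
        "encrypted": bool(flags & 1),
        "crc32": crc,
        "size": usize,
        # Method 0 means "stored": the file's first bytes are readable as-is.
        "starts_with_mz": method == 0 and payload[:2] == b"MZ",
    }


def name_findings(name):
    """Return reasons a gateway might hold this entry for review."""
    findings = []
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in RISKY_EXT:
        findings.append("executable extension " + ext)
    if "  " in name:
        findings.append("whitespace padding hides the real extension")
    return findings
```

Both headers carry the same CRC-32 and uncompressed size, so the two differently named attachments hold the same stored payload.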

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast does not detect MYTOB.CF Worm
« Reply #3 on: May 09, 2005, 04:20:10 PM »
If you receive any undetected virus, send it to virus@avast.com, please.

afragnicht

  • Guest
Re: Avast does not detect MYTOB.CF Worm
« Reply #4 on: May 09, 2005, 04:44:54 PM »
Is there a PGP key for virus@avast.com, so that I can encrypt the virus?
The public keyserver says there isn't.
My system does not like to send known viruses.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: Avast does not detect MYTOB.CF Worm
« Reply #5 on: May 09, 2005, 04:54:16 PM »
Just zip and password (virus will do) protect the suspect file and put the password in the body of the email.
Give a brief outline of the problem in the body of the email.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security