[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

Royce Williams royce.williams at acsalaska.net
Thu Jan 22 20:37:11 EST 2004




Matthew.van.Eerde at hbinc.com wrote:

>>I don't have any real expectation that Clam would be able to
>>recognize this in its JS-hta-wrapped form, now that I understand
>>it -- but I am interested in the idea that anyone can repackage an
>>existing Trojan in this way and slip by most scanners.
>>
>>-royce
>
>I have to disagree with "most" here - MimeDefang's default filter includes
>hta in its list of bad extensions.
>
I should have been more explicit -- s/scanners/virus scanners/g.  David's
comment about the uber-polymorphs certainly applies, though. :)

-royce


