> This is news to me. :-) Could you give me an example
> of a worm which sends itself in this fashion?
It was W32.Yaha.P. We received many copies of this worm, in either
executable or zipped executable attachments. When it was zipped, the
filename was always setup.exe in the archive.
> Or possibly send me a sample?
Yes, if you'd really like it. Where should I send the sample?
I would prefer to avoid another virus alert on this mailing list, like
last time, when I only sent the first few bytes of a viral attachment.
> - You could quite easily create your own shell script
> "scanner" and plug into the Anomy rulesets. Such a shell
> script would simply do "unzip -l" and grep the output for
> file names such as "blah.com" or "blah.exe". If such a
> filename is detected the scanner would return an exit code
> which Anomy had been configured to interpret as "infected"
> and treat accordingly (e.g. by defanging the attachment or
> quarantining it).
I did it and it works. Thanks for the tip!
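
The scanner described in the quoted tip, as an added example that is not part of the original message or of Anomy: it lists the archive with `unzip -l` and reports a match through its exit code. The exit code values, the function names and the extensions beyond .com and .exe are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): flag zip archives that contain
# executable file names, for use as an external scanner in a mail filter.
EXIT_CLEAN=0
EXIT_INFECTED=1   # assumed value; use whatever code the filter maps to "infected"
EXIT_ERROR=2      # assumed value; archive could not be listed
BLOCKED_EXT='com|exe|pif|scr|bat'   # .com/.exe from the thread, rest assumed

# Reduce `unzip -l` output (on stdin) to one archived file name per line.
list_names() {
    awk '
        /^-+ +-+/ { in_body = !in_body; next }  # dashed rules bracket the entries
        in_body   { sub(/^ *[0-9]+ +[^ ]+ +[^ ]+ +/, ""); print }  # drop size, date, time
    '
}

# Succeed if any listed name ends in a blocked extension (case-insensitive).
has_executable_name() {
    list_names | grep -Eiq "\.(${BLOCKED_EXT})\$"
}

# Scan one archive and return the matching exit code.
scan_zip() {
    listing=$(unzip -l "$1" 2>/dev/null) || return "$EXIT_ERROR"
    if printf '%s\n' "$listing" | has_executable_name; then
        return "$EXIT_INFECTED"
    fi
    return "$EXIT_CLEAN"
}

# Constructed sample of `unzip -l` output, for trying the parser offline.
sample_listing() {
    cat <<'EOF'
Archive:  attachment.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    45056  2003-01-15 10:22   setup.exe
---------                     -------
    45056                     1 file
EOF
}

# Run as: scanner.sh attachment.zip
if [ "$#" -gt 0 ]; then
    scan_zip "$1"
    exit $?
fi
```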