Bugbear and UPX-packing


Paul Komski
06-30-2003, 07:52 PM
Have been getting veeeeery suspicious e-mails from the same entry-point onto the internet (but with spoofed headers) and with a double-extension attachment. Neither NAV nor AVG (up-to-date defs) could detect the attachment as a virus after it had been saved to disk.

I uploaded the file to Kaspersky (http://www.kaspersky.com/remoteviruschk.html) and the result came back as: Bugbear.a (aka I-Worm.Tanatos).

The question is: should I send this to Grisoft and so on? Or is the reason they are not detected at this stage because of UPX-packing, and would they be detected/quarantined as soon as they were "activated", i.e. unpacked?

mjc
06-30-2003, 09:51 PM
To put it plainly...NAV's unpack abilities suck and AVG's aren't much better, but they will grab them when executed.
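
The point made in these two posts (a UPX-packed attachment can slip past a static scan and only gets caught once it runs) can be checked on disk without executing anything. The script below is an added example, not code from this thread or from any AV vendor: it reads the PE section table and flags the default UPX section names (UPX0/UPX1/UPX2), and it flags double-extension filenames of the kind described in the first post. The PE bytes it inspects are a constructed sample built in memory, not a real binary; a repacked file with renamed sections would not be caught by this heuristic, which is exactly why a scanner that cannot unpack has to fall back to catching the worm at execution time.

```python
import os
import struct

# Default section names written by UPX. Packers can rename these, so this is a
# triage heuristic for the common case, not proof that a file is clean.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

# Extensions Windows will execute when double-clicked (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}


def build_pe(section_names, opt_header_size=224):
    """Construct a minimal PE-shaped byte string with the given section names.

    This is a constructed sample for testing the parser; it is not runnable code
    and contains no payload, just the headers a scanner would look at.
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_header_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_header_size - 2)  # PE32 magic, rest zeroed
    sections = b"".join(name.encode().ljust(8, b"\x00") + b"\x00" * 32 for name in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sections


def pe_section_names(data):
    """Return the section names from a PE file's section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file (missing PE signature)")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]  # each entry is 40 bytes, name first
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if any section carries a default UPX name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def has_double_extension(filename):
    """True for names like 'readme.txt.exe': an executable extension hiding a second one."""
    root, ext = os.path.splitext(filename.lower())
    if ext not in EXECUTABLE_EXTENSIONS:
        return False
    return os.path.splitext(root)[1] != ""


def triage_attachment(filename, data):
    """Return a list of static findings for a saved attachment; empty means nothing flagged."""
    findings = []
    if has_double_extension(filename):
        findings.append("double extension")
    try:
        if looks_upx_packed(data):
            findings.append("UPX section names")
    except ValueError as exc:
        findings.append(f"not parseable as PE: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one with UPX section names, one with ordinary sections.
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])
    plain = build_pe([".text", ".data", ".rsrc"])
    print("readme.txt.exe:", triage_attachment("readme.txt.exe", packed))
    print("report.exe:", triage_attachment("report.exe", plain))
```

Running the script prints the findings for both constructed samples; on real attachments you would call `triage_attachment` on the saved file's bytes and treat any finding as a reason to submit the file to a vendor rather than open it.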

Paul Komski
07-01-2003, 02:13 AM
He he: that's what I thought. But it still takes a great act of faith to knowingly attempt to execute such a file, even if you know your AV is up and running!! :D

mjc
07-01-2003, 03:20 AM
Yes... and I do it all the time (mostly on my test setup). But every once in a while I forget and do it on my main machine; so far AVG hasn't let me down.

Sylvander
07-01-2003, 04:06 AM
A couple of days back I received an e-mail with a copy of Bugbear in the attachment.
I didn’t know that, but I was suspicious and wanted to scan it on a write-protected floppy.
I tried to save the attachment to a floppy but AVG displayed a warning that it had detected Bugbear and refused to transfer it.
When I deleted the e-mail AVG reported that it had been quarantined in the “Virus Vault”.

NICE!

Paul Komski
07-01-2003, 05:04 AM
Yep, I was pretty sure it was a virus but wanted to discover which one. Finding the upload form for Kaspersky was really useful in this respect.

;)

Bugbear's not too bad to clean up, but others are not so nice, so being able to identify it before "playing" with it is important.