How do you detect them? would you detect a compressed executable?
Don't laugh Nihil, it just does it based on a list of file extensions, the people at my place are not usually malicious and it just stops things being automatically downloaded without their knowledge if their happens to be another unpatched IE bug.

I just tested it with AVG 7.0 (Grisoft) and it recognised it as "Trojan Horse Downloader Revop.A"
I am at home now and I have AVG here too, same result, the scary thing is that this machine does a full scan every day and it has not been picked up until today. I am wondering if the file is very slightly different to the original but close enough that most AVs pick it up, just not Sophos apparently.

http://www.bleedingsnort.com/blackho...id-acl.include
Very interesting indeed, thanks for that, simple but effective, just the way I like it

Some more links (hence the double post)
Much appreciated