[Mimedefang] Password protected Bagle.F

Jon R. Kibler Jon.Kibler at aset.com
Mon Mar 1 13:25:38 EST 2004


According to a thread on the ClamAV users lists, the worm 
"Bagle.F" is now spreading via password protected zip files. 
The text body of the email message contains the password.

This appears to be the latest attempt to defeat AV scanners that
cannot detect malware in zip files that they cannot unzip. The
worm apparently changes the password on the fly, so that each
file has a different password -- thus each zip file would have
a different signature.

In most organizations, it is not practical to block all zip 
files. Replacing zip files with URLs is clearly sometimes an 
option. But I wonder: is there a more generic solution... some
way to block (or replace with URL) only password protected
zip files? There has to be a decent solution to this problem!

TIA for everyone's thoughts.

JK
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
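
One way to single out password-protected zip attachments, as an added example that is not part of the original post: each zip entry header carries a general purpose flag word whose bit 0 marks the entry as encrypted, so it can be read without knowing the password. The function names are hypothetical, and the sample archives are constructed in the code with the flag set by hand.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general purpose flag bit 0: entry is encrypted


def encrypted_members(data):
    """Return the names of entries whose header marks them as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def classify(data):
    """Classify an attachment as 'encrypted', 'plain' or 'unreadable'."""
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        # Not a parseable zip; leave the decision to site policy.
        return "unreadable"
    return "encrypted" if names else "plain"


def _sample_zip(name, encrypted):
    """Constructed sample: a stored zip, optionally with the flag forced on.

    The payload is not really encrypted; only the header bit is set,
    which is all the check above looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag word sits at offset 6 of the local file header (PK\x03\x04)
        # and at offset 8 of the central directory header (PK\x01\x02).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            (flags,) = struct.unpack_from("<H", raw, pos + off)
            struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in (("protected", _sample_zip("doc.exe", True)),
                        ("ordinary", _sample_zip("notes.txt", False)),
                        ("garbage", b"not a zip")):
        print(label, "->", classify(blob))
```

A mail filter could apply this to each attachment and block or replace only those classified as encrypted, letting ordinary zip files through to the virus scanner.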






