[Mimedefang] Password protected Bagle.F
David F. Skoll
dfs at roaringpenguin.com
Mon Mar 1 17:32:51 EST 2004
On Mon, 1 Mar 2004, Jon R. Kibler wrote:
> This appears to be the latest attempt to defeat AV scanners who
> cannot detect malware in zip files that they cannot unzip. The
> worm apparently changes the password on the fly, so that each
> file has a different password -- thus each zip file would have
> a different signature.
AFAIK, you can always list the contents of a zip file, even a
password-protected one. I guess it's time to look inside zip archives
for banned filenames. :-(
I have no idea if the zip format allows subversion of this technique.
Regards,
David.
More information about the MIMEDefang
mailing list