[Mimedefang] Password protected Bagle.F

Lucas Albers albersl at cs.montana.edu
Mon Mar 1 18:27:31 EST 2004


Two ideas:
block password protected files:
see my patch for this for uvscan:
http://lists.roaringpenguin.com/pipermail/mimedefang/2003-December/018560.html

block zip files with particular name:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019508.html

block zip files with entries of a particular extension (exe in this case), i.e. block exe inside zips:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019511.html

bagle.F mcafee information:
http://vil.nai.com/vil/content/v_101062.htm


David F. Skoll said:
> On Mon, 1 Mar 2004, Jon R. Kibler wrote:
>
>> This appears to be the latest attempt to defeat AV scanners who cannot
> >> detect malware in zip files that they cannot unzip. The
>> worm apparently changes the password on the fly, so that each
>> file has a different password -- thus each zip file would have
>> a different signature.
>
> AFAIK, you can always list the contents of a zip file, even a
> password-protected one.  I guess it's time to look inside zip archives
> for banned filenames. :-(
>
> I have no idea if the zip format allows subversion of this technique.
>
> Regards,
>
> David.
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>


-- 
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
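As an added example (not code from this list post, from MIMEDefang or from the patches linked above), here is the check David describes, done in Python for a self-contained demo rather than in the Perl filter where MIMEDefang would run it: list the archive from its central directory, which the zip format keeps in the clear even when the file data is password protected, and reject on an encrypted entry, a banned extension, or a local file header whose name disagrees with the central directory. The banned-extension list, the entry names and the archive bytes are constructed for the demo and are not taken from the worm.

```python
"""Inspect a zip attachment without extracting it (constructed example).

Every entry's name and its "encrypted" flag (bit 0 of the general-purpose
flags) sit in the plaintext central directory, so a mail gateway can list and
judge an archive it cannot unpack.
"""
import io
import os
import struct
import zipfile
import zlib

# Assumed policy (not from the list post): extensions refused inside archives.
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ENCRYPTED_FLAG = 0x0001      # general-purpose flag bit 0: entry is encrypted

LOCAL_HDR = "<4s5H3I2H"      # 30-byte local file header
CENTRAL_HDR = "<4s6H3I5H2I"  # 46-byte central directory header
EOCD = "<4s4H2IH"            # 22-byte end-of-central-directory record


def build_zip(entries):
    """Build a minimal stored-only zip from (name, flags, payload[, local_name])
    tuples.  A constructed stand-in for an attachment: with ENCRYPTED_FLAG set,
    the payload is opaque bytes standing in for PKWARE-encrypted data.
    local_name lets the local header disagree with the central directory."""
    body, central = bytearray(), bytearray()
    for entry in entries:
        name, flags, payload = entry[:3]
        local_name = entry[3] if len(entry) > 3 else name
        cd_name, lh_name = name.encode("cp437"), local_name.encode("cp437")
        crc, size, offset = zlib.crc32(payload) & 0xFFFFFFFF, len(payload), len(body)
        body += struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, flags, 0, 0, 0,
                            crc, size, size, len(lh_name), 0)
        body += lh_name + payload
        central += struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                               crc, size, size, len(cd_name), 0, 0, 0, 0, 0, offset)
        central += cd_name
    cd_offset = len(body)
    body += central
    body += struct.pack(EOCD, b"PK\x05\x06", 0, 0, len(entries), len(entries),
                        len(central), cd_offset, 0)
    return bytes(body)


def local_header(data, info):
    """Return (name, flags) from the local file header a central-directory
    entry points at, or None if that offset holds no local header."""
    fields = struct.unpack_from(LOCAL_HDR, data, info.header_offset)
    if fields[0] != b"PK\x03\x04":
        return None
    start = info.header_offset + struct.calcsize(LOCAL_HDR)
    return data[start:start + fields[9]].decode("cp437"), fields[2]


def inspect_zip(data):
    """List the archive (works even when entries are encrypted) and report
    encrypted entries, banned extensions and central/local name mismatches."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    report = {"names": [], "encrypted": [], "banned": set(), "mismatch": []}
    for info in infos:
        names, flags = {info.filename}, info.flag_bits
        local = local_header(data, info)
        if local is not None:
            names.add(local[0])
            flags |= local[1]          # trust neither copy of the flags alone
            if local[0] != info.filename:
                report["mismatch"].append((info.filename, local[0]))
        report["names"].append(info.filename)
        if flags & ENCRYPTED_FLAG:
            report["encrypted"].append(info.filename)
        for n in names:                # judge both names an extractor may use
            if os.path.splitext(n)[1].lower() in BANNED_EXTENSIONS:
                report["banned"].add(n)
    report["banned"] = sorted(report["banned"])
    return report


def can_extract(data, name):
    """True if the entry can be read without a password.  The listing in
    inspect_zip succeeds either way, which is the point of the check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:           # zipfile: "encrypted, password required"
            return False


def verdict(report):
    """Gateway decision: reject on any encrypted entry, banned extension or
    header disagreement; otherwise leave the file to the normal AV scan."""
    return "reject" if (report["encrypted"] or report["banned"]
                        or report["mismatch"]) else "accept"


if __name__ == "__main__":
    sample = build_zip([("notes.txt", 0, b"hello"),
                        ("price.exe", ENCRYPTED_FLAG, b"\x00" * 16)])
    print(inspect_zip(sample), verdict(inspect_zip(sample)),
          can_extract(sample, "notes.txt"), can_extract(sample, "price.exe"))
```

The example reads both the central directory and each local header because the two can carry different names and flags, and extractors differ in which copy they trust; a filter that looks at only one of them can be shown a harmless name while the user's unzip tool sees another. `can_extract` is there only to make the contrast visible: the encrypted entry cannot be read without the password, yet its name and flag were listed without trouble.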