[Mimedefang] Password protected Bagle.F
Dirk Mueller
dmuell at gmx.net
Mon Mar 1 20:05:41 EST 2004
On Monday 01 March 2004 19:25, Jon R. Kibler wrote:
> file has a different password -- thus each zip file would have
> a different signature.
That's true, but it has some defects that make detection easy:
a) last line of mail ends in "password : xxxxx"
b) the zip file contains only one file which ends in ".exe"
c) the file is only "stored", not "compressed". It's unusual since
any manually generated file is usually also compressed.
d) the filesize and the CRC-32 of the file can be retrieved without
extracting, and they allow identifying the content without knowing the
password.
As you can see, you can detect it with almost no false positives.
Dirk
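The indicators listed above, turned into a check, as an added example that is not code from this post or from MIMEDefang. It reads the zip central directory (entry count, name, compression method, CRC-32, uncompressed size) with Python's standard `zipfile` module, which does not need the password for those fields; the sample archive is constructed inline (unencrypted, since `zipfile` cannot write encrypted archives) and the CRC/size allow-list is a placeholder, because the post gives no actual values.

```python
import io
import re
import zipfile

# Constructed sample attachment: one STORED ".exe" entry with arbitrary bytes.
# Set compressed=True to build the "normal" case a human would produce.
def build_sample_zip(compressed: bool = False) -> bytes:
    method = zipfile.ZIP_DEFLATED if compressed else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("photo.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()

def inspect_zip(data: bytes) -> dict:
    """Header-level facts only; nothing is extracted, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    return {
        "entries": len(infos),
        "names": [i.filename for i in infos],
        "all_stored": all(i.compress_type == zipfile.ZIP_STORED for i in infos),
        "crc_size": [(i.CRC, i.file_size) for i in infos],
        # General-purpose flag bit 0 marks the entry as encrypted.
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
    }

def last_line_has_password(body: str) -> bool:
    """Indicator a): the mail body's last non-empty line ends in 'password : xxxxx'."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return bool(lines) and re.search(r"password\s*:\s*\S+$", lines[-1], re.I) is not None

def looks_like_bagle_f_zip(data: bytes, known_crc_size: frozenset = frozenset()) -> bool:
    """Indicators b), c), d): single stored .exe entry, optionally matching known CRC/size."""
    facts = inspect_zip(data)
    if facts["entries"] != 1:
        return False
    if not facts["names"][0].lower().endswith(".exe"):
        return False
    if not facts["all_stored"]:
        return False
    # Placeholder allow-list: real CRC-32/size pairs would come from captured samples.
    if known_crc_size and facts["crc_size"][0] not in known_crc_size:
        return False
    return True

if __name__ == "__main__":
    body = "Hi,\n\nsee the attached archive.\n\npassword : 12345\n"
    print(last_line_has_password(body), looks_like_bagle_f_zip(build_sample_zip()))
```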