I have downloaded a copy of the virus and inspected it. The file is a functional encrypted RAR with an EXE inside of the same file name. I also researched why Declude might not be catching this and I believe that I know why.

Declude will properly detect an executable within a RAR file and the fact that the file is encrypted. I verified this with my own test on a file that I encrypted. The problem however is the fact that you can also encrypt the file name within a RAR and not just the file. The virus that was being spammed encrypted both the file name and the file, so Declude likely got hung up on trying to extract the name from the RAR.

Note to Dave. This took me all of 30 minutes to figure out. Unfortunately there is somewhat of a conundrum here as you will need to introduce new functionality in order to handle this appropriately. While I don't expect that RAR files will be commonly used for viruses due to the rarity of the client, it is definitely necessary to allow users to block encrypted RARs when the file names are not extractable. I have a recommendation for how to handle this which would be quite consistent with current behavior and possibly help with unexpected conditions with ZIPs too:

   For both encrypted ZIPs and encrypted RARs where the file names
   can't be extracted, assume that it contains an EXE.  This will allow
   for those that want to block all encrypted files and those that only
   want to block them when there is an executable inside to maintain
   proper levels of protection.


Let me know if you would like some more feedback or information.

Thanks,

Matt
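The distinction Matt describes, worked through as an added Python example (this is not code from the message, from Declude, or from RAR's authors): in the RAR 1.5-4.x format the main archive header carries a flag that says the block headers themselves are encrypted, and once that flag is set every file header after it is ciphertext, so the file names are not recoverable without the password. A per-file "encrypted" flag on an otherwise readable file header is a different case and the names are still visible. The minimal archive builder, the dummy packed bytes, the extension list and the `verdict` policy are all my own assumptions constructed for the example; the builder only models the encrypted-headers case with opaque bytes rather than real AES output, and RAR5 archives are recognized but not parsed.

```python
import struct
import zlib

# Signatures and header constants of the RAR 1.5-4.x container format.
RAR_MARKER = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x (recognized, not parsed here)
MAIN_HEAD = 0x73                        # archive (main) header
FILE_HEAD = 0x74                        # file header
MHD_PASSWORD = 0x0080                   # main header: block headers are encrypted
LHD_PASSWORD = 0x0004                   # file header: file data is encrypted
LHD_LARGE = 0x0100                      # file header: 64-bit sizes (8 extra bytes)
LONG_BLOCK = 0x8000                     # header is followed by ADD_SIZE bytes of data

# Assumed extension list for the policy check (constructed for this example).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def _header(head_type, flags, body):
    """Build one RAR block header; HEAD_CRC is the low 16 bits of CRC32 over the rest."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def build_rar(entries, encrypt_names=False):
    """Constructed test archive: entries are (name, packed_bytes, file_encrypted).
    Packed bytes are dummies, not real compressed data."""
    out = bytearray(RAR_MARKER)
    out += _header(MAIN_HEAD, MHD_PASSWORD if encrypt_names else 0, b"\x00" * 6)
    if encrypt_names:
        # Real RAR encrypts everything after the main header (8-byte salt, then
        # AES blocks); opaque filler stands in for that ciphertext here.
        out += b"\x00" * 8 + b"\x5a" * 48
        return bytes(out)
    for name, packed, encrypted in entries:
        name_b = name.encode("cp437")
        flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
        # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
        body = struct.pack("<IIBIIBBHI", len(packed), len(packed), 2,
                           zlib.crc32(packed) & 0xFFFFFFFF, 0, 29, 0x30,
                           len(name_b), 0x20) + name_b
        out += _header(FILE_HEAD, flags, body) + packed
    return bytes(out)


def inspect_rar(data):
    """Walk the block headers and report what a scanner can actually see."""
    report = {"format": None, "headers_encrypted": False, "entries": [],
              "truncated": False, "corrupt": False}
    if data.startswith(RAR5_MARKER):
        report["format"] = "rar5"
        report["headers_encrypted"] = None   # unknown: RAR5 layout not parsed here
        return report
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 1.5-4.x archive")
    report["format"] = "rar3"
    pos = len(RAR_MARKER)
    while pos + 7 <= len(data):
        crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            report["truncated"] = True
            break
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != crc:
            report["corrupt"] = True
            break
        add = 0
        if head_type == MAIN_HEAD:
            if flags & MHD_PASSWORD:
                # Everything from here on is ciphertext: file names are not extractable.
                report["headers_encrypted"] = True
                break
        elif head_type == FILE_HEAD:
            pack_size, = struct.unpack_from("<I", data, pos + 7)
            name_size, = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            raw = data[name_off:name_off + name_size]
            # Unicode names carry an ASCII form first, NUL-separated; keep the ASCII form.
            name = raw.split(b"\x00")[0].decode("cp437", "replace")
            report["entries"].append({"name": name,
                                      "encrypted": bool(flags & LHD_PASSWORD)})
            add = pack_size
        elif flags & LONG_BLOCK:
            add, = struct.unpack_from("<I", data, pos + 7)
        pos += head_size + add
    return report


def verdict(report, block_all_encrypted=False):
    """Policy from the list post: if names cannot be extracted, assume an EXE is inside.
    Treating truncated or corrupt headers the same way is my own addition."""
    if (report["headers_encrypted"] is not False or report["truncated"]
            or report["corrupt"]):
        return True, "file names not extractable; assuming an executable inside"
    any_enc = any(e["encrypted"] for e in report["entries"])
    has_exe = any(e["name"].lower().endswith(EXEC_EXTENSIONS) for e in report["entries"])
    if any_enc and block_all_encrypted:
        return True, "encrypted archive (block-all-encrypted policy)"
    if has_exe:
        return True, "executable inside archive" + (" (encrypted)" if any_enc else "")
    return False, "no executable found"


if __name__ == "__main__":
    for label, archive in [
        ("plain text file", build_rar([("readme.txt", b"hello", False)])),
        ("encrypted data, visible name", build_rar([("invoice.exe", b"MZ-dummy", True)])),
        ("encrypted headers", build_rar([], encrypt_names=True)),
    ]:
        print(label, "->", verdict(inspect_rar(archive)))
```

The three constructed archives show the three cases a scanner meets: a readable archive with a harmless name passes, an archive whose file data is encrypted but whose headers are readable still exposes `invoice.exe` and is blocked on the name, and an archive with encrypted headers yields no entries at all and is blocked under the assume-an-EXE rule rather than silently passed.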


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
