On Mon, Mar 01, 2004 at 09:06:12PM +0100, Erik Corry wrote:
> On Mon, Mar 01, 2004 at 05:31:35PM +0700, Fajar A. Nugraha wrote:
> > Bill Taroli wrote:
> >
> > >Perhaps a silly question... if the .ZIP attachment is passworded, how
> > >are the target users supposed to be opening them and getting infected?
> > >Has the password been included in the email in which the .ZIP was
> > >attached?
> >
> > No, silly me. I forgot to mention that the password is included in email
> > body.
> >
> > Which means that the only way it can infect you is if you use Windows,
> > don't have any updated AV scanner, open the attachment, and
> > intentionally type in the password.
> >
> > However, judging from the fact that it IS spreading in my network now,
> > some people tend to do exactly that.
>
> Kaspersky have added the text string to their signatures (the one
> that tries to entice you into unpacking the zip file). That seems
> to be all you can do right now. In the somewhat longer run perhaps
> the engine needs to be able to get a list of possible passwords so it
> can have a go at decrypting the zip file.

I do not believe this would work in the long run, as we would have a problem very similar to recognising typical spam phrases (i.e. splitting the word through HTML code, gappy text, etc.), which is obviously not trivial to solve. I think blocking encrypted zip files or (better) educating users (as they have to do much more than just clicking) are the only options.

LLAP,
Martin
