Why not test the encrypted password protected ECAIR virus from Scott's test virus sender?

BTW, Beagle.J appears to come with a fixed number of variations, and a combination filter in JunkMail would take 5 minutes to work up which should catch this 100% of the time.

    http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

I think it's impractical to do this for every virus to come, although it is a whole lot easier to do than grabbing a password and then unlocking a file to scan within it.  I wouldn't be surprised if some AV companies aren't doing just that, i.e. if the sender is management@, administration@, staff@, noreply@, or support@ and the message contains a password protected zip file, then consider it to be a virus, or just look at the name of the password protected zip file.  There are about 10 different patterns with Beagle.J that can be tracked in combination for a positive hit.  I would imagine that not all such viruses will have highly reliable patterns, though most will.

Matt
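The combination filter described above (generic sender local-part plus a password-protected zip attachment), as an added example that is not part of the original thread or of Declude's own software. It uses only Python's standard library; the sender list comes from the post, while the attachment name, inner file name and message bodies are constructed fixtures.

```python
import io
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender local-parts the post names as the Beagle.J pattern.
SUSPECT_SENDERS = {"management", "administration", "staff", "noreply", "support"}


def make_zip_bytes(encrypted):
    """Constructed fixture. zipfile cannot write encrypted entries, so bit 0 of
    the general-purpose flags is patched into the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"placeholder, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + offset] |= 0x01
    return bytes(data)


def build_message(sender, zip_bytes=None, zip_name="VIRUS.ZIP"):
    """Constructed sample: body is just 'test', optionally with a zip attached."""
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content("test")
    if zip_bytes is not None:
        msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_string()


def has_encrypted_zip(msg):
    """True if any attachment is a zip archive with a password-protected entry."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of flag_bits marks an encrypted entry; no password needed to read it.
                if any(info.flag_bits & 0x01 for info in zf.infolist()):
                    return True
        except zipfile.BadZipFile:
            continue  # attachment is not a zip archive
    return False


def looks_like_beagle_j(raw):
    """Combination filter: generic sender local-part AND a password-protected zip."""
    msg = message_from_string(raw, policy=policy.default)
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    return local_part in SUSPECT_SENDERS and has_encrypted_zip(msg)
```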


marc catuogno wrote:
If you want I can send it to you, it isn't important but I found it curious.
All I know is it is a virus, it is reported as beagle.j by NAV, it is in a
passworded .Zip file, there is nothing but the word "test" in the body of
the e-mail and it is caught by the e-mail scanning as it goes out.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, March 07, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] NAV 2003 catches beagleJ in encrypted zip?


Plain old NAV 2003 on my Win XP workstation that scans e-mail - sorry for
not being specific.  BUT the weird thing is there was no e-mail with a PW.
I had saved the file from one that had gotten through and attached it to an
e-mail with only the word "test" in the body of the e-mail. I don't even
have the PW to unzip it if I wanted to.  I did rename the zip VIRUS.ZIP...


My guess then is that it isn't really Bagle.J, but is really Bagle.F or a 
similar one.  The only way it would be able to accurately detect it would 
be to use a password cracker on the .ZIP file.

                                                    -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================