On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:
-----Original Message----- From: [EMAIL PROTECTED]
Another variant against the Netsky virus. It's is packed with UPX. It spreads with the password protected zip file, which gets bypassed through all most all the AV scanners with latest signature updates because No AV can decrypt it without the password. (though password is in the message content), we humans tend to open it after reading the message.
McAfee now detects the password protected zip files. (There are other things you can look for besides trying to decrypt the contents of the zip filel Also, zip passwords are weak and easily broken anyway.)
BTW, there is a war going on right now between three virus groups, so you will continue to see new variants of Bagle, Netsky and Mydoom for the foreseeable future. Should be a very interesting month.
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/
Someone on the ntbugtrack list mentioned earlier another possible solution for A/V gateways: checking for the extension of known-to-be-infected files, and appending the "+" sign at the end (e.g. .exe+). I have tried this on my first layer Norton Gateway, as well as my second tier email A/V - the TrendMicro one (and variations of such - e.g. *.exe+, *.exe*, *exe+, etc.), and have not been successful ... anybody else having attempted something similar (the reason for the "+" is the obvious extension name change inside the ZIP, if there is a password protected file) ?
Stef
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
