Password protected ZIP files and Email worms

From: Michael_Maloney (Michael_Maloney_at_MIDDLESEXCC.EDU)
Date: 03/02/04

  • Next message: Hughes, Bruce: "Re: Password protected ZIP files and Email worms"
    Date:         Tue, 2 Mar 2004 15:26:49 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    With the release of Beagle.H and Beagle.I, virus writers started enclosing
    the infected files within password protected ZIP files. This negated the
    ability of A/V software to view the enclosed file within.

    I've found that the A/V software does see the file within the ZIP archive,
    but cannot process it because it does not recognize the extension. When the
    archive is password protected, the file enclosed receives a "+" character at
    the end of the extension (i.e., test.exe becomes test.exe+). Since the A/V
    software doesn't recognize that kind of extension, it lets it pass through.

    I found that by adding the "+" character to file extensions that are blocked
    (.exe+, .cmd+, .vbs+, etc.), the A/V software can now recognize that file
    extension and perform the necessary actions on it.

    I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
    should work on the other A/V software programs.

    ********************************************
    Mike Maloney
    Sr. System Engineer
    Middlesex County College
    2600 Woodbridge Avenue
    Edison, NJ 08818
    Phone: 732-906-7754
    Cell: 908-217-2086
    Fax: 732-906-4266
    Email: Michael_Maloney@middlesexcc.edu
    ********************************************

    -----
    NTBugtraq Editor's Note:

    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
    -----
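
An added example, not part of the original post and not any A/V product's code: with traditional ZIP encryption, member names and the per-member encryption flag remain readable in the archive's central directory without the password, so an extension block list can still be applied. The trailing "+" handling assumes the scanner reports names the way the post describes; the block list and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# Sample policy built from the extensions named in the post.
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".vbs"}


def normalize_extension(name):
    """Lowercased extension with any trailing '+' marker removed."""
    return os.path.splitext(name)[1].lower().rstrip("+")


def blocked_members(zip_bytes):
    """Return (name, encrypted) for each member with a blocked extension.

    Only the central directory is read, so no password is needed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            if normalize_extension(info.filename) in BLOCKED_EXTENSIONS:
                hits.append((info.filename, encrypted))
    return hits


def build_sample_zip(names, encrypted):
    """Constructed test input: a stored ZIP whose 'encrypted' flag is set
    by patching header bytes. The payload is harmless placeholder text and
    is not actually encrypted; only the metadata matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field offset: 6 in a local header, 8 in a central header.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_zip(["readme.txt", "test.exe"], encrypted=True)
    print(blocked_members(sample))
```
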

