[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

John Hardin johnh at aproposretail.com
Thu Feb 19 00:49:10 GMT 2004

On Wed, 2004-02-18 at 10:58, Erik van Straten wrote:

> I agree that more can be done regarding .pif, .com etc. attachments.
> However, there were zip files too (I expect a lot of resistance if
> we're going to drop zip files, perhaps depending on the fact if they
> contain one or more executable files, or files that just *seem*
> executable, e.g. batchfiles or other scripts, including perl, python
> etc).

True. It's an open-ended battle.

> Also, we will probably see viruses in password protected zip files
> soon.

N.B.: the ZIP *directory* is not password-protected or encrypted (at
least in my limited testing), so you can still see the names of the
files in the archive if you want to do policy filtering on
password-protected .ZIP attachments.

>  Furthermore, once admins massively start blocking attachments
> with certain file extensions, people will get used to renaming files
> they receive. It is just a matter of time until viruses are sent as
> .txt and people are asked to rename them into whatever. Some people
> are curious and clueless - we do have to live and work with them.

True. I doubt, however, that a worm that requires *that much*
interaction will spread very quickly.

> We may as well prohibit all email attachments.

Fine by me. Email is not a general-purpose file transfer protocol. :)

> We desperately need *smart* and *fast* solutions for SMTP problems.
> I've not seen a single useful solution that cannot be bypassed, and
> at the same time will not render legitimate use of SMTP problematic,
> if not totally impossible (the ultimate solution may not exist).

Alas, the most likely cure for worms and spam is replacing the SMTP

John Hardin  KA7OHZ                           
Internal Systems Administrator/Guru               voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
  Failure to plan ahead on someone else's part does not constitute an
  emergency on my part.
                                  - David W. Barts in a.s.r
 12 days until ICQ Corp goes away - have you installed Jabber yet?

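The point made above about password-protected archives, as an added example that is not part of the original message or the list: a ZIP's central directory (file names, sizes and the per-entry "encrypted" flag) is stored in the clear, so a mail filter can apply an extension policy to the names inside a password-protected archive without ever decrypting it. The archive is constructed inline with a minimal writer; the "encrypted" entry carries opaque placeholder bytes rather than a real PKZIP-encrypted stream, since the directory parser never reads entry data. `BLOCKED_EXTS` and the sample file names are assumptions for the example.

```python
"""Policy-filter a ZIP attachment by reading only its central directory."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001                      # general-purpose bit 0
DOS_DATE_2004_02_18 = ((2004 - 1980) << 9) | (2 << 5) | 18

# Assumed blocklist: the executable and "seemingly executable" types the thread mentions.
BLOCKED_EXTS = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".pl", ".py"}


def build_zip(entries):
    """Minimal ZIP writer (stored entries only). entries: [(name, data, encrypted)]."""
    out = io.BytesIO()
    central = []
    for name, data, encrypted in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF   # CRC of the plaintext, as PKZIP stores it
        flags = FLAG_ENCRYPTED if encrypted else 0
        # Traditional PKZIP encryption prepends a 12-byte header to the stream;
        # constructed placeholder bytes of the same length stand in for it here.
        payload = (b"\x00" * 12 + bytes(b ^ 0x5A for b in data)) if encrypted else data
        offset = out.tell()
        out.write(struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0,
                              DOS_DATE_2004_02_18, crc, len(payload), len(data),
                              len(name_b), 0))
        out.write(name_b)
        out.write(payload)
        central.append(struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, 0,
                                   0, DOS_DATE_2004_02_18, crc, len(payload), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    cd_bytes = b"".join(central)
    out.write(cd_bytes)
    out.write(struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                          len(cd_bytes), cd_offset, 0))
    return out.getvalue()


def read_central_directory(blob):
    """Parse the central directory only; entry data (encrypted or not) is never touched."""
    eocd_pos = blob.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_size, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", blob[eocd_pos:eocd_pos + 22])
    entries, pos, end = [], cd_offset, cd_offset + cd_size
    while pos < end and len(entries) < total:
        hdr = struct.unpack("<4sHHHHHHIIIHHHHHII", blob[pos:pos + 46])
        if hdr[0] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        flags, method, uncomp_size = hdr[3], hdr[4], hdr[9]
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = blob[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "method": method, "size": uncomp_size})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def attachment_policy(blob, blocked_exts=BLOCKED_EXTS):
    """Return ('reject' | 'accept', reasons) for a ZIP attachment, judged on names alone."""
    reasons = []
    for e in read_central_directory(blob):
        lower = e["name"].lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in blocked_exts:
            tag = "encrypted " if e["encrypted"] else ""
            reasons.append("%sentry %r has blocked extension %s" % (tag, e["name"], ext))
    return ("reject" if reasons else "accept"), reasons


def stdlib_names(blob):
    """Cross-check with the standard library: it lists encrypted entries too and only
    refuses to extract them without a password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, bool(i.flag_bits & FLAG_ENCRYPTED)) for i in zf.infolist()]


# Constructed sample: a "password-protected" archive carrying a .pif next to a text file.
SAMPLE_ZIP = build_zip([
    ("document.txt", b"quarterly numbers attached\n", False),
    ("invoice.pif", b"MZ placeholder, not a real executable\n", True),
])

if __name__ == "__main__":
    for entry in read_central_directory(SAMPLE_ZIP):
        print(entry)
    print(attachment_policy(SAMPLE_ZIP))
    print(stdlib_names(SAMPLE_ZIP))
```

The policy decision here never depends on the payload, which is exactly why it survives password protection: what a gateway loses with an encrypted archive is the ability to scan contents, not the ability to read the directory. The same limitation cuts the other way, of course; a name-only rule says nothing about what a permitted extension actually contains.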