[Dshield] Password protected Bagle.F
brian at dessent.net
Tue Mar 2 00:36:31 GMT 2004
John Hardin wrote:
> On Mon, 2004-03-01 at 09:53, Jon R. Kibler wrote:
> > According to a thread on the ClamAV users lists, Bagle.F is now
> > spreading via password protected zip file. The text body of the
> > email contains the password.
> Fortunately password-protecting a ZIP file does NOT encrypt the
> zipfile's index - you can still see (and scan for) the archived
> filenames without having the password.
And, since the password is given in the message body it's just a matter
of updating your AV signature/identification code to be able to regex
out the password and send it to the unzip engine. In other words the
malware still has a most definite signature that can be programmatically
tested -- the ZIP attachment needn't be a black box if the password is
given in the body in one of a moderate number of variations of text.
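The two points made in this thread, that the index (central directory) of a password-protected ZIP is readable without the password, and that the password can be regexed out of the message body and handed to the unzip engine, as an added worked example in Python. This is not code from the list post or from any of its authors, and it makes the following assumptions: the attachment uses traditional PKWARE "ZipCrypto" encryption (the only kind the 2004-era `.zip` password feature offered, and the only kind the Python standard library can decrypt), the body phrasings in `PASSWORD_PATTERNS`, the filename `info.exe` and the password `48219` are all constructed for the example and are not the real Bagle.F strings, and the small ZipCrypto encrypter exists only to build the test fixture in memory, since `zipfile` can read but not write encrypted entries. It goes slightly beyond the thread by trying every password candidate found in the body rather than one.

```python
import io
import os
import re
import struct
import zipfile
import zlib


# --- ZipCrypto (traditional PKWARE) encryption. Written here only to build the
# test fixture: the stdlib zipfile module decrypts these entries but cannot write them.
def _gen_crc(c):
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c


_CRCTAB = [_gen_crc(i) for i in range(256)]


class ZipCryptoEncrypter:
    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in pwd:
            self._update(c)

    def _update(self, c):
        self.k0 = _CRCTAB[(self.k0 ^ c) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key stream advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """Constructed fixture: one STORED entry with flag bit 0 (encrypted) set.
    The filename is stored in clear text in both the local header and the central
    directory; only the entry body (12-byte header + data) is encrypted."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # encryption header = 11 random bytes + high CRC byte, which readers use as a password check
    body = ZipCryptoEncrypter(pwd).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    flags, method, t, d = 0x1, zipfile.ZIP_STORED, 0, 0x21  # date 0x21 = 1980-01-01
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method, t, d,
                        crc, len(body), len(data), len(fname), 0)
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method,
                          t, d, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0)
    cd_offset = len(local) + len(fname) + len(body)
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central) + len(fname), cd_offset, 0)
    return local + fname + body + central + fname + eocd


# --- Mail-gateway side. The body phrasings below are constructed assumptions, not the
# worm's actual text; a real signature would carry the observed variants.
PASSWORD_PATTERNS = [
    re.compile(r"pass(?:word)?\s*(?:is|:|-)\s*[\"']?([A-Za-z0-9]+)", re.I),
    re.compile(r"[\"']([A-Za-z0-9]+)[\"']\s*(?:is|as)\s+(?:the\s+)?pass(?:word)?", re.I),
]
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def password_candidates(body: str) -> list:
    """Regex the password(s) out of the message body, in order, without duplicates."""
    found = []
    for pat in PASSWORD_PATTERNS:
        for m in pat.finditer(body):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def triage(zip_bytes: bytes, body: str) -> dict:
    """Everything a gateway can learn from a password-protected attachment:
    filenames come from the unencrypted index with no password at all; with a
    password taken from the body the entry itself is decrypted for the scanner."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
        flagged = [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
        used_pwd, payloads = None, {}
        for cand in password_candidates(body):
            try:
                payloads = {n: zf.read(n, pwd=cand.encode()) for n in names}
                used_pwd = cand
                break
            except (RuntimeError, zipfile.BadZipFile):  # wrong password: check byte or CRC fails
                continue
    return {"names": names, "encrypted": encrypted, "flagged": flagged,
            "password": used_pwd, "payloads": payloads}


if __name__ == "__main__":
    archive = build_encrypted_zip("info.exe", b"MZ constructed payload", b"48219")
    print(triage(archive, "The archive is password protected.\nPassword: 48219"))
```

`flagged` is populated before any password is tried, which is the point of the first quoted remark: an executable name inside an encrypted archive is visible, and blockable, on the index alone. The decrypted `payloads` are what would be passed on to the normal signature engine.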