[Dshield] Password protected Bagle.F

Brian Dessent brian at dessent.net
Tue Mar 2 00:36:31 GMT 2004


John Hardin wrote:
> 
> On Mon, 2004-03-01 at 09:53, Jon R. Kibler wrote:
> > According to a thread on the ClamAV users lists, Bagle.F is now
> > spreading via password protected zip file. The text body of the
> > email contains the password.
> 
> Fortunately password-protecting a ZIP file does NOT encrypt the
> zipfile's index - you can still see (and scan for) the archived
> filenames without having the password.

And, since the password is given in the message body it's just a matter
of updating your AV signature/identification code to be able to regex
out the password and send it to the unzip engine.  In other words the
malware still has a most definite signature that can be programmatically
tested -- the ZIP attachment needn't be a black box if the password is
given in the body in one of a moderate number of variations of text.

Brian
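As an added illustration of the two points above (not code from this thread or from any AV product): the ZIP central directory stays in clear even when members are encrypted, so a scanner can list member names and the "encrypted" flag without the password, and a regex over the body can pull out the password to hand to the unzip engine. The body phrasings, the sample ZIP and the member name are constructed here, not Bagle.F's real text.

```python
import io
import re
import struct
import zipfile

# Constructed body phrasings (hypothetical, not the worm's real wording); a real
# signature would carry the moderate set of variants actually seen in the wild.
PASSWORD_PATTERNS = [
    re.compile(r"password(?:\s+for\s+(?:the\s+)?archive)?\s*(?:is|:)\s*[\"']?(\w+)", re.I),
    re.compile(r"archive password:\s*(\w+)", re.I),
]

SUSPICIOUS_EXT = (".exe", ".scr", ".pif", ".com")


def extract_password(body: str):
    """Return the first password-looking token in the mail body, or None."""
    for pat in PASSWORD_PATTERNS:
        m = pat.search(body)
        if m:
            return m.group(1)
    return None


def list_members(zip_bytes: bytes):
    """Read only the central directory: (name, encrypted?) per member, no password needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def assess(body: str, zip_bytes: bytes):
    """Combine both checks: suspicious names in the index plus a password in the body."""
    members = list_members(zip_bytes)
    return {
        "password": extract_password(body),
        "encrypted": any(enc for _, enc in members),
        "suspicious_names": [n for n, _ in members if n.lower().endswith(SUSPICIOUS_EXT)],
    }


def make_flagged_zip(name: str, data: bytes) -> bytes:
    """Constructed sample: a stored ZIP with the 'encrypted' general-purpose bit set.
    The member data is left in clear (no PKZIP cipher applied); only the flag is set,
    which suffices to show that the index is readable without the password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    # Local file header keeps its flags at offset 6, the central directory entry at offset 8.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        flags = struct.unpack_from("<H", raw, pos + off)[0] | 0x1
        struct.pack_into("<H", raw, pos + off, flags)
    return bytes(raw)
```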

