[Dshield] Delayed Attachment Delivery?

Paul Marsh pmarsh at nmefdn.org
Tue Mar 2 21:31:08 GMT 2004


I just received this from NTBugTraq; maybe this is a solution?

With the release of Beagle.H and Beagle.I, virus writers started
enclosing the infected files within password protected ZIP files.  This
negated the ability of A/V software to view the enclosed file within.

I've found that the A/V software does see the file within the ZIP
archive, but cannot process it because it does not recognize the
extension.  When the archive is password protected, the file enclosed
receives a "+" character at the end of the extension (i.e. test.exe
becomes test.exe+).  Since the A/V software doesn't recognize that kind
of extension, it lets it pass thru.

I found that by adding the "+" character to file extensions that are
blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now
recognize that file extension and perform the necessary actions on it.

I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
should work on the other A/V software programs.

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney at middlesexcc.edu
********************************************

> -----Original Message-----
> From: Graham Dodd [mailto:g.dodd at falk-ross.de] 
> Sent: Tuesday, March 02, 2004 10:05 AM
> To: General DShield Discussion List
> Subject: AW: [Dshield] Delayed Attachment Delivery?
> 
> I am currently fighting this exact problem: one of the latest 
> batch of "nastiness" passes through our mail server running 2 
> AV scanners.
> 
> Simple fix - block all .zip attachments
> 
> Does it make business sense - try doing business with these 
> virii / worms running riot through the internal network.
> 
> How to get around the problem - send the attachment as 
> "filename.abc" and enclose in the email the actual filename 
> and the actual sender's details.
> Hey, how many people should really be getting all these attachments?
> 
> I know it's not a perfect solution, but it works and there is 
> no more "oops, I just clicked on this attachment and ..."
> 
> 
> Back to the fire!!
> 
> 
> Graham
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~
> Graham K. Dodd
> Director of Operation
> Falk & Ross GmbH
> Tel. +49(6301)717-0
> Fax. +49(6301)717-270
> 
> > -----Original Message-----
> > From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
> > Behalf Of Christophe Rome
> > Sent: Tuesday, 2 March 2004 15:14
> > To: list at dshield.org
> > Subject: Re: [Dshield] Delayed Attachment Delivery?
> >
> >
> >
> > Shawn Cox <shawn.cox at pcca.com> wrote:
> > From: "Shawn Cox"
> > To: "General DShield Discussion List"
> > Subject: Re: [Dshield] Delayed Attachment Delivery?
> > Date: Mon, 1 Mar 2004 09:53:18 -0600
> >
> > > You can scan all day recursively through a .zip file but if you
> > > haven't gotten a virus signature from your vendor you are just going
> > > to pass the virus right through your gateway.
> >
> > Exactly!
> >
> > Not long ago we were pretty safe stopping all attachments except .zip
> > at the mail gateway. We asked all senders to include only zip files.
> > Our end-users in NT wouldn't be able to directly open the .zip
> > attachments by double-clicking. They had to manually open them by
> > using winzip. They would know what they were doing. But today, while
> > running these XP clients, opening .zip attachments happens by simple
> > mouse-click.
> >
> > What's the next step? Delaying 'suspicious' attachments doesn't seem
> > smart businesswise. Do we really need to block all attachments coming
> > in through e-mail and find another way to get these important files
> > to reach our end-users?
> >
> > Any suggestions?
> >
> > Christophe.
> >
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
> >
> 
> 

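The NTBugTraq note forwarded at the top of this thread describes the mechanism behind the bypass: the gateway scanner can list the entries of a password-protected ZIP but cannot open them, reports each such entry with a "+" appended to its name, and so never matches "test.exe+" against a block rule for ".exe". The following Python script is an added example, not code from the list or from any of the posters, that reproduces that decision at the header level: it builds a small constructed archive in which some entries carry the ZIP encryption flag (bit 0 of the general-purpose flag, without any real encryption of the payload), mirrors the "+" naming convention the post attributes to Norton Anti-Virus for Exchange, and shows how a block list that includes the ".exe+"-style variants catches what the plain list misses. The block list itself and all file names are constructed sample values.

```python
import io
import struct
import zipfile
import zlib

# Constructed sample policy: extensions the mail gateway refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".vbs", ".scr", ".pif"}

# Bit 0 of the general-purpose flag in a ZIP entry header marks the entry as encrypted.
ZIP_FLAG_ENCRYPTED = 0x0001


def build_zip(entries):
    """Build a minimal STORED ZIP archive from (name, data, encrypted) tuples.

    Only the encryption flag is set for 'encrypted' entries; the payload is left
    as-is, which is enough to exercise a scanner's header-level decision logic.
    """
    body = bytearray()
    central = bytearray()
    for name, data, encrypted in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        offset = len(body)
        # Local file header (30 bytes): sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(name_b), 0)
        body += name_b + data
        # Central directory header (46 bytes) pointing back at the local header.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0x21, crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset)
        central += name_b
    cd_offset = len(body)
    body += central
    # End of central directory record (22 bytes).
    body += struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                        len(central), cd_offset, 0)
    return bytes(body)


def scanner_view_name(name, encrypted):
    """Name as the post says the scanner reports it: '+' appended when encrypted."""
    return name + "+" if encrypted else name


def extension_of(name):
    """Lower-cased final extension (including the dot), or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def with_plus_variants(blocked):
    """The fix from the post: block '.exe+' alongside '.exe', and so on."""
    return set(blocked) | {ext + "+" for ext in blocked}


def classify_entries(zip_bytes, blocked):
    """One record per archive entry: name, encrypted flag, the extension the
    scanner would match on, and whether the given policy blocks it."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            encrypted = bool(zi.flag_bits & ZIP_FLAG_ENCRYPTED)
            seen = scanner_view_name(zi.filename, encrypted)
            ext = extension_of(seen)
            records.append({"name": zi.filename, "encrypted": encrypted,
                            "matched_ext": ext, "blocked": ext in blocked})
    return records


def sample_archive():
    """Constructed archive: a plain .exe, an encrypted .exe, a text file, an encrypted image."""
    return build_zip([
        ("report.exe", b"MZ-not-really-a-program", False),
        ("invoice.exe", b"MZ-hidden-behind-a-password", True),
        ("readme.txt", b"hello", False),
        ("photo.JPG", b"\xff\xd8\xff", True),
    ])


if __name__ == "__main__":
    archive = sample_archive()
    for label, policy in (("plain blocklist", BLOCKED_EXTENSIONS),
                          ("blocklist with '+' variants", with_plus_variants(BLOCKED_EXTENSIONS))):
        print(label)
        for rec in classify_entries(archive, policy):
            print(f"  {rec['name']:<12} encrypted={rec['encrypted']!s:<5} "
                  f"matches={rec['matched_ext']:<6} blocked={rec['blocked']}")
```

Run stand-alone, the script prints both passes over the same archive: with the plain list only report.exe is blocked and the encrypted invoice.exe sails through as ".exe+", which is exactly the gap the post describes; with the "+" variants added, invoice.exe is blocked as well, while the encrypted photo.JPG is still allowed because its inner extension is not on the list. The encryption bit is read from the central directory, so the check works without ever opening the entry, which is the only information a scanner has for a password-protected archive.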