[Dshield] Delayed Attachment Delivery?
pmarsh at nmefdn.org
Tue Mar 2 21:31:08 GMT 2004
I just received this from NTBugTraq; maybe this is a solution?
With the release of Beagle.H and Beagle.I, virus writers started
enclosing the infected files within password protected ZIP files. This
negated the ability of A/V software to view the enclosed file within.
I've found that the A/V software does see the file within the ZIP
archive, but cannot process it because it does not recognize the
extension. When the archive is password protected, the file enclosed
receives a "+" character at the end of the extension (i.e. test.exe
becomes test.exe+). Since the A/V software doesn't recognize that kind
of extension, it lets it pass through.
I found that by adding the "+" character to file extensions that are
blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now
recognize that file extension and perform the necessary actions on it.
I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
should work on the other A/V software programs.
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Email: Michael_Maloney at middlesexcc.edu
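As an added example (not from the thread, nor from any of the A/V products named in it), a Python check of the kind a mail gateway could run on ZIP attachments: it reads the ZIP central directory, which lists member names and the encryption flag in the clear even when the archive is password protected, rejects archives holding blocked extensions (normalising away the trailing "+" that the scanner described above appends to encrypted members), and quarantines encrypted archives whose contents cannot be scanned. The blocked-extension list and the sample archives are constructed for this example; because the standard library cannot write password-protected archives, the helper simulates one by setting the encryption flag bit.

```python
import io
import os
import zipfile

# Constructed block list for the example; a real gateway would use its own policy.
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".vbs", ".scr", ".pif", ".bat", ".com"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Classify a ZIP attachment as allow / quarantine / reject.

    Only the central directory is read, so the check works on password-
    protected archives: member names and general-purpose flag bit 0
    (encryption) are stored unencrypted even when the contents are not.
    """
    result = {"encrypted_members": [], "blocked_members": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "reject"  # unparseable archive: never let it through
        return result
    for info in zf.infolist():
        name = info.filename
        # Some scanners report encrypted members as "name.exe+"; strip the marker
        # so the extension policy still matches.
        ext = os.path.splitext(name.rstrip("+"))[1].lower()
        if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
            result["encrypted_members"].append(name)
        if ext in BLOCKED_EXTENSIONS:
            result["blocked_members"].append(name)
    if result["blocked_members"]:
        result["verdict"] = "reject"
    elif result["encrypted_members"]:
        result["verdict"] = "quarantine"  # cannot be scanned; hold for review
    return result


def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Construct a one-member archive in memory (test data for this example).

    zipfile cannot write encrypted archives, so 'encrypted' is simulated by
    setting flag bit 0 in the local header (offset 6) and the central
    directory record (offset 8); the payload bytes are left as they are.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x1
    return bytes(data)
```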
> -----Original Message-----
> From: Graham Dodd [mailto:g.dodd at falk-ross.de]
> Sent: Tuesday, March 02, 2004 10:05 AM
> To: General DShield Discussion List
> Subject: AW: [Dshield] Delayed Attachment Delivery?
> I am currently fighting this exact problem; one of the latest
> batch of "nastiness" passes through our mail server running 2
> AV scanners.
> Simple fix - block all .zip attachments
> Does it make business sense - try doing business with these
> virii / worms running riot through the internal network.
> How to get around the problem - send the attachment as
> "filename.abc" and enclose in the email the actual filename
> and the actual senders details.
> Hey, how many people should really be getting all these attachments.
> I know it's not a perfect solution, but it works and there is
> no more "oops, I just clicked on this attachment and ..."
> Back to the fire!!
> Graham K. Dodd
> Director of Operation
> Falk & Ross GmbH
> Tel. +49(6301)717-0
> Fax. +49(6301)717-270
> > -----Original Message-----
> > From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On behalf of Christophe Rome
> > Sent: Tuesday, 2 March 2004 15:14
> > To: list at dshield.org
> > Subject: Re: [Dshield] Delayed Attachment Delivery?
> > Shawn Cox <shawn.cox at pcca.com> wrote:
> > From: "Shawn Cox"
> > To: "General DShield Discussion List"
> > Subject: Re: [Dshield] Delayed Attachment Delivery?
> > Date: Mon, 1 Mar 2004 09:53:18 -0600
> > > You can scan all day recursively through a .zip file but if you
> > > haven't gotten a virus signature from your vendor you are just going
> > > to pass the virus right through your gateway.
> > Exactly!
> > Not long ago we were pretty safe stopping all attachments except .zip
> > at the mail gateway. We asked all senders to include only zip files.
> > Our end-users in NT wouldn't be able to directly open the .zip
> > attachments by double-clicking. They had to manually open them by
> > using winzip. They would know what they were doing. But today, while
> > running these XP clients, opening .zip attachments happens by simple
> > mouse-click.
> > What's the next step? Delaying 'suspicious'
> > attachments doesn't seem smart businesswise. Do we really need to
> > block all attachments coming in through e-mail and find another way to
> > get these important files to reach our end-users?
> > Any suggestions?
> > Christophe.
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list