[Dshield] The truth about scanning password-protected .zip files

Brian Dessent brian at dessent.net
Mon Mar 8 14:02:02 GMT 2004


Christophe Rome wrote:

> With the mass distribution of the bagle.f and bagle.j
> worms one would like to know for sure if his/her
> virus scanner can actually find a virus in a
> password-protected zip file. Is this technically
> possible? Have there been any official statements from
> AV vendors about this?

ClamAV has detected them for some time now.  I have dozens of lines like
the following in my reject logs:

Wed Mar  3 04:15:38 2004 -> /var/spool/exim4/scan/1AyNnE-0006M1-5D/1AyNnE-0006M1-5D.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar  3 04:15:45 2004 -> /var/spool/exim4/scan/1AyNnL-0006M3-Ky/1AyNnL-0006M3-Ky.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar  3 04:15:47 2004 -> /var/spool/exim4/scan/1AyNnN-0006M6-SR/1AyNnN-0006M6-SR.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar  3 04:15:50 2004 -> /var/spool/exim4/scan/1AyNnQ-0006M8-3j/1AyNnQ-0006M8-3j.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar  3 04:17:39 2004 -> /var/spool/exim4/scan/1AyNpB-0006MX-4F/1AyNpB-0006MX-4F.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar  3 04:17:41 2004 -> /var/spool/exim4/scan/1AyNpD-0006MZ-Er/1AyNpD-0006MZ-Er.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar  3 04:17:43 2004 -> /var/spool/exim4/scan/1AyNpF-0006Mb-NT/1AyNpF-0006Mb-NT.eml: Worm.Bagle.F-zippwd FOUND

I think it detects them by the base64-encoded zip header.

Brian

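The mechanism Brian suspects can be shown in a few lines. The following is an added example, not ClamAV's signature code and not code from the original post: it parses a mail message, decodes each attachment, looks for the ZIP local file header signature (`PK\x03\x04`) and reads bit 0 of the general-purpose flags, which the ZIP format sets when an entry is encrypted. It also shows what the header looks like once base64-encoded, which is the string a filter could match without decoding at all. The sample message, the attachment name `document.zip` and the entry name `document.exe` are constructed fixtures, not a real worm sample; the ZIP header is hand-built because `zipfile` cannot write encrypted archives.

```python
import base64
import email
import struct
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"                 # local file header signature
ZIP_FLAG_ENCRYPTED = 0x0001                   # bit 0 of the general-purpose flags
_LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of the header


def build_zip_local_header(filename: bytes, encrypted: bool) -> bytes:
    """Constructed fixture: a minimal ZIP local file header with no payload.

    Only the header matters for the check below, so no real archive is built.
    """
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    fixed = _LOCAL_HEADER.pack(
        ZIP_LOCAL_SIG,
        20,            # version needed to extract (2.0)
        flags,
        8,             # compression method: deflate
        0, 0x3463,     # DOS modification time / date (arbitrary)
        0, 0, 0,       # CRC-32, compressed size, uncompressed size (unused)
        len(filename),
        0,             # extra field length
    )
    return fixed + filename


def zip_entries(data: bytes):
    """Yield (entry name, encrypted?) for every local file header in data.

    Scans for the signature instead of walking the declared sizes, so a
    truncated or deliberately corrupted archive still reports its entries.
    """
    pos = data.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + _LOCAL_HEADER.size <= len(data):
        fields = _LOCAL_HEADER.unpack_from(data, pos)
        flags, name_len = fields[2], fields[9]
        start = pos + _LOCAL_HEADER.size
        name = data[start:start + name_len].decode("latin-1")
        yield name, bool(flags & ZIP_FLAG_ENCRYPTED)
        pos = data.find(ZIP_LOCAL_SIG, pos + len(ZIP_LOCAL_SIG))


def scan_message(raw: bytes) -> list:
    """Return [(attachment filename, entry name)] for every password-protected
    zip entry in an RFC 5322 message. Base64 is undone by the email package,
    so the check runs on the real bytes, not on the transfer encoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload or ZIP_LOCAL_SIG not in payload:
            continue
        for entry, encrypted in zip_entries(payload):
            if encrypted:
                hits.append((part.get_filename(), entry))
    return hits


def b64_signature(encrypted: bool) -> str:
    """The base64 text a filter could match without decoding: the first nine
    header bytes (signature, version 2.0, flags, deflate) are a multiple of
    three, so they always encode to the same twelve characters when the
    header sits at the start of the attachment."""
    return base64.b64encode(build_zip_local_header(b"", encrypted)[:9]).decode()


def build_sample_message(encrypted: bool) -> bytes:
    """Constructed sample mail in the style of the Bagle mails: a short text
    body carrying the password and a zip attachment (fixture, not a worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Document"
    msg.set_content("The password is 12345\n")
    msg.add_attachment(build_zip_local_header(b"document.exe", encrypted),
                       maintype="application", subtype="zip",
                       filename="document.zip")
    return bytes(msg)


if __name__ == "__main__":
    for enc in (True, False):
        print("encrypted" if enc else "plain", scan_message(build_sample_message(enc)))
    print("base64 prefix of an encrypted zip header:", b64_signature(True))
    print("base64 prefix of a plain zip header:    ", b64_signature(False))
```

Two caveats for anyone turning this into a mail filter. Matching the base64 text directly only works when the local file header is the first byte of the attachment and the version and compression fields are the ones expected; an archive written with a different tool, or a single byte of junk in front of the header, shifts the base64 alignment and the string no longer appears, while decoding the part and reading the flag bit is unaffected. And the flag bit is all the scanner can see: the entry's contents stay opaque without the password, so this is a detection of the wrapper (a password-protected zip arriving by mail), not of the worm body inside it.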