[Dshield] The truth about scanning password-protected .zip files

Matthew Harrell mhar at plex.com
Mon Mar 8 15:28:59 GMT 2004


Our Symantec AntiVirus for SMTP Gateways has also been detecting them.


-----------------
Matt Harrell
Plexus Systems
mhar at plex.com 

----- On 3/8/2004 9:26 AM, Brian Dessent <brian at dessent.net> wrote: 
>Christophe Rome wrote:
> 
> > With the mass distribution of the bagle.f and bagle.j
> > worms one would like to know for sure if his/her
> > virusscanner can actually find a virus in a
> > password-protected zip file. Is this technically
> > possible? Have there been any official statements from
> > AV-vendors about this?
> 
> ClamAV has detected them for some time now.  I have dozens of lines like
> the following in my reject logs:
> 
> Wed Mar  3 04:15:38 2004 ->
> /var/spool/exim4/scan/1AyNnE-0006M1-5D/1AyNnE-0006M1-5D.eml:
> Worm.Bagle.F-zippwd FOUND
> Wed Mar  3 04:15:45 2004 ->
> /var/spool/exim4/scan/1AyNnL-0006M3-Ky/1AyNnL-0006M3-Ky.eml:
> Worm.Bagle.F-zippwd FOUND
> Wed Mar  3 04:15:47 2004 ->
> /var/spool/exim4/scan/1AyNnN-0006M6-SR/1AyNnN-0006M6-SR.eml:
> Worm.Bagle.F-zippwd FOUND
> Wed Mar  3 04:15:50 2004 ->
> /var/spool/exim4/scan/1AyNnQ-0006M8-3j/1AyNnQ-0006M8-3j.eml:
> Worm.Bagle.F-zippwd FOUND
> Wed Mar  3 04:17:39 2004 ->
> /var/spool/exim4/scan/1AyNpB-0006MX-4F/1AyNpB-0006MX-4F.eml:
> Worm.Bagle.F-zippwd FOUND
> Wed Mar  3 04:17:41 2004 ->
> /var/spool/exim4/scan/1AyNpD-0006MZ-Er/1AyNpD-0006MZ-Er.eml:
> Worm.Bagle.F-zippwd FOUND
> Wed Mar  3 04:17:43 2004 ->
> /var/spool/exim4/scan/1AyNpF-0006Mb-NT/1AyNpF-0006Mb-NT.eml:
> Worm.Bagle.F-zippwd FOUND
> 
> I think it detects them by the base64 encoded zip header.
> 
> Brian
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 

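The quoted reply's remark that ClamAV "detects them by the base64 encoded zip header" hinges on two facts worth seeing in code: the zip local file header (filename, sizes, CRC and the encryption flag) is stored in the clear even when the entry data is password-protected, and a fixed byte sequence has only three possible base64 spellings depending on where it falls in a 3-byte group. The example below is added here and is not code from ClamAV or from anyone on the thread; it derives the base64 forms of the `PK\x03\x04` signature, parses a local file header without touching the encrypted payload, and runs that over a constructed base64 MIME body. The sample attachment (`price.exe` with the encryption bit set, followed by opaque bytes) is constructed for the example and is not a real worm sample.

```python
import base64
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry data is encrypted


def base64_signatures(raw: bytes) -> dict:
    """Base64 form of a byte signature for each of the three alignments
    inside a 3-byte base64 group. Only characters fully determined by
    `raw` are kept, so each string matches wherever the bytes land."""
    sigs = {}
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        first = -(-8 * offset // 6)                 # ceil(8*offset / 6)
        last = (8 * (offset + len(raw)) - 6) // 6   # last char fully inside raw
        sigs[offset] = encoded[first:last + 1]
    return sigs


def inspect_local_header(data: bytes, pos: int = 0) -> dict:
    """Parse the local file header at `pos`. Nothing here needs the
    password: name, sizes, CRC and the flag word are all in the clear."""
    if data[pos:pos + 4] != ZIP_LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % pos)
    (_sig, _ver, flags, method, _time, _date, crc,
     csize, usize, fnlen, _exlen) = LOCAL_HEADER.unpack_from(data, pos)
    name_start = pos + LOCAL_HEADER.size
    return {
        "filename": data[name_start:name_start + fnlen].decode("cp437"),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "method": method,
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
    }


def scan_base64_attachment(b64_text: str) -> list:
    """Decode a base64 MIME part and report every zip entry header in it."""
    data = base64.b64decode("".join(b64_text.split()))
    found = []
    pos = data.find(ZIP_LOCAL_SIG)
    while pos != -1:
        found.append(inspect_local_header(data, pos))
        pos = data.find(ZIP_LOCAL_SIG, pos + 4)
    return found


def to_mime_base64(data: bytes) -> str:
    """Line-wrapped base64 as it would appear in a message body."""
    return base64.encodebytes(data).decode("ascii")


def build_encrypted_sample(name: bytes = b"price.exe") -> bytes:
    """Constructed stand-in for a password-protected zip: one local file
    header with the encryption bit set, followed by opaque bytes."""
    body = b"\x12\x34" * 16  # stands in for the encrypted entry data
    header = LOCAL_HEADER.pack(ZIP_LOCAL_SIG, 20, FLAG_ENCRYPTED, 8,
                               0, 0x21, 0xDEADBEEF, len(body), 4096,
                               len(name), 0)
    return header + name + body


def build_plain_sample(name: str = "readme.txt") -> bytes:
    """Constructed unencrypted zip built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, "hello")
    return buf.getvalue()


if __name__ == "__main__":
    print("base64 spellings of PK\\x03\\x04:", base64_signatures(ZIP_LOCAL_SIG))
    for sample in (build_encrypted_sample(), build_plain_sample()):
        for entry in scan_base64_attachment(to_mime_base64(sample)):
            print(entry)
```

The first function is the part a mail-gateway signature relies on: a scanner that only looks at the base64 text needs all three spellings (or must decode the part first), because the attachment's position inside the encoded stream shifts which characters the header produces. The header parser shows why the detection does not depend on knowing the password at all: the encryption bit, the original filename and the sizes are metadata the zip format never encrypts.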
