[Dshield] The truth about scanning password-protected .zip files

ED QUINN dlbntspy at yahoo.com
Mon Mar 8 17:30:17 GMT 2004


   I ran across this article. Maybe it will be of some use.
http://news.com.com/2100-7355_3-5170007.html
Brian Dessent <brian at dessent.net> wrote:
Christophe Rome wrote:

> With the mass distribution of the bagle.f and bagle.j
> worms one would like to know for sure if his/her
> virusscanner can actually find a virus in a
> password-protected zip file. Is this technically
> possible? Have there been any official statements from
> AV-vendors about this?

ClamAV has detected them for some time now. I have dozens of lines like
the following in my reject logs:

Wed Mar 3 04:15:38 2004 -> /var/spool/exim4/scan/1AyNnE-0006M1-5D/1AyNnE-0006M1-5D.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar 3 04:15:45 2004 -> /var/spool/exim4/scan/1AyNnL-0006M3-Ky/1AyNnL-0006M3-Ky.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar 3 04:15:47 2004 -> /var/spool/exim4/scan/1AyNnN-0006M6-SR/1AyNnN-0006M6-SR.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar 3 04:15:50 2004 -> /var/spool/exim4/scan/1AyNnQ-0006M8-3j/1AyNnQ-0006M8-3j.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar 3 04:17:39 2004 -> /var/spool/exim4/scan/1AyNpB-0006MX-4F/1AyNpB-0006MX-4F.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar 3 04:17:41 2004 -> /var/spool/exim4/scan/1AyNpD-0006MZ-Er/1AyNpD-0006MZ-Er.eml: Worm.Bagle.F-zippwd FOUND
Wed Mar 3 04:17:43 2004 -> /var/spool/exim4/scan/1AyNpF-0006Mb-NT/1AyNpF-0006Mb-NT.eml: Worm.Bagle.F-zippwd FOUND

I think it detects them by the base64 encoded zip header.

Brian

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

SEE'YA,ED
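Brian's remark that the zip header stays readable even when the entry is password-protected is easy to demonstrate. The following is an added example in Python, not ClamAV's code or its real signature: it constructs a minimal zip entry flagged as encrypted, base64-encodes it the way a mail attachment would be, and then matches on the header fields that remain in the clear (file name, CRC-32 of the plaintext, sizes). The signature table, the sample payload and the stand-in "ciphertext" are all constructed for illustration.

```python
import base64
import struct
import zlib
from typing import Optional

LOCAL_HDR_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag: entry is password-protected

def build_encrypted_zip_entry(name: bytes, plaintext: bytes) -> bytes:
    """Constructed sample: a minimal ZIP local file header plus a body marked as
    password-protected. The body is a stand-in for ciphertext (a fixed XOR, NOT the
    real PKZIP stream cipher); the point is that the header itself is never encrypted."""
    body = b"\x00" * 12 + bytes(b ^ 0x5A for b in plaintext)  # 12-byte enc. header + "ciphertext"
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF  # CRC-32 of the PLAINTEXT, stored in the clear
    header = struct.pack("<4sHHHHHIIIHH", LOCAL_HDR_SIG,
                         20, ENCRYPTED_FLAG, 0,       # version needed, flags, method=stored
                         0, 0, crc,                   # mod time, mod date, crc
                         len(body), len(plaintext),   # compressed / uncompressed size
                         len(name), 0)                # filename length, extra-field length
    return header + name + body

def parse_local_header(blob: bytes) -> dict:
    """Return the cleartext metadata of the first local file header found in blob."""
    off = blob.find(LOCAL_HDR_SIG)
    if off < 0:
        raise ValueError("no zip local file header found")
    flags, method, _t, _d, crc, csize, usize, nlen, _xlen = struct.unpack(
        "<HHHHIIIHH", blob[off + 6:off + 30])
    return {"name": blob[off + 30:off + 30 + nlen].decode("cp437"),
            "encrypted": bool(flags & ENCRYPTED_FLAG), "method": method,
            "crc": crc, "compressed_size": csize, "uncompressed_size": usize}

# Constructed signature table keyed on cleartext header fields (not ClamAV's format).
SIGNATURES = {}

def register_signature(sig_name: str, payload_name: str, plaintext: bytes) -> None:
    SIGNATURES[(payload_name, zlib.crc32(plaintext) & 0xFFFFFFFF, len(plaintext))] = sig_name

def encode_attachment(entry: bytes) -> str:
    """Wrap the zip bytes as a line-wrapped base64 MIME body."""
    return base64.encodebytes(entry).decode()

def scan_base64_attachment(b64_text: str) -> dict:
    """Decode the attachment as a mail filter would and match on the header fields
    that stay visible even though the file data is password-protected."""
    meta = parse_local_header(base64.b64decode("".join(b64_text.split())))
    meta["signature"] = SIGNATURES.get((meta["name"], meta["crc"], meta["uncompressed_size"]))
    return meta

if __name__ == "__main__":
    sample = b"MZ" + b"\x90" * 64 + b"constructed-sample-payload"  # constructed, not a real worm
    register_signature("Constructed.Bagle-zippwd", "data.exe", sample)
    print(scan_base64_attachment(encode_attachment(build_encrypted_zip_entry(b"data.exe", sample))))
```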



