Re: Backdoor not recognized by Kaspersky

[Stef <stefmit () comcast net>]

On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:

> > -----Original Message-----
> > From: full-disclosure-admin () lists netsys com
> >
> > Another variant against the Netsky virus. It's is packed with
> > UPX. It spreads with the password protected zip file, which
> > gets bypassed through all most all the AV scanners with
> > latest signature updates because No AV can decrypt it without
> > the password. (though password is in the message content), we
> > humans tend to open it after reading the message.
> McAfee now detects the password protected zip files.  (There are other
> things you can look for besides trying to decrypt the contents of the
> zip filel  Also, zip passwords are weak and easily broken anyway.)
>
> BTW, there is a war going on right now between three virus groups, so
> you will continue to see new variants of Bagle, Netsky and Mydoom for
> the foreseeable future.  Should be a very interesting month.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/

Someone on the ntbugtrack list mentioned earlier another possible 
solution for A/V gateways: checking for the extension of 
known-to-be-infected files, and appending the "+" sign at the end (e.g. 
.exe+). I have tried this on my first layer Norton Gateway, as well as 
my second tier email A/V - the TrendMicro one (and variations of such - 
e.g. *.exe+, *.exe*, *exe+, etc.), and have not been successful ... 
anybody else having attempted something similar (the reason for the "+" 
is the obvious extension name change inside the ZIP, if there is a 
password protected file) ?

Stef

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html