Full Disclosure mailing list archives
Re: Backdoor not recognized by Kaspersky
From: Stef <stefmit () comcast net>
Date: Wed, 3 Mar 2004 13:12:36 -0600
On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:
-----Original Message----- From: full-disclosure-admin () lists netsys com Another variant against the Netsky virus. It's is packed with UPX. It spreads with the password protected zip file, which gets bypassed through all most all the AV scanners with latest signature updates because No AV can decrypt it without the password. (though password is in the message content), we humans tend to open it after reading the message.McAfee now detects the password protected zip files. (There are other things you can look for besides trying to decrypt the contents of the zip filel Also, zip passwords are weak and easily broken anyway.) BTW, there is a war going on right now between three virus groups, so you will continue to see new variants of Bagle, Netsky and Mydoom for the foreseeable future. Should be a very interesting month. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/
Someone on the ntbugtrack list mentioned earlier another possible solution for A/V gateways: checking for the extension of known-to-be-infected files, and appending the "+" sign at the end (e.g. .exe+). I have tried this on my first layer Norton Gateway, as well as my second tier email A/V - the TrendMicro one (and variations of such - e.g. *.exe+, *.exe*, *exe+, etc.), and have not been successful ... anybody else having attempted something similar (the reason for the "+" is the obvious extension name change inside the ZIP, if there is a password protected file) ?
Stef _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Backdoor not recognized by Kaspersky, (continued)
- Message not available
- Re: Backdoor not recognized by Kaspersky Rodrigo Barbosa (Mar 04)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- Re: Backdoor not recognized by Kaspersky Alexander MacLennan (Mar 03)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- SMTP rejecting wrong HELO/EHLO domains will save the world (was: Backdoor in passworded ZIP not recognized by Kaspersky) Martin Mačok (Mar 03)
- Re: Backdoor not recognized by Kaspersky Valdis . Kletnieks (Mar 04)
- Re: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- Re: Backdoor not recognized by Kaspersky Cael Abal (Mar 03)
- Re: Backdoor not recognized by Kaspersky Stef (Mar 03)
- Re: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- RE: Backdoor not recognized by Kaspersky Rob Rosenberger (Mar 03)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- Re[2]: Backdoor not recognized by Kaspersky Simbabque (Mar 03)
- RE: Backdoor not recognized by Kaspersky Mike Barushok (Mar 03)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 03)
- SMTP "authentication" (was: RE: Backdoor not recognized by Kaspersky) Nick FitzGerald (Mar 03)