From: stefmit at comcast.net (Stef)
Subject: Backdoor not recognized by Kaspersky
On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:
>> -----Original Message-----
>> From: full-disclosure-admin@...ts.netsys.com
>>
>> Another variant against the Netsky virus. It is packed with
>> UPX. It spreads with a password protected zip file, which
>> gets bypassed through almost all the AV scanners with
>> latest signature updates because no AV can decrypt it without
>> the password. (Though the password is in the message content), we
>> humans tend to open it after reading the message.
>>
> McAfee now detects the password protected zip files. (There are other
> things you can look for besides trying to decrypt the contents of the
> zip file. Also, zip passwords are weak and easily broken anyway.)
>
> BTW, there is a war going on right now between three virus groups, so
> you will continue to see new variants of Bagle, Netsky and Mydoom for
> the foreseeable future. Should be a very interesting month.
>
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
Someone on the ntbugtrack list mentioned earlier another possible
solution for A/V gateways: checking for the extension of
known-to-be-infected files, and appending the "+" sign at the end (e.g.
.exe+). I have tried this on my first layer Norton Gateway, as well as
my second tier email A/V - the TrendMicro one (and variations of such -
e.g. *.exe+, *.exe*, *exe+, etc.), and have not been successful ...
anybody else having attempted something similar (the reason for the "+"
is the obvious extension name change inside the ZIP, if there is a
password protected file)?
Stef
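The "other things you can look for" that Paul mentions, and the extension check Stef is trying to get his gateways to do, both rest on one property of the ZIP format: entry names and the per-entry flags live unencrypted in the central directory, even when the file data itself is password protected. The following is an added illustration and not code from this thread or from any of the products named in it. It builds a small constructed archive (one plain entry, one entry carrying the encryption flag with an opaque blob in place of real ciphertext, since no actual ZIP encryption is performed) and then triages it the way a mail gateway could, reading only the headers and never needing the password. The extension list and the `block` policy are assumptions for the example.

```python
"""Gateway-side triage of ZIP attachments without decrypting them (added example)."""
import io
import struct
import zipfile
import zlib

# Extensions the example treats as executable content (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def make_sample_zip(entries):
    """Build a minimal ZIP from (name, data, encrypted) tuples, stored (uncompressed).

    For 'encrypted' entries the data is written as an opaque blob and bit 0 of the
    general-purpose flags is set, which is exactly what a password-protected entry
    looks like to a parser that only reads headers. No real ZIP encryption happens;
    this is constructed test scaffolding, not a zip writer.
    """
    local_parts, central_parts, offset = [], [], 0
    for name, data, encrypted in entries:
        name_b = name.encode("cp437")
        flags = 0x0001 if encrypted else 0x0000
        crc = 0 if encrypted else zlib.crc32(data) & 0xFFFFFFFF
        # Local file header: signature, version, flags, method, time, date(1980-01-01),
        # crc, compressed size, uncompressed size, name length, extra length.
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(name_b), 0)
        local_parts.append(local + name_b + data)
        # Central directory header: same fields plus comment/disk/attrs and the
        # offset of the local header. The name is repeated here, in the clear.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                              0x21, crc, len(data), len(data), len(name_b),
                              0, 0, 0, 0, 0, offset)
        central_parts.append(central + name_b)
        offset += len(local) + len(name_b) + len(data)
    central = b"".join(central_parts)
    # End of central directory record.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return b"".join(local_parts) + central + eocd


def inspect_zip(blob):
    """Return one finding per entry using only the central directory, no password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            suffixes = ["." + s for s in lower.split(".")[1:]]
            last_ext = suffixes[-1] if suffixes else ""
            encrypted = bool(info.flag_bits & 0x0001)
            executable = last_ext in EXECUTABLE_EXTENSIONS
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "executable": executable,
                # "invoice.txt.exe" style names carry more than one suffix.
                "double_extension": executable and len(suffixes) > 1,
                # Assumed policy: an encrypted executable is enough to block.
                "block": encrypted and executable,
            })
    return findings


def readable_without_password(blob, name):
    """True if the entry's data can be read with no password; False if it is encrypted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # zipfile refuses encrypted entries without a password
            return False


# Constructed sample: a harmless text file plus a "password protected" executable
# whose body is just filler bytes standing in for ciphertext.
SAMPLE_ZIP = make_sample_zip([
    ("readme.txt", b"hello", False),
    ("your_document.txt.exe", b"\x00" * 12 + b"\xde\xad\xbe\xef" * 4, True),
])

if __name__ == "__main__":
    for finding in inspect_zip(SAMPLE_ZIP):
        print(finding)
    print("readable:", readable_without_password(SAMPLE_ZIP, "your_document.txt.exe"))
```

The decision never touches the encrypted bytes: `flag_bits & 1` tells the gateway the entry is password protected, and the cleartext name gives the extension, so a scanner can quarantine "encrypted archive containing an executable" without the password Paul's note says is needed to scan the content. `readable_without_password` shows the other half of the story, that the standard library refuses to hand over the data at all.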