[Esd-l] RE: How is a password protected zip file handled?

Smart,Dan SmartD at VMCMAIL.com
Tue Mar 2 15:27:09 PST 2004


Do I need to add the + sign to my zip_poisoned list?

See following Email:
============================================================================
====
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM] On Behalf Of Michael_Maloney
Sent: Tuesday, March 02, 2004 3:27 PM
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: Password protected ZIP files and Email worms


With the release of Beagle.H and Beagle.I, virus writers started enclosing
the infected files within password protected ZIP files.  This negated the
ability of A/V software to view the enclosed file within.

I've found that the A/V software does see the file within the ZIP archive,
but cannot process it because it does not recognize the extension.  When the
archive is password protected, the file enclosed receives a "+" character at
the end of the extension (ie test.exe becomes test.exe+)  Since the A/V
software doesn't recognize that kind of extension, it lets it pass thru.

I found that by adding the "+" character to file extensions that are blocked
(.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file
extension and perform the necessary actions on it.

I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
should work on the other A/V software programs.

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney at middlesexcc.edu
****************************************** 

| -----Original Message-----
| From: John D. Hardin [mailto:jhardin at impsec.org] 
| Sent: Tuesday, March 02, 2004 3:29 PM
| To: Smart,Dan
| Cc: Email Security Discussion list
| Subject: Re: How is a password protected zip file handled?
| 
| On Tue, 2 Mar 2004, Smart,Dan wrote:
| 
| >  The new beagle.h sends an encrypted zip file, and gives 
| the password 
| > in the body of the message.  What does 1.141 do when it sees such a 
| > file?
| 
| It scans the index of the ZIP file, which (fortunately) is 
| NOT affected by password protection. The ZIP index remains 
| in-the-clear even though you need a password to extract the contents.
| 
| --
|  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
|  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
|  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
| --------------------------------------------------------------
| ---------
|   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
|   does quite what I want. I wish Christopher Robin was here."
| 				-- Peter da Silva in a.s.r
| --------------------------------------------------------------
| ---------
|    32 days until the Slovakian Presidential Election
| 


More information about the esd-l mailing list