[Esd-l] RE: How is a password protected zip file handled?
Brett Glass
brett at lariat.org
Tue Mar 2 15:35:41 PST 2004
It might be a good idea for John to make the optional "+"
implicit, rather than requiring the user to add it to every
regex.
--Brett
At 04:27 PM 3/2/2004, Smart,Dan wrote:
>Do I need to add the + sign to my zip_poisoned list?
>
>See following Email:
>================================================================================
>From: Windows NTBugtraq Mailing List
>[mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM] On Behalf Of Michael_Maloney
>Sent: Tuesday, March 02, 2004 3:27 PM
>To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
>Subject: Password protected ZIP files and Email worms
>
>
>With the release of Beagle.H and Beagle.I, virus writers started enclosing
>the infected files within password protected ZIP files. This negated the
>ability of A/V software to view the enclosed file within.
>
>I've found that the A/V software does see the file within the ZIP archive,
>but cannot process it because it does not recognize the extension. When the
>archive is password protected, the file enclosed receives a "+" character at
>the end of the extension (i.e. test.exe becomes test.exe+). Since the A/V
>software doesn't recognize that kind of extension, it lets it pass through.
>
>I found that by adding the "+" character to file extensions that are blocked
>(.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file
>extension and perform the necessary actions on it.
>
>I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
>should work on the other A/V software programs.
>
>********************************************
>Mike Maloney
>Sr. System Engineer
>Middlesex County College
>2600 Woodbridge Avenue
>Edison, NJ 08818
>Phone: 732-906-7754
>Cell: 908-217-2086
>Fax: 732-906-4266
>Email: Michael_Maloney at middlesexcc.edu
>******************************************
>
>| -----Original Message-----
>| From: John D. Hardin [mailto:jhardin at impsec.org]
>| Sent: Tuesday, March 02, 2004 3:29 PM
>| To: Smart,Dan
>| Cc: Email Security Discussion list
>| Subject: Re: How is a password protected zip file handled?
>|
>| On Tue, 2 Mar 2004, Smart,Dan wrote:
>|
>| > The new beagle.h sends an encrypted zip file, and gives
>| the password
>| > in the body of the message. What does 1.141 do when it sees such a
>| > file?
>|
>| It scans the index of the ZIP file, which (fortunately) is
>| NOT affected by password protection. The ZIP index remains
>| in-the-clear even though you need a password to extract the contents.
>|
>| --
>| John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
>| jhardin at impsec.org pgpk -a jhardin at impsec.org
>| key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>| -----------------------------------------------------------------------
>| "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>| does quite what I want. I wish Christopher Robin was here."
>| -- Peter da Silva in a.s.r
>| -----------------------------------------------------------------------
>| 32 days until the Slovakian Presidential Election
>|
>_______________________________________________
>Esd-l mailing list
>Esd-l at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esd-l
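John's point is that traditional ZIP password protection encrypts only each entry's payload; the local and central directory headers, including every file name, stay in the clear, so a scanner can still match extensions without the password. The following is an added example illustrating that, written for this page in Python; it is not code from John Hardin's sanitizer or from any A/V product. It builds a small archive in memory (a constructed sample, with the encryption flag bit set on two entries), walks the central directory by hand to list names and their encrypted flag, and applies an extension block list whose regex accepts the optional trailing "+" that Mike describes NAV for Exchange appending to encrypted entries, so the "+" never has to be added to each rule by hand. The `stdlib_view` cross-check uses Python's `zipfile` module, which reads the same directory and exposes the same flag bits.

```python
"""Walk a ZIP file's central directory and flag blocked extensions.

Traditional ZIP password protection encrypts only the entry payloads.  The
local and central directory headers, including every file name, stay in the
clear, which is why an index scan still sees "test.exe" inside a
password-protected attachment.
"""
import io
import re
import struct
import zipfile
import zlib

EOCD_SIG = 0x06054B50    # end of central directory record
CDFH_SIG = 0x02014B50    # central directory file header
LFH_SIG = 0x04034B50     # local file header
FLAG_ENCRYPTED = 0x0001  # general purpose flag bit 0: payload is encrypted

CDFH_FMT = "<IHHHHHHIIIHHHHHII"   # 46 bytes
LFH_FMT = "<IHHHHHIIIHH"          # 30 bytes
EOCD_FMT = "<IHHHHIIH"            # 22 bytes

# Blocked extensions (a hypothetical list).  The optional trailing "+"
# accepts names as rewritten by a scanner that marks encrypted entries
# "test.exe+", so rules need not carry the "+" themselves.
BLOCKED_RE = re.compile(r"\.(exe|cmd|vbs|pif|scr)\+?$", re.IGNORECASE)


def build_zip(entries):
    """Build a minimal stored-method ZIP in memory (constructed test input).

    entries: list of (name, payload, encrypted).  For encrypted entries only
    the flag bit is set; the payload is left as-is, which is enough to
    exercise an index scanner (a real encrypted entry carries a 12-byte
    encryption header and a scrambled payload, but its directory entry
    looks the same).
    """
    local, central = bytearray(), bytearray()
    for name, payload, encrypted in entries:
        name_b = name.encode("cp437")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        # local header: sig, version, flags, method(0=stored), time, date,
        # crc, compressed size, uncompressed size, name len, extra len
        local += struct.pack(LFH_FMT, LFH_SIG, 20, flags, 0, 0, 0,
                             crc, len(payload), len(payload), len(name_b), 0)
        local += name_b + payload
        # central header: sig, made-by, needed, flags, method, time, date,
        # crc, csize, usize, name/extra/comment lens, disk, int/ext attrs,
        # local header offset
        central += struct.pack(CDFH_FMT, CDFH_SIG, 20, 20, flags, 0, 0, 0,
                               crc, len(payload), len(payload),
                               len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    n = len(entries)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, n, n,
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def list_entries(data):
    """Return [(name, encrypted)] using only the central directory."""
    # The EOCD record sits at the very end (after any archive comment), so
    # the last occurrence of its signature is the real one.
    eocd_pos = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack_from(
        EOCD_FMT, data, eocd_pos)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        hdr = struct.unpack_from(CDFH_FMT, data, pos)
        if hdr[0] != CDFH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        flags, name_len, extra_len, comment_len = hdr[3], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def scan(data):
    """Apply the extension policy to every entry, encrypted or not."""
    return [(name, enc, bool(BLOCKED_RE.search(name)))
            for name, enc in list_entries(data)]


def blocked_names(data):
    return [name for name, _enc, blocked in scan(data) if blocked]


def stdlib_view(data):
    """Same information via the standard library, as a cross-check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & FLAG_ENCRYPTED))
                for zi in zf.infolist()]


# Constructed sample archive: a worm-style executable inside an "encrypted"
# entry, a second encrypted entry with a harmless name, and a plain entry.
SAMPLE_ZIP = build_zip([
    ("readme.txt", b"plain text, not encrypted", False),
    ("price.exe", b"MZ fake payload", True),
    ("notes.doc", b"also flagged encrypted", True),
])

if __name__ == "__main__":
    for name, enc, blocked in scan(SAMPLE_ZIP):
        print("%-12s encrypted=%-5s blocked=%s" % (name, enc, blocked))
```

The index only tells you the name, not what the bytes are, so this is a policy check on declared extensions rather than content scanning; a sender can still rename a payload or nest one archive inside another, and the rule set has to be maintained with that in mind.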