Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Backdoor not recognized by Kaspersky
From: Stef <stefmit () comcast net>
Date: Wed, 3 Mar 2004 13:12:36 -0600

On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:

-----Original Message-----
From: full-disclosure-admin () lists netsys com

Another variant against the Netsky virus. It's is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through all most all the AV scanners with
latest signature updates because No AV can decrypt it without
the password. (though password is in the message content), we
humans tend to open it after reading the message.

McAfee now detects the password protected zip files.  (There are other
things you can look for besides trying to decrypt the contents of the
zip filel  Also, zip passwords are weak and easily broken anyway.)

BTW, there is a war going on right now between three virus groups, so
you will continue to see new variants of Bagle, Netsky and Mydoom for
the foreseeable future.  Should be a very interesting month.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

Someone on the ntbugtrack list mentioned earlier another possible solution for A/V gateways: checking for the extension of known-to-be-infected files, and appending the "+" sign at the end (e.g. .exe+). I have tried this on my first layer Norton Gateway, as well as my second tier email A/V - the TrendMicro one (and variations of such - e.g. *.exe+, *.exe*, *exe+, etc.), and have not been successful ... anybody else having attempted something similar (the reason for the "+" is the obvious extension name change inside the ZIP, if there is a password protected file) ?


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]