Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-02 Thread David Jansen
About the password-encrypted zip file viruses, is there any information
available on the web about this? I'd like to instruct my users about this
new infection method.

David Jansen



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps  Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-02 Thread Fajar A. Nugraha
David Jansen wrote:

> About the password-encrypted zip file viruses, is there any information
> available on the web about this?

Try this:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.G
Regards,

Fajar



[Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Fajar A. Nugraha
Hi,

Recently (starting 15.00 +07.00 GMT) our network has been infected by yet
another mass-mailing worm.
I already submitted this worm as submission number 1530. ClamAV hasn't
detected it yet.

The thing is, after I manually unpack the zip file (which contains a
.scr), the .scr was recognized as Worm.Bagle.F.
ClamAV couldn't recognize it since the zip was password-protected. So
far (I only have two different samples now) the password is the same:
31517.

Since the password is the same, hopefully it won't take the virus db team
long to update the signature.
However, what IF:

-   there's a new virus
-   the virus just passes a known (detected) worm, in a zip file
-   the zip file is password-protected, and the password always changes
(random, included in the email body), thus
-   the zip file always changes. Creating a signature from the zip is
impossible.
-   ClamAV can't extract the real content.

Can clamav (or ANY AV scanner, for that matter) detect this kind of virus?

Regards,

Fajar A. Nugraha



Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Fajar A. Nugraha
Fajar A. Nugraha wrote:

> So far (I only have two different samples now) the password is the
> same: 31517.

Update: I just got another sample with a different password (submission
number 1534).
Should I start blocking .zip files too?

Regards,

Fajar A. Nugraha



Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Bill Taroli
Perhaps a silly question... if the .ZIP attachment is passworded, how 
are the target users supposed to be opening them and getting infected? 
Has the password been included in the email in which the .ZIP was attached?

Fajar A. Nugraha wrote:

> Fajar A. Nugraha wrote:
>
> > So far (I only have two different samples now) the password is the
> > same: 31517.
>
> Update: I just got another sample with a different password (submission
> number 1534).
> Should I start blocking .zip files too?
>
> Regards,
>
> Fajar A. Nugraha




Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Ola Thoresen
Mon, 01 Mar 2004 at 09:06 GMT Fajar A. Nugraha [EMAIL PROTECTED] wrote


> Since the password is the same, hopefully it won't take the virus db team
> long to update the signature.
> However, what IF:
>
> -   there's a new virus
> -   the virus just passes a known (detected) worm, in a zip file
> -   the zip file is password-protected, and the password always changes
> (random, included in the email body), thus
> -   the zip file always changes. Creating a signature from the zip is
> impossible.
> -   ClamAV can't extract the real content.
>

Please forgive my ignorance, I have not used Windows in a long time, but
if the zip file is password-protected, how can the virus spread?

How does the user trying to extract the content know the password?
Especially if it is a random password for each file?


Rgds.

Ola Thoresen





Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Jesper Juhl

On Mon, 1 Mar 2004, Ola Thoresen wrote:

> Mon, 01 Mar 2004 at 09:06 GMT Fajar A. Nugraha [EMAIL PROTECTED] wrote
>
>
> > Since the password is the same, hopefully it won't take the virus db team
> > long to update the signature.
> > However, what IF:
> >
> > -   there's a new virus
> > -   the virus just passes a known (detected) worm, in a zip file
> > -   the zip file is password-protected, and the password always changes
> > (random, included in the email body), thus
> > -   the zip file always changes. Creating a signature from the zip is
> > impossible.
> > -   ClamAV can't extract the real content.
> >
>
> Please forgive my ignorance, I have not used Windows in a long time, but
> if the zip file is password-protected, how can the virus spread?
>
> How does the user trying to extract the content know the password?
> Especially if it is a random password for each file?

I'm guessing here, but one could imagine that the worm/virus generates a
random password for the ZIP archive and then writes the password in the
body of the mail, hoping that the recipient will extract the archive using
the provided password and run the executable.

/Jesper Juhl





Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Erik Corry
On Mon, Mar 01, 2004 at 05:31:35PM +0700, Fajar A. Nugraha wrote:
> Bill Taroli wrote:
>
> > Perhaps a silly question... if the .ZIP attachment is passworded, how
> > are the target users supposed to be opening them and getting infected?
> > Has the password been included in the email in which the .ZIP was
> > attached?
>
> No, silly me. I forgot to mention that the password is included in the email
> body.
>
> Which means that the only way it can infect you is if you use Windows,
> don't have an updated AV scanner, open the attachment, and
> intentionally type in the password.
>
> However, judging from the fact that it IS spreading in my network now,
> some people tend to do exactly that.

Kaspersky have added the text string to their signatures (the one
that tries to entice you into unpacking the zip file).  That seems
to be all you can do right now.  In the somewhat longer run perhaps
the engine needs to be able to get a list of possible passwords so it
can have a go at decrypting the zip file.

-- 
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners.   - B. Breathed.




Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-01 Thread Martin Hermanowski
On Mon, Mar 01, 2004 at 09:06:12PM +0100, Erik Corry wrote:
> On Mon, Mar 01, 2004 at 05:31:35PM +0700, Fajar A. Nugraha wrote:
> > Bill Taroli wrote:
> >
> > > Perhaps a silly question... if the .ZIP attachment is passworded, how
> > > are the target users supposed to be opening them and getting infected?
> > > Has the password been included in the email in which the .ZIP was
> > > attached?
> >
> > No, silly me. I forgot to mention that the password is included in the email
> > body.
> >
> > Which means that the only way it can infect you is if you use Windows,
> > don't have an updated AV scanner, open the attachment, and
> > intentionally type in the password.
> >
> > However, judging from the fact that it IS spreading in my network now,
> > some people tend to do exactly that.
>
> Kaspersky have added the text string to their signatures (the one
> that tries to entice you into unpacking the zip file).  That seems
> to be all you can do right now.  In the somewhat longer run perhaps
> the engine needs to be able to get a list of possible passwords so it
> can have a go at decrypting the zip file.

I do not believe this would work in the long run, as we would have a
problem very similar to recognising typical spam phrases (i.e. splitting
the word through HTML code, gappy text, etc.), which is obviously not
trivial to solve.

I think blocking encrypted zip files or (better) educating users (as
they have to do much more than just clicking) are the only options.

LLAP, Martin

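A gateway-side check that works through the two options raised in Erik's and Martin's replies (try the passwords quoted in the mail body so the archive can be scanned, otherwise block or quarantine the encrypted archive), written as an added example rather than code from this thread or from ClamAV. The ZipCrypto routine and the hand-built archive exist only so the sample can be constructed offline; the password pattern, the executable-suffix list and the function names are my assumptions.

```python
import io, re, struct, zipfile, zlib
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed policy list
# Bagle put the archive password in the mail body; this pulls plausible candidates out (assumed pattern).
PASSWORD_RE = re.compile(r"password\W{0,5}(\w+)|\b(\d{4,8})\b", re.I)

def zipcrypto_encrypt(plain, pwd):
    """Traditional PKZIP stream cipher (what `zip -P` produces); used only to build the sample."""
    step = lambda crc, b: zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF  # raw CRC-32 table step
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(b):
        keys[0] = step(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = step(keys[2], keys[1] >> 24)
    for b in pwd:
        update(b)
    out = bytearray()
    for b in plain:
        k = keys[2] | 2
        out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)

def make_encrypted_zip(name, data, pwd):
    """Constructed sample: a single stored entry with the encryption flag (bit 0) set."""
    crc, n = zlib.crc32(data), name.encode()
    body = zipcrypto_encrypt(bytes(11) + bytes([crc >> 24]) + data, pwd)  # 12-byte check header + data
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(n), 0) + n
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21, crc, len(body), len(data),
                       len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local) + len(body), 0)
    return local + body + cdir + eocd

def triage_attachment(zip_bytes, mail_body):
    """Gateway verdict for a .zip attachment: ('block' | 'scan' | 'quarantine', password or None)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        # member names sit in the unencrypted central directory, so an inner .scr is visible regardless
        if any(i.filename.lower().endswith(EXEC_SUFFIXES) for i in infos):
            return "block", None
        if not any(i.flag_bits & 0x1 for i in infos):
            return "scan", None                      # plain archive: the AV engine can unpack it itself
        for m in PASSWORD_RE.finditer(mail_body):    # Erik's idea: try the passwords quoted in the body
            pwd = (m.group(1) or m.group(2)).encode()
            try:
                for i in infos:
                    zf.read(i, pwd=pwd)              # wrong password -> RuntimeError (or CRC mismatch)
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return "scan", pwd.decode()              # hand archive + password to the scanner
    return "quarantine", None  # Martin's fallback: encrypted archive nobody here could open
```

With the constructed sample the inner `.scr` is blocked on its name alone, because member names are never encrypted by ZipCrypto; the password trial only matters for archives whose names look harmless.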
