Re: Password protected ZIP files and Email worms

From: Andrew Newdigate (andrewnDATATRIBE.NET)
Date: Mon Mar 08 2004 - 03:16:04 CST


Hey Simon,

Just saw this: it's a clever way of protecting your network from password
protected zip file viruses: you might want to try it at work.

Cheers,
a

> With the release of Beagle.H and Beagle.I, virus writers
> started enclosing the infected files within password
> protected ZIP files. This negated the ability of A/V
> software to view the enclosed file within.
>
> I've found that the A/V software does see the file within the
> ZIP archive, but cannot process it because it does not
> recognize the extension. When the archive is password
> protected, the file enclosed receives a "+" character at the
> end of the extension (i.e. test.exe becomes test.exe+). Since
> the A/V software doesn't recognize that kind of extension, it
> lets it pass thru.
>
> I found that by adding the "+" character to file extensions
> that are blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V
> software can now recognize that file extension and perform
> the necessary actions on it.
>
> I've only tested this out on Norton Anti-Virus for Exchange
> V2.1, but it should work on the other A/V software programs.

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
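
An added example, not part of the original post or of any A/V product: the same extension check applied directly to the archive in Python. It relies on the fact that traditional ZIP encryption leaves entry names readable and marks an encrypted entry with bit 0 of its general-purpose flags; the function names, the blocklist contents and the sample archive are constructed for illustration.

```python
import io
import os
import struct
import zipfile

# Blocked extensions named in the post; extend to match the gateway's real policy.
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".vbs"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def is_blocked(name: str) -> bool:
    """Match the blocklist; a trailing '+' (as in 'test.exe+') is ignored."""
    ext = os.path.splitext(name.lower().rstrip("+"))[1]
    return ext in BLOCKED_EXTENSIONS


def scan_zip(data: bytes) -> list:
    """Return (name, encrypted, blocked) per entry; no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, bool(i.flag_bits & ENCRYPTED_FLAG), is_blocked(i.filename))
                for i in zf.infolist()]


def should_quarantine(data: bytes) -> bool:
    """Quarantine when any entry has a blocked extension, encrypted or not."""
    return any(blocked for _, _, blocked in scan_zip(data))


def build_sample() -> bytes:
    """Constructed sample: a plain ZIP whose first entry is marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("test.exe", b"constructed placeholder bytes")
        zf.writestr("readme.txt", b"constructed placeholder text")
    raw = bytearray(buf.getvalue())
    # Flags sit at offset 6 of the local header and offset 8 of the central
    # directory record; set bit 0 in the first of each (the test.exe entry).
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(signature) + offset
        flags = struct.unpack_from("<H", raw, pos)[0]
        struct.pack_into("<H", raw, pos, flags | ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    for name, encrypted, blocked in scan_zip(build_sample()):
        print(f"{name}: encrypted={encrypted} blocked={blocked}")
```

Because the decision uses only the entry name and the flag bit, it applies to attachments whose contents cannot be scanned.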