
[Fwd: Re: Another round of viruses - encrypted this time]



For those running MailScanner, it now supports the detection of
encrypted zip files.  From the "News" on the MailScanner website:

3/3/2004 Released unstable version 4.28.3. I have re-written the zip
analyzing code to a large extent, and there is now a new keyword in the
"Silent Viruses" list called "Zip-Password". Adding this to your Silent
Viruses list will stop notifications about these being sent to the
(possibly fake) sender of the file. You will still need to install the
Perl modules Compress::Zlib and Archive::Zip yourself before using this
version. 

2/3/2004 Released unstable version 4.28.2. This version can detect
password-protected zip files and optionally block them. You will still
need to install the Perl module Archive::Zip yourself before using this
version. 

1/3/2004 Released unstable version 4.28.1. This version can read zip
files so you can apply filename rules in there. Note: You will have to
install the Perl module Archive::Zip yourself before this version will
run.


I guess it's time to upgrade again...

--
Todd

-----Forwarded Message-----
From: Todd Davis <tdavis@msfw.com>
To: luci-discuss@luci.org
Subject: Re: Another round of viruses - encrypted this time
Date: Wed, 03 Mar 2004 12:06:54 -0600

Unfortunately, since the virus scanner doesn't "know" the password, it
can't open the zip and ends up letting the attachment through.  

We had one come in here that said it was from our email gateway.  It
stated that there were changes in place and the user needed to follow
the attached directions.  Another user received one that appeared to
come from Yahoo support on her Yahoo account that stated that her
account was being used as a spam relay.

In both cases I manually scanned the zip file which did not show any
infections.  However, after unzipping the archive and scanning the
enclosed executable the virus was reported.

On Wed, 2004-03-03 at 11:52, Gary wrote:
> Hi Mike808,
> 
> On Wed, 3 Mar 2004 19:05:57 GMT UTC (3/3/2004, 1:05 PM -0600 UTC my time),
> mike808@users.sourceforge.net wrote:
> 
> m> I heard about another spate of new viruses, several of which are hiding
> m> themselves inside encrypted zip files.
> 
> interesting. Many virus scanners will open zip files and other attachments
> and run the scanners over these as well before allowing them in the system.
> Will be interesting to see if these are picked up.
> 
> m> Since in order to generate a new "signature", all they need to do is change the
> m> password, this will be quite difficult to deal with if your policy requires you
> m> to "let in" attachments.
> 
> m> For those that haven't seen them, they come through in a message like this:
> 
> >> Subject: Notify about your e-mail account utilization.
> 
> As long as the subject remains relatively the same, one could key/grep on
> part of it to quarantine.
> 
> 
> --
> Gary
> 
> TEAMWORK...means never having to take all the blame yourself.
> 
> 
> -
> To unsubscribe, send email to majordomo@luci.org with
> "unsubscribe luci-discuss" in the body.
-- 
Todd Davis (tdavis@msfw.com)
Red Hat Certified Engineer (RHCE #807101281603181)
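
As an added illustration, not part of the original messages and not MailScanner's own code: a gateway can tell that a zip attachment is password-protected without knowing the password, because each entry carries an encryption bit in its header flags. The function names, the constructed sample archive and the `action` labels are assumptions made for this example.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general purpose bit flag, bit 0: entry is encrypted


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive with one entry; optionally flag it encrypted."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("details.exe", date_time=(2004, 3, 3, 12, 0, 0))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flags field in the local file header (offset 6)
        # and in the central directory record (offset 8). Only the flag is
        # set; the payload is not really encrypted, which is enough here
        # because the check below never reads member data.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.index(sig) + off
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED)
    return bytes(data)


def inspect_attachment(data: bytes) -> dict:
    """Classify an attachment from zip metadata alone (no password needed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"names": [], "encrypted": [], "action": "not-a-zip"}
    names = [i.filename for i in infos]
    locked = [i.filename for i in infos if i.flag_bits & ENCRYPTED]
    # Hypothetical policy labels: hold anything the scanner cannot open.
    return {"names": names, "encrypted": locked,
            "action": "quarantine" if locked else "scan"}


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_zip(False)),
                        ("flagged", build_sample_zip(True)),
                        ("garbage", b"not a zip at all")):
        print(label, inspect_attachment(blob))
```

With traditional zip encryption the member names stay readable in the central directory, so filename rules can still be applied to a password-protected archive even though its contents cannot be scanned.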

