On Tue, 2 Mar 2004 18:08:15 -0800 (PST)
[EMAIL PROTECTED] wrote:
>
> > It gives nothing as copies of Worm.Bagle.H (and previous variants
> > also) vary in their contents and even sizes. So checksums are
> > different.
>
> We have started to see this as well -- we only caught a few w/ the
> hard-coded crc hack. This is not perfect either and it falls in line
> with one gentleman's procmail filter. Still, this may help some
> users. We have updated our virus filter to look something like this:
>
> if ((stat($file))[7] < 100000) # filesize
> {
>     # Fork a child and read its stdout (with stderr merged into it).
>     if (!open(UNZIP, "-|"))
>     {
>         close(STDERR);
>         open(STDERR, ">&STDOUT");
>         # Test the archive with an empty password: a plain zip passes,
>         # an encrypted one makes unzip complain "incorrect password".
>         exec("/usr/bin/unzip", '-t', '-P', '', $file);
>         exit(1); # only reached if exec itself fails
>     }
>     while (<UNZIP>)
>     {
>         if (/incorrect password/)
>         {
>             close(UNZIP);
>             print "Found the w32nsc/crypt-zip.gen virus !!!\n";
>             found_virus();
>         }
>     }
>     close(UNZIP);
> }
>
> We are /hoping/ that virus .zip's are <100k. If anyone sends a
> legitimate message which is an encrypted zip that is <100k we still
> quarantine it if the user needs to have a copy, and they are notified of
> the quarantine. After a few tests, it does not appear that it will
> mark unpassworded zips falsely, since a zip w/o password and a zip w/ a
> password of '' appear to be equivalent.

I also received such a mail today from an OpenBSD mailing list (sorry, but: damn Windows kiddies who are not able to keep their fingers far away from the left mouse button). I saw two things:

1. An encrypted ZIP
2. A password in the mail

Now I asked myself:

- Does the worm use the same password every time, or does the worm generate new passwords?
- Maybe a skilled user could write a script which looks for a password in the mail. If a password is detected, the user should get a warning. The archive shouldn't be decrypted.

Rembrandt
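The quoted filter decides "encrypted or not" by forking unzip with an empty password and grepping its output for "incorrect password". The same fact is recorded directly in the archive: bit 0 of each entry's general-purpose flag in the ZIP central directory is the encryption bit, so a filter can read it without spawning anything. The following is an added example, not code from the thread or from either poster; it combines that flag check with the <100k size rule from the quoted filter and with Rembrandt's idea of looking for a password in the mail body. The message, the archive (a plain zip with the flag bit set by hand, not really encrypted) and the "password is X" pattern are constructed for the demonstration and are assumptions, not the worm's actual wording.

```python
"""Flag mail carrying a password-protected ZIP without shelling out to unzip.

Added example, not from the thread. Reads bit 0 of the general-purpose flag
in the central directory, applies the <100 kB rule from the quoted filter,
and looks for a password given in the body. All test data is constructed.
"""
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

SIZE_LIMIT = 100_000            # threshold taken from the quoted filter
LOCAL_SIG = b"PK\x03\x04"       # local file header signature
CDIR_SIG = b"PK\x01\x02"        # central directory entry signature
EOCD_SIG = b"PK\x05\x06"        # end-of-central-directory signature
FLAG_ENCRYPTED = 0x0001         # general-purpose flag bit 0 = entry is encrypted

# Assumed heuristic: "password: X" or "password is X" in the body. It also
# grabs a word like "in" after a bare "password", so treat it as a hint only.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)?\s*(\w+)", re.IGNORECASE)


def zip_entries(data):
    """Walk the central directory; return [(name, general_purpose_flags), ...]."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        entries.append((name, flags))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def is_encrypted_zip(data):
    """True if any entry has the encryption bit set (what 'incorrect password' meant)."""
    return any(flags & FLAG_ENCRYPTED for _, flags in zip_entries(data))


def find_password_hint(body):
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def scan_message(raw):
    """Return attachment findings, any password hint and the quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    hint = find_password_hint(body_part.get_content() if body_part else "")
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            encrypted = is_encrypted_zip(data)
        except ValueError:
            continue  # not a ZIP; outside this filter's scope
        findings.append({"name": part.get_filename() or "", "size": len(data),
                         "encrypted": encrypted})
    # Quarantine an encrypted archive under the size limit, or of any size when
    # the body hands the recipient the password.
    quarantine = any(f["encrypted"] and (f["size"] < SIZE_LIMIT or hint is not None)
                     for f in findings)
    return {"attachments": findings, "password_hint": hint, "quarantine": quarantine}


def _set_encryption_flag(data):
    """Constructed fixture: set bit 0 in each local header (offset 6) and
    central entry (offset 8). The payload stays plain; only the flag changes."""
    buf = bytearray(data)
    for sig, off in ((LOCAL_SIG, 6), (CDIR_SIG, 8)):
        pos = buf.find(sig)
        while pos >= 0:
            buf[pos + off] |= FLAG_ENCRYPTED
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_zip(encrypted):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.exe", b"MZ" + b"\x00" * 62)   # harmless stand-in
    return _set_encryption_flag(out.getvalue()) if encrypted else out.getvalue()


def build_message(zip_bytes, body):
    msg = EmailMessage()   # constructed sample mail, addresses are placeholders
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Re: Document"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for enc, body in ((True, "Attached is the archive, the password is 12345."),
                      (False, "Quarterly report attached.")):
        print(scan_message(build_message(build_zip(enc), body)))
```

Reading the flag gives the same answer as `unzip -t -P ''` but does not depend on the exact wording of a tool's error message and does not fork a process per attachment; a zip without a password has the bit clear, which is why the quoted filter saw no false positives on unpassworded archives. Like the quoted filter, this only detects that an archive is encrypted; it never opens it.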
