HEADS UP - viruses in password protected zip files

Richard Lynch rich at MAIL.WVNET.EDU
Tue Mar 2 13:27:40 GMT 2004


Julian Field wrote:

> At 23:11 01/03/2004, you wrote:
>
>> Gene LeDuc wrote:
>>
>>> Hi Kevin,
>>>
>>> My company has always blocked passworded zips.  If the gateway can't
>>> unzip the file, it gets blocked.  It's a brain-dead gateway, so I won't
>>> embarrass myself (by association) by saying what it is.
>>>
>>> On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote:
>>>
>>>
>>>> This virus is spreading rapidly, we've seen it overnight (although not
>>>> in its password protected form - but we had no way of spotting that so
>>>> it may have got through).
>>>>
>>>> I'm now blocking zip files (making me not very popular this morning!).
>>>>
>>>> Time to start a discussion about ways to block password protected zip
>>>> files?
>>>>
>> Kevin,  Did you find a way to block only password protected zips?  We've
>> seen a couple of hundred Bagle.F and Bagle.H incidents today.  An update
>> from McAfee started catching Bagle.F but not Bagle.H yet.  For now I'm
>> blocking all zips.  I'd like to just block the password protected ones
>> but haven't figured out a way to do it.  I suspect McAfee uses a
>> simplistic approach to detecting this.  I won't go into why I think this
>> for security reasons.  I do think we're rapidly heading towards
>> permanently restricted password protected zips.  If the content of any
>> type of file can't be validated then we'll have to restrict it.  So,
>> any idea how to do this?
>
>
> See 4.28.2.
> --

I know I've said it before but I'll say it again.  You are the most
responsive developer I've encountered.  Honestly!   I've dealt with all
the major vendors at one time or another and nothing comes close.  Thank
you.

--
Richard E. Lynch <rich at mail.wvnet.edu>
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV  26505
(304) 293-5192 x243
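
A gateway-side check for the question raised in this thread (blocking only password-protected zips), as an added example that is not part of the original posts and is not MailScanner's own code: it reads the ZIP central directory, tests bit 0 of each entry's general purpose flag (set when an entry is encrypted), and fails closed on archives it cannot read. The names `classify_zip` and `_sample_zip` and the sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general purpose bit flag, bit 0: entry is encrypted


def classify_zip(data: bytes) -> str:
    """Return 'encrypted', 'unreadable' or 'clear' for an attachment's bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # The flag is stored unencrypted in the central directory, so no
            # password is needed to see that an entry is protected.
            if any(info.flag_bits & ENCRYPTED for info in zf.infolist()):
                return "encrypted"
            # testzip() reads every member and returns the first bad name.
            if zf.testzip() is not None:
                return "unreadable"
    except Exception:
        # Fail closed: content that cannot be inspected cannot be validated.
        return "unreadable"
    return "clear"


def _sample_zip(encrypted: bool) -> bytes:
    """Build a constructed one-file archive; optionally set the encrypted bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field offsets: 6 in the local header, 8 in the central header.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig) + off
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    plain = _sample_zip(False)
    for label, blob in (("plain", plain),
                        ("flagged", _sample_zip(True)),
                        ("truncated", plain[: len(plain) // 2])):
        print(label, "->", classify_zip(blob))
```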


