bagle-i worm
Marco Obaid
marco at MUW.EDU
Tue Mar 2 18:26:19 GMT 2004
Quoting Dan Newcombe <Newcombe at MORDOR.CLAYTON.EDU>:
> Is Sophos supposed to be able to identify the password-protected zip file
> or just the virus that's in the file itself?
I believe that it attempts to scan the entire file;
MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: W32/Bagle.E at mm
MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle-E:: ./i226Mcwt003303/eaaead.zip
> Just can't win - instead of setting up an ftp server for
> once-in-a-blue-moon files needed from off site, we asked people to just
> send a pw-protected ZIP file, and now those are on the evil list.
Can't you just temporarily whitelist their server's IP address to skip the
virus checks? I would not attempt to whitelist their domain since these
worms are skilled at spoofing the sender's address.
Marco