Re: ".zip" file attachments no longer blocked on CalMail

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Thu Mar 04 2004 - 17:07:47 PST

Hi Michael,

At 16:55 -0800 2004-03-04, Michael Armijo wrote:
>(from the URL given) "An update just received from CalMail's antivirus
>software vendor can now detect these new worm variants..."
>
>Since the problem files were encrypted, I assume that the software can
>decrypt the zip files only because the key was supplied in the email. True?

   I don't know the specific method by which Sophos -- or for that
matter, any other anti-virus vendor -- has chosen to detect the
latest variants of the W32.Beagle/Bagel worms. They may or may not
be using the password provided in the body text of the email message.
They may instead be using other markers specific to these variants.
Several such markers have been discussed on this list; others may
include attachment length and specific text used in subject lines
and/or body text.

   Any or all of these markers may not be present in future variants
of this worm, or in future worms. They could try adding random files
to their archives to vary their length, for instance. And the
methods by which they attempt to transmit the accompanying passwords
may vary, as well.

>If not, we will need to advise people that encrypted zip files are not
>secure.

   I'm not sure what you're stating or asking here; perhaps you might
clarify. If you're asking whether Sophos, or any other anti-virus
vendor, has just come up with a technique by which they can quickly
decrypt encrypted ZIP archives, for which they lack the decryption
password, my off-the-cuff answer is "no, they have not."

Aron Roberts
Workstation Software Support Group
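An added example, not from this thread and not Sophos's or CalMail's code: a small Python triage routine applying the markers Aron lists above (an encrypted ZIP attachment, a password quoted in the body text, attachment length) plus one the archive format gives away for free, the entry names. It builds its own ZipCrypto-encrypted sample so it runs offline; all names, the sample text and the password are constructed.

```python
import io, re, struct, zipfile, zlib
def _crc_step(crc, c):  # ZipCrypto's CRC-32 table step, via zlib's inverted convention
    return zlib.crc32(bytes([c]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(data, pwd):  # traditional PKWARE encryption, only to build a sample
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        k[0] = _crc_step(k[0], c)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    for b in pwd:
        update(b)
    out = bytearray()
    for c in data:
        t = (k[2] | 2) & 0xFFFF
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)

def build_encrypted_zip(name, data, pwd):  # one stored entry, flag bit 0 = encrypted
    crc = zlib.crc32(data)
    body = zipcrypto_encrypt(bytes(11) + bytes([crc >> 24]) + data, pwd)  # 12-byte header + data
    nm = name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0x21, crc,
                        len(body), len(data), len(nm), 0) + nm + body
    cdir = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21,
                       crc, len(body), len(data), len(nm), 0, 0, 0, 0, 0, 0) + nm
    return local + cdir + struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(cdir), len(local), 0)

def triage(body, zip_bytes):  # the markers from the thread, applied to one message
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    infos = zf.infolist()
    # ZipCrypto never hides entry names or flags: an .exe inside is visible without a password
    finding = {"encrypted": any(i.flag_bits & 1 for i in infos),
               "executables": [i.filename for i in infos
                               if i.filename.lower().endswith((".exe", ".scr", ".pif"))],
               "size": len(zip_bytes),
               "passwords_in_body": re.findall(r"password\W+(\w+)", body, re.I),
               "decrypted_with": None}
    for pwd in finding["passwords_in_body"]:
        try:
            for i in infos:
                zf.read(i, pwd=pwd.encode())  # RuntimeError on a wrong password
            finding["decrypted_with"] = pwd
            break
        except (RuntimeError, zipfile.BadZipFile):
            pass
    return finding

SAMPLE_BODY = "Your document is attached. The archive is protected, password: 91436"  # constructed
SAMPLE_ZIP = build_encrypted_zip("document.exe", b"MZ" + bytes(62), b"91436")  # constructed
```

A mail gateway would feed `triage` the body text and each ZIP part pulled out with the stdlib `email` package; the point is that a scanner needs no cryptanalysis when the sender ships the password in the same message, and even without it the entry names stay readable.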

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Thu Mar 4 17:09:39 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 04 2004 - 17:09:39 PST