[Esd-l] RE: How is a password protected zip file handled?

Brett Glass brett at lariat.org
Tue Mar 2 15:35:41 PST 2004

It might be a good idea for John to make the optional "+"
implicit, rather than requiring the user to add it to every 


At 04:27 PM 3/2/2004, Smart,Dan wrote:
>Do I need to add the + sign to my zip_poisoned list?
>See following Email:
>From: Windows NTBugtraq Mailing List
>[mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM] On Behalf Of Michael_Maloney
>Sent: Tuesday, March 02, 2004 3:27 PM
>Subject: Password protected ZIP files and Email worms
>With the release of Beagle.H and Beagle.I, virus writers started enclosing
>the infected files within password protected ZIP files.  This negated the
>ability of A/V software to view the enclosed file within.
>I've found that the A/V software does see the file within the ZIP archive,
>but cannot process it because it does not recognize the extension.  When the
>archive is password protected, the file enclosed receives a "+" character at
>the end of the extension (ie test.exe becomes test.exe+)  Since the A/V
>software doesn't recognize that kind of extension, it lets it pass thru.
>I found that by adding the "+" character to file extensions that are blocked
>(.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file
>extension and perform the necessary actions on it.
>I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
>should work on the other A/V software programs.
>Mike Maloney
>Sr. System Engineer
>Middlesex County College
>2600 Woodbridge Avenue
>Edison, NJ 08818
>Phone: 732-906-7754
>Cell: 908-217-2086
>Fax: 732-906-4266
>Email: Michael_Maloney at middlesexcc.edu
>| -----Original Message-----
>| From: John D. Hardin [mailto:jhardin at impsec.org] 
>| Sent: Tuesday, March 02, 2004 3:29 PM
>| To: Smart,Dan
>| Cc: Email Security Discussion list
>| Subject: Re: How is a password protected zip file handled?
>| On Tue, 2 Mar 2004, Smart,Dan wrote:
>| >  The new beagle.h sends an encrypted zip file, and gives 
>| the password 
>| > in the body of the message.  What does 1.141 do when it sees such a 
>| > file?
>| It scans the index of the ZIP file, which (fortunately) is 
>| NOT affected by password protection. The ZIP index remains 
>| in-the-clear even though you need a password to extract the contents.
>| --
>|  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>|  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>|  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>| --------------------------------------------------------------
>| ---------
>|   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>|   does quite what I want. I wish Christopher Robin was here."
>|                               -- Peter da Silva in a.s.r
>| --------------------------------------------------------------
>| ---------
>|    32 days until the Slovakian Presidential Election
>Esd-l mailing list
>Esd-l at spconnect.com

More information about the esd-l mailing list