Password protected viruses?

  • Thread starter: Tim Downie

Tim Downie

Today I received what is almost certainly a virus in a password protected
zip file (it arrived with an email along with a password).

AVG with the latest updates doesn't detect anything and the Kaspersky online
scan facility confirms a password protected file (qlgxxc.exe). It *doesn't*
identify it as a virus though but I'll eat my hat if it's not.

Is this password protection a new ruse to make a zipped file autorun?

I've sent a copy to AVG. Anyone else I should submit it to? Anyone want a
copy? ;-)

Tim
 
I also got password protected zip files late last night. Norton didn't
detect it as a virus or a blocked attachment. The file inside the zip is
a .exe+. I think since the "+" is at the end of the file, Norton doesn't
know what to do with it. I have sent SARC a copy of these messages. I
hope they can do something about it. Until I hear from them, I am
blocking .zip at the gateway.

I even tried to add *.exe+ to be blocked and it still gets past Norton.

Nurv
 
Tim said:
Today I received what is almost certainly a virus in a password protected
zip file (it arrived with an email along with a password).

AVG with the latest updates doesn't detect anything and the Kaspersky online
scan facility confirms a password protected file (qlgxxc.exe). It *doesn't*
identify it as a virus though but I'll eat my hat if it's not.

you're probably right...
Is this password protection a new ruse to make a zipped file autorun?

no, it's a way to get the viruses past the email scanners... if the
scanner can't read the file then it can't determine if there's a virus
present or not...
 
Erm,
I even tried to add *.exe+ to be blocked and it still gets past Norton.

Well, I have always understood the '+' is simply suffixed to the displayed
name in the GUI to show that its password protected file, nothing more...

..\/.artin
 
Tim Downie said:
Today I received what is almost certainly a virus in a password protected
zip file (it arrived with an email along with a password).

[snip]

I've sent a copy to AVG. Anyone else I should submit it to? Anyone want a
copy? ;-)

Tim

--
Remove the obvious to reply by email.
Please support rheumatoid arthritis research!
Visit http://www.justgiving.com/pfp/speyside or
http://www.justgiving.com/speyside if you're a UK tax payer.

Most likely one of the Bagle.F/G/H/I ++
They're starting to Password the zips because AV scanners won't/can't read
them past the password.
I've probably got whichever one it is already, but sure, I could use more
in case of a gap in my collection.
If you could save the entire mail to disk as [whatever].eml and attach that
to a mail to me, that would be nicest. I like to keep the original
containers, not just the virus, but if you're uncomfortable saving this to
disk [I don't blame you] just Forward it.
Feel free to Mail or Forward anything else that you find suspect as well.
I'll even get back to you as to what it is.
Easy on the Swen.A [144kb and 155-156kb] though, I've got about 400 I've got
to throw out already. ;-)

Thanx,
Jack the Bear
(e-mail address removed)
 
Jack the Bear said:

Most likely one of the Bagle.F/G/H/I ++
They're starting to Password the zips because AV scanners won't/can't read
them past the password.
I've probably got whichever one it is already, but sure, I could use more
in case of a gap in my collection.
If you could save the entire mail to disk as [whatever].eml and attach that
to a mail to me, that would be nicest. I like to keep the original
containers, not just the virus, but if you're uncomfortable saving this to
disk [I don't blame you] just Forward it.
Feel free to Mail or Forward anything else that you find suspect as well.
I'll even get back to you as to what it is.
Easy on the Swen.A [144kb and 155-156kb] though, I've got about 400 I've got
to throw out already. ;-)

Thanx,
Jack the Bear
(e-mail address removed)

Is there some way to filter or mark a password protected file with Eudora or
Mailwasher? I can't think of any reason I would ever need to see such an
attachment.

Ma
 
Ma No said:

Is there some way to filter or mark a password protected file with Eudora or
Mailwasher? I can't think of any reason I would ever need to see such an
attachment.

Ma

I don't know of one, but if there is, can you be ABSOLUTELY sure no one will
EVER send you a mail that they think needs to be passworded for security
reasons?
When you get these, and you don't want them, just hit the delete key. NBD.

- Jack
 
I received an e-mail just now which says it is from my ISP (Staff at NTL)
and that because of my misuse of e-mail they will cancel my account in 3
days' time. I am to resign my account. There is an attachment of 12 kB which
I have no intention of opening, and they provide a password to open it.
I have spoken to NTL and they confirm it is not from them and I should
delete it unopened. Neither AVG nor Adaware finds any virus.
jimac.
 
Call me crazy but if the archive is password protected how is one to
extract the virus in order to run it??

Is the password supplied in the e-mail?
 
mrp said:
Call me crazy but if the archive is password protected how is one to
extract the virus in order to run it??

Is the password supplied in the e-mail?


I know it sounds crazy but yes, the password is supplied with the e-mail.

Tim
 
I know it sounds crazy but yes, the password is supplied with the e-mail.

It's not at all "crazy" since you can't unzip the file without the
password. The only thing that would be crazy is to go ahead and unzip
it if you don't know what you're doing :) If you're not expecting a
legit password protected zip from a friend, accompanied by a personal
message from him that identifies him well, just delete the attackment.


Art
http://www.epix.net/~artnpeg
 
I know it sounds crazy but yes, the password is supplied with the e-mail.

Tim

what is even crazier [scarier] is that there is a high number of
people who will use the password to unzip and run the file :(
 
Jack said:
If you could save the entire mail to disk as [whatever].eml and
attach that to a mail to me, that would be nicest.

Oops. I've saved the attachment but not the e-mail that contained the
password, so I suspect that it's going to be of little use to anyone now.
Sorry about that.

Tim
 
mrp said:
I know it sounds crazy but yes, the password is supplied with the e-mail.

Tim

what is even crazier [scarier] is that there is a high number of
people who will use the password to unzip and run the file :(
If a zip file is password protected then the AV can't scan the file and
bypasses that file like it's clean.
Companies that use AV on the mail server automatically stop every mail with a
password protected file.
The AV doesn't know the password to unpack and scan.
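The point made in this post and earlier in the thread (the scanner cannot look inside an encrypted archive, so it passes it as clean) and Ma's question about filtering password protected attachments at the mail client both come down to one check: whether the ZIP's general-purpose flag has its encryption bit set. The script below is an added example, not code from the original thread or from any product named in it. It builds small ZIP archives in memory (constructed test data; setting the flag bit only, no real encryption), then inspects an attachment through the central directory alone, never extracting a member, and returns a gateway verdict that treats "cannot scan" as "quarantine" rather than "clean". The executable-extension list and the function names are this example's own assumptions.

```python
import io
import os
import struct
import zipfile
import zlib

# Extensions a mail gateway should not pass through inside an archive. Constructed
# list for this example, not taken from any AV product.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag marks an encrypted member


def build_stored_zip(entries, encrypted=False):
    """Build a minimal 'stored' (uncompressed) ZIP archive in memory.

    entries: list of (filename, bytes). With encrypted=True only the header flag bit is
    set; the member bytes are written as given, because the detector below reads headers
    only and never decrypts anything. Constructed test data for this example.
    """
    out = io.BytesIO()
    central = []
    flag = ENCRYPTED_FLAG if encrypted else 0
    dos_date = ((1980 - 1980) << 9) | (1 << 5) | 1  # 1980-01-01, a valid DOS date
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = out.tell()
        # Local file header (30 bytes), then name and data
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, dos_date,
                              crc, len(data), len(data), len(name_b), 0))
        out.write(name_b)
        out.write(data)
        # Central directory entry (46 bytes), then name
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0,
                                   dos_date, crc, len(data), len(data), len(name_b),
                                   0, 0, 0, 0, 0, offset) + name_b)
    cd_start = out.tell()
    for record in central:
        out.write(record)
    cd_size = out.tell() - cd_start
    # End of central directory record (22 bytes)
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central), len(central),
                          cd_size, cd_start, 0))
    return out.getvalue()


def inspect_zip(blob):
    """Describe every member of a ZIP attachment from its central directory.

    Nothing is extracted. Names are the real archive names, so a display suffix such
    as the '+' some GUIs append to encrypted members does not appear here.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "executable": ext in EXECUTABLE_EXTS,
            })
    return findings


def gateway_verdict(blob):
    """Return ('quarantine', reasons) or ('pass', []) for one ZIP attachment.

    An encrypted member cannot be scanned, so it is reported as unverifiable instead
    of being waved through as clean; a malformed archive is treated the same way.
    """
    try:
        findings = inspect_zip(blob)
    except zipfile.BadZipFile:
        return "quarantine", ["malformed archive"]
    reasons = []
    for f in findings:
        if f["encrypted"]:
            reasons.append("encrypted member cannot be scanned: %s" % f["name"])
        if f["executable"]:
            reasons.append("executable member: %s" % f["name"])
    return ("quarantine", reasons) if reasons else ("pass", [])


if __name__ == "__main__":
    # Constructed samples: a Bagle-style attachment and a harmless one.
    suspect = build_stored_zip([("qlgxxc.exe", b"MZ not a real program")], encrypted=True)
    benign = build_stored_zip([("report.txt", b"quarterly figures")])
    print(gateway_verdict(suspect))
    print(gateway_verdict(benign))
```

The verdict function deliberately quarantines on the flag alone, even for a non-executable member name, because the name inside an unscannable archive is as untrusted as its contents; Jack's objection that a legitimate correspondent may one day send an encrypted zip still applies, so a real deployment would quarantine and notify rather than silently drop.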
 
Tim Downie said:
Today I received what is almost certainly a virus in a password protected
zip file (it arrived with an email along with a password).

AVG with the latest updates doesn't detect anything and the Kaspersky online
scan facility confirms a password protected file (qlgxxc.exe). It *doesn't*
identify it as a virus though but I'll eat my hat if it's not.

Is this password protection a new ruse to make a zipped file autorun?

I've sent a copy to AVG. Anyone else I should submit it to? Anyone want a
copy? ;-)

Tim


I also received it, but when I unzipped it (not recommended for anyone that
isn't confident that they can safely do so) Norton found and fixed it.
However, what has me concerned is that I have OE set to NOT allow the saving
of attachments and it DID allow me to save it. Usually the paperclip is
grayed out and won't allow me to save the attachment unless I change it back
first.


--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
http://www.dino-soft.org
 
Today I received what is almost certainly a virus in a password protected
zip file (it arrived with an email along with a password).

I received a copy as well (from a Florida State University IP). After
extracting the .exe file (using the password supplied in the email),
Kaspersky identifies the worm as bagel.i

Symantec calls it beagle, instead of bagle, and has info at
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

I also received a bounce from aol, for a copy sent to a message id, from the
same FSU ip. Only bounce so far. I wish AOL would reject messages at the
smtp stage, instead of sending bounces to forged address, later.

Regards, Dave Hodgins
 
It's not at all "crazy" since you can't unzip the file without the
password. The only thing that would be crazy is to go ahead and unzip
it if you don't know what you're doing :) If you're not expecting a
legit password protected zip from a friend, accompanied by a personal
message from him that identifies him well, just delete the **** attackment. ****


Art
http://www.epix.net/~artnpeg

Very appropriate mis-spelling there <g>

Taff..............



www.sounds-pa.com | www.thecomputerworkshop.com
 
Sugien said:
However what has me concerned is that I have OE set to NOT allow
the saving of attachments

That feature of OE only applies to what they consider to
be executable files (and probably depends on extension
only, and not actual filetype).

Try sending yourself an exefile with a .zip extension and see
if it allows you to save it.
 