PC Review



Cannot detect viruses

 
 
George Del Monte
Guest
Posts: n/a
 
      7th Jun 2004
Recently, my Norton Anti-Virus has begun NOT quarantining some (but not all)
virus payloads contained in a ZIPped file, leading me to wonder how this
could happen. Fortunately, I'm not the sort that indiscriminately opens
attachments from people I don't know, so the virus sender is wasting my
time. Any ideas how this could happen? Does this mean virus-creating
scumbags have found a way to avoid detection?


 
Dave Budd
Guest
Posts: n/a
 
      7th Jun 2004
In article <S7%wc.52061$(E-Mail Removed)>,
(E-Mail Removed) says...
> Recently, my Norton Anti-Virus has begun NOT quarantining some (but not all)
> virus payloads contained in a ZIPped file, leading me to wonder how this
> could happen. Fortunately, I'm not the sort that indiscriminately opens
> attachments from people I don't know, so the virus sender is wasting my
> time. Any ideas how this could happen? Does this mean virus-creating
> scumbags have found a way to avoid detection?
>
>
>

One trick they used to use was to embed the files in folders within
folders within.... and most scanners have a depth limit they'll search
to in zips.
--
Per ardbeg ad annullo
 
Bill
Guest
Posts: n/a
 
      7th Jun 2004

"George Del Monte" <(E-Mail Removed)> wrote in message
news:S7%wc.52061$(E-Mail Removed)...
> Recently, my Norton Anti-Virus has begun NOT quarantining some (but not all)
> virus payloads contained in a ZIPped file, leading me to wonder how this
> could happen. Fortunately, I'm not the sort that indiscriminately opens
> attachments from people I don't know, so the virus sender is wasting my
> time. Any ideas how this could happen? Does this mean virus-creating
> scumbags have found a way to avoid detection?
>
>



What makes you think Norton would detect them in the first place?


 
Gabriele Neukam
Guest
Posts: n/a
 
      7th Jun 2004
On that special day, George Del Monte, ((E-Mail Removed)) said...

> Norton Anti-Virus has begun NOT quarantining some (but not all)
> virus payloads contained in a ZIPped file, leading me to wonder how this
> could happen.


If the zipfile is password protected, Norton cannot examine it, no
matter whether the file is actually zipped, or only "passworded".


Gabriele Neukam

(E-Mail Removed)


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
 
buzz Light Beer
Guest
Posts: n/a
 
      7th Jun 2004
on Mon, 7 Jun 2004 19:27:05 +0200, Gabriele Neukam
<(E-Mail Removed)> wrote :
>On that special day, George Del Monte, ((E-Mail Removed)) said...
>
>> Norton Anti-Virus has begun NOT quarantining some (but not all)
>> virus payloads contained in a ZIPped file, leading me to wonder how this
>> could happen.
>
>If the zipfile is password protected, Norton cannot examine it, no
>matter whether the file is actually zipped, or only "passworded".
>
>
>Gabriele Neukam
>

This is a feature that Kaspersky 5 personal has that I really like.
If it sees a password file it will prompt you for the password in
order to scan it....I have never had NAV 2003 to pop up such a
prompt....so I just assumed it scanned it.......very interesting
/ bLB
 
George Del Monte
Guest
Posts: n/a
 
      8th Jun 2004
> What makes you think Norton would detect them in the first place?

Well, I think Norton's COULD (if conditions were right) detect them because
their (the virus) definitions ARE in my Norton database. I checked other
quarantined virus-containing files and they contained the same virus
(Sober). Another responder to my post opined that the virus was not
discovered because it was several layers deep (folders within folders within
folders), deeper than the anti-virus software searches during message
downloading. However, a "Scan my computer" done later DID find the virus
that the eMail scan failed to detect. My guess is: the scan of eMail is more
superficial than a local hard drive scan.

What do you think?


 
George Del Monte
Guest
Posts: n/a
 
      8th Jun 2004
Gabriele, then how would the virus be unleashed if the ZIPped file were
password protected? That step seems to be a counter-productive one for a
"virus distributor" if it requires a password to open the payload-containing
file. Please explain further.


 
FromTheRafters
Guest
Posts: n/a
 
      8th Jun 2004

"George Del Monte" <(E-Mail Removed)> wrote in message newsM7xc.90660$(E-Mail Removed)...
> Gabriele, then how would the virus be unleashed if the ZIPped file were
> password protected?


It only requires that a user unzip (using the password supplied in the
e-mail body) and execute it, such users are not rare (enough) to be
a significant problem for a worm. It demonstrates exactly where the
weakest link lies in any computer security system. In addition, the
file when unzipped will have escaped the security zone in which the
e-mail client resides, and landed in the "My Computer" zone which
usually has much less security. I think that this particular worm isn't
concerned with that however, and is only zipped so that simple filters
won't stop it from reaching users - many places don't allow some
filetypes as attachments (.scr, .exe, .bat, .pif ...etc...) but .zips are
allowed.

> That step seems to be a counter-productive one for a
> "virus distributor" if it requires a password to open the payload-containing
> file. Please explain further.


Basically, there is no shortage of clueless users - so even such a tactic
is worthy of consideration. The earlier versions of this worm showed,
even more, just how easily people are duped into executing malware.


 
Reply With Quote
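
An added example, not part of any post in this thread and not Norton's logic: a mail-gateway style triage that reports the cases raised above (password-protected members, archives nested past a depth limit, and the attachment types commonly blocked) as explicit findings, so that "could not scan" is never treated as "clean". `MAX_DEPTH`, `MAX_MEMBER`, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

BLOCKED_EXT = (".scr", ".exe", ".bat", ".pif")  # attachment types named in the thread
MAX_DEPTH = 2            # assumed policy: how many archive layers we will unpack
MAX_MEMBER = 10_000_000  # assumed cap on bytes read per nested archive (zip-bomb guard)

def triage_zip(data, depth=1, prefix=""):
    """Return (finding, member path) pairs for one ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path, lower = prefix + info.filename, info.filename.lower()
            if info.flag_bits & 0x1:          # bit 0: member is encrypted
                findings.append(("encrypted-not-scanned", path))
            elif lower.endswith(BLOCKED_EXT):
                findings.append(("blocked-type", path))
            elif lower.endswith(".zip"):
                if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER:
                    findings.append(("nested-not-scanned", path))
                else:
                    findings += triage_zip(zf.read(info), depth + 1, path + "/")
    return findings

def verdict(findings):
    """Fail closed: anything blocked or left unscanned is held, not delivered."""
    return "hold" if findings else "deliver-after-av-scan"

def make_zip(members, mark_encrypted=False):
    """Constructed sample: build a ZIP in memory from harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(zipfile.ZipInfo(name), content)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:   # set bit 0 of the flags in the single central-directory record
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)

# Constructed samples (placeholder content only, nothing executable).
PLAIN = make_zip({"notes.txt": b"hello"})
LOCKED = make_zip({"document.txt": b"placeholder"}, mark_encrypted=True)
LAYER3 = make_zip({"readme.scr": b"placeholder"})
NESTED = make_zip({"a.zip": make_zip({"b.zip": LAYER3})})

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("locked", LOCKED), ("nested", NESTED)]:
        result = triage_zip(blob)
        print(label, verdict(result), result)
```

With `MAX_DEPTH = 2` the `.scr` in the third layer is never inspected, but the archive is still held because the unopened layer is itself a finding.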
 
George Del Monte
Guest
Posts: n/a
 
      8th Jun 2004
That was a very clear explanation but it leads to another puzzle of a sort.
I still had four messages in my Inbox carrying virus payloads, so I
re-examined them. Two had their viruses quarantined by Norton's. Their virus
payloads had each been replaced by text files, one saying: This file:
"EM.cruzio.eml.zip" was infected with the: "W32.Sober.G@mm" virus; the
other: This file: "EM.enliven_9400.TXT.zip" was infected with the:
"W32.Sober.G@mm" virus. The other two messages had their ZIPped files
intact, no doubt carrying viruses. These were the two whose virus payloads
escaped detection by NortonAV. One of these, the 3rd one, had a simple
password in the Subject line; the other no password, but it glibly said
"+-+-+ X- Mail_Scanner: No Virus found" and, now get this, by a non-existent
Anti-virus service at my domain! Hoo boy! What a comfort that brings!

The 4th message is the puzzle: it did not include a password. I figure it
had a virus several layers deep, beyond Norton's scan limitation (if this is
a technical problem, I'm not savvy enough to discuss it), or it simply was a
ruse to send an innocuous file to disarm me and hope I'd open the next
ZIPped file carrying a knockout punch. This message also said "+-+-+
Mail-Attachment: No Virus found" presumably added by my domain. Yeah, right!


 
Snowsquall
Guest
Posts: n/a
 
      8th Jun 2004

"FromTheRafters" <!(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "George Del Monte" <(E-Mail Removed)> wrote in message newsM7xc.90660$(E-Mail Removed)...
> > Gabriele, then how would the virus be unleashed if the ZIPped file were
> > password protected?
>

I have Norton.
I have got a few Bagles (Beagles) and Norton used to put them in the
quarantine "backup" folder and identified them as Beagle@mm!zip
But the last Beagle was not detected.
Please NOTE: *Do not try this at home* Do not do as I did *unless* you know
what you are doing.
I carefully saved the attachment of that last zip file to a floppy and then
_extracted_ (*not opened*) the zip and I had to use the password provided to
get it extracted. Norton then detected it as Beagle F. Then I fished a
Beagle@mm!zip out of quarantine backup and tried to extract it but
auto-protect sent it back to quarantine so I turned auto-protect off and
then carefully extracted it. There appeared to be a folder and was about to
*open* it (normally it's OK to open folders) when I noticed the *.exe!! I
then remembered something about that trick. I then scanned it and it was
also Beagle F. Then I went back to the zipped file that had not been
detected and extracted it (with auto-protect off) and a "folder" appeared
again. I scanned the "folder" and it was detected as Beagle F. So it is a
mystery to me as well as to why earlier such attachments are stopped by
Norton and this latest one was not. That can be dangerous to those who leave
their auto-protect off and just rely on their email scanners.

<snip>

> Basically, there is no shortage of clueless users - so even such a tactic
> is worthy of consideration. The earlier versions of this worm showed,
> even more, just how easily people are duped into executing malware.
>
>



 