Bagle and KAV

Snowsquall

kurt wismer said:
Snowsquall said:
(e-mail address removed) wrote [snip]
If so,
how long did it take for NAV to actually unencrypt the password and
find the Bagle infested file within?

No time at all. I don't think Norton unencrypted the file. I think it has
its signature based on the data that is still in its encrypted form. -- just
my guess.

neat trick considering the password is randomly generated and therefore
the cipher text is pretty much unpredictable (another way of saying
there can't be a signature for it)...

I originally got the attachment in the form of *.bin but I changed the
extension to *.zip

Source: C:\Documents and Settings\Myname\Desktop\bin00000.bin
Description: The file C:\Documents and Settings\Myname\Desktop\bin00000.bin
is infected with the W32.Beagle.J@mm virus.

I transferred it to a floppy, then carefully extracted it.

Source: A:\iodmp.exe
Description: The file A:\iodmp.exe is infected with the W32.Beagle.J@mm
virus.

Axel Pettinger

Seems you missed Axel's response of "no" in answer to my "I suppose".
Whatever NAV is doing is apparently less prone to FPs than is KAV's
heuristic.

Well, I'd say that NAV's "W32.Beagle@mm!zip" is an exact identification
and not a heuristic one. It will therefore only detect known password
protected Bagle zip archives. I couldn't reproduce such an archive using
WinZip, PkZip and RAR. Bagle zips seem to have a different structure.
This might make it easier to identify them. Or Symantec's analysts
created tons of Bagle zips and then added detection for them ...

Regards,
Axel Pettinger
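To make the two positions above concrete, here is an added example (not code from the thread, and not Symantec's or Kaspersky's detection logic). It builds a single-entry zip under traditional PKWARE "ZipCrypto" encryption, the only password protection the zip format had in 2004, once under each of two passwords, and then parses the raw archive to show which fields a scanner can read without the password: the file name, compression method, CRC-32 of the plaintext and both sizes all sit unencrypted in the local file header; only the 12-byte encryption header and the compressed data are enciphered. The payload, the name iodmp.exe, the passwords and the 11 filler bytes of each encryption header are constructed for the demonstration, and the page does not say how Symantec's "W32.Beagle@mm!zip" detection is actually keyed.

```python
# Added example: what a ZipCrypto-protected zip entry leaks in cleartext.
# Payload, file name, passwords and header filler are all constructed.
import io
import struct
import zipfile
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320); also drives the ZipCrypto key schedule.
CRC_TABLE = []
for n in range(256):
    for _ in range(8):
        n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
    CRC_TABLE.append(n)

def _crc32_byte(crc: int, b: int) -> int:
    return CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """Traditional PKWARE stream cipher (APPNOTE.TXT 'traditional encryption')."""
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name: bytes, plaintext: bytes, password: bytes, nonce11: bytes) -> bytes:
    """Single-entry zip: deflated (method 8), ZipCrypto-encrypted (flag bit 0). nonce11 is 11 bytes."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as zip stores it
    compressed = co.compress(plaintext) + co.flush()
    cipher = ZipCrypto(password)
    # 12-byte encryption header: 11 filler bytes plus the CRC's high byte (the password check).
    body = cipher.encrypt(nonce11[:11] + bytes([crc >> 24])) + cipher.encrypt(compressed)
    flags, method, dtime, ddate = 0x0001, 8, 0, 0x3062  # 0x3062 = DOS date 2004-03-02
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dtime, ddate,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<IBBBBHHHHIIIHHHHHII", 0x02014B50, 20, 0, 20, 0, flags, method,
                          dtime, ddate, crc, len(body), len(plaintext),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def visible_entries(blob: bytes) -> list:
    """Walk the local file headers; every field returned is readable without the password."""
    entries, pos = [], 0
    while blob[pos:pos + 4] == b"PK\x03\x04":
        (_, _, flags, method, _, _, crc, csize, usize,
         fnlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", blob, pos)
        start = pos + 30 + fnlen + xlen
        entries.append({"name": blob[pos + 30:pos + 30 + fnlen].decode("cp437"),
                        "encrypted": bool(flags & 1), "method": method, "crc": crc,
                        "compressed_size": csize, "uncompressed_size": usize,
                        "body": blob[start:start + csize]})  # header + ciphertext: the only opaque part
        pos = start + csize
    return entries

def cleartext_signature(entry: dict) -> tuple:
    """The parts a scanner can match for the same payload regardless of password."""
    return (entry["name"], entry["encrypted"], entry["method"], entry["crc"],
            entry["compressed_size"], entry["uncompressed_size"])

def recover(blob: bytes, password) -> bytes:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)

def needs_password(blob: bytes) -> bool:
    try:
        recover(blob, None)
    except RuntimeError:  # zipfile: "password required for extraction"
        return True
    return False

# Constructed sample: a stand-in "executable", packed under two different passwords.
PAYLOAD = b"MZ" + b"constructed stand-in for a worm body, not real malware\n" * 8
SAMPLE_NAME = b"iodmp.exe"
SAMPLES = [(b"3421", bytes(range(11))), (b"8890", bytes(range(11, 22)))]

def demo() -> dict:
    zips = [build_encrypted_zip(SAMPLE_NAME, PAYLOAD, pw, nonce) for pw, nonce in SAMPLES]
    a, b = (visible_entries(z)[0] for z in zips)
    return {"same_signature": cleartext_signature(a) == cleartext_signature(b),
            "different_ciphertext": a["body"] != b["body"],
            "crc_is_plaintext_crc": a["crc"] == (zlib.crc32(PAYLOAD) & 0xFFFFFFFF),
            "round_trips": all(recover(z, pw) == PAYLOAD for z, (pw, _) in zip(zips, SAMPLES)),
            "locked_without_password": all(needs_password(z) for z in zips)}

if __name__ == "__main__":
    print(demo())
```

Run as a script, every value in demo() comes out True: the random password changes the ciphertext, as kurt wismer says, but it changes nothing else in the archive, which is what leaves room for an exact signature on the zip itself rather than on its contents. The same header fields (version made by, general-purpose flag, DOS timestamp) are also where a non-standard zip writer of the kind Axel suspects would stand out, again without any decryption.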