George Del Monte said:
That was a very clear explanation but it leads to another puzzle of a sort.
I still had four messages in my Inbox carrying virus payloads, so I
re-examined them. Two had their viruses quarantined by Norton's. Their virus
payloads had each been replaced by text files, one saying: This file:
"EM.cruzio.eml.zip" was infected with the: "W32.Sober.G@mm" virus; the
other: This file: "EM.enliven_9400.TXT.zip" was infected with the:
"W32.Sober.G@mm" virus. The other two messages had their ZIPped files
intact, no doubt carrying viruses.
I don't know much about how the AVs are tackling this 'passworded zip'
or 'zip' problem. I never thought that it was necessary to scan within zipped
files automatically anyway, I always thought that some things should be left
up to the users to do themselves. AVs insist on enabling users to be very lazy
about the way they apply "safe practices", and this is, in part, what led to this
problem.
It may be that the ones that they know about are captured and iterated
a large number of times so that the AV has a good idea of what the many
iterations look like to the scanner. Sometimes the "large number" is some
degree smaller than the number of possible iterations - and some aren't
getting detected as a result.
These were the two whose virus payloads
escaped detection by NortonAV. One of these, the 3rd one, had a simple
password in the Subject line; the other no password, but it glibly said
"+-+-+ X- Mail_Scanner: No Virus found" and, now get this, by a non-existent
Anti-virus service at my domain! Hoo boy! What a comfort that brings!
Almost as comforting as the sig lines some AVs put on scanned e-mails.
Many here have predicted that malware would do this eventually. I'm
more likely to believe the statement "No Virus Found" to be legitimate
than I would a statement such as "Certified Virus Free".
The 4th message is the puzzle: it did not include a password. I figure it
had a virus several layers deep, beyond Norton's scan limitation (if this is
a technical problem, I'm not savvy enough to discuss it), or it simply was a
ruse to send an innocuous file to disarm me and hope I'd open the next
ZIPped file carrying a knockout punch. This message also said "+-+-+
Mail-Attachment: No Virus found" presumably added by my domain. Yeah, right!
Still, if it *really is* a zipped executable, it should be scannable once
extracted, and if known to the scanner should be identifiable. Anyway,
there's no reason for anyone doing anything other than deleting such an
e-mail - it is obviously not something that they were expecting to receive.
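
Added example, not part of the original thread and not any AV vendor's code: a Python sketch of how a mail filter could triage a ZIP attachment for the cases discussed above (password-protected entries, executables, and archives nested deeper than the scanner is willing to open). The extension list, `MAX_DEPTH`, `MAX_ENTRY_BYTES` and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed values for illustration; not any AV product's real settings.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
MAX_DEPTH = 3                 # how many archive layers we are willing to open
MAX_ENTRY_BYTES = 10_000_000  # refuse to unpack oversized nested archives

def triage_zip(data, depth=1):
    """Return a set of findings for a ZIP attachment passed as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"not-a-zip"}
    findings = set()
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.flag_bits & 0x1:   # bit 0 set: entry is password-protected
                findings.add("encrypted-entry")  # content unreadable without it
            elif name.endswith(EXEC_EXT):
                findings.add("executable")
            elif name.endswith(".zip"):
                if depth >= MAX_DEPTH:
                    findings.add("nesting-limit-reached")  # inner layers unseen
                elif info.file_size > MAX_ENTRY_BYTES:
                    findings.add("oversized-entry")
                else:
                    findings |= triage_zip(zf.read(info), depth + 1)
    return findings

def make_zip(name, payload):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def mark_encrypted(data):
    """Set the 'encrypted' flag bit in a constructed sample's central directory."""
    raw = bytearray(data)
    raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    one = make_zip("notes.txt.exe", b"constructed placeholder, not malware")
    four = one
    for _ in range(3):
        four = make_zip("inner.zip", four)
    print(triage_zip(one), triage_zip(mark_encrypted(one)), triage_zip(four))
```

A finding of `encrypted-entry` or `nesting-limit-reached` means the content was not inspected, so a filter should treat it as "unscanned" rather than "clean".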