[Mimedefang] New .zip virus?

Rick Mallett rmallett at ccs.carleton.ca
Tue Jan 27 12:49:58 EST 2004


Here is a small variation on the code posted by Brent.

It uses "unzip | wc -c" to check the file size and only discards if it
is in a smaller size range (22528-22530), and bounces otherwise.
Actually, the unzip'ed files are all 22528 so it could just check for
that size. This just reduces the chances of discarding a non-virus
message that just happened to contain a small zip file in the
prescribed range.

    # Check for possible novarg/mydoom virus

    if (lc($ext) =~ /^\.?(bat|cmd|exe|pif|scr|zip)$/) {
        my $path = $entity->bodyhandle->path;
        # Size of the attachment as stored on disk
        my $size = (stat($path))[7];
        if (lc($ext) =~ /zip/) {
            # For archives, use the size of the unzipped contents instead
            my $test = `/bin/unzip -p $path | wc -c`;
            # Only take the number; keep the on-disk size if unzip/wc failed
            $size = $1 if $test =~ /^\s*(\d+)\s*$/;
        }
        if ($size >= 22528 && $size <= 22530) {
            md_graphdefang_log('virus',"Novarg/Mydoom $fname");
            return action_discard();
        } elsif ($size >= 22528 && $size <= 22798) {
            action_quarantine($entity, "Might be the Novarg/Mydoom virus");
            md_graphdefang_log('virus',"Novarg/Mydoom $fname $size");
            return action_bounce("$fname might be a virus - change the name and resend");
        }
    }


- rick

On Tue, 27 Jan 2004, Brent J. Nordquist wrote:

> On Mon, 26 Jan 2004, Brent J. Nordquist <b-nordquist at bethel.edu> wrote:
>
> > So far the ZIP ones are all between 22640 and 22798 bytes inclusive.
> > Can someone post a quick example on how to test an attachment's size?
>
> After some archive digging here's what I arrived at, if it's useful to
> anyone else.  I've tested it with the edge cases for size and it seems to
> work fine.  This could be tightened further (zip will be 22640-22798, and
> the others will only be 22528) but I think this is close enough for an
> outbreak.  This goes in "sub filter" after the virus section:
>
>     my $virre = qr/\.(pif|scr|exe|cmd|bat|zip)$/;
>     if (re_match($entity, $virre)) {
>         my $size = (stat($entity->bodyhandle->path))[7];
>         if ($size >= 22528 && $size <= 22798) {
>             $VirusName = 'W32/Mydoom@MM';
>             md_graphdefang_log('virus', $VirusName, $RelayAddr);
>
>             # Discard the mail!  Notify the administrator.
>             action_discard();
>             action_notify_administrator("A known virus ($VirusName) was discovered and deleted.\nThe relaying machine was $RelayAddr\n");
>
>             # But quarantine the message for examination later.  Comment
>             # the next line out if you don't want to bother.
>             action_quarantine_entire_message("The $VirusName virus was discovered; message discarded.\n");
>
>             return;
>         }
>     }
>
> --
> Brent J. Nordquist <b-nordquist at bethel.edu> N0BJN
> Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
> * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
>

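As an added, stand-alone example (not code from this thread or from MIMEDefang), the same size-based triage in Python: like Rick's "unzip -p | wc -c" it counts the decompressed bytes rather than trusting the archive's own size fields, but it stops counting once the total passes the top of the bounce range so a large or crafted archive is never fully inflated, and it falls back to the attachment's on-disk size when the file is not a readable ZIP, as Rick's code does. The size ranges are the ones quoted in the thread; the archive and member name are constructed for the demonstration.

```python
import io
import zipfile

# Ranges from the thread: unzipped payload seen at 22528 bytes;
# 22528-22798 covers the zipped and unzipped variants discussed.
DISCARD_RANGE = (22528, 22530)
BOUNCE_RANGE = (22528, 22798)


def decompressed_size(zip_bytes: bytes, cap: int) -> int:
    """Total decompressed size of all members, streamed in chunks.
    Returns cap + 1 as soon as the running total exceeds cap, so an
    archive that inflates to far more than we care about is not fully
    decompressed (the wc -c approach would inflate all of it)."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(65536)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > cap:
                        return cap + 1
    return total


def classify(zip_bytes: bytes) -> str:
    """'discard', 'bounce' or 'accept', mirroring the branches in Rick's filter."""
    try:
        size = decompressed_size(zip_bytes, BOUNCE_RANGE[1])
    except zipfile.BadZipFile:
        # Not a readable archive: fall back to the attachment's own size,
        # as the Perl code does when unzip/wc return no number.
        size = len(zip_bytes)
    if DISCARD_RANGE[0] <= size <= DISCARD_RANGE[1]:
        return "discard"
    if BOUNCE_RANGE[0] <= size <= BOUNCE_RANGE[1]:
        return "bounce"
    return "accept"


def make_zip(member_size: int) -> bytes:
    """Constructed sample archive with one member of member_size bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.exe", b"A" * member_size)   # constructed content
    return buf.getvalue()
```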