[Mimedefang] New .zip virus?

Brent J. Nordquist b-nordquist at bethel.edu
Tue Jan 27 07:59:23 EST 2004


On Mon, 26 Jan 2004, Brent J. Nordquist <b-nordquist at bethel.edu> wrote:

> So far the ZIP ones are all between 22640 and 22798 bytes inclusive.  
> Can someone post a quick example on how to test an attachment's size?

After some archive digging here's what I arrived at, if it's useful to
anyone else.  I've tested it with the edge cases for size and it seems to
work fine.  This could be tightened further (zip will be 22640-22798, and
the others will only be 22528) but I think this is close enough for an
outbreak.  This goes in "sub filter" after the virus section:

    # Outbreak stopgap: Mydoom's attachment carries one of these extensions
    # and falls in a narrow size range (22528 bytes for the bare executables,
    # 22640-22798 bytes for the .zip wrapper).  re_match() tests the part's
    # filename against the regexp.
    my $virre = qr/\.(pif|scr|exe|cmd|bat|zip)$/;
    if (re_match($entity, $virre) && defined($entity->bodyhandle)) {
        # MIMEDefang has already decoded the part to disk, so stat() sees
        # the decoded size, not the base64 length inside the message.
        my $size = (stat($entity->bodyhandle->path))[7];
        if (defined($size) && $size >= 22528 && $size <= 22798) {
            $VirusName = 'W32/Mydoom@MM';
            md_graphdefang_log('virus', $VirusName, $RelayAddr);

            # Discard the mail!  Notify the administrator.
            action_discard();
            action_notify_administrator("A known virus ($VirusName) was discovered and deleted.\nThe relaying machine was $RelayAddr\n");

            # But quarantine the message for examination later.  Comment
            # the next line out if you don't want to bother.
            action_quarantine_entire_message("The $VirusName virus was discovered; message discarded.\n");

            return;
        }
    }

-- 
Brent J. Nordquist <b-nordquist at bethel.edu> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
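As a stand-alone way to try the same size test outside MIMEDefang, here is an added Python example; it is not from the original post or from the MIMEDefang project. It parses a raw RFC 822 message with the standard library, walks the MIME parts, and applies the tightened rule mentioned above (.zip between 22640 and 22798 bytes, the bare executables exactly 22528 bytes) to each attachment's size after transfer decoding, which is the size stat() reports on the part MIMEDefang writes to disk. The sample message, filenames and sizes are constructed for the example, not captured from the worm; the function and constant names are the example's own.

```python
"""Stand-alone check for the Mydoom size/extension heuristic described in the
post.  Added example, not MIMEDefang filter code: it parses a raw RFC 822
message, walks its MIME parts and applies the tightened rule the author
mentions (.zip between 22640 and 22798 bytes, the bare executables exactly
22528 bytes) to each attachment's decoded size."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Decoded-size rules per extension: (low, high), inclusive.  The .zip range
# and the 22528-byte executables are the figures given in the post.
SIZE_RULES = {
    "zip": (22640, 22798),
    "pif": (22528, 22528),
    "scr": (22528, 22528),
    "exe": (22528, 22528),
    "cmd": (22528, 22528),
    "bat": (22528, 22528),
}
# Same extension list as the post's $virre; filenames are matched
# case-insensitively so that "README.ZIP" is not missed.
EXT_RE = re.compile(r"\.(" + "|".join(SIZE_RULES) + r")$", re.IGNORECASE)


def matches_heuristic(filename, size):
    """True if this filename/decoded-size pair fits the outbreak profile."""
    if filename is None:
        return False
    m = EXT_RE.search(filename.strip())
    if m is None:
        return False
    low, high = SIZE_RULES[m.group(1).lower()]
    return low <= size <= high


def scan_message(raw):
    """Return (filename, decoded_size, hit) for every leaf part that carries a
    filename.  The size is measured after transfer decoding, which is what
    stat() sees on the part MIMEDefang has written to disk; the base64 text
    inside the message is about a third larger and must not be used."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            continue
        payload = part.get_payload(decode=True) or b""
        results.append((name, len(payload), matches_heuristic(name, len(payload))))
    return results


def build_sample(attachments):
    """Constructed test message (not a real Mydoom capture): each attachment is
    `size` zero bytes under the given filename, base64-encoded by the library."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message contains Unicode characters and has been sent "
                    "as a binary attachment.")
    for name, size in attachments:
        msg.add_attachment(bytes(size), maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed cases: an in-range .zip, an in-range .EXE (upper case), an
# ordinary small .zip, and a 22528-byte .pdf whose extension is not listed.
SAMPLE = build_sample([("document.zip", 22700), ("readme.EXE", 22528),
                       ("photo.zip", 1000), ("report.pdf", 22528)])

if __name__ == "__main__":
    for name, size, hit in scan_message(SAMPLE):
        print(f"{name:14} {size:6d} bytes  {'MATCH' if hit else 'ok'}")
```

Only the first two constructed attachments match; the small .zip and the .pdf of exactly 22528 bytes do not, which is the point of pairing the extension test with the size test rather than using either alone.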


