[Mimedefang] New .zip virus?

Rick Mallett rmallett at ccs.carleton.ca
Tue Jan 27 16:37:21 EST 2004


In a previous message Dave O'Neill suggested using Archive::Zip
instead of "unzip | wc -c" which I had proposed. It seemed like a
better idea so I rewrote my filter code as per his suggestion. To use
it you have to install the Archive::Zip Perl module and add the line
"use Archive::Zip;" to mimedefang-filter. I suppose it could go
anywhere but I added it near the top, and in "filter" I have

    # Check for possible novarg/mydoom virus
    # (AZ_OK is not exported by default, so the line near the top of
    # mimedefang-filter should be "use Archive::Zip qw(:ERROR_CODES);")

    if (lc($ext) =~ /^\.?(bat|cmd|exe|pif|scr|zip)$/) {
        my $path = $entity->bodyhandle->path;
        my $size = (stat($path))[7];
        if (lc($ext) =~ /zip$/ && $size < 30000) {
            my $zip = Archive::Zip->new();
            if ($zip->read($path) == AZ_OK) {
                my @members = $zip->members();
                foreach my $member (@members) {
                    my $file = $member->fileName();
                    # match on the member's real extension, anchored at the
                    # end, so a name like "scripts.txt" is not caught by "scr"
                    next if lc($file) !~ /\.(bat|cmd|exe|pif|scr)$/;
                    $size = $member->uncompressedSize();
                    last if $size >= 22528 && $size <= 22530;
                }
            }
        }
        if ($size >= 22528 && $size <= 22530) {
            md_graphdefang_log('virus',"Novarg/Mydoom $fname");
            return action_discard();
        } elsif ($size >= 22000 && $size <= 24000) {
            action_quarantine($entity, "Might be the Novarg/Mydoom virus");
            md_graphdefang_log('virus',"Novarg/Mydoom $fname $size");
            return action_bounce("$fname might be a virus - change the name and resend");
        }
    }


- rick

On Tue, 27 Jan 2004, Dave O'Neill wrote:

> David F. Skoll wrote:
>
> > Just check if the unzipped file has any .exe, .pif, etc. in it.  This
> > is more reliable and future-proof than testing for a specific size.
>
> Using the Archive::Zip module from CPAN could be an even better idea if
> we want to avoid the fork/exec and shell pipeline.  I think it should be
> as simple as (warning, completely untested):
>
> use Archive::Zip qw(:ERROR_CODES);   # AZ_OK is not exported by default
>
> my $zip = Archive::Zip->new();
> if( $zip->read($entity->bodyhandle->path) == AZ_OK ) {
>      # It's a valid zip
>      my @members = $zip->members();
>      foreach my $member (@members) {
>          my $size = $member->uncompressedSize();
>          my $file = $member->fileName();
>          # Now, test for file extension and/or bad file sizes
>      }
> }
>
> Cheers,
> Dave
> --
> Dave O'Neill <dmo at roaringpenguin.com>    Roaring Penguin Software Inc.
> +1 (613) 231-6599 ext. 104               http://www.roaringpenguin.com/
>
>
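As an added, stand-alone illustration of the technique the thread settles on (this is not Rick's or Dave's code and not part of MIMEDefang), the script below builds a small constructed zip with Archive::Zip, then inspects its members without extracting anything: it matches executable members on their real, end-anchored extension (so a name that merely contains "scr", like scripts.txt, is not flagged) and applies the uncompressed-size windows from the thread. It assumes Archive::Zip is installed; the names scan_zip, make_sample_zip and the verdict strings are my own choices.

```perl
#!/usr/bin/perl
# Added example, not code from the list thread: inspect a .zip attachment
# with Archive::Zip without extracting it, matching members on their real
# extension and on the uncompressed sizes discussed in the thread.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);   # exports AZ_OK
use File::Temp qw(tempfile);

# Member names that count as executable. Anchored at the end of the name,
# so "scripts.txt" is not caught by the "scr" alternative the way an
# unanchored /(bat|cmd|exe|pif|scr)/ would catch it.
my $DANGEROUS = qr/\.(bat|cmd|exe|pif|scr)$/i;

# Size windows from the thread: 22528..22530 bytes is the Novarg/Mydoom
# payload size, 22000..24000 is the "might be" zone.
use constant { EXACT_LO => 22528, EXACT_HI => 22530,
               NEAR_LO  => 22000, NEAR_HI  => 24000 };

# scan_zip($path) -> (verdict, detail); verdict is one of 'discard',
# 'quarantine', 'accept' or 'unreadable' (names chosen for this example).
sub scan_zip {
    my ($path) = @_;
    my $zip = Archive::Zip->new();
    return ('unreadable', 'not a valid zip archive')
        unless $zip->read($path) == AZ_OK;

    my ($verdict, $detail) = ('accept', 'no executable members');
    foreach my $member ($zip->members()) {
        next if $member->isDirectory();
        my $name = $member->fileName();
        next unless $name =~ $DANGEROUS;

        # This size comes from the zip's own directory entry, i.e. from
        # metadata the sender controls, so treat it as a hint, not proof.
        my $size = $member->uncompressedSize();
        if ($size >= EXACT_LO && $size <= EXACT_HI) {
            return ('discard', "$name: $size bytes, Novarg/Mydoom size");
        }
        # Any executable member is enough to quarantine (David Skoll's
        # point above); record why so the log line is informative.
        $detail = ($size >= NEAR_LO && $size <= NEAR_HI)
            ? "$name: $size bytes, near Novarg/Mydoom size"
            : "$name: executable member, $size bytes";
        $verdict = 'quarantine';
    }
    return ($verdict, $detail);
}

# Constructed sample archive: a harmless text member, a name that merely
# contains "scr", and a .exe member padded to the exact Novarg/Mydoom size.
sub make_sample_zip {
    my $zip = Archive::Zip->new();
    $zip->addString('just text',      'readme.txt');
    $zip->addString('also just text', 'scripts.txt');
    $zip->addString('M' x 22529,      'document.exe');
    my ($fh, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
    close $fh;
    die "could not write sample zip\n"
        unless $zip->writeToFileNamed($path) == AZ_OK;
    return $path;
}

my ($verdict, $detail) = scan_zip(make_sample_zip());
print "$verdict: $detail\n";
```

Run it directly with perl; swapping the sample for a real attachment path is the only change needed to reuse scan_zip from a filter. Because uncompressedSize() is read from the archive's directory rather than measured by inflating the member, a size-based rule is only a quick first check; the extension match is what carries the decision, which is the "future-proof" point made earlier in the thread.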


