[Mimedefang] rar files -- was W32/Bagle.p at MM spreading as rar

Paul Whittney pwhittney at net.bacconsulting.com
Thu Mar 18 11:42:20 EST 2004


The only one I've used, and I had some issues with it if I remember,
is:
http://www.rarlab.com/

I believe there is a license required after 40 days' use.

Just some thoughts follow, no code, sorry...

Alternatively
*) capture all rar files, run md5sum on them, and see if a pattern
emerges (I'm a believer of unpack only if you really need to)

*) look into teaching File::Scan that a file is of type RAR, and then
some other code to teach it about .exe's in there

(took my pgp public key, and rar'ed it)
$ xxd example.rar
0000000: 5261 7221 1a07 00cf 9073 0000 0d00 0000  Rar!.....s......
0000010: 0000 0000 d438 7420 8036 004b 0500 00b6  .....8t .6.K....
0000020: 0600 0002 9e2d 73fc 819e 7030 1d33 1600  .....-s...p0.3..
0000030: 8000 0000 7077 6869 7474 6e65 7941 5462  ....pwhittneyATb
0000040: 6163 2e6e 6574 2e61 7363 09d5 100c d951  ac.net.asc.....Q
...

And for the zip file for comparison...
$ xxd example.zip
0000000: 504b 0304 1400 0000 0800 819e 7030 9e2d  PK..........p0.-
0000010: 73fc 2805 0000 b606 0000 1600 0000 7077  s.(...........pw
0000020: 6869 7474 6e65 7941 5462 6163 2e6e 6574  hittneyATbac.net
0000030: 2e61 7363 7d95 c7ae eb58 0e45 e7fa 8a3b  .asc}....X.E...;
...

-Paul Whittney

On Thu, Mar 18, 2004 at 07:50:55AM -0800, Chris Masters wrote:
> Slightly OT!
> 
> I've been doing some research into having a look
> inside the rar much like the way a lot of people on
> here scan inside zips for banned file types.
> 
> It seems rar isn't supported on Linux that well.
> Winrar have a Linux executable. Redhat don't provide
> an rpm.
> 
> The Archive::Rar perl module seems to wrap the Winrar
> exe.
> 
> Anybody got any more info on this?
> 
> Anybody scanning inside rars?
> 
> Cheers, Chris
> 
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
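An added example, not part of the original message and not MIMEDefang or File::Scan code: the second suggestion above (recognise a RAR and look at the names inside), done by reading the RAR 1.5-4.x block headers visible in the xxd dump without unpacking anything. The function names and the BANNED extension list are assumptions; SAMPLE is the 80 bytes shown in the message.

```python
import struct

MARKER = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x signature (first 7 bytes of the dump)
BANNED = (".exe", ".scr", ".pif", ".com")  # assumed policy list, not from the post

# First 80 bytes of example.rar, copied from the xxd output in the message.
SAMPLE = bytes.fromhex(
    "5261 7221 1a07 00cf 9073 0000 0d00 0000"
    "0000 0000 d438 7420 8036 004b 0500 00b6"
    "0600 0002 9e2d 73fc 819e 7030 1d33 1600"
    "8000 0000 7077 6869 7474 6e65 7941 5462"
    "6163 2e6e 6574 2e61 7363 09d5 100c d951")


def rar_names(buf):
    """Return (names, headers_encrypted) from RAR 1.5-4.x block headers.

    Nothing is decompressed; a truncated buffer just ends the walk early.
    """
    if not buf.startswith(MARKER):
        raise ValueError("no RAR 1.5-4.x marker at offset 0")
    names, pos = [], len(MARKER)
    while pos + 7 <= len(buf):
        # Common 7-byte prefix: HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", buf, pos)
        if hsize < 7:
            break  # a corrupt size would otherwise loop forever
        if htype == 0x73 and flags & 0x0080:
            return names, True  # archive header: block headers are encrypted
        add = 0
        if flags & 0x8000 and pos + 11 <= len(buf):
            add = struct.unpack_from("<I", buf, pos + 7)[0]  # packed data length
        if htype == 0x74 and pos + 32 <= len(buf):  # file header
            nsize = struct.unpack_from("<H", buf, pos + 26)[0]
            start = pos + 32
            if flags & 0x0100:  # 64-bit sizes: two extra 32-bit fields before name
                if start + 4 <= len(buf):
                    add += struct.unpack_from("<I", buf, start)[0] << 32
                start += 8
            raw = buf[start:start + nsize].split(b"\0")[0]  # drop Unicode tail
            names.append(raw.decode("latin-1"))
        pos += hsize + add
    return names, False


def banned(names):
    """Names whose final extension is on the BANNED list (case-insensitive)."""
    return [n for n in names if n.lower().endswith(BANNED)]
```

When the second return value is true the names cannot be read from the headers, so a filter has to decide on the archive as a whole.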