[Mimedefang] Re: Dealing with encrypted zip viruses
Frank Doepper
mimedefang at taz.de
Wed May 5 10:05:44 EDT 2004
On 04.05.04 at 15:42, Kelson Vibber wrote:
>At 01:43 PM 5/4/2004, David F. Skoll wrote:
>>We permit encrypted zip files if there is no .exe, .pif, etc. in them.
>>The Archive::Zip perl module can look inside zip files, and even list
>>the filenames in encrypted zips.
>
>That sounds like it ought to work. I'll check the list archives and see if
>there's anything I can use as a starting point.
We do it like this:
use Archive::Zip qw(:ERROR_CODES);   # AZ_OK etc.

if ($fname =~ /\.zip/i) {
    if (my $zip = Archive::Zip->new($entity->bodyhandle->path)) {
        # only look at ZIPs with exactly 1 member
        if ($zip->numberOfMembers == 1) {
            my ($name) = $zip->memberNames;
            my $member = $zip->memberNamed($name);
            # /i: the name test is case-insensitive, like the .zip test above
            if ($member->isEncrypted && $name =~ /\.(?:com|exe|bat|pif|scr)$/i) {
                # exactly 1 encrypted member with a bad name found; the content
                # cannot be read without the password, so the name alone decides
                md_graphdefang_log("CRYPTZIPEXE", "$fname:$name", $RelayAddr);
                action_bounce("DOS EXEcutable in ZIP attachment found. "
                            . "Mail rejected.");
            } else {
                # read the first two bytes of the member's (decompressed) data
                $member->rewindData;
                my ($outRef, $status) = $member->readChunk(2);
                if ($status == AZ_OK && $$outRef eq "MZ") {
                    # EXE signature ("MZ") in member found
                    md_graphdefang_log("ZIPEXE", "$fname:$name", $RelayAddr);
                    action_bounce("DOS EXEcutable in ZIP attachment found. "
                                . "Mail rejected.");
                }
            }
            $member->endRead;
        }
    }
    # log other ZIPs for debugging
    unless (message_rejected()) {
        my $size = (stat($entity->bodyhandle->path))[7];
        md_graphdefang_log("ZIP", $fname, $size);
    }
}
best wishes -
FD
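The check Frank describes (look at the member names of a ZIP, treat an encrypted member with an executable extension as a rejection, and otherwise peek at the member's first two bytes for the "MZ" header) can be reproduced outside MIMEDefang with Python's standard zipfile module. The following is an added example, not code from the post or from MIMEDefang; it generalises the filter to archives with any number of members rather than exactly one. The function names scan_zip and build_zip, the EXEC_NAME pattern and the SAMPLE archive are this example's own. Because zipfile cannot write encrypted entries, the test archive is assembled by hand as stored members; "encrypted" there only means general-purpose flag bit 0 is set, with no real encryption applied.

```python
import io
import re
import struct
import zipfile
import zlib

# Same extension list as the filter in the post; case-insensitive so .EXE and .Scr match too.
EXEC_NAME = re.compile(r"\.(?:com|exe|bat|pif|scr)$", re.IGNORECASE)


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Inspect every member of a ZIP given as bytes and return (member, tag) findings.

    Tags mirror the post's log events: CRYPTZIPEXE for an encrypted member with an
    executable name, ZIPEXE for a readable member that has an executable name or
    starts with the MZ header. An encrypted member with an innocent name is passed:
    without the password its content cannot be read, which is the blind spot of
    this whole approach rather than something a parser can close.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            if EXEC_NAME.search(info.filename):
                findings.append((info.filename, "CRYPTZIPEXE" if encrypted else "ZIPEXE"))
                continue
            if encrypted:
                continue  # name is clean and the data is unreadable: nothing more to check
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((info.filename, "ZIPEXE"))
    return findings


# --- constructed test archive -------------------------------------------------
# Hand-assembled ZIP with stored (method 0) members. An "encrypted" member here
# only has flag bit 0 set and a dummy 12-byte header in front of its data.

DOS_DATE = (2004 - 1980) << 9 | 5 << 5 | 5  # 2004-05-05; any valid DOS date will do


def build_zip(members: list[tuple[str, bytes, bool]]) -> bytes:
    """members: (name, content, encrypted). Returns the archive bytes."""
    body, central = bytearray(), bytearray()
    for name, content, encrypted in members:
        flags = 0x1 if encrypted else 0
        payload = (b"\x00" * 12 + content) if encrypted else content
        crc = zlib.crc32(content)
        fname = name.encode("ascii")
        offset = len(body)
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, DOS_DATE,
                            crc, len(payload), len(content), len(fname), 0)
        body += fname + payload
        # central directory entry: as above plus comment len, disk, attributes, local header offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, DOS_DATE,
                               crc, len(payload), len(content), len(fname), 0, 0, 0, 0, 0, offset)
        central += fname
    cd_offset = len(body)
    body += central
    # end of central directory record
    body += struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                        len(central), cd_offset, 0)
    return bytes(body)


# Constructed sample: one clean file, two detectable executables, one encrypted
# executable caught by name, one encrypted executable that slips through.
SAMPLE = build_zip([
    ("invoice.pdf", b"%PDF-1.4 constructed sample", False),  # clean
    ("photo.scr",   b"not really a screensaver",   False),  # executable name
    ("readme.txt",  b"MZ\x90\x00 fake DOS header", False),  # renamed EXE, caught by MZ
    ("setup.EXE",   b"MZ\x90\x00 fake DOS header", True),   # encrypted, caught by name
    ("notes.txt",   b"MZ\x90\x00 fake DOS header", True),   # encrypted + innocent name: missed
])

if __name__ == "__main__":
    for member, tag in scan_zip(SAMPLE):
        print(f"{tag}: {member}")
```

Run against SAMPLE this reports photo.scr and readme.txt as ZIPEXE and setup.EXE as CRYPTZIPEXE; notes.txt is not reported even though its data is an executable, which is exactly why the filter in the post has to decide on the name alone for encrypted members. Reading only two bytes keeps the cost per member negligible, so there is no reason to restrict the check to single-member archives as the post's filter does.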