[Mimedefang] quick heads up: tampered zip passes viruscheck
Jan Pieter Cornet
johnpc at xs4all.nl
Thu Oct 21 20:36:24 EDT 2004
This came by on the clamav mailinglist, and it went straight through
both of my virus scanners built into mimedefang:
http://www.xs4all.nl/~johnpc/eicar-hidden2.zip
It's a tampered .zip file which includes a copy of EICAR. You might
want to test how your virus scanners handle it. At least "zip" from
InfoZip unpacks it, albeit with a warning, producing a "real"
virus (EICAR).
It's possible to detect this with a bit of Archive::Zip prodding,
but it's too late for me to try that right now.
--
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet
More information about the MIMEDefang
mailing list