[Mimedefang] Zip --> Zip --> PIF

Arthur Corliss corliss at digitalmages.com
Fri Feb 18 17:16:43 EST 2005


On Fri, 18 Feb 2005, David Eisner wrote:

> I just received an interesting virus.  It's a fake bounce with an
> attachment named letter.zip.  It made it through mimedefang (2.49)
> unscathed.
>
> I unzipped letter.zip, which contained a single file, named . . .
> letter.zip (kind of like Russian dolls).
> I unzipped the interior letter.zip, which contained a Letter.pif.  It
> appears to be Win32.Mydoom.am (according to Kaspersky.com):
> http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056
>
> Am I correct that mimedefang will not recursively unzip files when
> searching for harmful attachments?

Mimedefang may not recursively unzip attachments, but if you're using a
scanner like ClamAV with it, that should handle and stop viruses like that
from getting through.

Personally, I don't think mimedefang should even have to do that out of the
box.  Ideally it should just decode the original attachments and let the
scanner scan the applicable archives itself.  Besides, it's trivial to code
your own recursive decompressor if you really need/want it.

	--Arthur Corliss
	  Bolverk's Lair -- http://arthur.corlissfamily.org/
	  Digital Mages -- http://www.digitalmages.com/
	  "Live Free or Die, the Only Way to Live" -- NH State Motto
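
The recursive check discussed in this thread, as an added example that is not part of either poster's message and is not MIMEDefang code: a standalone Python sketch that walks nested zip archives in memory and reports blocked extensions at any level. The extension list, depth limit, size limit and all function names are assumptions chosen for illustration, and the sample archive is constructed with harmless placeholder bytes.

```python
import io
import os
import zipfile

# Assumed policy values for this sketch; they are not MIMEDefang settings.
BAD_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
MAX_DEPTH = 5                    # reject archives nested deeper than this
MAX_MEMBER_BYTES = 10 * 2**20    # refuse to unpack members larger than 10 MiB

def find_bad_members(data, path="", depth=0):
    """Walk a zip held in memory and report risky members at any nesting level."""
    if depth > MAX_DEPTH:
        return [f"{path}: nesting deeper than {MAX_DEPTH}"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path}: unreadable archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in BAD_EXTS:
                findings.append(f"{name}: blocked extension {ext}")
            if info.flag_bits & 0x1:          # encrypted: contents cannot be checked
                findings.append(f"{name}: encrypted member")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{name}: member too large to inspect")
                continue
            body = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):   # nested archive: recurse
                findings += find_bad_members(body, name, depth + 1)
    return findings

def make_zip(member_name, payload):
    buf = io.BytesIO()           # one-member zip, used only to build the sample
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

def constructed_sample():
    """Constructed stand-in for the message: letter.zip > letter.zip > Letter.pif."""
    inner = make_zip("Letter.pif", b"harmless placeholder bytes")
    return make_zip("letter.zip", inner)

if __name__ == "__main__":
    for line in find_bad_members(constructed_sample(), "letter.zip"):
        print(line)
```

The depth and size limits matter as much as the recursion itself: without them, a deeply nested or highly compressed archive can exhaust the mail filter's memory or time budget.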
