[Mimedefang] Zip --> Zip --> PIF

Arthur Corliss corliss at digitalmages.com
Fri Feb 18 17:16:43 EST 2005

On Fri, 18 Feb 2005, David Eisner wrote:

> I just received an interesting virus.  It's a fake bounce with an
> attachment named letter.zip.  It made it through mimedefang (2.49)
> unscathed.
> I unzipped letter.zip, which contained a single file, named . . .
> letter.zip (kind of like Russian dolls).
> I unzipped the interior letter.zip, which contained a Letter.pif.  It
> appears to be Win32.Mydoom.am (according to Kasperky.com):
> http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056
> Am I correct that mimedefang will not recursively unzip files when
> searching for harmful attachments?

Mimedefang may not recursively unzip attachments, but if you're using a
scanner like Clamav with it, that should handle and stop viruses like that
from getting through.

Personally, I don't think mimedefang should even have to do that out of the
box.  Ideally it should just decode the original attachments and let the
scanner scan the applicable archives itself.  Besides, it's trivial to code
your own recursive decompressor if you really need/want it.

	--Arthur Corliss
	  Bolverk's Lair -- http://arthur.corlissfamily.org/
	  Digital Mages -- http://www.digitalmages.com/
	  "Live Free or Die, the Only Way to Live" -- NH State Motto

More information about the MIMEDefang mailing list