[Mimedefang] Zip --> Zip --> PIF

David Eisner cradle at umd.edu
Fri Feb 18 18:14:33 EST 2005

Arthur Corliss wrote:

>On Fri, 18 Feb 2005, David Eisner wrote:
>>I just received an interesting virus.  It's a fake bounce with an
>>attachment named letter.zip.  It made it through mimedefang (2.49)
>>I unzipped letter.zip, which contained a single file, named . . .
>>letter.zip (kind of like Russian dolls).
>>I unzipped the interior letter.zip, which contained a Letter.pif.  It
>>appears to be Win32.Mydoom.am (according to Kasperky.com):
>>Am I correct that mimedefang will not recursively unzip files when
>>searching for harmful attachments?
>Mimedefang may not recursively unzip attachments, but if you're using a
>scanner like Clamav with it, that should handle and stop viruses like that
>from getting through.

I'm not suggesting the behavior of Mimedefang is wrong, I just want to
make sure I understand what it's doing.

The problem is that in general there is a delay between the time a virus
outbreak occurs, and the time that virus scanners have updated DATs that
detect it.  That's one of the great things about Mimedefang -- it
removes the potentially harmful attachment during this window.

In our case, we're using McAfee Virusscan.  Oddly, it still doesn't
detect this worm.


D a v i d  E i s n e r        c r a d l e @ u m d . e d u   
CALCE EPSC                         University of Maryland    

More information about the MIMEDefang mailing list