[Mimedefang] Zip --> Zip --> PIF

David Eisner cradle at umd.edu
Fri Feb 18 18:14:33 EST 2005


Arthur Corliss wrote:

>On Fri, 18 Feb 2005, David Eisner wrote:
>
>>I just received an interesting virus.  It's a fake bounce with an
>>attachment named letter.zip.  It made it through mimedefang (2.49)
>>unscathed.
>>
>>I unzipped letter.zip, which contained a single file, named . . .
>>letter.zip (kind of like Russian dolls).
>>I unzipped the interior letter.zip, which contained a Letter.pif.  It
>>appears to be Win32.Mydoom.am (according to Kaspersky.com):
>>http://www.viruslist.com/en/viruses/encyclopedia?virusid=74056
>>
>>Am I correct that mimedefang will not recursively unzip files when
>>searching for harmful attachments?
>
>Mimedefang may not recursively unzip attachments, but if you're using a
>scanner like Clamav with it, that should handle and stop viruses like that
>from getting through.
>

I'm not suggesting the behavior of Mimedefang is wrong, I just want to
make sure I understand what it's doing.

The problem is that in general there is a delay between the time a virus
outbreak occurs, and the time that virus scanners have updated DATs that
detect it.  That's one of the great things about Mimedefang -- it
removes the potentially harmful attachment during this window.

In our case, we're using McAfee Virusscan.  Oddly, it still doesn't
detect this worm.

-David

---------------------------------------------------------
D a v i d  E i s n e r        c r a d l e @ u m d . e d u   
CALCE EPSC                         University of Maryland    
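A defender-side illustration of the gap discussed in this thread, added here and not part of the original posts or of MIMEDefang itself: a Python routine that walks nested zip archives in memory and reports members with a dangerous extension at any depth, with a nesting limit and a size cap so a crafted archive cannot exhaust the scanner. The extension list, the limits, and the letter.zip/letter.zip/Letter.pif sample archive are constructed for this example.

```python
import io
import os
import zipfile

# Attachment extensions a mail filter would normally strip (illustrative list).
DANGEROUS_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}
MAX_DEPTH = 3                          # how many nested archives to descend into
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # do not inflate members bigger than this

def find_dangerous_members(data, depth=0, path=""):
    """Return paths like 'letter.zip/Letter.pif' for every member, at any nesting
    level, whose extension is dangerous; nested zips are opened in memory only."""
    if depth > MAX_DEPTH:
        return [f"{path} <nesting limit exceeded>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                      # not a zip at all, nothing to descend into
    hits = []
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if os.path.splitext(info.filename)[1].lower() in DANGEROUS_EXTENSIONS:
                hits.append(member)
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(f"{member} <too large to inspect>")
                continue
            try:
                inner = zf.read(info)
            except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected
                hits.append(f"{member} <unreadable>")
                continue
            if inner[:4] == b"PK\x03\x04":   # local-file-header magic: another zip
                hits.extend(find_dangerous_members(inner, depth + 1, member))
    return hits

def build_sample():
    """Construct in memory the layout from the message: letter.zip containing
    letter.zip containing Letter.pif (constructed stand-in bytes, not the worm)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Letter.pif", b"constructed placeholder payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("letter.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(find_dangerous_members(build_sample()))  # ['letter.zip/Letter.pif']
```

Because the recursion keys on the zip magic bytes rather than the file name, a nested archive renamed to a harmless extension is still descended into.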