[Mimedefang] clamav

Jack Olszewski jacek at hermes.net.au
Fri Jun 10 22:25:53 EDT 2005

From: -ray <ray at ops.selu.edu>
Subject: [Mimedefang] clamav
Date: Fri, 10 Jun 2005 17:06:04 -0500 (CDT)

ray> Clamav has missed a few zip virii lately.  I believe variants of the Mytob 
ray> virus.  Most of them when unzipped have the same format:
ray> [root at norm tmp]# unzip accepted-password.zip
ray> Archive:  accepted-password.zip
ray>   extracting: accepted-password.txt                                                                      .exe
ray> Notice lots and lots of spaces in the filename to fool users into thinking 
ray> it's a .txt file.  Has anyone coded a MD rule to check for more than say 
ray> 10 consequtive spaces in a filename in a zip file?  Should be pretty 
ray> simple, just haven't had time to look at it yet...

Here it is:
use Archive::Zip qw( :ERROR_CODES );

sub filter {
    my($entity, $fname, $ext, $type) = @_;
# bounce mail with possibly infected attachments
# check for a zipped executable with '...      .exe' type of name, spaces
# before extension
# put into action on 1-06-04
    if (lc($ext) =~ /zip/) {
        my $path = $entity->bodyhandle->path;
        my $size = (stat($entity->bodyhandle->path))[7];
        my $badext = 0;
        if (lc($ext) =~ /zip/ && $size <200000) {
            my $zip = Archive::Zip->new();
            if ($zip->read($path) == AZ_OK) {
                my @members = $zip->members();
                foreach my $member (@members) {
                    my $file = $member->fileName();
                    if (lc($file) =~ /\s+\.(bat|cmd|exe|pif|scr)/) {
                        $badext = 1;
        return action_bounce("Rejected, bad attachment, see http://www.hermes.ne
t.au/badatt.php") if $badext;


More information about the MIMEDefang mailing list