[Mimedefang] clamav
Jack Olszewski
jacek at hermes.net.au
Fri Jun 10 22:25:53 EDT 2005
From: -ray <ray at ops.selu.edu>
Subject: [Mimedefang] clamav
Date: Fri, 10 Jun 2005 17:06:04 -0500 (CDT)
ray>
ray> Clamav has missed a few zip virii lately. I believe variants of the Mytob
ray> virus. Most of them when unzipped have the same format:
ray>
ray> [root at norm tmp]# unzip accepted-password.zip
ray> Archive: accepted-password.zip
ray> extracting: accepted-password.txt .exe
ray>
ray> Notice lots and lots of spaces in the filename to fool users into thinking
ray> it's a .txt file. Has anyone coded a MD rule to check for more than say
ray> 10 consecutive spaces in a filename in a zip file? Should be pretty
ray> simple, just haven't had time to look at it yet...
ray>
Here it is:
--------------------------------------------------------------------
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # bounce mail with possibly infected attachments
    # check for a zipped executable with '... .exe' type of name, spaces
    # before extension
    # put into action on 1-06-04
    if (lc($ext) =~ /zip/) {
        my $path   = $entity->bodyhandle->path;
        my $size   = -s $path;    # only open small archives
        my $badext = 0;
        if ($size < 200000) {
            my $zip = Archive::Zip->new();
            if ($zip->read($path) == AZ_OK) {
                foreach my $member ($zip->members()) {
                    my $file = $member->fileName();
                    # whitespace run directly before an executable extension
                    if (lc($file) =~ /\s+\.(bat|cmd|exe|pif|scr)/) {
                        $badext = 1;
                        last;
                    }
                }
            }
        }
        return action_bounce("Rejected, bad attachment, see http://www.hermes.net.au/badatt.php") if $badext;
    }
    action_accept();
}
---------------------------------------------------------------------
J
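The same check, written here as an added example rather than code from the thread, in Python so it can be run against a constructed archive: it builds an in-memory zip whose member name follows the "name.txt<many spaces>.exe" pattern quoted above, mirrors the 200000-byte size cap of the Perl rule, and anchors the extension to the end of the member name (the Perl regex leaves it unanchored). The extension list, the size cap and the helper names are taken from or modelled on the filter above; the sample member names are constructed.

```python
import io
import re
import zipfile

# Executable extensions the MIMEDefang rule above rejects when preceded by
# whitespace; anchored to the end of the name so "x .exe" hits but "x .exe.txt" does not.
PADDED_EXE_RE = re.compile(r'\s+\.(bat|cmd|exe|pif|scr)$', re.IGNORECASE)


def padded_executable_members(zip_bytes, max_size=200000):
    """Return member names whose executable extension is preceded by whitespace.

    An empty list is returned for archives over max_size (same cap as the
    Perl rule) and for data that is not a readable zip, so the caller can
    fall through to its normal handling, as the Perl filter does.
    """
    if len(zip_bytes) > max_size:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [name for name in zf.namelist() if PADDED_EXE_RE.search(name)]
    except zipfile.BadZipFile:
        return []


def build_sample_zip(names):
    """Build an in-memory zip with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b'constructed placeholder content, not an executable')
    return buf.getvalue()


if __name__ == '__main__':
    # Constructed member name modelled on the one quoted in the thread.
    suspicious = build_sample_zip(['accepted-password.txt' + ' ' * 60 + '.exe'])
    benign = build_sample_zip(['report.txt', 'notes .txt'])
    print(padded_executable_members(suspicious))  # one padded .exe member
    print(padded_executable_members(benign))      # []
```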