Zip of Death

Julian Field mailscanner at ecs.soton.ac.uk
Tue Jun 10 11:38:56 IST 2003


At 03:36 10/06/2003, you wrote:
>Sophos sweep finished scanning the 42.zip and found it to be a denial of
>service attack.

i.e. MailScanner found it to be a DoS attack :-)
(unless you actually ran sweep by hand)


>Mike
>
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Mike Kercher
> > Sent: Monday, June 09, 2003 9:32 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Zip of Death
> >
> >
> > I just ran it through my system.  It appears that Sophos is
> > scanning each embedded zip file.  This could take a while! :)
> >
> > Mike
> >
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > > Behalf Of Ernest W. Lessenger
> > > Sent: Monday, June 09, 2003 4:09 PM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Zip of Death
> > >
> > >
> > > I just sent it through my system and both the primary
> > > (f-prot) and secondary (Norman AV) scanners caught it. Trend Micro
> > > running on my computer caused a blue-screen in Windows XP :)
> > >
> > > Good news is I don't think my proxy server will be affected by this
> > > particular file. Bad news is I now know how to create one that will
> > > kill it. I'll have to get the developer to patch :(
> > >
> > > --Ernest
> > >
> > > At 04:55 PM 6/9/2003 -0400, you wrote:
> > > >I sent this thru my current MS setup and CLAMAV found it in a
> > > >heartbeat!!!!
> > > >
> > > >Thanks for the resource link!
> > > >Michael Weiner
> > > >
> > > >-----Original Message-----
> > > >From: Steffan Henke [mailto:henker at SHCOM.US]
> > > >Sent: Monday, June 09, 2003 4:43 PM
> > > >To: MAILSCANNER at JISCMAIL.AC.UK
> > > >Subject: Re: Zip of Death
> > > >
> > > >On Mon, 9 Jun 2003, Ernest W. Lessenger wrote:
> > > >
> > > > > I'd be happy to know how to defend against this (presumably by
> > > > > watching out for a loop in the decompression routine), or happier
> > > > > to have a sample to test with. PLEASE DON'T EMAIL IT LIVE!!!!
> > > >
> > > >You could download a testfile from here: http://www.fefe.de/, it's the
> > > >link "why anti viruses don't work" at the bottom of the page. Norton
> > > >seems to choke on it, not sure about other products.
> > > >
> > > >Regards,
> > > >
> > > >Steffan
> > >
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
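
Added example (not part of the original thread, and not MailScanner's or any anti-virus vendor's code): one way to address the question quoted earlier in this thread about how to defend against archives like 42.zip is to cap nesting depth and total unpacked bytes while walking embedded zips. The limits, the names scan_zip and build_nested, and the small nested sample are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_DEPTH = 3               # assumed cap on zip-inside-zip nesting
MAX_TOTAL_BYTES = 1 << 20   # assumed budget for all unpacked data (1 MiB)

class ArchiveLimitExceeded(Exception):
    """Raised when scanning would exceed a configured limit."""

def scan_zip(data, depth=1, budget=None):
    """Walk an in-memory zip; return total bytes unpacked or raise on a limit."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]          # shared across all nesting levels
    if depth > MAX_DEPTH:
        raise ArchiveLimitExceeded("nesting deeper than %d" % MAX_DEPTH)
    unpacked = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                # Bounded read: the declared file_size is attacker-controlled,
                # so never read more than the remaining budget plus one byte.
                chunk = member.read(budget[0] + 1)
            if len(chunk) > budget[0]:
                raise ArchiveLimitExceeded("unpacked data over budget")
            budget[0] -= len(chunk)
            unpacked += len(chunk)
            if zipfile.is_zipfile(io.BytesIO(chunk)):   # embedded archive
                unpacked += scan_zip(chunk, depth + 1, budget)
    return unpacked

def build_nested(levels, payload):
    """Constructed sample: wrap payload in `levels` layers of zip."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("layer%d.bin" % i, data)
        data = buf.getvalue()
    return data

if __name__ == "__main__":
    print(scan_zip(build_nested(2, b"\0" * 1000)))   # within both limits
    oversized = build_nested(1, b"\0" * (MAX_TOTAL_BYTES + 1))
    for sample in (build_nested(4, b"x"), oversized):
        try:
            scan_zip(sample)
        except ArchiveLimitExceeded as exc:
            print("rejected:", exc)
```

Because the budget is shared across every nesting level, the total work stays bounded no matter how the archive fans out; a scanner would report the rejection as a verdict rather than keep unpacking.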


