dealing with zips with corrupted headers

Chris Yuzik chris at fractalweb.com
Wed Nov 5 02:04:23 GMT 2003


Hi everyone,

No sooner do we (well...Julian) come out with a workaround for the extra status
line that ClamAV was spitting out than another virus uses similar zip-header
trickery to sneak through our scanners.

Worm.Mimail.G arrives in a zip file called "readnow.zip" that strangely gets a
simple "OK" from clamscan, and the virus goes right through. After some
experimenting, I've figured out that the virus will happily unzip with the
console unzip tool, but complains with the following message:

# unzip readnow.zip
Archive:  readnow.zip
warning [readnow.zip]:  3 extra bytes at beginning or within zipfile
  (attempting to process anyway)
file #1:  bad zipfile offset (local header sig):  3
  (attempting to re-compensate)
 extracting: readnow.doc.scr

After reading the man page for clamscan, I came across an option that disables
clamscan's internal archive tools. When I typed "clamscan --disable-archive
readnow.zip" I got the expected response of "readnow.zip: Worm.Mimail.G
FOUND".

Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
removing the "--unzip" option and replacing it with "--disable-archive"? Am I
on the right track?

Thanks,
Chris
--
Chris Yuzik
chris at fractalweb.com
604-304-0444

"Reality is that which, when you stop believing in it, doesn't go
away".
                -- Philip K. Dick
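
The condition unzip reports above ("3 extra bytes at beginning or within zipfile" followed by "bad zipfile offset (local header sig): 3") is what you get when bytes are inserted in front of a zip without its offset fields being patched: the end-of-central-directory record and every central-directory entry still carry the old offsets, so a reader that trusts them lands 3 bytes short of each header, while unzip measures the skew from where it actually found the EOCD record and re-compensates. The script below is an added example written for this page, not code from the poster, MailScanner or ClamAV. It builds a constructed one-member archive with the Python standard library, prepends three bytes the same way, runs unzip's skew check over it, and contrasts an illustrative offset-trusting reader with the resynchronising behaviour of Python's own zipfile module. The member name and payload are stand-ins for the sample named in the post, and the offset-trusting reader is an assumed failure mode for illustration, not a claim about how clamscan's archive code worked.

```python
# Added example: reproduce the "extra bytes at beginning" condition on a
# constructed archive and compare an offset-trusting reader with a
# resynchronising one (what unzip's "attempting to re-compensate" means).
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Constructed stand-in for the member named in the post; not a real sample.
MEMBER_NAME = "readnow.doc.scr"
PAYLOAD = b"MZ" + b"\x00" * 14 + b"constructed test content, not a real executable"


def build_archive(name=MEMBER_NAME, payload=PAYLOAD):
    """Well-formed single-member zip written by the standard library (stored,
    so the bytes around each header are deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def prepend_junk(archive, junk=b"\x00\x00\x00"):
    """Shift the whole file without patching any offset: every offset in the
    central directory and the EOCD record is now stale by len(junk)."""
    return junk + archive


def read_eocd(data):
    """Find the end-of-central-directory record (searched from the end, as
    every zip reader does) and return its position and the fields we need."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or len(data) - pos < 22:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_total,
     cd_size, cd_offset, _comment_len) = struct.unpack("<4sHHHHIIH", data[pos:pos + 22])
    return pos, n_total, cd_size, cd_offset


def audit_offsets(data):
    """unzip's consistency check: the EOCD must sit right after the central
    directory, so eocd_pos - (cd_offset + cd_size) is the count of "extra
    bytes at beginning or within zipfile". Each entry's recorded local-header
    offset is then tested as-is and again with that skew applied."""
    eocd_pos, n_total, cd_size, cd_offset = read_eocd(data)
    extra = eocd_pos - (cd_offset + cd_size)
    entries = []
    pos = cd_offset + extra  # resynchronised start of the central directory
    for _ in range(n_total):
        hdr = data[pos:pos + 46]
        if len(hdr) < 46 or hdr[:4] != CENTRAL_SIG:
            raise ValueError("central directory damaged beyond a simple shift")
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", hdr)
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        at_recorded = data[local_off:local_off + 4] == LOCAL_SIG
        at_shifted = data[local_off + extra:local_off + extra + 4] == LOCAL_SIG
        entries.append({
            "name": name,
            "recorded_offset": local_off,
            "recorded_offset_valid": at_recorded,
            "skew": extra if (not at_recorded and at_shifted) else 0,
        })
        pos += 46 + name_len + extra_len + comment_len
    return {"extra_bytes": extra, "entries": entries}


def trusted_offsets_member(data):
    """Illustrative (assumed) failure mode: a reader that believes the recorded
    offsets and gives up (returns None) when no header is where the directory
    says. On the shifted file it never even finds the central directory."""
    _pos, n_total, _size, cd_offset = read_eocd(data)
    if n_total == 0 or data[cd_offset:cd_offset + 4] != CENTRAL_SIG:
        return None
    f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[cd_offset:cd_offset + 46])
    name_len, local_off = f[10], f[16]
    if data[local_off:local_off + 4] != LOCAL_SIG:
        return None
    return data[cd_offset + 46:cd_offset + 46 + name_len].decode("utf-8", "replace")


def resync_extract(data):
    """Python's zipfile, like unzip, derives the skew from the EOCD position
    and adds it to every header offset, so the shifted archive still opens."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    shifted = prepend_junk(build_archive())
    print(audit_offsets(shifted))
    print("offset-trusting reader:", trusted_offsets_member(shifted))
    print("resynchronising reader:", list(resync_extract(shifted)))
```

Run it as a script and the audit reports extra_bytes 3 with the member's recorded offset marked invalid and a skew of 3; the offset-trusting reader returns None while the resynchronising one still lists readnow.doc.scr. The useful operational point is the audit itself: a non-zero extra_bytes on mail attachments is a cheap signal that an archive has been padded, whichever unpacker the scanner ends up using.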
