dealing with zips with corrupted headers

Ulysees Ulysees at ULYSEES.COM
Wed Nov 5 10:41:32 GMT 2003

Is it just me, or does the latest version of Sophos not see it either?


> Hi everyone,
> No sooner do we (well...Julian) come out with a workaround for the extra status
> line that ClamAV was spitting out than another virus is using similar
> trickery to sneak through our scanners.
> Worm.Mimail.G arrives in a zip file called "" that strangely gets a
> simple "OK" from clamscan, and the virus goes right through. After some
> experimenting, I've figured out that the virus will happily unzip with the
> console unzip tool, but complains with the following message:
> # unzip
> Archive:
> warning []:  3 extra bytes at beginning or within zipfile
>   (attempting to process anyway)
> file #1:  bad zipfile offset (local header sig):  3
>   (attempting to re-compensate)
>  extracting: readnow.doc.scr
> After reading the man page for clamscan, I came across an option that
> clamscan's internal archive tools. When I typed
> "clamscan --disable-archive " I got the expected response of " Worm.Mimail.G
> Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper"
> removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> on the right track?
> Thanks,
> Chris
> --
> Chris Yuzik
> chris at
> 604-304-0444
> "Reality is that which, when you stop believing in it, doesn't go
> away".
>                 -- Philip K. Dick
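
Added example, not part of the original thread and not MailScanner, ClamAV or unzip code: a Python check for the offset mismatch that unzip warns about above, comparing the offsets recorded in the archive with where the structures actually sit, so a gateway can flag such a file instead of trusting a scanner's "OK". The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def zip_offset_report(data: bytes) -> dict:
    """Compare the offsets a zip records with where its structures really sit."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return {"suspicious": True, "reason": "no end-of-central-directory record"}
    # EOCD: sig, disk, cd disk, entries on disk, entries, cd size, cd offset, comment len
    fields = struct.unpack("<4s4H2LH", data[eocd:eocd + 22])
    entries, cd_size, cd_offset = fields[4], fields[5], fields[6]
    pos = eocd - cd_size                    # where the central directory really starts
    report = {"extra_bytes": pos - cd_offset, "bad_local_offsets": 0}
    for _ in range(entries):
        if pos < 0 or data[pos:pos + 4] != CDIR_SIG or pos + 46 > eocd:
            report.update(suspicious=True, reason="central directory is inconsistent")
            return report
        name_len, extra_len, comment_len = struct.unpack("<3H", data[pos + 28:pos + 34])
        (local_off,) = struct.unpack("<L", data[pos + 42:pos + 46])
        if data[local_off:local_off + 4] != LOCAL_SIG:
            report["bad_local_offsets"] += 1   # recorded offset does not hit a local header
        pos += 46 + name_len + extra_len + comment_len
    report["suspicious"] = report["extra_bytes"] != 0 or report["bad_local_offsets"] > 0
    return report


def build_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a clean zip and the same zip with 3 bytes prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample, harmless text")
    clean = buf.getvalue()
    return clean, b"\x00\x00\x00" + clean


if __name__ == "__main__":
    for label, blob in zip(("clean", "shifted"), build_samples()):
        print(label, zip_offset_report(blob))
```

A non-zero `extra_bytes` or any `bad_local_offsets` means archive tools may disagree about the contents, which is a reason to quarantine the attachment rather than rely on a single scanner verdict.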
