A virus inside a zip file inside another zip file of SAME name is not discovered

Gerard Cleary gcle at SMCAUS.COM.AU
Thu Aug 5 23:30:49 IST 2004


We received such a virus but luckily the user became suspicious at a zip
being inside a zip file.
I tried putting the eicar test virus inside such a setup but Linux zip
doesn't bother doing the second level zip if I use the same name. So I
changed the name of the second level zip file, created the second level
archive file then used vi on that archive file to change the name of the
first level archive to be the same as the second level archive file. I ended
up with the eicar test virus inside a zip file called level2.zip which was
enclosed in another zip file called level2. MailScanner allows this file to
pass without comment. I can unzip the file to get to the enclosed eicar test
virus. On the second unzip, I get asked if I want to overwrite the existing
level2 file. If I use the same 2 level archive file but change the name of
the inside archive file to say level3.zip, MailScanner correctly catches the
eicar test virus and leaves its calling card message.
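
The case described in this post, as an added example that is not part of the original message and is not MailScanner's code: a scanner that unpacks nested zips in memory and identifies every member by its full container path, so the result is the same whatever the inner archive is called. The marker string stands in for the EICAR test file; `build_nested`, `scan`, the `!` path separator and the two limits are assumptions made for the example.

```python
import io
import zipfile

# Constructed stand-in for the EICAR test file; a real gateway would pass each
# extracted member to its virus scanner instead of matching a marker.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"
MAX_DEPTH = 5                    # assumed limit on archive nesting
MAX_MEMBER_BYTES = 10 * 1024**2  # assumed limit on one unpacked member


def build_nested(inner_zip_name):
    """Constructed sample: marker file inside a zip inside an outer zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("eicar.com", MARKER)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(inner_zip_name, inner.getvalue())
    return outer.getvalue()


def scan(data, path, depth=0):
    """Return (findings, warnings) for a zip held in memory as bytes."""
    findings, warnings = [], []
    if depth > MAX_DEPTH:
        return findings, [f"{path}: nested too deeply, not scanned"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            member = f"{path}!{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                warnings.append(f"{member}: too large, not scanned")
                continue
            if info.filename.rsplit("/", 1)[-1] == path.rsplit("!", 1)[-1]:
                warnings.append(f"{member}: same name as its container")
            body = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):
                found, warned = scan(body, member, depth + 1)
                findings += found
                warnings += warned
            elif MARKER in body:
                findings.append(member)
    return findings, warnings


if __name__ == "__main__":
    print(scan(build_nested("level2.zip"), "level2.zip"))
    print(scan(build_nested("level3.zip"), "level2.zip"))
```

Anything the scanner skips is reported as a warning rather than passed silently, so a gateway using this pattern can quarantine on warnings as well as on findings.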
