A virus inside a zip file inside another zip file of SAME name is not discovered

Peter Bonivart peter at UCGBOOK.COM
Thu Aug 5 23:52:03 IST 2004


<x-flowed>
Gerard Cleary wrote:
> We received such a virus but luckily the user became suspicious at a zip
> being inside a zip file.
> I tried putting the eicar test virus inside such a setup but Linux zip
> doesn't bother doing the second level zip if I use the same name. So I
> changed the name of the second level zip file, created the second level
> archive file then used vi on that archive file to change the name of the
> first level archive to be the same as the second level archive file. I ended
> up with the eicar test virus inside a zip file called level2.zip which was
> enclosed in another zip file called level2. MailScanner allows this file to
> pass without comment. I can unzip the file to get to the enclosed eicar test
> virus. On the second unzip, I get asked if I want to overwrite the existing
> level2 file. If I use the same 2 level archive file but change the name of
> the inside archive file to say level3.zip, MailScanner correctly catches the
> eicar test virus and leaves its calling card message.

What version MS are you using? This sounds like the bug Julian posted a
patch for and it's fixed in 4.32.5.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.32.5,
SpamAssassin 2.63 + DCC 1.2.50, ClamAV 0.75.1 + GMP 4.1.2, Vispan 1.4

</x-flowed>
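The test case from the quoted report, as an added example that is not part of the original thread and is not MailScanner's code: a scanner that opens nested archives from memory and labels each member by index as well as name, so a same-name inner zip is still examined. The thread does not state the cause of the bug; the marker string, limits and function names below are assumptions made for illustration.

```python
import io
import zipfile

# Constructed stand-in for the EICAR test string (assumption: any harmless marker works here).
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-A-VIRUS"
MAX_DEPTH = 5                  # refuse to recurse forever on nested archives
MAX_MEMBER_BYTES = 10 * 2**20  # skip members declaring more than 10 MiB

def make_zip(member_name, data):
    """Build a one-member zip in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()

def scan(data, path, depth=0):
    """Return (path, reason) findings. Nested zips are opened from memory,
    so no member is written to disk under its own (possibly clashing) name."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(path, "marker")] if MARKER in data else []
    if depth >= MAX_DEPTH:
        return [(path, "too-deep")]  # report unscanned content rather than pass it
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for index, info in enumerate(zf.infolist()):
            # Index plus name keeps each member distinct even when names repeat.
            child = f"{path}/[{index}]{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((child, "too-large"))
                continue
            findings += scan(zf.read(info), child, depth + 1)
    return findings

def demo():
    inner = make_zip("eicar.com", MARKER)
    same = make_zip("level2.zip", inner)   # inner archive shares the outer's name
    other = make_zip("level3.zip", inner)  # control case from the post
    return scan(same, "level2.zip"), scan(other, "level2.zip")

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Anything the scanner declines to open (too deep, too large) is returned as a finding, so the caller can quarantine it instead of treating it as clean.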


