'Empty' zip files?

Alex Neuman alex at nkpanama.com
Mon Aug 9 13:09:05 IST 2004


This message in particular "tripped" Norton Antivirus 2004 for Windows.
Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus pop
up and say it found something since I installed MS so many months ago.

I usually have to get rid of the "catch all double extensions" rule because
of clients who insist on being able to name their files whatever they want;
I guess this means I'll have to use rules to disallow "dot + three
characters + dot zip"...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Remco Barendse
Sent: Monday, August 09, 2004 4:42 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: 'Empty' zip files?

Guess this is slightly off-topic but we are getting viruses with a zipfile
(in the form of usernamemydomainname.com.zip).

MailScanner traps these zip files because of filename rules. The strange
thing is however that MS is just reporting a filename problem and no
virus name. The zip file in /var/spool/MailScanner/quarantine has a file
size of 0 (that would explain why no virus was reported) but I think the
zip file may not be 0 size on every client.

When I look into the df/qf pair there is a considerable amount of
data in it that would be for the attachment.

Could there be something wrong with the mime decoder and would M$ Outlook
be able to decode it properly (which would potentially mean that we would
be vulnerable to the virus)?

I will paste the top part of the df file here:

This is a multi-part message in MIME format.

------=_NextPart_000_0005_653AB3AB.01F72A06
Content-Type: text/plain;
         charset=us-ascii
Content-Transfer-Encoding: base64

