MailScanner issue not detecting MyDoom-0 [Re: nested .zip containing bad files not being caught]

Stijn Jonker SJCJonker at SJC.NL
Mon Jul 26 21:16:17 IST 2004


Hello Bob and others,

The longer explanation is below, but as far as I can tell the reason for
non-detection is that the zip file inside the original zip file has the
same name. I think the explanation is below, and it is pointing towards
mailscanner.

=========================================================================

I think I have the same sort of issue here. I received 2 emails with a
zip file called message.zip, which contains a message.zip file, which in
turn contains a file named message.txt<lots of spaces>.pif and maybe some
control characters, but ls -alN shows nothing.

Some output:
[root:/home/maint/test]# unzip -v ../message.zip
Archive:  ../message.zip
  Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
    29370  Stored    29370   0%  07-26-04 18:22  5e811060  message.zip
--------          -------  ---                            -------
    29370            29370   0%                            1 file
[root:/home/maint/test]# unzip ../message.zip
Archive:  ../message.zip
  extracting: message.zip

[root:/home/maint/test]# unzip -t message.zip
Archive:  message.zip
     testing: message.txt


                 .pif   OK
No errors detected in compressed data of message.zip.

[root@:/home/maint/test]# clamscan ../message.zip
../message.zip: Worm.Mydoom.M FOUND

[root:/home/maint/test]# clamscan message.zip
message.zip: Worm.Mydoom.M FOUND

[root:/home/maint/test]# clamscan *pif
message.txt


   .pif: Worm.Mydoom.M FOUND

I scanned with Sophos and F-Prot as well and they detected this without
a flaw. I'm assuming that is because the zip and the zip within it have
the same name. A simple test:

mv message.zip message2.zip && then email:

Et voilà, mailscanner detects it!

Bob Jones said the following on 26-Jul-04 19:48:

> Hey all.  I have an issue here.  It appears that a nested zip archive is
> getting through mailscanner.  I have mailscanner configured to look into
> archives and to block bad files.  Here's the scenario... we're receiving
> a file called instruction.zip which is getting through our scanning.  If
> you unzip this file, you get another .zip which if you send it through
> *does* get caught by mailscanner, and if you unzip that you get
> instruction.pif which *does* get caught as well.  I've upgraded to
> Archive-Zip module version 1.12 as I know the previous version had a
> hole.  So, any idea what's going on here?  I'm running MailScanner-4.31.6
> and have attached my MailScanner.conf file.  Also, I've put 2 examples
> of the files up on our ftp server.  You can grab them at:
>
> ftp://ftp.usg.edu/pub/mailscanner/file.zip
> ftp://ftp.usg.edu/pub/mailscanner/instruction.zip
>
> Help please!
>
> --
> Bob Jones
> USG Postmaster
> bob.jones at usg.edu

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker at sjc.nl>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
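The two things Stijn's output shows (an inner archive carrying the same name as its container, and a member whose real extension is pushed out of sight by a long run of spaces) are easy to lose when archives are unpacked to disk, because the inner file collides with or overwrites the outer one. The following is an added example, not code from this thread or from MailScanner, that walks a nested zip entirely in memory and reports both conditions. The block list, the sample archive and every helper name are constructed for the example; a real gateway takes its block list from its own filename rules.

```python
import io
import posixpath
import re
import zipfile

# Constructed block list for this example; a real deployment takes its list
# from the mail gateway's own filename rules.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Two or more whitespace/control characters directly before the final
# extension, i.e. the "message.txt<lots of spaces>.pif" shape from the thread.
PADDED_EXTENSION = re.compile(r"[\s\x00-\x1f]{2,}(\.[A-Za-z0-9]{1,4})$")

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger in memory
ZIP_MAGIC = b"PK\x03\x04"


def real_extension(name):
    """Return the extension a desktop would act on: the last dot-suffix after
    trailing whitespace and control characters are stripped, lower-cased."""
    cleaned = re.sub(r"[\s\x00-\x1f]+$", "", name)
    return posixpath.splitext(cleaned)[1].lower()


def inspect_zip(data, container, depth=0, max_depth=5, findings=None):
    """Recursively inspect a zip held in memory and return [(path, reason), ...].

    Members are read as bytes and never written to disk, so an inner archive
    that shares its container's name cannot overwrite or shadow the container
    the way it can during on-disk extraction.
    """
    if findings is None:
        findings = []
    if depth > max_depth:
        findings.append((container, "nesting deeper than %d levels" % max_depth))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((container, "not a valid zip archive"))
        return findings

    container_base = posixpath.basename(container)
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        full = "%s/%s" % (container, name)

        # Condition 1 from the thread: inner archive named like its container.
        if posixpath.basename(name) == container_base:
            findings.append((full, "member has the same name as its container archive"))

        # Condition 2: the real extension is hidden behind padding.
        padded = PADDED_EXTENSION.search(name)
        if padded:
            findings.append((full, "extension %s hidden behind padding" % padded.group(1).lower()))

        ext = real_extension(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((full, "blocked extension %s" % ext))

        if info.file_size > MAX_MEMBER_BYTES:
            findings.append((full, "member too large to inspect in memory"))
            continue
        member = zf.read(info)
        # Recurse on anything that is an archive by name or by magic bytes,
        # regardless of what the member name claims.
        if ext == ".zip" or member.startswith(ZIP_MAGIC):
            inspect_zip(member, full, depth + 1, max_depth, findings)
    return findings


def build_sample():
    """Construct a harmless archive shaped like the thread's message.zip:
    message.zip -> message.zip -> 'message.txt<150 spaces>.pif'.
    The payload is placeholder bytes, not a real executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("message.txt" + " " * 150 + ".pif", b"placeholder, not executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("message.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_zip(build_sample(), "message.zip"):
        print("%s: %s" % (path, reason))
```

Run as-is it reports three findings on the constructed sample: the name collision at the first level, then the padded and blocked .pif at the second. The size cap and depth limit are there because a scanner that recurses into every member without bounds is itself a denial-of-service target.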
