MailScanner issue not detecting MyDoom-0 [Re: nested .zip containing bad files not being caught]

Stijn Jonker SJCJonker at SJC.NL
Mon Jul 26 21:21:28 IST 2004


Hello all again,

Forgot to mention config:

MailScanner 4.31.6

SophosSAVI 3.83 (Engine 2.20)
SophosSAVI using 90 IDE files

F-PROT ANTIVIRUS
Program version: 4.4.2
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 26 July 2004
SIGN2.DEF created 26 July 2004
MACRO.DEF created 26 July 2004

ClamAV-Mail 0.11
ClamAV 0.75
Signatures updated today.

Archive::Zip 0.12

Fedora Core 1

If more info is required let me know!


Stijn Jonker said the following on 26-Jul-04 22:16:

> Hello Bob and others,
>
> The longer explanation is below, but as far as I can tell the reason for
> non-detection is that the zip file inside the original zip file has the
> same name. I think the explanation is below, and it is pointing towards
> mailscanner.
>
> =========================================================================
>
> I think I have the same sort of issue here, I received 2 emails with a
> zip file called message.zip, which contains a message.zip file, which in
> turn contains a file named message.txt<lots of spaces>.pif and maybe some
> control characters, but ls -alN shows nothing.
>
> Some output:
> [root:/home/maint/test]# unzip -v ../message.zip
> Archive:  ../message.zip
>  Length   Method    Size  Ratio   Date   Time   CRC-32    Name
> --------  ------  ------- -----   ----   ----   ------    ----
>    29370  Stored    29370   0%  07-26-04 18:22  5e811060  message.zip
> --------          -------  ---                            -------
>    29370            29370   0%                            1 file
> [root:/home/maint/test]# unzip ../message.zip
> Archive:  ../message.zip
>  extracting: message.zip
>
> [root:/home/maint/test]# unzip -t message.zip
> Archive:  message.zip
>     testing: message.txt
>
>
>                 .pif   OK
> No errors detected in compressed data of message.zip.
>
> [root@:/home/maint/test]# clamscan ../message.zip
> ../message.zip: Worm.Mydoom.M FOUND
>
> [root:/home/maint/test]# clamscan message.zip
> message.zip: Worm.Mydoom.M FOUND
>
> [root:/home/maint/test]# clamscan *pif
> message.txt
>
>
>   .pif: Worm.Mydoom.M FOUND
>
> I scanned with sophos and f-prot as well and they detected this without
> a flaw. I'm assuming because the zip and the zip within have the same
> name. Some simple test:
>
> mv message.zip message2.zip && then email:
>
> Et voila mailscanner detects it!
>
> Bob Jones said the following on 26-Jul-04 19:48:
>
>> Hey all.  I have an issue here.  It appears that a nested zip archive is
>> getting through mailscanner.  I have mailscanner configured to look into
>> archives and to block bad files.  Here's the scenario... we're receiving
>> a file called instruction.zip which is getting through our scanning.  If
>> you unzip this file, you get another .zip which if you send it through
>> *does* get caught by mailscanner, and if you unzip that you get
>> instruction.pif which *does* get caught as well.  I've upgraded to
>> Archive-Zip module version 1.12 as I know the previous version had a
>> hole.  So, any idea what's going on here?  I'm running MailScanner-4.31.6
>> and have attached my MailScanner.conf file.  Also, I've put 2 examples
>> of the files up on our ftp server.  You can grab them at:
>>
>> ftp://ftp.usg.edu/pub/mailscanner/file.zip
>> ftp://ftp.usg.edu/pub/mailscanner/instruction.zip
>>
>> Help please!
>>
>> --
>> Bob Jones
>> USG Postmaster
>> bob.jones at usg.edu
>>
>> -------------------------- MailScanner list ----------------------
>> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>> Before posting, please see the Most Asked Questions at
>> http://www.mailscanner.biz/maq/     and the archives at
>> http://www.jiscmail.ac.uk/lists/mailscanner.html
>
>
> --
> Met Vriendelijke groet/Yours Sincerely
> Stijn Jonker <SJCJonker at sjc.nl>
>

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker at sjc.nl>

