AW: MS04-028 trojan - a customer written A-V engine
Dörfler Andreas
Andreas.Doerfler at KEMPTEN.DE
Tue Sep 28 13:11:58 IST 2004
taken from clamav-list, it's for amavis vs, hope it helps:
On Sep 27, 2004, at 23:06, Matthew Daubenspeck wrote:
> Will there be an updated signature for the new jpeg "virus" for the 0.75
> series of ClamAV?
You don't say what virus you're talking about... try this... it goes in
amavisd.conf in the av_scanner section... copy/paste/save and restart
amavisd
This appears to be filtering out potentially dangerous JPG Images.
___________________________________________________
# ### http://www.daleenterprise.com/tools/
['Dale\'s jpeg-tester', sub {Amavis::AV::ask_av(sub{
  my($f)=@_; local(*FF,$_,$1,$2); my(@r)=(0,'not jpeg');
  open(FF,$f) or die "jpeg: open err $f: $!";
  binmode(FF) or die "jpeg: binmode err $f: $!";
  # only the first 1000 bytes of the file are examined
  read(FF,$_,1000) or die "jpeg: read err $f: $!";
  # JFIF header (ff d8 ff e0) plus a comment marker (ff fe) and its 2-byte length
  if (/^\xff\xd8\xff\xe0/ && /\xff\xfe(..)/s) {
    my($len) = (unpack("n",$1))-2;   # comment length minus the length field itself
    # the comment must be exactly $len non-ff bytes followed by the next marker
    @r = /\xff\xfe..([^\xff]{$len})\xff/s ? (0,"jpeg $f ok, len=$len")
       : (1,"bad jpeg $f len=$len FOUND") }  # output message on bad file
  close(FF) or die "jpeg: close err: $!"; @r}, @_) },
 ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ],
___________________________________________________
> --
> Matthew Daubenspeck
> http://www.oddprocess.org
> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: Tuesday, 28 September 2004 13:24
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: MS04-028 trojan - a customer written A-V engine
>
>
> 1. Please can you send me a copy of the perl script that can detect it, I
> would really like a copy to build into my own system.
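
Added example, not part of the original e-mail or of amavisd: the regex test above reads only the first 1000 bytes, accepts only files that start with ff d8 ff e0, and checks only the first ff fe it finds. The Perl below instead walks every segment up to SOS and flags any length field below 2 (the field counts its own two bytes), the malformed-header condition behind MS04-028; the function name and the sample byte strings are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: walk JPEG segments and flag impossible length fields.
use strict;
use warnings;

# Returns (status, message): 0 = clean or not a JPEG, 1 = suspicious.
sub check_jpeg_bytes {
    my ($data) = @_;
    return (0, 'not jpeg') unless substr($data, 0, 2) eq "\xff\xd8";    # SOI
    my ($pos, $end) = (2, length $data);
    while ($pos + 2 <= $end) {
        my ($ff, $marker) = unpack 'CC', substr($data, $pos, 2);
        return (1, sprintf('bad jpeg: no marker at offset %d', $pos)) if $ff != 0xff;
        if ($marker == 0xff) { $pos++; next }            # fill byte before a marker
        $pos += 2;
        # TEM, RST0-RST7 and SOI carry no length field
        next if $marker == 0x01 || ($marker >= 0xd0 && $marker <= 0xd8);
        return (0, 'jpeg ok') if $marker == 0xd9;        # EOI
        return (1, 'bad jpeg: truncated segment header') if $pos + 2 > $end;
        my $len = unpack 'n', substr($data, $pos, 2);
        # The length counts its own two bytes, so 0 and 1 are impossible values.
        return (1, sprintf('bad jpeg: marker ff%02x length %d at offset %d',
                           $marker, $len, $pos)) if $len < 2;
        return (1, sprintf('bad jpeg: marker ff%02x runs past end of file', $marker))
            if $pos + $len > $end;
        return (0, 'jpeg ok') if $marker == 0xda;        # SOS: entropy-coded data follows
        $pos += $len;
    }
    return (1, 'bad jpeg: ended without EOI or SOS');
}

# Constructed samples (not real files).
my $app0 = "\xff\xe0\x00\x10" . "JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00";
my $good = "\xff\xd8" . $app0 . "\xff\xfe\x00\x04" . "hi" . "\xff\xd9";
# Starts with APP1 (ff e1), which the regex test above reports as 'not jpeg'.
my $bad  = "\xff\xd8" . "\xff\xe1\x00\x04" . "ab" . "\xff\xfe\x00\x00" . "\xff\xd9";

for my $s (['constructed JFIF, COM length 4', $good],
           ['constructed APP1 first, COM length 0', $bad]) {
    my ($status, $msg) = check_jpeg_bytes($s->[1]);
    printf "%-38s => %d %s\n", $s->[0], $status, $msg;
}
```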