> Worm.Bagle.H found in unzipped file. It's impossible
> to create signature of encrypted zip file.

This new infection method is likely to drive us nuts. This is the password-less workaround I've come up with and your input is appreciated. The unix unzip output looks like so:

    $ uvscan -lv virus.zip
    Archive:  TextDocument.zip
     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
    --------          -------  ---                            -------
       21150            21150   0%                            1 file

Fortunately we can get the file crc w/o actually extracting the file. Can zip file crc's count as sigs? A quick/crude perl hack to test for this at the MTA seems to work pretty well:

    # $file and found_virus() come from the surrounding MTA hook.
    # Fork a child whose stdout is piped back to us on UNZIP.
    my $pid = open(UNZIP, "-|");
    die "Cannot fork: $!\n" unless defined $pid;
    if (!$pid) {
        # Child: list the archive verbosely; no password is needed for a listing.
        exec("/usr/bin/unzip", '-lv', $file) or die "Cannot exec unzip: $!\n";
    }
    while (<UNZIP>) {
        # Match the CRC-32 column of the known-bad member.
        if (/7ac0095f/) {
            print "Found the w32nsc/Bagle.H-zip virus !!!\n";
            found_virus();
            last;
        }
    }
    close(UNZIP);

Suggestions? There are really easy ways for the virus writer to circumvent this type of check but until they start utilizing such strategies, is it possible to include the zip's crc into ClamAV's sigs?

Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
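
The same check done by reading the zip central directory directly instead of parsing `unzip -lv` output, as an added example that is not part of the original message. It uses Python's standard `zipfile` module; `scan_zip_crcs`, `build_sample_zip`, the label text and the sample archives are this example's own constructions, and only the CRC value 7ac0095f comes from the listing above.

```python
import io
import struct
import zipfile

# CRC-32 values of known-bad archive members. 0x7ac0095f is the value from the
# listing in the message; the label text is this example's own.
KNOWN_BAD_CRCS = {0x7AC0095F: "Bagle.H zip member"}


def scan_zip_crcs(data, bad=KNOWN_BAD_CRCS):
    """Return [(name, crc_hex, encrypted, label)] for members with a listed CRC.

    Only the central directory is parsed, so no password is needed and no
    member is extracted.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.CRC in bad:
                    encrypted = bool(info.flag_bits & 0x1)  # bit 0: encrypted
                    hits.append((info.filename, "%08x" % info.CRC,
                                 encrypted, bad[info.CRC]))
    except zipfile.BadZipFile:
        pass  # not a readable zip; nothing to report from this check
    return hits


def build_sample_zip(name, crc, usize, encrypted=True):
    """Constructed test input: one Stored member with hand-written headers.

    The member body is zero filler standing in for ciphertext; the CRC field
    is set directly, as it would be by the tool that built a real archive.
    """
    fname = name.encode("ascii")
    flags = 0x1 if encrypted else 0x0
    csize = usize + (12 if encrypted else 0)  # 12-byte encryption header
    common = struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0x21,
                         crc, csize, usize, len(fname), 0)
    local = struct.pack("<I", 0x04034B50) + common + fname + b"\x00" * csize
    central = (struct.pack("<IH", 0x02014B50, 20) + common +
               struct.pack("<HHHII", 0, 0, 0, 0, 0) + fname)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd
```

Reporting the encrypted flag alongside the match lets the MTA log whether the hit came from a password-protected member, which is the case the quoted reply says cannot be covered by a signature over the archive contents.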