Hi,

Just discussed a bit here, and usually this virus will send the zip password in clear text inside the e-mail. Wouldn't there be a way to try every word in the e-mail to crack the zip, then unzip it and virus-scan the content?
Just my 2 cents...

Andre Courchesne - Consultant
http://www.net-forces.com

-----Original Message-----
From: Michael L Torrie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:38 PM
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Simple patch for dealing with password zip files

Like many clamav users, I have found clamav to not be effective against the latest crop of password zip viruses. I have made a rudimentary patch (clean patch) against clamav 0.67 to mark all zip files containing password-protected (and hence unscannable) files as a virus type "SuspectEncrypted.Zip." This way I can simply quarantine all such passworded zip files, along with normal viruses. I know of no other way for clamav to catch this virus currently. (In fact it didn't even catch one of them using fingerprinters.)

I see this patch as a stop-gap measure until ClamAV has a workable mechanism for dealing with viruses passing themselves around as passworded zip files. Anyone who is interested can apply this patch. Hopefully clamav will have an official method of dealing with this new pest.

The patch is very short and simple. It merely patches zzlib to pass the header flags field out, and scanners.c then looks at bits 0 and 6 to check the encrypted file status (per file); if they are set, the zip file is marked as "SuspectedEncrypted.Zip" and you can deal with it accordingly.

I hope it is useful to some people. Apply it to the base of the clamav source code tree:

cat /path/to/clamav-pwdzip-0.67.patch | patch -p1

Michael

--
Michael L Torrie <[EMAIL PROTECTED]>
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
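As an added example, not code from the thread, from Michael's patch or from ClamAV, the Python script below does in user space what the two messages describe. It walks a zip archive's central directory and gives the whole archive the verdict "SuspectEncrypted.Zip" when any member's general-purpose flag has bit 0 or bit 6 set, which is the rule Michael's patch applies in scanners.c, and it then tries each word of the covering e-mail as the archive password and hands back the decrypted members for the normal scan, which is what Andre proposes. The lure text, the attachment name readme.exe, the password w0rm2004 and the payload bytes are all constructed for the demonstration; the small ZipCrypto encoder exists only to build that sample in memory, because the standard library can read traditional PKWARE-encrypted members but cannot write them.

```python
from __future__ import annotations

import io
import re
import struct
import zipfile
import zlib

VERDICT = "SuspectEncrypted.Zip"  # the name Michael's patch assigns to such archives
LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED, FLAG_STRONG_ENCRYPTION = 0x0001, 0x0040  # general-purpose flag bits 0 and 6


def _crc_step(crc: int, byte: int) -> int:
    """One table step of CRC-32 on a raw register; zlib.crc32 pre- and post-inverts, so undo that."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def _zipcrypto_encrypt(plain: bytes, pwd: bytes, check_byte: int) -> bytes:
    """Traditional PKWARE ("ZipCrypto") encryption of one member, used only to build the sample."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c: int) -> None:
        keys[0] = _crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    def keystream() -> int:
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    for b in pwd:
        update(b)
    out = bytearray()
    # 12-byte header (11 filler bytes, then the check byte) followed by the data; real
    # writers randomise the filler, zeros keep the constructed sample deterministic.
    for p in bytes(11) + bytes([check_byte]) + plain:
        out.append(p ^ keystream())
        update(p)
    return bytes(out)


def build_encrypted_zip(name: bytes, plain: bytes, pwd: bytes) -> bytes:
    """One stored, password-protected member with flag bit 0 set (constructed sample)."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    body = _zipcrypto_encrypt(plain, pwd, crc >> 24)  # the check byte is the CRC's high byte
    lfh = struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, FLAG_ENCRYPTED, 0, 0, 0x21,
                      crc, len(body), len(plain), len(name), 0) + name
    cdh = struct.pack("<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, FLAG_ENCRYPTED, 0, 0, 0x21,
                      crc, len(body), len(plain), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cdh), len(lfh) + len(body), 0)
    return lfh + body + cdh + eocd


def build_plain_zip() -> bytes:
    """Unprotected archive for comparison (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here")
    return buf.getvalue()


def encrypted_entries(data: bytes) -> list[str]:
    """What the patch checks, read from the central directory: members with bit 0 or bit 6 set."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    rec = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])
    names, pos = [], rec[6]  # rec[4] = total entries, rec[6] = central directory offset
    for _ in range(rec[4]):
        hdr = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if hdr[0] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags, nlen, xlen, clen = hdr[3], hdr[10], hdr[11], hdr[12]
        if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENCRYPTION):
            names.append(data[pos + 46:pos + 46 + nlen].decode("cp437"))
        pos += 46 + nlen + xlen + clen
    return names


def scan_zip(data: bytes) -> str | None:
    """The patch's rule: one unscannable member marks the whole archive."""
    return VERDICT if encrypted_entries(data) else None


def candidate_passwords(body: str) -> list[str]:
    """Andre's idea: every distinct word-like token of the covering mail, in order."""
    return list(dict.fromkeys(re.findall(r"[A-Za-z0-9_!@#$%^&*-]+", body)))


def try_unpack(data: bytes, body: str) -> dict[str, bytes] | None:
    """Open each flagged member with each candidate; plaintexts for the scanner, or None."""
    names = encrypted_entries(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pwd in candidate_passwords(body):
            try:
                return {n: zf.read(n, pwd=pwd.encode()) for n in names}
            except (RuntimeError, zipfile.BadZipFile):  # wrong password, or CRC mismatch
                continue
    return None


# Constructed lure mail and attachment: password in the body, payload a stand-in for a binary.
PLAINTEXT = b"MZ stand-in for an executable payload (constructed sample)"
SAMPLE_ZIP = build_encrypted_zip(b"readme.exe", PLAINTEXT, b"w0rm2004")
SAMPLE_MAIL = ("Hello, please find the attached account statement.\nFor your security the "
               "archive is protected; the password is w0rm2004.\nRegards, Billing")
```

scan_zip reproduces the quarantine rule exactly as the patch states it, so a legitimately password-protected archive is flagged as well; try_unpack is the refinement Andre suggests, and when it succeeds the returned bytes can go to the normal signature scan. Members marked with bit 6 (strong encryption) are still reported by encrypted_entries but cannot be opened by the standard library, so they stay at the quarantine verdict.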