On Wed, Jul 27, 2005 at 03:07:57PM -0500, Noel Jones wrote:
> Recent clamav (0.86.2, probably some earlier versions) should detect
> modified zips as "Exploit.Zip.ModifiedHeaders"
> The detection is built into the unzip code, there isn't an actual signature.
>
> If your zip file is hacked "correctly" clamav should detect it already.
>
> You can get a pre-hacked eicar zip to test from
> http://www.webmail.us/testvirus test # 26.

Indeed.

% clamscan test26
test26: Exploit.Zip.ModifiedHeaders FOUND

----------- SCAN SUMMARY -----------
Known viruses: 37151
Engine version: 0.86.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 7.557 sec (0 m 7 s)

% unzip -vl eicar.zip
Archive: eicar.zip
 Length  Method    Size  Ratio    Date    Time    CRC-32   Name
-------- ------  ------- -----    ----    ----    ------   ----
       0 Stored        5    0%  10-19-04  12:29  f783d7be  test.txt
       0 Stored       68    0%  10-19-04  12:29  6851cf3c  eicar.com
Demo des ct Emailcheck (www.heisec.de)
--------         -------   ---                             -------
       0              73    0%                             2 files

--
best regards
q#
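
The unzip listing above shows "Stored" entries with Length 0 but Size 5 and 68. As an added example (not part of the original thread, and not ClamAV's own code), the following checks a ZIP for that kind of size inconsistency; the function names, the placeholder payload and the choice of checks are assumptions made for illustration.

```python
import io
import struct
import zipfile


def central_entries(data):
    """Yield the offset of each central directory header in a ZIP image."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError(f"bad central directory header at {pos}")
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        yield pos
        pos += 46 + nlen + elen + clen


def check_zip_headers(data):
    """Return (name, reason) findings for inconsistent size fields."""
    findings = []
    for pos in central_entries(data):
        method, = struct.unpack_from("<H", data, pos + 10)
        csize, usize, nlen = struct.unpack_from("<IIH", data, pos + 20)
        lfh, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        # Stored (method 0) data is not compressed, so both sizes must match.
        if method == 0 and csize != usize:
            findings.append((name, "stored entry: size fields differ"))
        # The local header repeats the sizes unless flag bit 3 defers them.
        flags, = struct.unpack_from("<H", data, lfh + 6)
        local_sizes = struct.unpack_from("<II", data, lfh + 18)
        if not flags & 0x08 and local_sizes != (csize, usize):
            findings.append((name, "local and central headers disagree"))
    return findings


def build_samples():
    """Constructed input: a clean archive and a copy with Length set to 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("test.txt", b"hello")      # 5 bytes, as in the listing
        z.writestr("sample.bin", b"X" * 68)   # 68-byte placeholder payload
    clean = buf.getvalue()
    tampered = bytearray(clean)
    for pos in central_entries(clean):
        struct.pack_into("<I", tampered, pos + 24, 0)  # central Length := 0
    return clean, bytes(tampered)
```
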