http://www.informationweek.com/story/showArticle.jhtml?articleID=25600493
According to this it is double zipping so the only way I can think of stopping it is by banning .zip files completely.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, July 26, 2004 5:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Blocking the files in mydoom

Please excuse me, but I'm having trouble figuring out exactly what is going on here. It sounds like this virus is double-zipping files, and that this technique is tricking the virus scanners. Is that correct?

If so, BANZIPEXTS, which will by default ban double-zips in addition to other banned extensions, is presumably the best work-around? If not that, then custom filters in Declude?

I'm seeing a fair number of MyDoom.M (F-Prot)/MyDoom.N (McAfee), but no MyDoom.O that the scanners have picked up on. Am I missing something?

Thanks,

Matt

R. Scott Perry wrote:

>> Maybe even a BANZIPEXT ON (not just e-zip) so that people
>> can get zipped .JPGs but not zipped .exe's
>
> BANZIPEXTS ON is in v1.79. For any file extension that you ban with
> the BANEXT option, it will then be blocked if it is in a .ZIP file as
> well.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail
> mailservers since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in
> mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
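The policy discussed in this thread (block banned extensions inside a .ZIP, and treat a ZIP inside a ZIP as suspect), sketched as an added Python example; it is not Declude's code and is not part of the original messages. The ban list, depth limit, size cap and all function names are assumptions made for the illustration.

```python
import io
import zipfile

# Assumed policy values for this sketch (not taken from Declude).
BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_DEPTH = 3                       # how many archive layers to open
MAX_INNER_BYTES = 10 * 1024 * 1024  # do not unpack inner archives larger than this


def ext_of(name):
    """Lower-cased final extension of an archive member name."""
    name = name.rstrip(". ").lower()   # trailing dots/spaces are dropped first
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_zip(data, depth=1, path=""):
    """Return (reason, member_path) findings for one ZIP attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unreadable-zip", path or "<attachment>")]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            ext = ext_of(info.filename)
            if ext in BANNED_EXTS:
                findings.append(("banned-ext", member))
            if ext != ".zip":
                continue
            findings.append(("nested-zip", member))      # the double-zip case
            if info.flag_bits & 0x1:                      # encrypted, cannot open
                findings.append(("encrypted", member))
            elif info.file_size > MAX_INNER_BYTES:        # declared size too large
                findings.append(("oversize", member))
            elif depth >= MAX_DEPTH:
                findings.append(("depth-limit", member))
            else:
                findings.extend(inspect_zip(zf.read(info), depth + 1, member))
    return findings


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}, for constructed samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A message would be held when `inspect_zip` returns any finding; a ZIP that contains only a .JPG returns an empty list, which is the "zipped .JPGs but not zipped .exe's" behaviour asked for in the thread.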
