I've been blocking Bagle-H and Bagle-I using the fileformat-scanner I wrote and submitted about a week ago. Bagle-H and Bagle-I seem to be using some off-the-wall ZIP compressor that none of the other ZIP compressors (like InfoZip and WinZip) use, which makes for a somewhat unique header to track these things. I've attached the Perl code to this e-mail. This code also blocks UPX-compressed binaries as well (I've yet to see any UPX binary come through via e-mail that wasn't a virus of some sort).
It is some crude code, and could be improved. If there's a demand for it,
I'll work to improve it more. To "install", just add this code to the end
of the qmail-scanner-queue.pl and add "fileformat_scanner" to the scanner
array. E.g.:
# cat ffs_scanner.pl >> /var/qmail/bin/qmail-scanner-queue.pl
# vi /var/qmail/bin/qmail-scanner-queue.pl
...
#Array of virus scanners used must point to subroutines
my @scanner_array=("fileformat_scanner", ... );
John Narron | "Sacrifice, they always say
Network Administration | Is a sign of nobility
CDS/CDSinet, LLC | But where does one draw the line
http://www.cdsinet.net | In the face of injury?"
(660) 886 4045 | - Queensryche
----- Original Message -----
From: "CertaintyTech-Ed" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 02, 2004 12:17 PM
Subject: [Qmail-scanner-general]Bagle-h and password protected ZIP files
> Anyone else seeing the Bagle-H virus getting thru? I am using Q-S and
> sophie and it is not stopping them. Sophie sees that the ZIP file is
> password encrypted so can't check it for viruses and Q-S goes ahead and
> passes it thru. Does anyone know of any way to catch this one? For now
> I am blocking all ZIP attachments...
>
> Thanks,
> ---
> Ed
ffs-scanner.pl
Description: Perl program
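
A header-level check of the kind described in this message, as an added example that is not the attached ffs-scanner.pl and not qmail-scanner code: it reads the ZIP local file header fields a fingerprint would key on and flags password-protected entries and UPX-packed executables. The sub names and the sample bytes are assumptions made for illustration; the header values specific to Bagle-H/I are not given on the page and are not encoded here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Walk the ZIP local file headers at the start of $buf; one record per entry.
sub zip_entries {
    my ($buf) = @_;
    my ($pos, @entries) = (0);
    while ($pos + 30 <= length($buf) && substr($buf, $pos, 4) eq "PK\x03\x04") {
        # 26 bytes after the signature, all little-endian.
        my ($ver, $flags, $method, $time, $date, $crc, $csize, $usize, $nlen, $xlen)
            = unpack('v5 V3 v2', substr($buf, $pos + 4, 26));
        push @entries, {
            name      => substr($buf, $pos + 30, $nlen),
            version   => $ver,       # "version needed to extract"
            method    => $method,    # 0 = stored, 8 = deflate
            encrypted => ($flags & 0x0001) ? 1 : 0,   # bit 0: password protected
        };
        # Bit 3: sizes live in a trailing data descriptor, so stop walking here.
        last if $flags & 0x0008;
        $pos += 30 + $nlen + $xlen + $csize;
    }
    return @entries;
}

# UPX-packed PE files start with "MZ" and carry UPX0/UPX1 section names
# (40-byte section headers) or the "UPX!" marker near the top of the file.
sub looks_upx_packed {
    my ($buf) = @_;
    return 0 unless substr($buf, 0, 2) eq 'MZ';
    my $head = substr($buf, 0, 4096);
    return ($head =~ /UPX0.{36}UPX1/s || index($head, 'UPX!') >= 0) ? 1 : 0;
}

# Return human-readable reasons to quarantine, or an empty list.
sub classify_attachment {
    my ($buf) = @_;
    my @why;
    push @why, 'UPX-packed executable' if looks_upx_packed($buf);
    for my $e (zip_entries($buf)) {
        push @why, "encrypted ZIP entry '$e->{name}' (ver $e->{version}, method $e->{method})"
            if $e->{encrypted};
    }
    return @why;
}

# Constructed sample: a single encrypted, stored entry "doc.exe" with 4 dummy bytes.
my $zip = "PK\x03\x04" . pack('v5 V3 v2', 20, 0x0001, 0, 0, 0, 0, 4, 4, 7, 0) . 'doc.exe' . 'XXXX';
print "$_\n" for classify_attachment($zip);
```

The version, method and flag fields stay readable even when the entry data is encrypted, which is why a header check still works on archives that a content scanner such as sophie cannot open.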
