[...]
Attached is what I use. I put it together from many different ideas and barowed code from a few palces. it works well.
That's the approach I've gone with: un-encode and scan files. (I'm using munpack, but same idea.) It seems to be the one approach that works with the virus scanners I've encountered so far.
It may break down when/if new worm/virus patterns emerge that are highly dependent on the message itself for detection... but then so will the scanners.
- Bob
