Re: Worms in zip attachments!

From: Bjarni R. Einarsson
Date: Thu 24 Apr 2003 - 13:31:05 GMT


    On 2003-04-24, 15:03:29 (+0200), Szûcs János wrote:
    > It seems nowadays it is trendy for email worms to travel in zip files, thus
    > avoiding being revealed by simple mail scanners like anomy. I myself use
    > anomy and may have missed a lot of these worms until I realised this fact
    > not so long ago.

    This is news to me. :-) Could you give me an example of a worm which
    sends itself in this fashion? Or possibly send me a sample?

    > Is it planned to build the following features into anomy?
    > - either scan inside zip attachments, or
    > - check the filenames inside the zip attachment, (and e.g. quarantine
    > any zipped attachments containing an executable).

    These features will not be added to Anomy itself, mostly because the
    functionality is already there:

     - If you are using Anomy with an antivirus scanner (which is
       recommended) then most such scanners will scan the contents of
       zip files.

     - You could quite easily create your own shell-script "scanner" and
       plug into the Anomy rulesets. Such a shell script would simply
       do "unzip -l" and grep the output for file names such as
       "" or "blah.exe". If such a filename is detected the
       scanner would return an exit code which Anomy had been configured
       to interpret as "infected" and treat accordingly (e.g. by
       defanging the attachment or quarantining it).

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
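
The shell-script "scanner" described in the reply above, as an added example that is not part of the original message and is not Anomy's own code. The exit-code values, the extension list and the function names are assumptions; the archive header line is skipped and an unreadable archive is never reported as clean.

```shell
#!/bin/sh
# Added example: zip filename "scanner" to plug into a mail sanitizer.
# Exit codes are assumptions; map them in your own ruleset:
#   0 = clean, 1 = blocked name found ("infected"), 2 = archive unreadable.

# Extensions treated as executable (assumed list; adjust to local policy).
BLOCKED_EXT='exe|scr|pif|com|bat|cmd|vbs|js'

# Reads "unzip -l" output on stdin; succeeds if any listed name ends in a
# blocked extension. The "Archive:" header is dropped so the container's own
# name cannot match. Trailing dots/spaces are allowed for, since Windows
# ignores them when opening a name such as "x.exe. ".
listing_has_blocked_name() {
    grep -v '^Archive:' | grep -Eiq "\.(${BLOCKED_EXT})[. ]*\$"
}

# Scans one zip file and returns the exit code described above.
scan_zip() {
    case "$1" in
        /*) zipfile=$1 ;;
        *)  zipfile=./$1 ;;   # keep a leading "-" from being read as an option
    esac
    # Fail closed: if the archive cannot be listed, do not report "clean".
    listing=$(unzip -l "$zipfile" 2>/dev/null) || return 2
    if printf '%s\n' "$listing" | listing_has_blocked_name; then
        return 1
    fi
    return 0
}

# Constructed sample of "unzip -l" output, for trying the matcher offline.
sample_listing() {
    cat <<'EOF'
Archive:  sample.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    20480  2003-04-24 13:31   invoice.doc.EXE
     1024  2003-04-24 13:31   readme.txt
---------                     -------
    21504                     2 files
EOF
}

# Run as a script: scan the file named in $1.
if [ "$#" -gt 0 ]; then
    scan_zip "$1"
    exit $?
fi
```

Zip filenames stay readable even when the entries are password-protected, so the listing check still applies to encrypted archives that a content scanner cannot open.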
