anomy-list

Re: Worms in zip attachments!

From: szucs (79277@xyz.molar.is)
Date: Thu 15 May 2003 - 10:37:56 GMT


    > This is news to me. :-) Could you give me an example
    > of a worm which sends itself in this fashion?

    It was W32.Yaha.P. We received many copies of this worm, either as executable or as zipped executable attachments. When it was zipped, the filename in the archive was always setup.exe.

    > Or possibly send me a sample?
    Yes, if you'd really like it. Where to send the sample?
    I would prefer to avoid another virus alert on this mailing list, like the last time when I only sent the first few bytes of a viral attachment.
     
    > - You could quite easily create your own shell script
    > "scanner" and plug into the Anomy rulesets. Such a shell
    > script would simply do "unzip -l" and grep the output for
    > file names such as "blah.com" or "blah.exe". If such a
    > filename is detected the scanner would return an exit code
    > which Anomy had been configured to interpret as "infected"
    > and treat accordingly (e.g. by defanging the attachment or
    > quarantining it).

    I did it and it works. Thanks for the tip!

    Attachments:
     + http://mailtools.anomy.net/archives/anomy-list//22/69/3ec36e0b/01.unnamed.html
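The quoted suggestion of a homemade "unzip -l | grep" scanner, written out as an added example (not code from the thread or from Anomy) in Python so it runs without an external unzip binary. Anomy's mapping of scanner exit codes to verdicts lives in its ruleset, so the exit codes used here (0 clean, 1 flagged) and the extension list are assumptions.

```python
#!/usr/bin/env python3
"""Zip attachment scanner: flag archive members with executable names.

Added example in the spirit of the shell-script idea above; the exit
code convention (0 = clean, 1 = flagged) is an assumption, since Anomy
maps exit codes to verdicts in its own configuration.
"""
import io
import posixpath
import sys
import zipfile

# Extensions Windows executes on double-click (assumed list; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def flagged_members(data):
    """Return the member names of a zip (given as bytes) that look executable.

    Matching is case-insensitive and uses the final extension only, so
    "SETUP.EXE", "docs/setup.exe" and "Readme.TXT.EXE" are all caught.
    An unreadable archive is reported as one flagged entry rather than
    being passed through silently.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    for name in names:
        ext = posixpath.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample_zip(members):
    """Constructed test data: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: scanner.py <attachment.zip>; exit 1 when executables are present.
    with open(sys.argv[1], "rb") as fh:
        hits = flagged_members(fh.read())
    for hit in hits:
        print("flagged:", hit)
    sys.exit(1 if hits else 0)
```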
