#351 do_unzip fails on some copies of Sober.G with 'format error'

open-later
Lars Hecking
None
5
2004-06-01
2004-05-25
Russell Odom
No

Using amavisd (installed around 8 January this year;
unsure what version) in conjunction with AVG. It's been
letting through copies of "Sober.G" (resulting in one
of our less PC-savvy users getting infected!).

The mail log on the server shows messages like the
following for the offending message:

May 25 17:26:16 biscotti amavis[14933]: (XXXZcEjS)
do_executable/do_unzip failed, ignoring: format error:
bad signature: 0x00905a4d at offset 0 in file
/var/amavis/amavis-milter-XXXZcEjS/parts/part-00003

The attached file, when sent in an e-mail, triggers
this message and is delivered to the intended
recipient. Other viruses are successfully stopped. DO NOT
RUN THE FILE INSIDE THIS ZIP - IT IS A VIRUS (Sober.G)!

I've upgraded to the latest version of Archive::Zip
(1.09) to no avail.

Discussion

  • Russell Odom
    2004-05-25

    DO NOT RUN THE CONTENTS OF THIS FILE. Attachment from Sober.G - triggers the error

     
  • Lars Hecking
    2004-06-01

    • assigned_to: nobody --> lhecking
    • status: open --> open-later
     
  • Lars Hecking
    2004-06-01

    Confirmed with Archive-Zip 1.10.

    At the moment, I can only recommend a workaround: install a virus
    scanner that understands zip files. E.g. install clamav as an
    additional scanner to AVG.

    I'll see if I can contact the Archive-Zip author.

     
  • Lars Hecking
    2004-06-03

    There is no bug IMHO. The file do_unzip fails on is the .pif from
    inside the .zip. If no virus is detected, it's a problem with your
    av scanner.

    If you disagree, post a complete log.
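
Added example (not part of the original thread, and not amavisd or Archive::Zip code): a log triage helper that decodes the "bad signature" value from the message quoted in the report. It assumes the logged number is the 32-bit little-endian word that the ZIP format uses for its record signatures; the names `triage`, `classify` and `signature_bytes` are hypothetical.

```python
import re
import struct

# Constructed sample: the log entry from the report, joined onto one line.
SAMPLE_LOG = (
    "May 25 17:26:16 biscotti amavis[14933]: (XXXZcEjS) "
    "do_executable/do_unzip failed, ignoring: format error: "
    "bad signature: 0x00905a4d at offset 0 in file "
    "/var/amavis/amavis-milter-XXXZcEjS/parts/part-00003"
)

BAD_SIG = re.compile(
    r"bad signature: 0x(?P<sig>[0-9a-fA-F]{8}) at offset (?P<off>\d+) "
    r"in file (?P<path>\S+)"
)

# Leading magic bytes and what they identify.
MAGIC = [
    (b"PK\x03\x04", "zip local file header"),
    (b"PK\x05\x06", "zip end of central directory (empty archive)"),
    (b"MZ", "DOS/PE executable (.exe, .pif, .scr, ...)"),
]

def signature_bytes(sig_hex):
    """Re-pack the logged little-endian word into the on-disk byte order."""
    return struct.pack("<I", int(sig_hex, 16))

def classify(raw):
    for magic, name in MAGIC:
        if raw.startswith(magic):
            return name
    return "unknown"

def triage(line):
    """Return what the failing part really is, or None if the line does not match."""
    m = BAD_SIG.search(line)
    if m is None:
        return None
    raw = signature_bytes(m.group("sig"))
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "bytes": raw,
        "type": classify(raw),
        # False means the part was never an archive, so an unzip failure
        # on it says nothing about whether the enclosing .zip was unpacked.
        "is_archive": raw.startswith(b"PK"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the logged value 0x00905a4d the on-disk bytes are `4d 5a 90 00`, an `MZ` executable header, which matches the last comment: part-00003 is the extracted .pif, not the .zip.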