[Esd-l] W32.Yaha.P@mm virus hidden in zip file

John D. Hardin jhardin at impsec.org
Mon Aug 25 16:38:21 PDT 2003

On Mon, 25 Aug 2003, Bob Pietruszka wrote:

> Does anyone know the proper syntax for trapping a file with .zip as the 
> last of two file extensions. I've tried modifying a line that's already in 
> there (*.[a-z][a-z][a-z0-9].exe to *.[a-z][a-z][a-z0-9].zip) but it didn't 
> seem to catch a double extension zip file. The file I got was 
> CURSOR03.cur.zip. 

Poisoning only applies to mangled extensions. You need to add "zip" to
the list of mangled extensions, and then your .zip rule will work.

'course, this will mangle the filenames on all .zip file attachments
you receive... Your choice. :)

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   68 days until Matrix Revolutions
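A small model of the behaviour John describes, written as an added example (this is not the Email Sanitizer's own code and does not read its procmailrc): the poison patterns are only consulted for attachments whose final extension is in the mangle list, so a `*.[a-z][a-z][a-z0-9].zip` poison rule cannot fire until "zip" is added to that list. The extension lists and the lowercasing of filenames before matching are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the Sanitizer: models "poisoning only applies
# to mangled extensions". Lists below are constructed for the illustration.
set -f   # no pathname expansion: the poison patterns must stay literal globs

# Poison patterns in the style of the list quoted in the thread.
POISON_PATTERNS='*.[a-z][a-z][a-z0-9].exe *.[a-z][a-z][a-z0-9].zip'

# is_mangled NAME MANGLE_LIST
#   Succeeds when NAME's last extension (lowercased, an assumption of this
#   example) is one of the space-separated extensions in MANGLE_LIST.
is_mangled() {
  ext=$(printf '%s' "$1" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
  for m in $2; do
    [ "$ext" = "$m" ] && return 0
  done
  return 1
}

# is_poisoned NAME MANGLE_LIST
#   Succeeds only when NAME would be mangled AND it matches a poison pattern;
#   a name whose extension is not in the mangle list never reaches the
#   pattern check, which is exactly why the .zip rule seemed not to work.
is_poisoned() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  is_mangled "$name" "$2" || return 1
  for p in $POISON_PATTERNS; do
    case "$name" in
      $p) return 0 ;;
    esac
  done
  return 1
}

# Demonstration on the filename from the thread: without "zip" in the mangle
# list the attachment passes; with it added the double-extension rule fires.
for list in "exe com bat scr pif" "exe com bat scr pif zip"; do
  if is_poisoned CURSOR03.cur.zip "$list"; then
    echo "mangle list [$list]: CURSOR03.cur.zip POISONED"
  else
    echo "mangle list [$list]: CURSOR03.cur.zip passed"
  fi
done
```

The trade-off in the reply is visible here too: once "zip" is in the mangle list, every .zip attachment is mangled, not just the ones that match a poison pattern.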
