[Esd-l] W32.Yaha.P@mm virus hidden in zip file
John D. Hardin
jhardin at impsec.org
Mon Aug 25 16:38:21 PDT 2003
On Mon, 25 Aug 2003, Bob Pietruszka wrote:
> Does anyone know the proper syntax for trapping a file with .zip as the
> last of two file extensions. I've tried modifying a line that's already in
> there (*.[a-z][a-z][a-z0-9].exe to *.[a-z][a-z][a-z0-9].zip) but it didn't
> seem to catch a double extension zip file. The file I got was
> CURSOR03.cur.zip.
Poisoning only applies to mangled extensions. You need to add "zip" to
the list of mangled extensions, and then your .zip rule will work.
'course, this will mangle the filenames on all .zip file attachments
you receive... Your choice. :)
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
68 days until Matrix Revolutions
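
Added example, not part of the original post and not the sanitizer's own code: a simplified Python model of the two-stage check the reply describes, showing why the `.zip` poison pattern never fires until "zip" is in the mangle list, and that adding it also mangles ordinary `.zip` attachments. The function name, both sample lists and the sample filenames (other than CURSOR03.cur.zip) are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample lists; the sanitizer's real defaults are not shown in the post.
MANGLE_EXTS = {"exe", "com", "pif", "scr", "vbs"}
POISON_GLOBS = ["*.[a-z][a-z][a-z0-9].exe", "*.[a-z][a-z][a-z0-9].zip"]


def classify(filename, mangle_exts, poison_globs):
    """Return 'pass', 'mangle' or 'poison' for one attachment name."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    # Stage 1: only names whose final extension is in the mangle list
    # are examined at all; everything else is delivered untouched.
    if ext not in mangle_exts:
        return "pass"
    # Stage 2: poison patterns are consulted only for names that got
    # this far, which is why a .zip pattern alone never matches.
    if any(fnmatchcase(name, glob) for glob in poison_globs):
        return "poison"
    return "mangle"


def run_demo():
    """Classify the same names with and without 'zip' in the mangle list."""
    names = ["CURSOR03.cur.zip", "report.zip", "setup.exe", "notes.txt"]
    before = {n: classify(n, MANGLE_EXTS, POISON_GLOBS) for n in names}
    after = {n: classify(n, MANGLE_EXTS | {"zip"}, POISON_GLOBS) for n in names}
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for n in before:
        print(f"{n:18} without zip: {before[n]:7} with zip: {after[n]}")
```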