Koozali.org: home of the SME Server

How to block ZIP file attachment

janet
Re: How to block ZIP file attachment
« Reply #45 on: February 27, 2015, 03:55:46 AM »
devtay

Here is what I get:

echo 'UEsDBBUAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/23.exe
file /tmp/23.exe
/tmp/23.exe: data

echo 'UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/24.exe
file /tmp/24.exe
/tmp/24.exe: data
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

janet
Re: How to block ZIP file attachment
« Reply #46 on: February 27, 2015, 10:54:48 AM »
devtay

Quote
IMG_02_2015_3301796.JPEG.zip
IMG_02_2015_3537629.JPEG.zip
IMG_02_2015_8824553.JPEG.zip
I know this zip file is a virus because the desktop antivirus caught it when the email got downloaded. Here's my notification:
dated Thu, 26 Feb 2015 15:25:32 +0100  contains Win32/TrojanDownloader.Wauchos.AF trojan.

Based on my tests it is not a zip file. It might be named zip, but it is a data file, with a Trojan embedded in it, and it is purporting to be a jpeg compressed as a zip file.

So if you create a mailpattern for that signature, then you need to be careful you are not blocking other data files that you do want to pass through your mail system.

willdoicu
Re: How to block ZIP file attachment
« Reply #47 on: July 07, 2016, 07:42:55 AM »
Hello,
In the last few days I have had a problem with a pattern which looks like this:
UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC

It's a .docm attachment, and it does contain a malicious macro. The problem is the "+" in the middle of the pattern. If I try to block the whole pattern, the server (SME 9.1) won't. As a result only the characters before the "+" will work, and .xlsx files would be blocked too.
Any idea?
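The following is an added example, not code posted in this thread, that serves both posts above: it decodes the base64 prefixes janet and willdoicu quoted and reads the ZIP local file header fields directly, instead of relying on file(1), which only reports "Zip archive data" when enough of the header is present and the version-needed byte is one its magic database lists; and it shows why the "+" in willdoicu's pattern never matches. The one assumption is that the pattern filter applies each entry as a Perl-style regular expression, which is what the "+" symptom suggests; in a regex "+" quantifies the preceding character, so it has to be escaped.

```python
"""Added example (not from the forum thread): inspect the ZIP local file header
hidden in a base64 attachment prefix, and escape a base64 prefix before using
it as a regex pattern.  The two prefixes are the ones quoted in the thread."""
import base64
import re
import struct

JANET_SHORT = "UEsDBBUAA"                       # 9 chars: only 6 decodable bytes
JANET_PREFIX = ("UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAA"
                "SU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4")
WILLDOICU_PREFIX = ("UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgC"
                    "W0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC")

LFH_SIG = b"PK\x03\x04"
# Local file header fields after the signature (APPNOTE.TXT 4.3.7), little-endian:
# version needed, flags, method, mod time, mod date, crc32, compressed size,
# uncompressed size, name length, extra length.
LFH_FMT = "<HHHHHIIIHH"
LFH_LEN = 4 + struct.calcsize(LFH_FMT)           # 30 bytes
CRC_OFFSET = 14                                  # first byte that varies per file
METHODS = {0: "stored", 8: "deflate", 9: "deflate64"}


def decode_prefix(b64):
    """Decode a base64 excerpt that may stop mid-quantum, as a log snippet does."""
    s = "".join(b64.split())
    return base64.b64decode(s[: len(s) - len(s) % 4])


def parse_local_header(data):
    """Return the local file header fields, or None when the bytes are too short
    or do not start with the PK\\x03\\x04 member signature."""
    if len(data) < LFH_LEN or not data.startswith(LFH_SIG):
        return None
    (ver, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from(LFH_FMT, data, 4)
    name = data[LFH_LEN:LFH_LEN + name_len]      # may be cut short by the excerpt
    return {
        "version_needed": "%d.%d" % divmod(ver, 10),
        "flags": flags,
        "method": METHODS.get(method, "unknown(%d)" % method),
        "mtime": "%04d-%02d-%02d %02d:%02d:%02d" % (
            1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2),
        "crc32": "%08x" % crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "extra_len": extra_len,
        "name": name.decode("ascii", "replace"),
        "name_truncated": len(name) < name_len,
    }


def fixed_header_chars(b64):
    """Leading base64 characters determined only by the fields before the CRC
    (signature, version, flags, method, timestamp).  They are identical for every
    archive written the same way, so a pattern cut here matches a whole family of
    files, not one sample."""
    return b64[: (CRC_OFFSET * 8) // 6]


def pattern_matches(pattern, text):
    """Apply a pattern entry as a regex (assumption: the filter treats entries as
    Perl-style regular expressions)."""
    return re.search(pattern, text) is not None


def safe_pattern(b64):
    """Escape regex metacharacters; base64 itself uses '+' and '/'."""
    return re.escape(b64)


if __name__ == "__main__":
    for label, b64 in (("janet, 9 chars", JANET_SHORT),
                       ("janet, 76 chars", JANET_PREFIX),
                       ("willdoicu", WILLDOICU_PREFIX)):
        hdr = parse_local_header(decode_prefix(b64))
        print(label + ":", hdr if hdr else "too short to classify")
    print("raw pattern matches its own sample:",
          pattern_matches(WILLDOICU_PREFIX, WILLDOICU_PREFIX))
    print("escaped pattern matches:",
          pattern_matches(safe_pattern(WILLDOICU_PREFIX), WILLDOICU_PREFIX))
    print("file-independent prefix:", fixed_header_chars(WILLDOICU_PREFIX))
```

The 9-character fragment decodes to six bytes and cannot be classified at all, while the 76-character one carries a complete local file header whose member name is cut off by the excerpt; both are reported as such rather than guessed at. The escaped pattern matches only that one sample, because the CRC and sizes of the first member are specific to the document; the part before the CRC is what every archive with the same header shares, which is why a pattern cut at the "+" catches other Office files as well.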