
Mailing List Archive: ClamAV: devel

clamscan --unrar failure

 

 



roal at anet

Apr 18, 2004, 9:06 AM

Post #1 of 7 (1152 views)
clamscan --unrar failure

Hi,

recently, an infected mail has been sent to me, containing the virus
inside a Rar version 2.9 archive.

clamscan 0.70 does work with the shipped test virus signature inside a
Rar 2.9 archive, with the --unrar option set, using UNRAR 3.30
freeware:

[root [at] bab root]# unrar l /usr/share/doc/clamav-0.70/test/rarfail.rar | sed -ne '8p'
test1 50 64 100% 08-08-02 23:58 -rw-r--r-- EB1C995B m3b 2.9

[root [at] bab root]# clamscan --unrar /usr/share/doc/clamav-0.70/test/rarfail.rar
/usr/share/doc/clamav-0.70/test/rarfail.rar: RAR module failure.

UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal


Extracting from /usr/share/doc/clamav-0.70/test/rarfail.rar

Extracting test1 OK
All OK
/tmp/clamav-5e103e1ca9a91a5c/test1: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.70/test/rarfail.rar: Infected Archive FOUND

----------- SCAN SUMMARY -----------
Known viruses: 21129
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.550 sec (0 m 0 s)


The rar'ed virus has the following properties:

[root [at] bab root]# unrar l /home/roal/mail/TRASH/viruses/RAR/info.rar | sed -ne '8p'
further_information.txt .exe 4096 794 19% 25-03-04 00:55 .....A 193FFB6C m5e 2.9

(Note the many spaces within the filename, trying to hide the real
.exe extension)

Extracting it succeeds:

[root [at] bab root]# unrar x -p- -y "/home/roal/mail/TRASH/viruses/RAR/info.rar" "/home/roal/mail/TRASH/viruses/RAR/"

UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal


Extracting from /home/roal/mail/TRASH/viruses/RAR/info.rar

Extracting /home/roal/mail/TRASH/viruses/RAR/further_information.txt .exe OK
All OK


Scanning the directory containing both the rar archive and its extracted
.exe virus detects the extracted virus, but the scan fails on the rar
(when using the --unrar option):

[root [at] bab root]# clamscan --stdout --unrar "/home/roal/mail/TRASH/viruses/RAR"
/home/roal/mail/TRASH/viruses/RAR/info.rar: RAR module failure.

UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal

Cannot open /home/roal/mail/TRASH/viruses/RAR/info.rar
No files to extract
(raw) /home/roal/mail/TRASH/viruses/RAR/info.rar: OK
/home/roal/mail/TRASH/viruses/RAR/further_information.txt .exe: Trojan.Downloader.Small.GY FOUND

----------- SCAN SUMMARY -----------
Known viruses: 21129
Scanned directories: 2
Scanned files: 2
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.673 sec (0 m 0 s)

Any suggestions to fix that?

rob.
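
The output above shows two things a mail gateway should not treat as clean: an archive whose unpacker failed and that only got a `(raw) ... OK` verdict, and a member name padded with whitespace in front of an executable extension. The following is an added example, not part of the original post and not ClamAV code: the function names, the extension list and the three-space threshold are assumptions, and the sample output is constructed from lines in this thread with the filename padding written out as several spaces.

```python
import re

# Constructed sample, modelled on the clamscan output quoted in this thread.
SAMPLE = """\
/home/roal/mail/TRASH/viruses/RAR/info.rar: RAR module failure.
Cannot open /home/roal/mail/TRASH/viruses/RAR/info.rar
No files to extract
(raw) /home/roal/mail/TRASH/viruses/RAR/info.rar: OK
/home/roal/mail/TRASH/viruses/RAR/further_information.txt        .exe: Trojan.Downloader.Small.GY FOUND
"""

# Assumed list of extensions worth flagging; extend to match local policy.
EXEC_EXT = ("exe", "scr", "pif", "com", "bat", "cmd")
# A run of 3+ whitespace characters directly before an executable extension.
PADDED = re.compile(r"\s{3,}\.(%s)$" % "|".join(EXEC_EXT), re.IGNORECASE)
FAILURE = re.compile(r"^(?P<path>.+): (?P<module>\w+) module failure\.$")
VERDICT = re.compile(r"^(?:\(raw\) )?(?P<path>.+): (?P<result>OK|.+ FOUND)$")

def padded_extension(name):
    """Return the hidden extension if whitespace padding precedes it, else None."""
    m = PADDED.search(name)
    return m.group(1).lower() if m else None

def triage(output):
    """Map each path to 'infected', 'unscanned' (unpacker failed) or 'clean'."""
    failed, status = set(), {}
    for line in output.splitlines():
        m = FAILURE.match(line)
        if m:
            failed.add(m.group("path"))
            continue
        m = VERDICT.match(line)
        if not m:
            continue  # unrar banner and error text carry no verdict
        path, result = m.group("path"), m.group("result")
        if result.endswith("FOUND"):
            status[path] = "infected"
        elif path in failed:
            # Only the raw bytes were scanned; the contents were never inspected.
            status.setdefault(path, "unscanned")
        else:
            status.setdefault(path, "clean")
    for path in failed:
        status.setdefault(path, "unscanned")
    return status
```

A caller would quarantine or defer anything reported as `unscanned` rather than delivering it on the strength of the raw `OK`.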


dmuell at gmx

Apr 18, 2004, 11:14 AM

Post #2 of 7 (1136 views)
Re: clamscan --unrar failure [In reply to]

On Sunday 18 April 2004 18:05, Robert Allerstorfer wrote:

> Any suggestions to fix that?

There is no possible fix, since the only publicly available source code for
unpacking RAR archives can only handle v2 archives. You found a v3 archive.

Use the --unrar option instead.

Dirk


roal at anet

Apr 18, 2004, 12:07 PM

Post #3 of 7 (1133 views)
Re: clamscan --unrar failure [In reply to]

On Sun, 18 Apr 2004, 20:13 GMT+02 Dirk Mueller wrote:

> There is no possible fix, since the only publicly available source code for
> unpacking RAR archives can only handle v2 archives. You found a v3 archive.

> Use the --unrar option instead.

As I explained, and as the title of this posting says, I *did* use the --unrar
option. Here it is once again, what I executed:

[root [at] bab root]# clamscan --unrar "/home/roal/mail/TRASH/viruses/RAR"
/home/roal/mail/TRASH/viruses/RAR/info.rar: RAR module failure.

UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal

Cannot open /home/roal/mail/TRASH/viruses/RAR/info.rar
No files to extract
(raw) /home/roal/mail/TRASH/viruses/RAR/info.rar: OK
/home/roal/mail/TRASH/viruses/RAR/further_information.txt .exe: Trojan.Downloader.Small.GY FOUND

----------- SCAN SUMMARY -----------
Known viruses: 21129
Scanned directories: 2
Scanned files: 2
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.536 sec (0 m 0 s)

As you can see, the error occurs when unrar is called:

Cannot open /home/roal/mail/TRASH/viruses/RAR/info.rar
No files to extract

The rar archive in question is rar version 2.9.

Also, I am wondering about your statement that the only publicly available
source code for unpacking RAR archives can only handle v2 archives. Download
the source code of the GPL program 7-Zip, available at

http://prdownloads.sourceforge.net/sevenzip/7z313.tar.bz2?download

Here are the sections of its History.txt regarding rar support of
versions other than v2:

Version 2.30 Beta 26 2003-01-12
- Supporting Rar 1.50 archives.

Version 2.30 Beta 25 2003-01-02
- Supporting encrypted Rar3 archives.

Version 2.30 Beta 19 2002-04-11
- Supporting RAR 3.0 archives.

Version 2.20 2000-11-20
- Decryption support (Rar and Zip).

Version 2.10 2000-05-16
- Decompression RAR.

rob.


dmuell at gmx

Apr 18, 2004, 12:57 PM

Post #4 of 7 (1129 views)
Re: clamscan --unrar failure [In reply to]

> As I explained, and as the title of this posting says, I *did* use the --unrar
> option. Here it is once again, what I executed:

Oh, I'm sorry. Forget my posting.


tk at lodz

Apr 18, 2004, 5:22 PM

Post #5 of 7 (1135 views)
Re: clamscan --unrar failure [In reply to]

On Sun, 18 Apr 2004 18:05:46 +0200
Robert Allerstorfer <roal [at] anet> wrote:

> Any suggestions to fix that?

Please send me that archive.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Apr 19 01:41:53 CEST 2004


tk at lodz

Apr 27, 2004, 5:59 AM

Post #6 of 7 (1119 views)
Re: clamscan --unrar failure [In reply to]

On Sun, 18 Apr 2004 18:05:46 +0200
Robert Allerstorfer <roal [at] anet> wrote:

> Hi,
>
> recently, an infected mail has been sent to me, containing the virus
> inside a Rar version 2.9 archive.
>
> clamscan 0.70 does work with the shipped test virus signature inside a
> Rar 2.9 archive, with the --unrar option set, using UNRAR 3.30
> freeware:
>
> [root [at] bab root]# unrar l /usr/share/doc/clamav-0.70/test/rarfail.rar | sed -ne '8p'
> test1 50 64 100% 08-08-02 23:58 -rw-r--r-- EB1C995B m3b 2.9
>
> [root [at] bab root]# clamscan --unrar /usr/share/doc/clamav-0.70/test/rarfail.rar
> /usr/share/doc/clamav-0.70/test/rarfail.rar: RAR module failure.
>
> UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal
>
>
> Extracting from /usr/share/doc/clamav-0.70/test/rarfail.rar
>
> Extracting test1 OK
> All OK
> /tmp/clamav-5e103e1ca9a91a5c/test1: ClamAV-Test-Signature FOUND
> /usr/share/doc/clamav-0.70/test/rarfail.rar: Infected Archive FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 21129
> Scanned directories: 1
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 0.550 sec (0 m 0 s)
>
>
> The rar'ed virus has the following properties:
>
> [root [at] bab root]# unrar l /home/roal/mail/TRASH/viruses/RAR/info.rar | sed -ne '8p'
> further_information.txt .exe 4096 794 19% 25-03-04 00:55 .....A 193FFB6C m5e 2.9
>
> (Note the many spaces within the filename, trying to hide the real
> .exe extension)
>
> Extracting it succeeds:
>
> [root [at] bab root]# unrar x -p- -y "/home/roal/mail/TRASH/viruses/RAR/info.rar" "/home/roal/mail/TRASH/viruses/RAR/"
>
> UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal
>
>
> Extracting from /home/roal/mail/TRASH/viruses/RAR/info.rar
>
> Extracting /home/roal/mail/TRASH/viruses/RAR/further_information.txt .exe OK
> All OK
>
>
> Scanning the directory containing both the rar archive and its extracted
> .exe virus detects the extracted virus, but the scan fails on the rar
> (when using the --unrar option):
>
> [root [at] bab root]# clamscan --stdout --unrar "/home/roal/mail/TRASH/viruses/RAR"
> /home/roal/mail/TRASH/viruses/RAR/info.rar: RAR module failure.
>
> UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal
>
> Cannot open /home/roal/mail/TRASH/viruses/RAR/info.rar
> No files to extract
> (raw) /home/roal/mail/TRASH/viruses/RAR/info.rar: OK
> /home/roal/mail/TRASH/viruses/RAR/further_information.txt .exe: Trojan.Downloader.Small.GY FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 21129
> Scanned directories: 2
> Scanned files: 2
> Infected files: 1
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 0.673 sec (0 m 0 s)
>
> Any suggestions to fix that?

Fixed in CVS.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Tue Apr 27 13:43:56 CEST 2004


roal at anet

Apr 28, 2004, 8:02 AM

Post #7 of 7 (1133 views)
Re: clamscan --unrar failure [In reply to]

On Tue, 27 Apr 2004, 13:44 GMT+02 Tomasz Kojm wrote:

> Fixed in CVS.

Thanks!

rob.
