Latest rash of spam

The following should go into mime_header_checks.regexp assuming you’re running Postfix. Which you should be.

/filename="?body\.zip"/ DISCARD Virus spam discarded (W32.Novarg.A@mm)

No point REJECTing it, since you’d just be sending it back to an already-infected victim.

=========================
*update*

OK, it turns out that the filename varies. For the moment, I’m dropping everything with a .zip attachment. I’ve gotten a HUGE surge in inbound email in the last 2 or 3 hours, MOST of it consisting of this virus message, and almost all of it is coming from two addresses: 63.164.145.33 and 63.164.145.161. I don’t know who this is, but they are making dozens of connections per second to deliver mail. Or at least, they were, until I told the firewall about them.

I hope they stop soon.
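A way to dry-run rules like the one above against sample MIME headers before loading them into Postfix. This is an added example, not code from the original post. The second rule is an assumed form of "drop everything with a .zip attachment", the header lines are constructed, and the matcher is a simplified Python model of a regexp table (first match wins, case-insensitive by default, folded lines joined with a space).

```python
import re

# Rule 1 is the rule from the post, typed with plain ASCII quotes.
# Rule 2 is an assumed generalisation for any .zip filename.
RULES_TEXT = r'''
/filename="?body\.zip"/ DISCARD Virus spam discarded (W32.Novarg.A@mm)
/filename="?[^";]*\.zip("|;|$)/ DISCARD zip attachment discarded
'''
# The same rule pasted with typographic quotes, as blog software often renders it.
SMART_QUOTED = '/filename=\u201d?body.zip\u201d/ DISCARD never fires'

RULE_RE = re.compile(r'^/(.*)/([a-z]*)\s+(\S+)\s*(.*)$')

def load_rules(text):
    """Parse '/pattern/flags ACTION text' lines into (regex, action, text)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'bad rule: {line!r}')
        pattern, flags, action, note = m.groups()
        # Matching is case-insensitive unless the 'i' flag toggles it off.
        reflags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, reflags), action, note))
    return rules

def unfold(header):
    """Join continuation lines so a folded header is checked as one unit."""
    return re.sub(r'\r?\n[ \t]+', ' ', header).strip()

def check(header, rules):
    """Return (action, text) for the first matching rule, else None."""
    logical = unfold(header)
    for rx, action, note in rules:
        if rx.search(logical):
            return action, note
    return None

RULES = load_rules(RULES_TEXT)
```

On a host with Postfix installed, `postmap -q` can query the real table file with the same header strings.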