When there are waves of viruses as the one you are being, most of the times some of the infected emails will be stopped by SpamFilter even before they are scanned by the antivirus. This happens as other filters will detect the malicious emails based on the IP and/or email address of the sender.

In this case, you can easily use SpamFilter's quarantine to search for these emails. You are looking for emails in the quarantine that have a .zip attachment. To do so, you can use this query against the database:

SELECT     TOP (100) tblMsgs.MsgID,  tblQuarantine.MsgDate, tblRejectCodes.RejectID, tblRejectCodes.RejectDesc, tblQuarantine.RejectDetails, 

                      tblQuarantine.QuarID, tblQuarantine.EmailFrom, tblQuarantine.Subject, tblMsgs.Msg

FROM         tblRejectCodes INNER JOIN 

                      tblQuarantine ON tblRejectCodes.RejectID = tblQuarantine.RejectID INNER JOIN 

                      tblContentType ON tblQuarantine.MsgID = tblContentType.MsgID INNER JOIN 

                      tblMsgs ON tblContentType.MsgID = tblMsgs.MsgID 

WHERE (DATEDIFF(hour, tblQuarantine.MsgDate, GETDATE()) < 24) AND  

( (tblMsgs.Msg LIKE  N'%application/zip%') OR (tblMsgs.Msg LIKE N'%application/x-zip-compressed%')  ) 

ORDER BY tblMsgs.MsgID DESC 

It will look for all emails blocked within the past 24 hours and which have either application/zip or application/x-zip-compressed in their body (indicating a compressed attachment).

It may be a bit hard to get the actual message itself from the result set, so I've prepared a set of .asp pages you can use to run this query and click on a link to then download the .eml attachment:

http://www.logsat.com/SpamFilter/pub/SpamFilterBlockedZIPs.zip

To adapt to your environment simply change the path to the correct .UDL file defining your database connection in the file db_connect.asp.