Klez Virus get Passed !

Miroslav Spousta qiq at ATREY.KARLIN.MFF.CUNI.CZ
Tue Apr 30 15:45:51 IST 2002


> >        All the exe , pif , scr , com has been stopped by the MailScanner
> > without any problem , but today the virus "Klez" virus pass the checking of
> > MailScanner , I found this is the raw data of the message :
> >
> > Content-Type: audio/x-midi ;
> >         name=Product Catalogue(1).scr
> > Content-Transfer-Encoding: base64
> > Content-ID: <Wi1Ny441h56355a>
> >

I think the problem is with the incorrect MIME header the virus send.

MIME-Version: 1.0
Content-Type: multipart/alternative;
X-MailScanner: clean

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<iframe src=3Dcid:XOCq14H454Iflu height=3D0 width=3D0>

Content-Type: audio/x-midi;
        name=Sun Sep.pif
Content-Transfer-Encoding: base64
Content-ID: <XOCq14H454Iflu>


In both cases the name field contains spaces without quotes. Some debugging output
from MailScanner:

Message g3UCvic28129 looks like this
Content-type: multipart/alternative
Effective-type: multipart/alternative
Body-file: NONE
Subject: Questionnaire
Num-parts: 3
    Content-type: text/html
    Effective-type: text/html
    Body-file: /var/spool/MailScanner/incoming/g3UCvic28129/msg-28119-1.html
    Content-type: audio/x-midi
    Effective-type: audio/x-midi
    Body-file: /var/spool/MailScanner/incoming/g3UCvic28129/Sun
    Recommended-filename: Sun
    Content-type: text/plain
    Effective-type: text/plain
    Body-file: /var/spool/MailScanner/incoming/g3UCvic28129/msg-28119-2.txt

So the problem seems to be in MIME::Tools Perl module. The only solution I
was able to find is to disable ignore_errors in the Parser module:

--- explode.pl.orig  Mon Mar 25 13:31:29 2002
+++ explode.pl  Tue Apr 30 16:03:18 2002
@@ -81,6 +81,7 @@

     $parser->extract_uuencode(1); ### default is false, can read uuencode
+    $parser->ignore_errors(0);
     unless (open(PIPE, MTA::BuildMessageCmd($header,"$QDir/$dfile")." |")) {
       Log::WarnLog("Cannot build message from $header and $QDir/$dfile, %s", $!);

This way the MailScanner will not ignore incorrect MIME headers and produce this
message instead:

mailscanner[29087]: Scanning 1 messages, 8742 bytes
mailscanner[29087]: Cannot parse /var/spool/MailScanner/incoming/g3UEYbc29537.header and /var/spool/mqueue.in/dfg3UEYbc29537,       unexpected end of header
mailscanner[29087]: Scanned 1 messages, 8742 bytes in 0 seconds
mailscanner[29087]: Saved entire message to /var/spool/MailScanner/quarantine/20020430/g3UEYbc29537
mailscanner[29087]: Deleting unparsable message g3UEYbc29537 from queue



More information about the MailScanner mailing list