Klez Virus get Passed !

Miroslav Spousta qiq at ATREY.KARLIN.MFF.CUNI.CZ
Tue Apr 30 15:45:51 IST 2002


Hi!

> >        All the exe, pif, scr, com attachments have been stopped by the MailScanner
> > without any problem, but today the "Klez" virus passed the checking of
> > MailScanner. I found this is the raw data of the message:
> >
> > Content-Type: audio/x-midi ;
> >         name=Product Catalogue(1).scr
> > Content-Transfer-Encoding: base64
> > Content-ID: <Wi1Ny441h56355a>
> >

I think the problem is with the incorrect MIME header the virus sends.

MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=T0064s6472n43NPxz1CBE991Y514511
X-MailScanner: clean

--T0064s6472n43NPxz1CBE991Y514511
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:XOCq14H454Iflu height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--T0064s6472n43NPxz1CBE991Y514511
Content-Type: audio/x-midi;
        name=Sun Sep.pif
Content-Transfer-Encoding: base64
Content-ID: <XOCq14H454Iflu>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn


In both cases the name field contains spaces without quotes. Some debugging output
from MailScanner:

Message g3UCvic28129 looks like this
---------------------------
Content-type: multipart/alternative
Effective-type: multipart/alternative
Body-file: NONE
Subject: Questionnaire
Num-parts: 3
--
    Content-type: text/html
    Effective-type: text/html
    Body-file: /var/spool/MailScanner/incoming/g3UCvic28129/msg-28119-1.html
    --
    Content-type: audio/x-midi
    Effective-type: audio/x-midi
    Body-file: /var/spool/MailScanner/incoming/g3UCvic28129/Sun
    Recommended-filename: Sun
    --
    Content-type: text/plain
    Effective-type: text/plain
    Body-file: /var/spool/MailScanner/incoming/g3UCvic28129/msg-28119-2.txt
    --

So the problem seems to be in the MIME::Tools Perl module. The only solution I
was able to find is to disable ignore_errors in the Parser module:

--- explode.pl.orig  Mon Mar 25 13:31:29 2002
+++ explode.pl  Tue Apr 30 16:03:18 2002
@@ -81,6 +81,7 @@
     #$parser->output_dir($path);

     $parser->extract_uuencode(1); ### default is false, can read uuencode
+    $parser->ignore_errors(0);
     $parser->output_to_core('NONE');
     unless (open(PIPE, MTA::BuildMessageCmd($header,"$QDir/$dfile")." |")) {
       Log::WarnLog("Cannot build message from $header and $QDir/$dfile, %s", $!);
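Review bot: `$parser->ignore_errors(0);` turns every MIME syntax error into a hard parse failure, and the log you show ends with "Saved entire message to .../quarantine/..." followed by "Deleting unparsable message g3UEYbc29537 from queue", so legitimate mail whose only fault is an unquoted `name=` value with spaces will now be pulled from the queue as well as the worm; consider handling the unparsable case separately from detected viruses (for example notifying the postmaster or recipient), or falling back to the lenient filename (everything up to the next `;`) for the extension check instead of failing the whole parse. A one-line comment beside the new call explaining why errors are no longer ignored would also help whoever next reads explode.pl.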


This way MailScanner will not ignore incorrect MIME headers and will produce this
message instead:

mailscanner[29087]: Scanning 1 messages, 8742 bytes
mailscanner[29087]: Cannot parse /var/spool/MailScanner/incoming/g3UEYbc29537.header and /var/spool/mqueue.in/dfg3UEYbc29537,       unexpected end of header
mailscanner[29087]: Scanned 1 messages, 8742 bytes in 0 seconds
mailscanner[29087]: Saved entire message to /var/spool/MailScanner/quarantine/20020430/g3UEYbc29537
mailscanner[29087]: Deleting unparsable message g3UEYbc29537 from queue

Cheers,

Mirek
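As an added illustration of the failure described in this thread (this is example code, not from Mirek's post or from MailScanner), the Python below parses the `name=` parameter of a Content-Type header both the strict RFC 2045 way, where an unquoted value is a single token and so ends at the first space, and a lenient way that reads to the next `;`. The blocked-extension list and the sample header are constructed from the extensions and headers quoted in the thread.

```python
import os
import re

# Extensions the thread says MailScanner already blocks by filename.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com"}

# RFC 2045 "token": no whitespace, controls or tspecials.
_TOKEN = r'[^\s()<>@,;:\\"/\[\]?=]+'
_QUOTED = r'"(?P<quoted>[^"]*)"'
# Strict: an unquoted value is a single token, so it ends at the first space.
_STRICT = re.compile(r';\s*(?P<attr>%s)=(?:%s|(?P<token>%s))' % (_TOKEN, _QUOTED, _TOKEN))
# Lenient: an unquoted value runs to the next ';' or the end of the header.
_LENIENT = re.compile(r';\s*(?P<attr>%s)=(?:%s|(?P<bare>[^;]*))' % (_TOKEN, _QUOTED))


def content_type_params(header_value, strict):
    """Parse the parameters of a Content-Type value into a dict."""
    # Unfold header continuation lines (newline followed by whitespace).
    value = re.sub(r'\r?\n[ \t]+', ' ', header_value.strip())
    params = {}
    for m in (_STRICT if strict else _LENIENT).finditer(value):
        raw = m.group('quoted')
        if raw is None:
            raw = m.group('token' if strict else 'bare')
        params[m.group('attr').lower()] = raw.strip()
    return params


def check_part(header_value):
    """Compare the strict and lenient readings of the name= parameter.

    'malformed' means the two readings disagree (an unquoted value containing
    whitespace), which is exactly the case where a strict parser truncates
    'Sun Sep.pif' to 'Sun' and the extension check never sees '.pif'.
    'blocked' is True if either reading carries a blocked extension.
    """
    strict_name = content_type_params(header_value, strict=True).get('name', '')
    lenient_name = content_type_params(header_value, strict=False).get('name', '')
    return {
        'strict_name': strict_name,
        'lenient_name': lenient_name,
        'malformed': strict_name != lenient_name,
        'blocked': any(os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS
                       for n in (strict_name, lenient_name)),
    }


if __name__ == '__main__':
    # Constructed sample, modelled on the header quoted in the thread.
    print(check_part("audio/x-midi;\n        name=Sun Sep.pif"))
```

A filter that checks the lenient reading as well as the strict one, or that treats `malformed` as a reason to hold the message, catches this part without having to reject every message with a sloppy header.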
