Virus Klez.H and McAfee

Jason Summers jason at MED-WEB.COM
Wed May 8 21:02:16 IST 2002


Martin Sapsed wrote:
>
> Freerk Kalsbeek wrote:
> > I've seen a similar problem here.
> > Klez is also detected in my setup with Sophos. I receive an HTML formatted
> > email indicating that I can read details in the attachment virusalert.txt,
> > but the attachment is not there.
>
> I had one this morning which was disinfected but all I see (in Netscape
> Messenger) is a base64 encoded attachment. My guess is that the original
> message uses slightly iffy MIME tags

Correct. (the problem is a double boundary line)

> and Julian's insertion of the warning doesn't quite work.

Correct. (it doesn't handle multipart/alternative messages very well)

> I've still got what was left if anyone who understands
> MIME or MailScanner better than I wants to look at it?


The following recent threads are also about this exact same problem
(actually two separate, semi-related problems):

  * Malformed attachments from MailScanner?
  * Klez Virus get Passed !
  * "Inline Text Warning" and "Stored Virus Message Report"

I think the only workaround to be posted so far is Miroslav Spousta's
suggestion of adding a "$parser->ignore_errors(0)" instruction to
explode.pl. This, apparently, will cause MailScanner to completely
discard messages containing Klez.

That change seems like a good thing to do in principle, but shouldn't
the recipient at least receive a warning message when an unparseable
message is discarded?

(And in this case, it seems to me that MIME-tools ought to be able to
parse the Klez messages. As of at least version 5.503, it can't, and
even its fallback behavior seems rather poor.)

And I'd still like to know if there's an easy way to change
"multipart/alternative" messages to "multipart/mixed" if MailScanner
adds a warning to them.

--
Jason Summers
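
The question above, how to keep an added warning visible on a "multipart/alternative" message, comes down to MIME structure: a client displays only one part of a multipart/alternative container, so a warning attached there is treated as one more alternative. The sketch below is an added example using Python's standard email package, not MailScanner or MIME-tools code; the function name add_warning and the sample message are constructed for illustration.

```python
import email
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample: a well-formed plain+HTML multipart/alternative message.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alt-1"

--alt-1
Content-Type: text/plain; charset="us-ascii"

plain body
--alt-1
Content-Type: text/html; charset="us-ascii"

<p>html body</p>
--alt-1--
"""

# Headers that describe the body and must travel with it into the inner part.
BODY_HEADERS = ("content-type", "content-transfer-encoding", "content-disposition")


def add_warning(raw, warning_text, filename="virusalert.txt"):
    """Return the message with the warning attached as a multipart/mixed sibling."""
    msg = email.message_from_string(raw)
    warning = MIMEText(warning_text, "plain", "us-ascii")
    warning.add_header("Content-Disposition", "attachment", filename=filename)
    if msg.get_content_type() == "multipart/mixed":
        msg.attach(warning)  # already a container of independent parts
        return msg
    # Anything else (multipart/alternative, a single text part, ...) is moved
    # one level down so the warning is not treated as one more alternative.
    inner = Message()
    outer = MIMEMultipart("mixed")  # sets Content-Type and MIME-Version itself
    for name, value in msg.items():
        if name.lower() in BODY_HEADERS:
            inner[name] = value
        elif name.lower() != "mime-version":
            outer[name] = value
    inner.set_payload(msg.get_payload())
    outer.attach(inner)
    outer.attach(warning)
    return outer
```

The original alternatives stay intact inside the new container, so the client still chooses between the plain and HTML bodies while the warning shows up as a separate attachment.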


