Virus Klez.H and McAfee

Julian Field jkf at ecs.soton.ac.uk
Thu May 9 12:06:54 IST 2002


At 10:22 09/05/2002, you wrote:
>At 21:02 08/05/2002, you wrote:
>>Martin Sapsed wrote:
>> >
>> > Freerk Kalsbeek wrote:
>> > > I've seen a similar problem here.
>> > > Klez is also detected in my setup with Sophos. I receive an HTML formatted
>> > > email indicating that I can read details in the attachment virusalert.txt,
>> > > but the attachment is not there.
>> >
>> > I had one this morning which was disinfected but all I see (in Netscape
>> > Messenger) is a base64 encoded attachment. My guess is that the original
>> > message uses slightly iffy MIME tags
>>
>>Correct. (the problem is a double boundary line)
>>
>> > and Julian's insertion of the warning doesn't quite work.
>>
>>Correct. (it doesn't handle multipart/alternative messages very well)

Try this:
-------------------------------------------------------------
*** /usr/local/mailscanner/mailscanner/bin/explode.pl   Fri Feb  1 10:22:44
2002
--- explode.pl  Thu May  9 12:07:58 2002
***************
*** 301,310 ****
--- 301,315 ----
                              Data => $Warning,
                              Encoding => 'quoted-printable',
                              Charset => 'us-ascii',
                              Top => 0;
     $parent->parts(\@parts);
+
+   # And make the parent a multipart/mixed if it's a multipart/alternative
+   $parent->head->mime_attr("content-type" => "multipart/mixed")
+     if ($parent->is_multipart) &&
+        ($parent->head->mime_attr("content-type") =~
/multipart\/alternative/i);
   }

   # Disinfect all the infected entities
   sub Disinfect {
     my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent,
$Entity2File, $IsTNEF) = @_;
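
Review bot: The added content-type rewrite after `$parent->parts(\@parts)` relabels the existing multipart/alternative container as multipart/mixed instead of nesting it, so the original text/plain and text/html renderings become plain siblings of the warning part, and a client will show all of them rather than picking one. Consider leaving the alternative entity intact and wrapping it in a new multipart/mixed parent that holds the original entity plus the warning. The match `=~ /multipart\/alternative/i` is also unanchored; anchoring it with `^` and `$` would keep it from matching a longer type string. The new comment says what is done but not why; a line noting that a client renders only one part of a multipart/alternative, which is how the warning gets hidden, would help the next reader.
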
-------------------------------------------------------------
If you don't understand what to do with the text above, you are probably
best off not trying it!
;-)

>>The following recent threads are also about this exact same problem
>>(actually two separate, semi-related problems):
>>
>>   * Malformed attachments from MailScanner?
>>   * Klez Virus get Passed !
>>   * "Inline Text Warning" and "Stored Virus Message Report"
>>
>>And I'd still like to know if there's an easy way to change
>>"multipart/alternative" messages to "multipart/mixed" if MailScanner
>>adds a warning to them.
>
>That sounds like a good idea. I'll work on that.

Done.
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ


