Virus Klez.H and McAfee

Evert Jan van Ramselaar evertjan at VANRAMSELAAR.NL
Thu May 9 12:50:40 IST 2002


Hi Julian,

I just applied this patch.
For "non Klez.H" messages it does not change behaviour for both clean and
infected messages, which is good.

Now I'm just waiting for behaviour with the Klez.H virus. Lately I get one
or two a day, so it's just a matter of time...

Thanks for coming up with patches so soon!

--
  Evert Jan van Ramselaar  <evertjan at vanramselaar.nl>
  Van Ramselaar Info Tech  <http://www.vanramselaar.nl>



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Thursday, May 09, 2002 1:07 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Virus Klez.H and McAfee
>
>
> At 10:22 09/05/2002, you wrote:
> >At 21:02 08/05/2002, you wrote:
> >>Martin Sapsed wrote:
> >> >
> >> > Freerk Kalsbeek wrote:
> >> > > I've seen a similar problem here.
> >> > > Klez is also detected in my setup with Sophos. I receive an HTML
> >>formatted
> >> > > email indicating that I can read details in the attachment
> >>virusalert.txt,
> >> > > but the attachment is not there.
> >> >
> >> > I had one this morning which was disinfected but all I see
> (in Netscape
> >> > Messenger) is a base64 encoded attachment. My guess is that
> the original
> >> > message uses slightly iffy MIME tags
> >>
> >>Correct. (the problem is a double boundary line)
> >>
> >> > and Julian's insertion of the warning doesn't quite work.
> >>
> >>Correct. (it doesn't handle multipart/alternative messages very well)
>
> Try this:
> -------------------------------------------------------------
> *** /usr/local/mailscanner/mailscanner/bin/explode.pl   Fri Feb
> 1 10:22:44
> 2002
> --- explode.pl  Thu May  9 12:07:58 2002
> ***************
> *** 301,310 ****
> --- 301,315 ----
>                               Data => $Warning,
>                               Encoding => 'quoted-printable',
>                               Charset => 'us-ascii',
>                               Top => 0;
>      $parent->parts(\@parts);
> +
> +   # And make the parent a multipart/mixed if it's a
> multipart/alternative
> +   $parent->head->mime_attr("content-type" => "multipart/mixed")
> +     if ($parent->is_multipart) &&
> +        ($parent->head->mime_attr("content-type") =~
> /multipart\/alternative/i);
>    }
>
>    # Disinfect all the infected entities
>    sub Disinfect {
>      my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent,
> $Entity2File, $IsTNEF) = @_;
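Review bot: the three `+` lines after `$parent->parts(\@parts);` have been re-wrapped by the mail client (the comment is split before `multipart/alternative`, and `/multipart\/alternative/i);` has been pushed onto an unprefixed line of its own), so this context diff will not apply with `patch` until those continuation fragments are rejoined onto their `+` lines. On the logic itself: the check only inspects the immediate `$parent` of the inserted warning part, so a warning attached under a nested container (a `multipart/related` sitting inside a `multipart/alternative`, say) would leave the outer `multipart/alternative` untouched and the warning still hidden; comparing the bare type returned by `mime_attr("content-type")` with `eq` after lowercasing would also be tighter than a regex that matches the string anywhere in the value.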
> -------------------------------------------------------------
> If you don't understand what to do with the text above, you are probably
> best off not trying it!
> ;-)
>
> >>The following recent threads are also about this exact same problem
> >>(actually two separate, semi-related problems):
> >>
> >>   * Malformed attachments from MailScanner?
> >>   * Klez Virus get Passed !
> >>   * "Inline Text Warning" and "Stored Virus Message Report"
> >>
> >>And I'd still like to know if there's an easy way to change
> >>"multipart/alternative" messages to "multipart/mixed" if MailScanner
> >>adds a warning to them.
> >
> >That sounds like a good idea. I'll work on that.
>
> Done.
> --
> Julian Field                Teaching Systems Manager
> jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ
>
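The thread's point that a warning added to a multipart/alternative message goes unseen unless the container is retyped to multipart/mixed, shown as an added Python example using the standard `email` package (this is not code from the thread or from MailScanner; the sample message, the warning text and the simplified client model are constructed here):

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

WARNING_TEXT = "MailScanner: a virus was removed from this message."  # constructed


def build_alternative_message() -> EmailMessage:
    """Constructed sample: an ordinary text + HTML multipart/alternative mail."""
    msg = EmailMessage(policy=default)
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative("<html><body><p>html body</p></body></html>", subtype="html")
    return msg


def attach_warning(msg: EmailMessage, retype: bool) -> EmailMessage:
    """Append a text/plain warning part to the top-level container.
    With retype=True the container's main type is changed from
    multipart/alternative to multipart/mixed while its parameters
    (the boundary) are kept, which is what the quoted patch does via
    MIME::Head->mime_attr."""
    warning = EmailMessage(policy=default)
    warning.set_content(WARNING_TEXT)
    msg.attach(warning)
    if retype and msg.get_content_type() == "multipart/alternative":
        msg.set_type("multipart/mixed")  # preserves boundary and other params
    return msg


def container_type(raw: str) -> str:
    return message_from_string(raw, policy=default).get_content_type()


def visible_parts(raw: str) -> list[str]:
    """Minimal model of a mail client: for multipart/alternative it renders
    only the last (most preferred, per RFC 2046) alternative; for
    multipart/mixed it renders every part in turn."""
    msg = message_from_string(raw, policy=default)
    parts = list(msg.iter_parts())
    if msg.get_content_type() == "multipart/alternative":
        parts = parts[-1:]
    return [p.get_content().strip() for p in parts]


if __name__ == "__main__":
    for retype in (False, True):
        raw = attach_warning(build_alternative_message(), retype).as_string()
        print(container_type(raw), visible_parts(raw))
```

Without the retype the appended warning becomes the preferred alternative and the real body disappears from view; with it, body and warning are both displayed.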


