Virus Klez.H and McAfee

Freerk Kalsbeek freerk at MINDSWITCH.NET
Mon May 13 09:46:58 IST 2002


Hi,

I have applied the patch, but now Klez infected mails have two attachments:
1. Viruswarning
2. Plain text file with the JPG data in it.

Freerk

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of
> Julian Field
> Sent: Thursday 9 May 2002 13:07
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Virus Klez.H and McAfee
>
>
> At 10:22 09/05/2002, you wrote:
> >At 21:02 08/05/2002, you wrote:
> >>Martin Sapsed wrote:
> >> >
> >> > Freerk Kalsbeek wrote:
> >> > > I've seen a similar problem here.
> >> > > Klez is also detected in my setup with Sophos. I receive an HTML
> >>formatted
> >> > > email indicating that I can read details in the attachment
> >>virusalert.txt,
> >> > > but the attachment is not there.
> >> >
> >> > I had one this morning which was disinfected but all I see
> (in Netscape
> >> > Messenger) is a base64 encoded attachment. My guess is that
> the original
> >> > message uses slightly iffy MIME tags
> >>
> >>Correct. (the problem is a double boundary line)
> >>
> >> > and Julian's insertion of the warning doesn't quite work.
> >>
> >>Correct. (it doesn't handle multipart/alternative messages very well)
>
> Try this:
> -------------------------------------------------------------
> *** /usr/local/mailscanner/mailscanner/bin/explode.pl   Fri Feb
> 1 10:22:44
> 2002
> --- explode.pl  Thu May  9 12:07:58 2002
> ***************
> *** 301,310 ****
> --- 301,315 ----
>                               Data => $Warning,
>                               Encoding => 'quoted-printable',
>                               Charset => 'us-ascii',
>                               Top => 0;
>      $parent->parts(\@parts);
> +
> +   # And make the parent a multipart/mixed if it's a
> multipart/alternative
> +   $parent->head->mime_attr("content-type" => "multipart/mixed")
> +     if ($parent->is_multipart) &&
> +        ($parent->head->mime_attr("content-type") =~
> /multipart\/alternative/i);
>    }
>
>    # Disinfect all the infected entities
>    sub Disinfect {
>      my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent,
> $Entity2File, $IsTNEF) = @_;
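Review bot: the retype at the end of the hunk, `$parent->head->mime_attr("content-type" => "multipart/mixed")`, relabels the existing container in place, so the parts that used to be alternatives of one another become independent siblings and a client will render or list every one of them. Wrapping the original multipart/alternative entity as the first part of a new multipart/mixed, with the warning as its sibling, would keep the alternative semantics intact. The `=~ /multipart\/alternative/i` test is also unanchored; an exact, case-insensitive comparison against the type would be tighter.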
> -------------------------------------------------------------
> If you don't understand what to do with the text above, you are probably
> best off not trying it!
> ;-)
>
> >>The following recent threads are also about this exact same problem
> >>(actually two separate, semi-related problems):
> >>
> >>   * Malformed attachments from MailScanner?
> >>   * Klez Virus get Passed !
> >>   * "Inline Text Warning" and "Stored Virus Message Report"
> >>
> >>And I'd still like to know if there's an easy way to change
> >>"multipart/alternative" messages to "multipart/mixed" if MailScanner
> >>adds a warning to them.
> >
> >That sounds like a good idea. I'll work on that.
>
> Done.
> --
> Julian Field                Teaching Systems Manager
> jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ
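
The effect discussed in this thread, as an added example that is not part of the original posts and is not MailScanner code: Python's standard `email` package stands in for a mail client to show why a warning part appended to a multipart/alternative container is not listed as an attachment, and why relabelling the container as multipart/mixed makes it appear. The message is constructed, and the `Content-Disposition: attachment` header on the warning part is an assumption; only the filename `virusalert.txt` comes from the thread.

```python
from email import message_from_string, policy

# Constructed sample: an HTML+plain message to which a scanner has appended
# a warning part without changing the container type.
RAW = """\
MIME-Version: 1.0
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain body
--b1
Content-Type: text/html; charset="us-ascii"

<p>HTML body</p>
--b1
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="virusalert.txt"

Warning: an infected attachment was removed from this message.
--b1--
"""


def visible_attachments(msg):
    """Filenames a client would list as attachments of the top-level message."""
    return [part.get_filename() for part in msg.iter_attachments()]


def retype_if_alternative(msg):
    """Same idea as the patch: relabel multipart/alternative as multipart/mixed."""
    if msg.is_multipart() and msg.get_content_type() == "multipart/alternative":
        msg.set_type("multipart/mixed")  # existing boundary parameter is kept
    return msg


def demo():
    msg = message_from_string(RAW, policy=policy.default)
    before = visible_attachments(msg)  # alternatives are never attachments
    retype_if_alternative(msg)
    after = visible_attachments(msg)   # warning is now a sibling attachment
    return before, after, msg.get_content_type()


if __name__ == "__main__":
    print(demo())
```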


