Virus Klez.H and McAfee
Freerk Kalsbeek
freerk at MINDSWITCH.NET
Mon May 13 09:46:58 IST 2002
Hi,
I have applied the patch, but now Klez infected mails have two attachments:
1. Viruswarning
2. Plain text file with the JPG data in it.
Freerk
> -----Original message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On behalf of
> Julian Field
> Sent: Thursday 9 May 2002 13:07
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Virus Klez.H and McAfee
>
>
> At 10:22 09/05/2002, you wrote:
> >At 21:02 08/05/2002, you wrote:
> >>Martin Sapsed wrote:
> >> >
> >> > Freerk Kalsbeek wrote:
> >> > > I've seen a similar problem here.
> >> > > Klez is also detected in my setup with Sophos. I receive an HTML formatted
> >> > > email indicating that I can read details in the attachment virusalert.txt,
> >> > > but the attachment is not there.
> >> >
> >> > I had one this morning which was disinfected but all I see (in Netscape
> >> > Messenger) is a base64 encoded attachment. My guess is that the original
> >> > message uses slightly iffy MIME tags
> >>
> >>Correct. (the problem is a double boundary line)
> >>
> >> > and Julian's insertion of the warning doesn't quite work.
> >>
> >>Correct. (it doesn't handle multipart/alternative messages very well)
>
> Try this:
> -------------------------------------------------------------
> *** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb
> 1 10:22:44
> 2002
> --- explode.pl Thu May 9 12:07:58 2002
> ***************
> *** 301,310 ****
> --- 301,315 ----
> Data => $Warning,
> Encoding => 'quoted-printable',
> Charset => 'us-ascii',
> Top => 0;
> $parent->parts(\@parts);
> +
> + # And make the parent a multipart/mixed if it's a
> multipart/alternative
> + $parent->head->mime_attr("content-type" => "multipart/mixed")
> + if ($parent->is_multipart) &&
> + ($parent->head->mime_attr("content-type") =~
> /multipart\/alternative/i);
> }
>
> # Disinfect all the infected entities
> sub Disinfect {
> my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent,
> $Entity2File, $IsTNEF) = @_;
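Review bot: In the lines added after `$parent->parts(\@parts);`, the type test `=~ /multipart\/alternative/i` is unanchored; writing it as `/^multipart\/alternative$/i` would state the exact match that is intended. The new comment records what is changed but not why, so it is worth adding that the entity built from `$Warning` is an extra part rather than another rendering of the same content, which is the reason the container has to become multipart/mixed. Only `$parent` is retyped here, so a comment saying whether a multipart/alternative further up the tree needs the same treatment would help the next reader.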
> -------------------------------------------------------------
> If you don't understand what to do with the text above, you are probably
> best off not trying it!
> ;-)
>
> >>The following recent threads are also about this exact same problem
> >>(actually two separate, semi-related problems):
> >>
> >> * Malformed attachments from MailScanner?
> >> * Klez Virus get Passed !
> >> * "Inline Text Warning" and "Stored Virus Message Report"
> >>
> >>And I'd still like to know if there's an easy way to change
> >>"multipart/alternative" messages to "multipart/mixed" if MailScanner
> >>adds a warning to them.
> >
> >That sounds like a good idea. I'll work on that.
>
> Done.
> --
> Julian Field Teaching Systems Manager
> jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ