Virus Klez.H and McAfee

Julian Field jkf at ecs.soton.ac.uk
Mon May 13 10:54:01 IST 2002


At 09:46 13/05/2002, you wrote:
>I have applied the patch, but now Klez infected mails have two attachments:
>1. Viruswarning
>2. Plain text file with the JPG data in it.

The JPG data is harmless in this form. The real virus has been replaced
with the VirusWarning.

> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On behalf of
> > Julian Field
> > Sent: Thursday 9 May 2002 13:07
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Virus Klez.H and McAfee
> >
> >
> > At 10:22 09/05/2002, you wrote:
> > >At 21:02 08/05/2002, you wrote:
> > >>Martin Sapsed wrote:
> > >> >
> > >> > Freerk Kalsbeek wrote:
> > >> > > I've seen a similar problem here.
> > >> > > Klez is also detected in my setup with Sophos. I receive an HTML
> > >>formatted
> > >> > > email indicating that I can read details in the attachment
> > >>virusalert.txt,
> > >> > > but the attachment is not there.
> > >> >
> > >> > I had one this morning which was disinfected but all I see
> > (in Netscape
> > >> > Messenger) is a base64 encoded attachment. My guess is that
> > the original
> > >> > message uses slightly iffy MIME tags
> > >>
> > >>Correct. (the problem is a double boundary line)
> > >>
> > >> > and Julian's insertion of the warning doesn't quite work.
> > >>
> > >>Correct. (it doesn't handle multipart/alternative messages very well)
> >
> > Try this:
> > -------------------------------------------------------------
> > *** /usr/local/mailscanner/mailscanner/bin/explode.pl   Fri Feb
> > 1 10:22:44
> > 2002
> > --- explode.pl  Thu May  9 12:07:58 2002
> > ***************
> > *** 301,310 ****
> > --- 301,315 ----
> >                               Data => $Warning,
> >                               Encoding => 'quoted-printable',
> >                               Charset => 'us-ascii',
> >                               Top => 0;
> >      $parent->parts(\@parts);
> > +
> > +   # And make the parent a multipart/mixed if it's a
> > multipart/alternative
> > +   $parent->head->mime_attr("content-type" => "multipart/mixed")
> > +     if ($parent->is_multipart) &&
> > +        ($parent->head->mime_attr("content-type") =~
> > /multipart\/alternative/i);
> >    }
> >
> >    # Disinfect all the infected entities
> >    sub Disinfect {
> >      my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent,
> > $Entity2File, $IsTNEF) = @_;
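Review bot: the continuation lines "multipart/alternative" and "/multipart\/alternative/i);" have lost their leading "+" to mail wrapping (the file timestamp in the "***" header is split the same way), so the hunk will not apply with patch as pasted; the two added statements need to be rejoined onto single lines first. Once applied, retyping the container to multipart/mixed means a reader sees the text/plain and text/html alternatives one after the other together with the warning part, instead of a single preferred alternative that could hide the warning; that is the intended trade-off, and it would be worth stating it in the comment above the mime_attr call.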
> > -------------------------------------------------------------
> > If you don't understand what to do with the text above, you are probably
> > best off not trying it!
> > ;-)
> >
> > >>The following recent threads are also about this exact same problem
> > >>(actually two separate, semi-related problems):
> > >>
> > >>   * Malformed attachments from MailScanner?
> > >>   * Klez Virus get Passed !
> > >>   * "Inline Text Warning" and "Stored Virus Message Report"
> > >>
> > >>And I'd still like to know if there's an easy way to change
> > >>"multipart/alternative" messages to "multipart/mixed" if MailScanner
> > >>adds a warning to them.
> > >
> > >That sounds like a good idea. I'll work on that.
> >
> > Done.
> > --
> > Julian Field                Teaching Systems Manager
> > jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                              Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
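An added illustration of the multipart/alternative problem discussed in the thread, written in Python with the standard email package rather than MailScanner's Perl; the sample message, its boundary and the function names are constructed for this example. It shows that a warning part appended to a multipart/alternative container stays hidden behind the preferred alternative, while retyping the container to multipart/mixed (keeping the same boundary) makes every part render.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample: the kind of multipart/alternative mail the thread describes.
SAMPLE_ALTERNATIVE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

plain body
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>html body</body></html>
--b1--
"""


def attach_warning(raw, warning_text, retype=True):
    """Append a text/plain warning part to the top-level container.

    With retype=True a multipart/alternative container is changed to
    multipart/mixed (same boundary), mirroring what the patch does, so the
    warning is displayed alongside the original parts instead of being
    treated as one more alternative."""
    msg = email.message_from_string(raw, policy=policy.default)
    warning = EmailMessage()
    warning.set_content(warning_text, subtype="plain", charset="us-ascii",
                        cte="quoted-printable")
    msg.attach(warning)
    if retype and msg.get_content_type() == "multipart/alternative":
        boundary = msg.get_boundary()
        msg.replace_header("Content-Type",
                           f'multipart/mixed; boundary="{boundary}"')
    return msg


def rendered_parts(msg, prefers="text/html"):
    """Simulate a mail client: for multipart/alternative only the preferred
    alternative (falling back to the last part) is shown; for multipart/mixed
    every part is shown in order. Returns the visible bodies, whitespace-trimmed."""
    parts = list(msg.iter_parts())
    if msg.get_content_type() == "multipart/alternative":
        chosen = [p for p in parts if p.get_content_type() == prefers] or parts[-1:]
        parts = chosen[-1:]
    return [p.get_content().strip() for p in parts]
```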
