strange behaviour detected with W32/Mimail@MM

Mariano Absatz mailscanner at LISTS.COM.AR
Sat Aug 2 01:21:12 IST 2003


Hi,

I received a couple of hours ago a copy of W32/Mimail@MM in an unprotected
mail account.

I opened it cautiously, since it had a very virus-like content and discovered
the ugly trick it uses.

Just for fun, I resent it to an account protected by MailScanner... to my
dismay, it passed thru... but the strangest thing is that McAfee detected it,
nonetheless, MailScanner let it thru.

On to the details:

I'm running MailScanner 4.20-3 with McAfee Virus Scan for Linux v4.24.0, with
dat file version 4282 (this is updated hourly with Tony's script, this was
the dat file version when I did the test and it does detect W32/Mimail@MM).

The machine is a RedHat Linux 7.3 with some stuff from 8.0 (notably, perl
5.8.0 - all the perl modules are configured with perl 5.8.0).

It uses ZMailer 2.99.56-pre4 for the mail delivery.

Here's some relevant info from MailScanner.conf:
====================================MailScanner.conf====================
Virus Scanning = yes
Virus Scanners = mcafee
Deliver Disinfected Files = no
Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar
Still Deliver Silent Viruses = yes
Filename Rules = /app/MailScanner/etc/filename.rules.conf
Quarantine Infections = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Include Scanner Name In Reports = yes
Mail Header = X-Alerce:
Spam Header = X-Alerce-SpamAnalisis:
Spam Score Header = X-Alerce-PuntajeSpam:
Spam Score Character = A
Clean Header Value = Se encontro limpio
Infected Header Value = Se encontro infectado
Disinfected Header Value = Fue desinfectado
Detailed Spam Report = yes
Sign Clean Messages = no
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = No ha sido revisado en busqueda de virus.
Deliver Cleaned Messages = yes
Notify Senders = no
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no
Scanned Subject Text = {Revisado}
Virus Modify Subject = yes
Virus Subject Text = {Virus identificado}
Filename Modify Subject = no
Filename Subject Text = {Nombre de archivo prohibido}
Spam Modify Subject = yes
Spam Subject Text = {Posible Spam}
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = {***Spam!!!***}
Warning Is Attachment = yes
Attachment Warning Filename = AvisoDeVirus.txt
Send Notices = no
Spam Checks = yes
Spam List =
Spam Domain List =
Use SpamAssassin = yes
Max SpamAssassin Size = 250_000
Required SpamAssassin Score = 6
High SpamAssassin Score = 40
SpamAssassin Auto Whitelist = no
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
Spam Actions = deliver
High Scoring Spam Actions = deliver
Syslog Facility = local3
Log Spam = yes
Log Permitted Filenames = yes
Always Looked Up Last = &AlerceLogging
Delivery Method = queue
====================================MailScanner.conf====================


Testing:
After seeing how the virus happily passed thru, I did a few simple tests.

Test 1:
bounced an original message containing a W32/Mimail@MM virus.

Test 2:
bounced an original message containing a W32/Hybris.gen@MM virus.

Test 3:
sent a fresh message containing a zipfile including a W32/Hybris.gen@MM
virus.

Test 4:
sent a fresh message containing a zipfile including a W32/Mimail@MM virus.

I'm enclosing a text file with results from every one of these tests.

For every test I put the relevant log lines from syslog (luckily enough, the
traffic was so low, that every test message passed thru mailscanner as a
complete batch).

Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are equivalent
to the mysql log (generated by &AlerceLogging, that is a modified version of
SQLLogging that doesn't do any SQL).

Finally, the relevant MailScanner header lines in the received message.

As you can see, every time, McAfee detected all viruses, however, both
W32/Mimail@MM passed thru, and both W32/Hybris.gen@MM were cleaned. However
the two cleaned mails worked differently.

In Test 2, I got the VirusWarning.txt attachment and its content only
referred to the invalid filename (.exe, blocked in filename.rules.conf).

In Test 3, I got a text attachment named "Replaced Infected File.txt" with
this content:
=======================Replaced Infected File.txt=========================
********               McAfee GroupShield Exchange          **********
********  Alert generated at: Viernes, Agosto 01, 2003 08:11:30 p. SA Eastern
Standard Time
**********************************************************************


The item virus.zip has been replaced because it was infected by the
W32/Hybris.gen@MM virus.
=======================Replaced Infected File.txt=========================

The attachment didn't have a closing newline.




From this, I understand that if a file matches a filename rule _and_ a virus
is detected, it only informs the user about the filename... it'd be nice if I
also got the virus report.


But I still don't know why the messages with W32/Mimail@MM virus passed thru,
whenever they _were_ actually detected by the virus scanner.

If you got this far in the message, let me know I _really_ thank your
patience... If you give me a clue about what's happening, I'll be _really_
_really_ _really_ thankful!!!!

:-)


--
Mariano Absatz
El Baby
----------------------------------------------------------
A lack of planning on your part does not constitute an emergency on my part.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner-log-excerpts
Type: application/octet-stream
Size: 7554 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030801/b2c6a089/mailscanner-log-excerpts.obj
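A small diagnostic, added here as an example and not part of the original post or of MailScanner itself: it parses the relevant "Key = Value" lines quoted above and checks whether a scanner report would fall under "Silent Viruses" (and so be delivered unmodified because "Still Deliver Silent Viruses = yes"). The case-insensitive substring match is an assumption about how MailScanner compares silent-virus names to scanner output; the report strings are constructed sample input.

```python
"""Check McAfee-style virus reports against the quoted MailScanner settings.

Added example; not MailScanner's own code. Assumes silent-virus names are
matched case-insensitively as substrings of the scanner report.
"""

# Constructed excerpt of the MailScanner.conf lines quoted in the post.
CONF_EXCERPT = """
Virus Scanners = mcafee
Deliver Disinfected Files = no
Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar
Still Deliver Silent Viruses = yes
Deliver Cleaned Messages = yes
"""


def parse_conf(text):
    """Return {key: value} for 'Key = Value' lines; keys are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def is_silent(report, conf):
    """True if any 'Silent Viruses' name appears in the scanner report."""
    rep = report.lower()
    names = conf.get("silent viruses", "").split()
    return any(name.lower() in rep for name in names)


def expected_action(report, conf):
    """Summarise what the quoted settings say should happen to the message."""
    if is_silent(report, conf):
        if conf.get("still deliver silent viruses", "").lower() == "yes":
            return "deliver-unmodified"
    # Not silent: infected attachment replaced, warning attached, then delivered
    return "replace-attachment-and-warn"


if __name__ == "__main__":
    conf = parse_conf(CONF_EXCERPT)
    for rep in ("Found the W32/Mimail@MM virus",      # constructed report
                "Found the W32/Hybris.gen@MM virus",  # constructed report
                "Found the W32/Klez.h@MM virus"):     # constructed report
        print(rep, "->", expected_action(rep, conf))
```

Neither Mimail nor Hybris matches the silent list, so that setting alone does not explain why one was delivered and the other cleaned.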
