virus from 'support@microsoft.com' not blocked?

Craig Pratt craig at STRONG-BOX.NET
Tue May 27 22:17:44 IST 2003


OK - I'm a bit confused too - since it *is* supposed to be Palyh that
sends messages from support at microsoft.com with subjects "Screensaver",
"Re: My application", & "Re: Movie" and attachments "your_details.pif",
"password.pif", & "screen_doc.pif".

A quick search of Symantec's virus support DB shows that Palyh and
Sobig.b are the same thing. Mystery solved.

On Tuesday, May 27, 2003, at 01:54  PM, Remco Barendse wrote:
> indeed, it is :
> Found the W32/Sobig.b at MM virus !!!
>
> For some reason the dat file hasn't been updating since the version of
> May 7th but even so, the mailscanner rule didn't catch the attachment.
>
> i just tried sending a testfile ending with .pif which was blocked
> correctly.
>
> Is there anything invalid in sobig mails that causes MailScanner to not
> recognize the attachment filename maybe?
>
> For some reason .pif is blocked correctly, but not when sobig is sent??

Indeed, there is/was a way to bypass the filename extension checking.
The Nessus SMTP tests demonstrate that some weird forms of MIME
attachment pass through the filename rules. Can you send the raw
message body as an attachment? I'll check it.

Craig

>
> On Tue, 27 May 2003, Craig Pratt wrote:
>
>> On Tuesday, May 27, 2003, at 01:36  PM, Remco Barendse wrote:
>>> I have just received the virus that claims to be from
>>> support at microsoft.com
>>>
>>> The weird thing is, it isn't filtered at all.
>>>
>> [chomp]
>>
>> I presume this is the Sobig virus.
>>
>> RavAV's been catching it w/o issue:
>>
>> The following e-mail messages were found to have dangerous content:
>>
>>      Sender: support at microsoft.com
>> IP Address: 68.4.203.36
>>   Recipient: [chomp]
>>     Subject: Re: Movie
>>   MessageID: h4MJ12gC000237
>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
>> Win32/Sobig.B at mm
>> Shortcuts to MS-Dos programs are very dangerous in email
>> (your_details.pif)
>>
>> So it was caught based on content and extension.
>>
>> Craig
>>
>> ---
>> Craig Pratt
>> Strongbox Network Services Inc.
>> mailto:craig at strong-box.net
>>
>>
>> --
>> This message checked for dangerous content by MailScanner on
>> StrongBox.
>>
>>
---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig at strong-box.net
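The filename-rule bypass Craig alludes to is usually a matter of which MIME header, and which encoding, the attachment name arrives in. The following is an added example, not MailScanner's code and not from this thread: it contrasts a naive `filename="..."` check with one that also reads the Content-Type `name=` parameter and decodes the standard RFC 2231 and RFC 2047 forms, run over a constructed message that names the same .pif three ways; the blocklist is an assumption.

```python
import email
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value
import re

BLOCKED = (".pif", ".scr", ".exe")  # constructed blocklist of shortcut/executable types

def naive_names(part):
    """Weak rule: only a plain, quoted filename= in Content-Disposition."""
    m = re.search(r'filename="([^"]+)"', part.get("Content-Disposition", ""))
    return {m.group(1).lower()} if m else set()

def all_names(part):
    """Hardened rule: filename= and name= from both headers, RFC 2231/2047 decoded."""
    names = set()
    for param, hdr in (("filename", "content-disposition"), ("name", "content-type")):
        raw = part.get_param(param, header=hdr)
        if raw is None:
            continue
        if isinstance(raw, tuple):   # RFC 2231 (charset, language, value) triple
            raw = collapse_rfc2231_value(raw)
        else:                        # RFC 2047 encoded-words, =?charset?q?...?=
            raw = str(make_header(decode_header(raw)))
        names.add(raw.strip().lower())
    return names

def scan(raw_message, extract=all_names):
    """Sorted attachment names that end in a blocked extension."""
    msg = email.message_from_string(raw_message)
    hits = set()
    for part in msg.walk():
        if not part.is_multipart():
            hits.update(n for n in extract(part) if n.endswith(BLOCKED))
    return sorted(hits)

# Constructed sample: three attachments, only the first named the "plain" way.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"

--b1
Content-Type: application/octet-stream; name="password.pif"

--b1
Content-Disposition: attachment; filename*=utf-8''screen%5Fdoc.pif

--b1--
"""
```

The naive rule sees only `your_details.pif`; the hardened rule reports all three, which is the kind of gap a raw message body would let you confirm.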

