virus from 'support@microsoft.com' not blocked?

Remco Barendse mailscanner at BARENDSE.TO
Wed May 28 08:24:04 IST 2003


No, it didn't. This is why I sent the mail to the list. The fact that
McAfee didn't spot it was due to my own mistake: I didn't check whether the
dat files were updated.

But.... MailScanner did not block the .pif from that particular virus. It
does block a random text file which is renamed to whatever.pif but this
virus was passed without filtering.

Maybe the virus is generating some sort of invalid mail format which
causes MailScanner not to recognize the attachment or the attachment
filename?


On Tue, 27 May 2003, Craig Pratt wrote:

> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> > Hi!
> >
> >> RavAV's been catching it w/o issue:
> >>
> >> The following e-mail messages were found to have dangerous content:
> >>
> >>      Sender: support at microsoft.com
> >> IP Address: 68.4.203.36
> >>   Recipient: [chomp]
> >>     Subject: Re: Movie
> >>   MessageID: h4MJ12gC000237
> >>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> >> Win32/Sobig.B at mm
> >> Shortcuts to MS-Dos programs are very dangerous in email
> >> (your_details.pif)
> >
> > Sorry, there are various versions of this virus floating around. RAV
> > doesn't pick them all up. Really. We have an open case by RAV for this.
> > I have seen f-prot picking up them all, McAfee and RAV did pass some
> > variants.
> >
> > Bye,
> > Raymond.
>
> Yikes - thanks for the heads-up! I'll keep an eye out for this.
>
> I hope/presume the filename rule still blocked them?
>
> Craig
>
> ---
> Craig Pratt
> Strongbox Network Services Inc.
> mailto:craig at strong-box.net
>
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>
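
Added example, not part of the original thread and not MailScanner's code: one way a filename rule can fail to see an attachment name, of the kind asked about above, is when the name is carried only in the Content-Type `name` parameter and not in Content-Disposition. This Python sketch collects names from both headers before applying a hypothetical `.pif` deny pattern; the sample message and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Hypothetical deny pattern: ".pif", allowing trailing dots/spaces that
# Windows drops when the file is saved.
DENY = re.compile(r"\.pif[\s.]*$", re.IGNORECASE)

# Constructed sample: the attachment name appears only in Content-Type.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def load(text):
    return message_from_string(text)

def _names(msg, sources):
    found = []
    for part in msg.walk():
        for param, header in sources:
            value = part.get_param(param, header=header)
            if value:  # str, or a 3-tuple for RFC 2231 encoded values
                found.append(collapse_rfc2231_value(value).strip())
    return found

def naive_names(msg):
    """Names from Content-Disposition only: misses the sample above."""
    return _names(msg, [("filename", "content-disposition")])

def all_names(msg):
    """Names from Content-Disposition and from Content-Type."""
    return _names(msg, [("filename", "content-disposition"),
                        ("name", "content-type")])

def blocked(names):
    return [n for n in names if DENY.search(n)]
```

A rule engine that also logs messages where the two headers disagree, or where a part has no name at all, gives the operator something to review when a scanner misses a variant.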
