virus from 'support@microsoft.com' not blocked?

Craig Pratt craig at STRONG-BOX.NET
Wed May 28 08:34:21 IST 2003


On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> No, it didn't. This is why I sent the mail to the list. The fact that
> mcafee didn't spot it was due to my own mistake: I didn't check whether
> the dat files were updated.
>
> But.... MailScanner did not block the .pif from that particular virus.
> It does block a random text file which is renamed to whatever.pif but
> this virus was passed without filtering.
>
> Maybe the virus is generating some sort of invalid mail format which
> causes MailScanner not to recognize the attachment or the attachment
> filename?

Like I mentioned in a previous message, it is possible to name a file
in a way where MS will not match a filename rule it would otherwise
match - presuming it hasn't been remedied.

Please send the original message - stuffed in an attachment or quoted -
so I can determine if there is a known virus using weird file name
attribution.

Craig

> On Tue, 27 May 2003, Craig Pratt wrote:
>
>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
>>> Hi!
>>>
>>>> RavAV's been catching it w/o issue:
>>>>
>>>> The following e-mail messages were found to have dangerous content:
>>>>
>>>>      Sender: support at microsoft.com
>>>> IP Address: 68.4.203.36
>>>>   Recipient: [chomp]
>>>>     Subject: Re: Movie
>>>>   MessageID: h4MJ12gC000237
>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected: Win32/Sobig.B at mm
>>>> Shortcuts to MS-Dos programs are very dangerous in email (your_details.pif)
>>>
>>> Sorry, there are various versions of this virus floating around. RAV
>>> doesn't pick them all up. Really. We have an open case by RAV for this.
>>> I have seen f-prot picking them all up, McAfee and RAV did pass some
>>> variants.
>>>
>>> Bye,
>>> Raymond.
>>
>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
>>
>> I hope/presume the filename rule still blocked them?
>>
>> Craig
>>
>> ---
>> Craig Pratt
>> Strongbox Network Services Inc.
>> mailto:craig at strong-box.net
>>
>>
>> --
>> This message checked for dangerous content by MailScanner on StrongBox.
>>
>>
---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig at strong-box.net


--
This message checked for dangerous content by MailScanner on StrongBox.


