virus from 'support@microsoft.com' not blocked?

Remco Barendse mailscanner at BARENDSE.TO
Wed May 28 11:07:54 IST 2003


I unfortunately do not have the df/qf pairs of that message, I received it
in Pine and can bounce it if that is of any help. Although Pine sometimes
has the feature to fix invalid stuff when bouncing :( so not sure if it
will work.



On Wed, 28 May 2003, Craig Pratt wrote:

> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> > No, it didn't. This is why I sent the mail to the list. The fact that
> > McAfee didn't spot it was due to my own mistake: I didn't check whether
> > the dat files were updated.
> >
> > But.... MailScanner did not block the .pif from that particular virus.
> > It does block a random text file which is renamed to whatever.pif but
> > this virus was passed without filtering.
> >
> > Maybe the virus is generating some sort of invalid mail format which
> > causes MailScanner not to recognize the attachment or the attachment
> > filename?
>
> Like I mentioned in a previous message, it is possible to name a file
> in a way where MS will not match a filename rule it would otherwise
> match - presuming it hasn't been remedied.
>
> Please send the original message - stuffed in an attachment or quoted -
> so I can determine if there is a known virus using weird file name
> attribution.
>
> Craig
>
> > On Tue, 27 May 2003, Craig Pratt wrote:
> >
> >> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> >>> Hi!
> >>>
> >>>> RavAV's been catching it w/o issue:
> >>>>
> >>>> The following e-mail messages were found to have dangerous content:
> >>>>
> >>>>      Sender: support at microsoft.com
> >>>> IP Address: 68.4.203.36
> >>>>   Recipient: [chomp]
> >>>>     Subject: Re: Movie
> >>>>   MessageID: h4MJ12gC000237
> >>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> >>>> Win32/Sobig.B at mm
> >>>> Shortcuts to MS-Dos programs are very dangerous in email
> >>>> (your_details.pif)
> >>>
> >>> Sorry, there are various versions of this virus floating around. RAV
> >>> doesn't pick them all up. Really. We have an open case with RAV for
> >>> this. I have seen f-prot picking them all up; McAfee and RAV did pass
> >>> some variants.
> >>>
> >>> Bye,
> >>> Raymond.
> >>
> >> Yikes - thanks for the heads-up! I'll keep an eye out for this.
> >>
> >> I hope/presume the filename rule still blocked them?
> >>
> >> Craig
> >>
> >> ---
> >> Craig Pratt
> >> Strongbox Network Services Inc.
> >> mailto:craig at strong-box.net
> >>
> >>
> >> --
> >> This message checked for dangerous content by MailScanner on
> >> StrongBox.
> >>
> >>
> ---
> Craig Pratt
> Strongbox Network Services Inc.
> mailto:craig at strong-box.net
>
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>
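Craig's point above is that a filename rule only helps if the scanner actually recovers the attachment name the way a mail client will. The following is an added example, not MailScanner's own code: a small Python checker that collects every name a MIME part advertises (Content-Disposition filename, Content-Type name, and their RFC 2231 encoded forms, all of which the standard library decodes), normalises them, and reports any that end in a denied extension. The deny-list and the two sample messages are constructed for this example; the sample reuses the sender, subject and `your_details.pif` name quoted from the RAV report in this thread.

```python
import email
import email.utils
import re

# Constructed deny-list for this example. A real deployment would take these
# from the scanner's filename rules file rather than hard-coding them.
DANGEROUS_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".lnk"}


def candidate_filenames(part):
    """Return every name a MIME part advertises for itself, de-duplicated.

    The name may live in Content-Disposition (filename=) or Content-Type
    (name=), and either may use RFC 2231 encoding. get_filename() already
    decodes the Content-Disposition form; the Content-Type form is handled
    here with collapse_rfc2231_value so both headers are always consulted.
    """
    names = []
    fn = part.get_filename()
    if fn:
        names.append(fn)
    name = part.get_param("name")
    if name:
        if isinstance(name, tuple):            # RFC 2231 (charset, lang, value)
            name = email.utils.collapse_rfc2231_value(name)
        names.append(name)
    return list(dict.fromkeys(names))


def normalize(name):
    """Strip surrounding whitespace, keep only the final path component,
    and lower-case so the extension test is case-insensitive."""
    name = name.strip()
    name = re.split(r"[\\/]", name)[-1]
    return name.lower()


def dangerous_extension(name):
    """Return the matching denied extension, or None if the name is allowed."""
    n = normalize(name)
    for ext in DANGEROUS_EXTENSIONS:
        if n.endswith(ext):
            return ext
    return None


def scan_message(raw):
    """Return [(advertised_name, denied_extension), ...] for every part whose
    name matches the deny-list; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in candidate_filenames(part):
            ext = dangerous_extension(name)
            if ext:
                findings.append((name, ext))
    return findings


# Constructed sample: name given in both headers, as a typical client sends it.
SAMPLE_PLAIN = """\
From: support@microsoft.com
To: recipient@example.test
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_details.pif"

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

# Constructed sample: RFC 2231 encoded filename, no Content-Type name, plus a
# harmless text attachment that must not be flagged.
SAMPLE_RFC2231 = """\
From: support@microsoft.com
To: recipient@example.test
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename*=us-ascii''your_details.pif

bm90IGEgcmVhbCBiaW5hcnk=
--b2
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

just text
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("rfc2231", SAMPLE_RFC2231)):
        print(label, scan_message(sample))
```

Run stand-alone it reports `your_details.pif` with `.pif` for both messages and nothing for `readme.txt`. The design point is that the rule is applied to every name the part carries, not just the first header the scanner happens to read, so a message that is valid but unusually formatted is judged the same way a desktop client would present it.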