virus from 'support@microsoft.com' not blocked?

Patel, Anjana Anjana.Patel at CRANFIELD.AC.UK
Wed May 28 13:29:11 IST 2003


Perhaps this extract from the McAfee site may explain why some got
through, although we were blocking most copies of the virus on our site
before McAfee released the DAT (mailscanner v3.22-12):


Similarly to W32/Sobig at MM, the outgoing messages constructed by the worm
may have a closing quote omitted from the attachment filename. This may
cause certain mail clients to remove a character from the remaining
filename, thus attachments may have a ".PI" extension (as opposed to
".PIF").

Anjana

> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: 28 May 2003 08:42
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: virus from 'support at microsoft.com' not blocked?
> 
> At 08:34 28/05/2003, you wrote:
> >On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> >>No, it didn't. This is why I sent the mail to the list. The fact that
> >>McAfee didn't spot it was due to my own mistake: I didn't check whether
> >>the dat files were updated.
> >>
> >>But.... MailScanner did not block the .pif from that particular virus.
> >>It does block a random text file which is renamed to whatever.pif, but
> >>this virus was passed without filtering.
> >>
> >>Maybe the virus is generating some sort of invalid mail format which
> >>causes MailScanner not to recognize the attachment or the attachment
> >>filename?
> >
> >Like I mentioned in a previous message, it is possible to name a file
> >in a way where MS will not match a filename rule it would otherwise
> >match - presuming it hasn't been remedied.
> >
> >Please send the original message - stuffed in an attachment or quoted -
> >so I can determine if there is a known virus using weird file name
> >attribution.
> 
> <aol>Me too!</aol>
> Please tell me what version of MailScanner is not detecting the filename
> correctly, and also send me the original message in a zip file, so I can
> get all the raw headers out of it and see what its MIME structure looks
> like.
> 
> This is clearly a problem only affecting some people, so it may be a bug I
> have already fixed.
> 
> 
> >Craig
> >
> >>On Tue, 27 May 2003, Craig Pratt wrote:
> >>
> >>>On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> >>>>Hi!
> >>>>
> >>>>>RavAV's been catching it w/o issue:
> >>>>>
> >>>>>The following e-mail messages were found to have dangerous content:
> >>>>>
> >>>>>      Sender: support at microsoft.com
> >>>>>IP Address: 68.4.203.36
> >>>>>   Recipient: [chomp]
> >>>>>     Subject: Re: Movie
> >>>>>   MessageID: h4MJ12gC000237
> >>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> >>>>>Win32/Sobig.B at mm
> >>>>>Shortcuts to MS-Dos programs are very dangerous in email
> >>>>>(your_details.pif)
> >>>>
> >>>>Sorry, there are various versions of this virus floating around. RAV
> >>>>doesn't pick them all up. Really. We have an open case with RAV for
> >>>>this. I have seen F-Prot picking them all up; McAfee and RAV did pass
> >>>>some variants.
> >>>>
> >>>>Bye,
> >>>>Raymond.
> >>>
> >>>Yikes - thanks for the heads-up! I'll keep an eye out for this.
> >>>
> >>>I hope/presume the filename rule still blocked them?
> >>>
> >>>Craig
> >>>
> >>>---
> >>>Craig Pratt
> >>>Strongbox Network Services Inc.
> >>>mailto:craig at strong-box.net
> >>>
> >>>
> >>>--
> >>>This message checked for dangerous content by MailScanner on StrongBox.
> >>>
> >---
> >Craig Pratt
> >Strongbox Network Services Inc.
> >mailto:craig at strong-box.net
> >
> >
> >--
> >This message checked for dangerous content by MailScanner on StrongBox.
> 
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
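
The McAfee extract quoted at the top of this message describes the mechanism: the
attachment filename parameter is emitted without its closing quote, so a parser that
assumes every quoted value is closed strips one character from each end and ends up
with "your_details.pi" instead of "your_details.pif", which a rule anchored on ".pif"
then misses. The following is an added example for this archive page, not code from
the thread, from MailScanner or from McAfee. It builds a constructed message with the
malformed header, shows a naive extractor truncating the name, a tolerant parser that
accepts an unterminated quoted-string and recovers the full name, and a hypothetical
filename rule in the spirit of MailScanner's filename.rules.conf applied to both. The
sample message, the header values, the DANGEROUS_EXT pattern and all function names
are assumptions made for this example.

```python
"""Added example: an unterminated quoted filename parameter versus a filename rule.
The sample message, header values and rule below are constructed for this example."""
import email
import re

# Constructed header values: the second one has the closing quote omitted, as the
# McAfee note describes for the worm's outgoing messages.
WELL_FORMED = 'attachment; filename="your_details.pif"'
UNTERMINATED = 'attachment; filename="your_details.pif'

# Hypothetical rule modelled on a MailScanner filename rule: block common
# Windows executable extensions by suffix.
DANGEROUS_EXT = re.compile(r'\.(pif|scr|exe|com|bat|lnk)$', re.IGNORECASE)


def naive_filename(disposition):
    """Mimic a client that assumes a quoted value is always closed and slices one
    character off each end. With the closing quote missing this drops the last
    character of the real name ("your_details.pif" becomes "your_details.pi")."""
    m = re.search(r'filename=(\S+)', disposition, re.IGNORECASE)
    if not m:
        return None
    value = m.group(1)
    return value[1:-1] if value.startswith('"') else value


def parse_params(header_value):
    """Parse 'main; name=value; name="quoted"' into (main, {name: value}).
    A quoted-string with no closing quote runs to the end of the header value,
    so nothing is chopped off the real filename."""
    s = header_value
    n = len(s)
    semi = s.find(';')
    if semi < 0:
        return s.strip().lower(), {}
    main = s[:semi].strip().lower()
    params = {}
    i = semi + 1
    while i < n:
        eq = s.find('=', i)
        if eq < 0:
            break
        name = s[i:eq].strip().lower()
        i = eq + 1
        while i < n and s[i] in ' \t':
            i += 1
        if i < n and s[i] == '"':
            i += 1
            buf = []
            while i < n and s[i] != '"':
                if s[i] == '\\' and i + 1 < n:   # quoted-pair: keep the escaped char
                    i += 1
                buf.append(s[i])
                i += 1
            value = ''.join(buf)
            i += 1                               # past the closing quote, if present
        else:
            end = s.find(';', i)
            if end < 0:
                end = n
            value = s[i:end].strip()
            i = end
        params[name] = value
        semi = s.find(';', i)
        if semi < 0:
            break
        i = semi + 1
    return main, params


def tolerant_filename(disposition):
    """Filename as recovered by the tolerant parameter parser."""
    return parse_params(disposition)[1].get('filename')


def is_dangerous(name):
    """True when the filename rule would block this name."""
    return bool(name) and DANGEROUS_EXT.search(name) is not None


# Constructed message; the base64 body is placeholder bytes, not a real executable.
SAMPLE_MESSAGE = """\
From: support@microsoft.com
To: victim@example.invalid
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="your_details.pif
Content-Disposition: attachment; filename="your_details.pif
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def scan_message(raw):
    """Walk a raw message and report, per part with a Content-Disposition, the
    filename a naive client sees and the one the tolerant parser recovers, each
    with the rule verdict. The stdlib parser is used only to split MIME parts;
    the raw header string is examined by both extractors."""
    msg = email.message_from_string(raw)
    report = []
    for part in msg.walk():
        cd = part.get('Content-Disposition')
        if not cd:
            continue
        naive = naive_filename(cd)
        tolerant = tolerant_filename(cd)
        report.append({
            'naive': naive, 'naive_blocked': is_dangerous(naive),
            'tolerant': tolerant, 'tolerant_blocked': is_dangerous(tolerant),
        })
    return report


if __name__ == '__main__':
    for row in scan_message(SAMPLE_MESSAGE):
        print(row)
```

Running the script prints one row for the single attachment: the naive extractor
reports "your_details.pi" and the rule lets it through, while the tolerant parser
reports "your_details.pif" and the rule blocks it. The practical point for a filter
is to extract the name with a parser that tolerates the missing quote rather than to
add a ".pi" pattern to the rule set, since other malformed variants would truncate
differently.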



