virus from 'support@microsoft.com' not blocked?

Craig Pratt craig at STRONG-BOX.NET
Wed May 28 17:48:38 IST 2003


On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
> Perhaps this extract from the McAfee site may explain why some got
> through, although we were blocking most copies of the virus on our site
> before McAfee released the DAT (mailscanner v3.22-12):
>
> Similarly to W32/Sobig at MM, the outgoing messages constructed by the
> worm may have a closing quote omitted from the attachment filename. This
> may cause certain mail clients to remove a character from the remaining
> filename, thus attachments may have a ".PI" extension (as opposed to
> ".PIF").
>
> Anjana

That's interesting. I constructed a raw message with the trailing quote
missing from the filename and it was not caught by the filename rules.
And I do notice that two mail clients truncate the last character of
the filename when unquoted.

Another quick test shows that it's possible to write a message with a
filename extension listed in the filename rules. Perhaps that is what
is going on in the message being seen by Mirco, Remco, et al?

Note that I'm using MS 4.12-2.

Craig

>> -----Original Message-----
>> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>> Sent: 28 May 2003 08:42
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: virus from 'support at microsoft.com' not blocked?
>>
>> At 08:34 28/05/2003, you wrote:
>>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
>>>> No, it didn't. This is why I sent the mail to the list. The fact that
>>>> mcafee didn't spot it was due to my own mistake: I didn't check whether
>>>> the dat files were updated.
>>>>
>>>> But.... MailScanner did not block the .pif from that particular virus.
>>>> It does block a random text file which is renamed to whatever.pif, but
>>>> this virus was passed without filtering.
>>>>
>>>> Maybe the virus is generating some sort of invalid mail format which
>>>> causes MailScanner not to recognize the attachment or the attachment
>>>> filename?
>>>
>>> Like I mentioned in a previous message, it is possible to name a file
>>> in a way where MS will not match a filename rule it would otherwise
>>> match - presuming it hasn't been remedied.
>>>
>>> Please send the original message - stuffed in an attachment or quoted -
>>> so I can determine if there is a known virus using weird file name
>>> attribution.
>>
>> <aol>Me too!</aol>
>> Please tell me what version of MailScanner is not detecting the filename
>> correctly, and also send me the original message in a zip file, so I can
>> get all the raw headers out of it and see what its MIME structure looks
>> like.
>>
>> This is clearly a problem only affecting some people, so it may be a bug I
>> have already fixed.
>>
>>
>>> Craig
>>>
>>>> On Tue, 27 May 2003, Craig Pratt wrote:
>>>>
>>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
>>>>>> Hi!
>>>>>>
>>>>>>> RavAV's been catching it w/o issue:
>>>>>>>
>>>>>>> The following e-mail messages were found to have dangerous content:
>>>>>>>
>>>>>>>      Sender: support at microsoft.com
>>>>>>> IP Address: 68.4.203.36
>>>>>>>   Recipient: [chomp]
>>>>>>>     Subject: Re: Movie
>>>>>>>   MessageID: h4MJ12gC000237
>>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
>>>>>>> Win32/Sobig.B at mm
>>>>>>> Shortcuts to MS-Dos programs are very dangerous in email
>>>>>>> (your_details.pif)
>>>>>>
>>>>>> Sorry, there are various versions of this virus floating around. RAV
>>>>>> doesn't pick them all up. Really. We have an open case by RAV for this.
>>>>>> I have seen f-prot picking them all up, McAfee and RAV did pass some
>>>>>> variants.
>>>>>>
>>>>>> Bye,
>>>>>> Raymond.
>>>>>
>>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
>>>>>
>>>>> I hope/presume the filename rule still blocked them?
>>>>>
>>>>> Craig
>>>>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> MailScanner thanks transtec Computers for their support
>>
---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig at strong-box.net


--
This message checked for dangerous content by MailScanner on StrongBox.
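The failure mode discussed in this thread (a Content-Disposition filename whose closing quote is omitted, so that a lenient client reports "your_details.pi" instead of "your_details.pif" and a plain extension rule misses it) can be reproduced with a few lines of Python. This is an added example written for this page; it is not code from the original message, from McAfee, or from MailScanner. The sample headers are constructed, the deny list BLOCKED_EXTENSIONS is a stand-in for a gateway's filename rules, and the prefix check in looks_like_truncated_blocked is my own suggestion, not a MailScanner rule.

```python
"""
Added example (not from the original thread or from MailScanner): extract an
attachment filename from a Content-Disposition header the way a lenient mail
client might, and the way a gateway filter should, when the closing quote is
missing as described above for W32/Sobig.B.
"""
import os
import re

# Constructed sample headers modelled on the behaviour described in the thread.
WELL_FORMED = 'attachment; filename="your_details.pif"'
UNTERMINATED = 'attachment; filename="your_details.pif'      # closing quote omitted
UNQUOTED = 'attachment; filename=your_details.pif; size=1234'

# Hypothetical deny list standing in for a gateway's filename rules.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com", ".vbs"}

_PARAM_RE = re.compile(r'filename\s*=\s*(.*)', re.IGNORECASE)


def naive_filename(disposition):
    """Mimic a lenient client: assume the value is quoted and blindly drop the
    first and last character. With the closing quote missing this eats the
    last character of the name ("your_details.pif" -> "your_details.pi")."""
    m = _PARAM_RE.search(disposition)
    if not m:
        return None
    raw = m.group(1).strip()
    return raw[1:-1]


def robust_filename(disposition):
    """Gateway-side extraction that tolerates a missing closing quote.
    If the value opens with a quote, strip the opening quote and, only if one
    is present, the closing one; an unquoted value runs to the next ';'."""
    m = _PARAM_RE.search(disposition)
    if not m:
        return None
    raw = m.group(1).strip()
    if raw.startswith('"'):
        body = raw[1:]
        end = body.find('"')
        return body if end == -1 else body[:end]  # unterminated: keep all of it
    return raw.split(";", 1)[0].strip()


def extension_of(filename):
    return os.path.splitext(filename)[1].lower()


def is_blocked(filename):
    """Plain extension rule, the kind the thread expects to stop '.pif'."""
    return extension_of(filename) in BLOCKED_EXTENSIONS


def looks_like_truncated_blocked(filename):
    """Extra check (my assumption, not a MailScanner rule): flag an extension
    that is a proper prefix of a blocked one, e.g. '.pi' for '.pif', which is
    exactly what a client that dropped the last character would show."""
    ext = extension_of(filename)
    return len(ext) >= 2 and any(
        b != ext and b.startswith(ext) for b in BLOCKED_EXTENSIONS
    )


def verdict(disposition):
    """Return (name as a lenient client sees it, name as the gateway should
    see it, whether the attachment should be blocked)."""
    naive = naive_filename(disposition)
    robust = robust_filename(disposition)
    blocked = is_blocked(robust) or looks_like_truncated_blocked(naive or "")
    return naive, robust, blocked


if __name__ == "__main__":
    for hdr in (WELL_FORMED, UNTERMINATED, UNQUOTED):
        print(repr(hdr), "->", verdict(hdr))
```

Run stand-alone it prints the three parses; the unterminated header is the interesting one, where the lenient parse yields "your_details.pi" (which no ".pif" rule matches) while the tolerant parse still recovers "your_details.pif". Matching rules against the filename the gateway extracts is only half of the defence: because different clients recover different names from the same malformed header, a rule set that also treats a truncated extension as suspicious closes the gap the thread describes.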


