virus from 'support@microsoft.com' not blocked?

Remco Barendse mailscanner at BARENDSE.TO
Wed May 28 18:58:37 IST 2003


Possibly, I'm running MailScanner-4.20-3 which isn't that old, not like
the 4.13 series Julian mentioned in his earlier mail.

I'd be more than happy to bounce the e-mail to Julian, if needed. I don't
have the df/qf pairs anymore, don't know if bouncing the mail is any
good?


On Wed, 28 May 2003, Craig Pratt wrote:

> On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
> > Perhaps this extract from the McAfee site may explain why some got
> > through, although we were blocking most copies of the virus on our site
> > before McAfee released the DAT (mailscanner v3.22-12):
> >
> > Similarly to W32/Sobig at MM, the outgoing messages constructed by the
> > worm may have a closing quote omitted from the attachment filename. This
> > may cause certain mail clients to remove a character from the remaining
> > filename, thus attachments may have a ".PI" extension (as opposed to
> > ".PIF").
> >
> > Anjana
>
> That's interesting. I constructed a raw message with the trailing quote
> missing from the filename and it was not caught by the filename rules.
> And I do notice that two mail clients truncate the last character of
> the filename when nonquoted.
>
> Another quick test shows that it's possible to write a message with a
> filename extension listed in the filename rules. Perhaps that is what
> is going on in the message being seen by Mirco, Remco, et al?
>
> Note that I'm using MS 4.12-2.
>
> Craig
>
> >> -----Original Message-----
> >> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> >> Sent: 28 May 2003 08:42
> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> Subject: Re: virus from 'support at microsoft.com' not blocked?
> >>
> >> At 08:34 28/05/2003, you wrote:
> >>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> >>>> No, it didn't. This is why I sent the mail to the list. The fact
> >>>> that McAfee didn't spot it was due to my own mistake: I didn't check
> >>>> whether the dat files were updated.
> >>>>
> >>>> But.... MailScanner did not block the .pif from that particular
> >>>> virus. It does block a random text file which is renamed to
> >>>> whatever.pif but this virus was passed without filtering.
> >>>>
> >>>> Maybe the virus is generating some sort of invalid mail format which
> >>>> causes MailScanner not to recognize the attachment or the attachment
> >>>> filename?
> >>>
> >>> Like I mentioned in a previous message, it is possible to name a file
> >>> in a way where MS will not match a filename rule it would otherwise
> >>> match - presuming it hasn't been remedied.
> >>>
> >>> Please send the original message - stuffed in an attachment or quoted -
> >>> so I can determine if there is a known virus using weird file name
> >>> attribution.
> >>
> >> <aol>Me too!</aol>
> >> Please tell me what version of MailScanner is not detecting the filename
> >> correctly, and also send me the original message in a zip file, so I can
> >> get all the raw headers out of it and see what its MIME structure looks
> >> like.
> >>
> >> This is clearly a problem only affecting some people, so it may be a bug
> >> I have already fixed.
> >>
> >>
> >>> Craig
> >>>
> >>>> On Tue, 27 May 2003, Craig Pratt wrote:
> >>>>
> >>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> >>>>>> Hi!
> >>>>>>
> >>>>>>> RavAV's been catching it w/o issue:
> >>>>>>>
> >>>>>>> The following e-mail messages were found to have dangerous content:
> >>>>>>>
> >>>>>>>      Sender: support at microsoft.com
> >>>>>>> IP Address: 68.4.203.36
> >>>>>>>   Recipient: [chomp]
> >>>>>>>     Subject: Re: Movie
> >>>>>>>   MessageID: h4MJ12gC000237
> >>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> >>>>>>> Win32/Sobig.B at mm
> >>>>>>> Shortcuts to MS-Dos programs are very dangerous in email
> >>>>>>> (your_details.pif)
> >>>>>>
> >>>>>> Sorry, there are various versions of this virus floating around. RAV
> >>>>>> don't pick them all up. Really. We have an open case by RAV for this.
> >>>>>> I have seen f-prot picking them all up, McAfee and RAV did pass some
> >>>>>> variants.
> >>>>>>
> >>>>>> Bye,
> >>>>>> Raymond.
> >>>>>
> >>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
> >>>>>
> >>>>> I hope/presume the filename rule still blocked them?
> >>>>>
> >>>>> Craig
> >>>>>
> >>>>> ---
> >>>>> Craig Pratt
> >>>>> Strongbox Network Services Inc.
> >>>>> mailto:craig at strong-box.net
> >>>>>
> >>>>>
> >>>>> --
> >>>>> This message checked for dangerous content by MailScanner on
> >>>>> StrongBox.
> >>>>>
> >>> ---
> >>> Craig Pratt
> >>> Strongbox Network Services Inc.
> >>> mailto:craig at strong-box.net
> >>>
> >>>
> >>> --
> >>> This message checked for dangerous content by MailScanner on
> > StrongBox.
> >>
> >> --
> >> Julian Field
> >> www.MailScanner.info
> >> MailScanner thanks transtec Computers for their support
> >>
> ---
> Craig Pratt
> Strongbox Network Services Inc.
> mailto:craig at strong-box.net
>
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>
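The thread above turns on one MIME detail: a Content-Disposition header whose filename parameter has no closing quote. A strict parser finds no filename at all, so a filename rule has nothing to match, while some clients drop the last character and present ".PI" instead of ".PIF". The following Python is an added illustration written for this archive page, not MailScanner's own code; the extension list, the header samples and the function names are constructed for the example. It puts a strict parse beside a tolerant one that returns every filename a client might plausibly derive and fails closed on the malformed case.

```python
import os
import re

# Assumed minimal filename rule list for the example; MailScanner's real
# filename.rules.conf is far richer and is not reproduced here.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}

# Constructed sample Content-Disposition values (not taken from the list post).
SAMPLES = {
    "well_formed":     'attachment; filename="your_details.pif"',
    "no_close_quote":  'attachment; filename="your_details.pif',  # quote omitted
    "unquoted":        'attachment; filename=your_details.pif',
    "benign":          'attachment; filename="notes.txt"',
}


def naive_filename(content_disposition: str):
    """Strict parse: accepts only a fully quoted string.

    Returns None when the closing quote is missing. A scanner that checks
    rules only against what this returns has nothing to match, which is how
    the unterminated-quote variant slips past a filename rule.
    """
    m = re.search(r'filename="([^"]*)"', content_disposition, re.IGNORECASE)
    return m.group(1) if m else None


def filename_candidates(content_disposition: str):
    """Tolerant parse. Returns (candidates, malformed).

    candidates holds every filename a receiving client might derive from the
    header: the literal text and, when the closing quote is missing, the text
    with its last character dropped (the ".PI" behaviour described for some
    clients). malformed is True when the quoted-string is unterminated.
    """
    m = re.search(r'filename\s*=\s*(.*)\Z', content_disposition,
                  re.IGNORECASE | re.DOTALL)
    if not m:
        return [], False
    raw = m.group(1).strip()
    if not raw.startswith('"'):
        # token form: ends at the next ';' or whitespace
        return [re.split(r'[;\s]', raw, maxsplit=1)[0]], False
    body = raw[1:]
    end = body.find('"')
    if end != -1:
        return [body[:end]], False
    # Unterminated quoted-string: keep the literal value and the truncated one.
    value = body.split(';', 1)[0].strip()
    candidates = [value]
    if len(value) > 1:
        candidates.append(value[:-1])
    return candidates, True


def decide(content_disposition: str):
    """Apply the extension rule to every candidate; fail closed on malformed input."""
    candidates, malformed = filename_candidates(content_disposition)
    for name in candidates:
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return ("block", f"filename rule matched {name!r}")
    if malformed:
        return ("block", "unterminated quoted filename (fail closed)")
    return ("allow", "")


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:15} strict={naive_filename(header)!r:22} "
              f"tolerant={decide(header)}")
```

The point of returning both the literal and the truncated candidate is that the scanner does not have to guess which interpretation the recipient's client will use; the rule is checked against all of them, and a header that is malformed in the first place is reported rather than silently passed.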


