virus from 'support@microsoft.com' not blocked?

Remco Barendse mailscanner at BARENDSE.TO
Wed May 28 20:09:24 IST 2003


I just checked: when I want to save the virus .pif from the message,
pine indeed only recognizes it as a .pi and not .pif.

In the message body the attachment's name is displayed correctly, however.

It must be the thing described below.

On Wed, 28 May 2003, Craig Pratt wrote:

> On Wednesday, May 28, 2003, at 10:58  AM, Remco Barendse wrote:
> > Possibly, I'm running MailScanner-4.20-3 which isn't that old, not like
> > the 4.13 series Julian mentioned in his earlier mail.
> >
> > I'd be more than happy to bounce the e-mail to Julian, if needed. I
> > don't have the df/qf pairs anymore, don't know if bouncing the mail is
> > any good?
>
> It might be - but if your client didn't fix it in your mailbox, it
> might very well fix it on send. So you'd need to poke around in the raw
> mailbox file itself.
>
> Can I try sending you 2 test messages I put together? One contains the
> EICAR test file and the other a plaintext file - both attached in
> strange ways that (may) mimic how the virus is doing its attachment.
> Then we can see what your MS does with it.
>
> Craig
>
> > On Wed, 28 May 2003, Craig Pratt wrote:
> >
> >> On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
> >>> Perhaps this extract from the McAfee site may explain why some got
> >>> through, although we were blocking most copies of the virus on our
> >>> site before McAfee released the DAT (mailscanner v3.22-12):
> >>>
> >>> Similarly to W32/Sobig@MM, the outgoing messages constructed by the
> >>> worm may have a closing quote omitted from the attachment filename.
> >>> This may cause certain mail clients to remove a character from the
> >>> remaining filename, thus attachments may have a ".PI" extension (as
> >>> opposed to ".PIF").
> >>>
> >>> Anjana
> >>
> >> That's interesting. I constructed a raw message with the trailing
> >> quote missing from the filename and it was not caught by the filename
> >> rules. And I do notice that two mail clients truncate the last
> >> character of the filename when nonquoted.
> >>
> >> Another quick test shows that it's possible to write a message with a
> >> filename extension listed in the filename rules. Perhaps that is what
> >> is going on in the message being seen by Mirco, Remco, et al?
> >>
> >> Note that I'm using MS 4.12-2.
> >>
> >> Craig
> >>
> >>>> -----Original Message-----
> >>>> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> >>>> Sent: 28 May 2003 08:42
> >>>> To: MAILSCANNER at JISCMAIL.AC.UK
> >>>> Subject: Re: virus from 'support@microsoft.com' not blocked?
> >>>>
> >>>> At 08:34 28/05/2003, you wrote:
> >>>>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> >>>>>> No, it didn't. This is why I sent the mail to the list. The fact
> >>>>>> that McAfee didn't spot it was due to my own mistake: I didn't
> >>>>>> check whether the dat files were updated.
> >>>>>>
> >>>>>> But.... MailScanner did not block the .pif from that particular
> >>>>>> virus. It does block a random text file which is renamed to
> >>>>>> whatever.pif but this virus was passed without filtering.
> >>>>>>
> >>>>>> Maybe the virus is generating some sort of invalid mail format
> >>>>>> which causes MailScanner not to recognize the attachment or the
> >>>>>> attachment filename?
> >>>>>
> >>>>> Like I mentioned in a previous message, it is possible to name a
> >>>>> file in a way where MS will not match a filename rule it would
> >>>>> otherwise match - presuming it hasn't been remedied.
> >>>>>
> >>>>> Please send the original message - stuffed in an attachment or
> >>>>> quoted - so I can determine if there is a known virus using weird
> >>>>> file name attribution.
> >>>>
> >>>> <aol>Me too!</aol>
> >>>> Please tell me what version of MailScanner is not detecting the
> >>>> filename correctly, and also send me the original message in a zip
> >>>> file, so I can get all the raw headers out of it and see what its
> >>>> MIME structure looks like.
> >>>>
> >>>> This is clearly a problem only affecting some people, so it may be a
> >>>> bug I have already fixed.
> >>>>
> >>>>
> >>>>> Craig
> >>>>>
> >>>>>> On Tue, 27 May 2003, Craig Pratt wrote:
> >>>>>>
> >>>>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> >>>>>>>> Hi!
> >>>>>>>>
> >>>>>>>>> RavAV's been catching it w/o issue:
> >>>>>>>>>
> >>>>>>>>> The following e-mail messages were found to have dangerous
> >>>>>>>>> content:
> >>>>>>>>>
> >>>>>>>>>      Sender: support@microsoft.com
> >>>>>>>>> IP Address: 68.4.203.36
> >>>>>>>>>   Recipient: [chomp]
> >>>>>>>>>     Subject: Re: Movie
> >>>>>>>>>   MessageID: h4MJ12gC000237
> >>>>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> >>>>>>>>> Win32/Sobig.B@mm
> >>>>>>>>> Shortcuts to MS-Dos programs are very dangerous in email
> >>>>>>>>> (your_details.pif)
> >>>>>>>>
> >>>>>>>> Sorry, there are various versions of this virus floating around.
> >>>>>>>> RAV doesn't pick them all up. Really. We have an open case by
> >>>>>>>> RAV for this. I have seen f-prot picking them all up; McAfee and
> >>>>>>>> RAV did pass some variants.
> >>>>>>>>
> >>>>>>>> Bye,
> >>>>>>>> Raymond.
> >>>>>>>
> >>>>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
> >>>>>>>
> >>>>>>> I hope/presume the filename rule still blocked them?
> >>>>>>>
> >>>>>>> Craig
> >>>>>>>
> >>>>>>> ---
> >>>>>>> Craig Pratt
> >>>>>>> Strongbox Network Services Inc.
> >>>>>>> mailto:craig at strong-box.net
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> This message checked for dangerous content by MailScanner on
> >>>>>>> StrongBox.
> >>>>>>>
> >>>>> ---
> >>>>> Craig Pratt
> >>>>> Strongbox Network Services Inc.
> >>>>> mailto:craig at strong-box.net
> >>>>>
> >>>>>
> >>>>> --
> >>>>> This message checked for dangerous content by MailScanner on
> >>> StrongBox.
> >>>>
> >>>> --
> >>>> Julian Field
> >>>> www.MailScanner.info
> >>>> MailScanner thanks transtec Computers for their support
> >>>>
> >> ---
> >> Craig Pratt
> >> Strongbox Network Services Inc.
> >> mailto:craig at strong-box.net
> >>
> >>
> >> --
> >> This message checked for dangerous content by MailScanner on
> >> StrongBox.
> >>
> >>
> ---
> Craig Pratt
> Strongbox Network Services Inc.
> mailto:craig at strong-box.net
>
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>
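The missing-quote case discussed in this thread, as an added example that is not part of the original thread, of MailScanner's code, or of any poster's code. The sample message below is constructed for illustration (its attachment is plain text, not the worm), and the deny rules are an illustrative stand-in for a filename-rules table, not MailScanner's real rule file or its parser. It reads the filename parameter from a header of the form 'Content-Disposition: attachment; filename="your_details.pif' (closing quote omitted, as in the McAfee extract) in two ways: a lax one that mimics the clients Craig describes, which assumes the last character is the closing quote and so yields your_details.pi, against which a '\.pif$' rule never fires; and a tolerant one that only strips a trailing quote when one is actually present, so the full name survives and the rule matches.

```python
import email
import re
from typing import Callable, Optional

# Constructed sample (not a captured worm): the attachment filename parameter
# lacks its closing quote, the malformation the thread attributes to Sobig.B.
BROKEN_MESSAGE = b"""\
From: support@microsoft.com
To: someone@example.net
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sobigtest"

--sobigtest
Content-Type: text/plain

Please see the attached file.
--sobigtest
Content-Type: application/octet-stream; name="your_details.pif
Content-Disposition: attachment; filename="your_details.pif
Content-Transfer-Encoding: 7bit

placeholder bytes, not a program
--sobigtest--
"""

# Illustrative deny rules (pattern, report text); only the .pif report text is
# taken from the RAV report quoted in the thread, the rest is assumed.
DENY_RULES = [
    (re.compile(r"\.pif$", re.I),
     "Shortcuts to MS-Dos programs are very dangerous in email"),
    (re.compile(r"\.(exe|scr|com|bat)$", re.I),
     "Executable DOS/Windows programs are dangerous in email"),
]


def split_params(header: str) -> list[tuple[str, str]]:
    """Split 'attachment; filename="x"; k=v' into (name, raw_value) pairs.
    The raw value keeps its quotes so the caller decides how to unquote.
    (Simplified: does not handle ';' inside a quoted value.)"""
    pairs = []
    for chunk in header.split(";")[1:]:
        if "=" in chunk:
            name, value = chunk.split("=", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def naive_unquote(value: str) -> str:
    """Lax behaviour seen in some clients: after an opening quote, assume the
    last character is the closing quote and drop it. With the quote missing,
    this eats the last letter of the extension ('.pif' -> '.pi')."""
    if value.startswith('"'):
        return value[1:-1]
    return value


def tolerant_unquote(value: str) -> str:
    """Strip a leading quote, and a trailing quote only if one is present,
    so an unterminated quoted-string still yields the full filename."""
    if value.startswith('"'):
        value = value[1:]
    if value.endswith('"'):
        value = value[:-1]
    return value


def attachment_name(part, unquote: Callable[[str], str]) -> Optional[str]:
    """Filename from Content-Disposition, falling back to Content-Type name."""
    for header, key in (("Content-Disposition", "filename"),
                        ("Content-Type", "name")):
        raw = part.get(header)
        if raw is None:
            continue
        for name, value in split_params(raw):
            if name == key:
                return unquote(value)
    return None


def check_filename(filename: str) -> Optional[str]:
    """Return the deny-rule report text for a filename, or None if allowed."""
    for pattern, report in DENY_RULES:
        if pattern.search(filename):
            return report
    return None


def scan(raw: bytes, unquote: Callable[[str], str]) -> list[tuple[str, Optional[str]]]:
    """Walk the message with the given unquoting strategy and return
    (filename, verdict) for every non-multipart part that names a file."""
    msg = email.message_from_bytes(raw)  # compat32 policy: header values stay raw
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = attachment_name(part, unquote)
        if name is not None:
            results.append((name, check_filename(name)))
    return results


if __name__ == "__main__":
    for label, strategy in (("naive", naive_unquote), ("tolerant", tolerant_unquote)):
        print(label, scan(BROKEN_MESSAGE, strategy))
```

The point of the comparison is that a filename rule is only as good as the parameter parser in front of it: the same header produces a blocked attachment or a clean pass depending solely on how an unterminated quoted-string is handled, which is why sending Julian the raw message rather than a client's rendering of it matters.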