News---Re: virus from 'support@microsoft.com' not blocked?

Julian Field mailscanner at ecs.soton.ac.uk
Wed May 28 22:31:18 IST 2003


I have been wading through the MIME-tools modules and its security patches
to see why some people are catching it correctly and some aren't.

If you are letting the filename through, you do not have the MIME-tools
security patches applied correctly. The first patch introduces a variable
"$BADTOKEN" into MIME/Field/ParamVal.pm. If you do *not* have "BADTOKEN"
anywhere in ParamVal.pm, you have not applied the security patches correctly.

Please check your Perl MIME-tools installations!

Jules.


At 20:09 28/05/2003, you wrote:
>I just checked, when I want to save the virus .pif from the message,
>indeed pine does only recognize it as a .pi and not .pif
>
>In the message body the attachment's name is displayed correctly however.
>
>It must be the thing as described below.
>
>On Wed, 28 May 2003, Craig Pratt wrote:
>
> > On Wednesday, May 28, 2003, at 10:58  AM, Remco Barendse wrote:
> > > Possibly, I'm running MailScanner-4.20-3 which isn't that old, not like
> > > the 4.13 series Julian mentioned in his earlier mail.
> > >
> > > I'd be more than happy to bounce the e-mail to Julian, if needed. I don't
> > > have the df/qf pairs anymore, don't know if bouncing the mail is any good?
> >
> > It might be - but if your client didn't fix it in your mailbox, it
> > might very well fix it on send. So you'd need to poke around in the raw
> > mailbox file itself.
> >
> > Can I try sending you 2 test messages I put together? One contains the
> > EICAR test file and the other a plaintext file - both attached in
> > strange ways that (may) mimic how the virus is doing its attachment.
> > Then we can see what your MS does with it.
> >
> > Craig
> >
> > > On Wed, 28 May 2003, Craig Pratt wrote:
> > >
> > >> On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
> > >>> Perhaps this extract from the McAfee site may explain why some got
> > >>> through, although we were blocking most copies of the virus on our
> > >>> site before McAfee released the DAT (mailscanner v3.22-12):
> > >>>
> > >>> Similarly to W32/Sobig@MM, the outgoing messages constructed by the
> > >>> worm may have a closing quote omitted from the attachment filename.
> > >>> This may cause certain mail clients to remove a character from the
> > >>> remaining filename, thus attachments may have a ".PI" extension (as
> > >>> opposed to ".PIF").
> > >>>
> > >>> Anjana
> > >>
> > >> That's interesting. I constructed a raw message with the trailing
> > >> quote missing from the filename and it was not caught by the filename
> > >> rules. And I do notice that two mail clients truncate the last
> > >> character of the filename when nonquoted.
> > >>
> > >> Another quick test shows that it's possible to write a message with a
> > >> filename extension listed in the filename rules. Perhaps that is what
> > >> is going on in the message being seen by Mirco, Remco, et al?
> > >>
> > >> Note that I'm using MS 4.12-2.
> > >>
> > >> Craig
> > >>
> > >>>> -----Original Message-----
> > >>>> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > >>>> Sent: 28 May 2003 08:42
> > >>>> To: MAILSCANNER at JISCMAIL.AC.UK
> > >>>> Subject: Re: virus from 'support at microsoft.com' not blocked?
> > >>>>
> > >>>> At 08:34 28/05/2003, you wrote:
> > >>>>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> > >>>>>> No, it didn't. This is why I sent the mail to the list. The fact
> > >>>>>> that McAfee didn't spot it was due to my own mistake: I didn't
> > >>>>>> check whether the dat files were updated.
> > >>>>>>
> > >>>>>> But.... MailScanner did not block the .pif from that particular
> > >>>>>> virus. It does block a random text file which is renamed to
> > >>>>>> whatever.pif but this virus was passed without filtering.
> > >>>>>>
> > >>>>>> Maybe the virus is generating some sort of invalid mail format
> > >>>>>> which causes MailScanner not to recognize the attachment or the
> > >>>>>> attachment filename?
> > >>>>>
> > >>>>> Like I mentioned in a previous message, it is possible to name a
> > >>>>> file in a way where MS will not match a filename rule it would
> > >>>>> otherwise match - presuming it hasn't been remedied.
> > >>>>>
> > >>>>> Please send the original message - stuffed in an attachment or
> > >>>>> quoted - so I can determine if there is a known virus using weird
> > >>>>> file name attribution.
> > >>>>
> > >>>> <aol>Me too!</aol>
> > >>>> Please tell me what version of MailScanner is not detecting the
> > >>>> filename correctly, and also send me the original message in a zip
> > >>>> file, so I can get all the raw headers out of it and see what its
> > >>>> MIME structure looks like.
> > >>>>
> > >>>> This is clearly a problem only affecting some people, so it may be a
> > >>>> bug I have already fixed.
> > >>>>
> > >>>>
> > >>>>> Craig
> > >>>>>
> > >>>>>> On Tue, 27 May 2003, Craig Pratt wrote:
> > >>>>>>
> > >>>>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> > >>>>>>>> Hi!
> > >>>>>>>>
> > >>>>>>>>> RavAV's been catching it w/o issue:
> > >>>>>>>>>
> > >>>>>>>>> The following e-mail messages were found to have dangerous content:
> > >>>>>>>>>
> > >>>>>>>>>      Sender: support at microsoft.com
> > >>>>>>>>> IP Address: 68.4.203.36
> > >>>>>>>>>   Recipient: [chomp]
> > >>>>>>>>>     Subject: Re: Movie
> > >>>>>>>>>   MessageID: h4MJ12gC000237
> > >>>>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected: Win32/Sobig.B@mm
> > >>>>>>>>> Shortcuts to MS-Dos programs are very dangerous in email
> > >>>>>>>>> (your_details.pif)
> > >>>>>>>>
> > >>>>>>>> Sorry, there are various versions of this virus floating around.
> > >>>>>>>> RAV doesn't pick them all up. Really. We have an open case with
> > >>>>>>>> RAV for this. I have seen f-prot picking them all up; McAfee and
> > >>>>>>>> RAV did pass some variants.
> > >>>>>>>>
> > >>>>>>>> Bye,
> > >>>>>>>> Raymond.
> > >>>>>>>
> > >>>>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
> > >>>>>>>
> > >>>>>>> I hope/presume the filename rule still blocked them?
> > >>>>>>>
> > >>>>>>> Craig
> > >>>>>>>
> > >>>>>>> ---
> > >>>>>>> Craig Pratt
> > >>>>>>> Strongbox Network Services Inc.
> > >>>>>>> mailto:craig at strong-box.net
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> --
> > >>>>>>> This message checked for dangerous content by MailScanner on StrongBox.
> > >>>>>>>
> > >>>>> ---
> > >>>>> Craig Pratt
> > >>>>> Strongbox Network Services Inc.
> > >>>>> mailto:craig at strong-box.net
> > >>>>>
> > >>>>>
> > >>>>> --
> > >>>>> This message checked for dangerous content by MailScanner on StrongBox.
> > >>>>
> > >>>> --
> > >>>> Julian Field
> > >>>> www.MailScanner.info
> > >>>> MailScanner thanks transtec Computers for their support
> > >>>>
> > >> ---
> > >> Craig Pratt
> > >> Strongbox Network Services Inc.
> > >> mailto:craig at strong-box.net
> > >>
> > >>
> > >> --
> > >> This message checked for dangerous content by MailScanner on StrongBox.
> > >>
> > >>
> > ---
> > Craig Pratt
> > Strongbox Network Services Inc.
> > mailto:craig at strong-box.net
> >
> >
> > --
> > This message checked for dangerous content by MailScanner on StrongBox.
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
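The failure mode discussed in this thread, as an added illustration that is not part of the original message and is not MailScanner or MIME-tools code (it is Python rather than Perl, and says nothing about what the MIME-tools patches actually change): a filename parameter whose closing quote is missing is truncated by a parser that assumes quotes come in pairs, so a rule written against ".pif" sees ".pi" and does not fire. The header values and the deny rule below are constructed for the example; the rule format is hypothetical, not MailScanner's filename.rules.conf syntax.

```python
"""Added example (not MailScanner or MIME-tools code): how a filename
parameter whose closing quote is missing can be truncated by a parser that
assumes balanced quotes, so that a rule written against ".pif" no longer
fires, and how a parser that strips quotes only when they are present and
fails closed on a malformed parameter keeps the rule effective."""
import re

# Constructed sample Content-Disposition header values; they are not taken
# from the thread or from any real worm sample.
SAMPLES = {
    "well_formed": 'attachment; filename="your_details.pif"',
    "missing_close_quote": 'attachment; filename="your_details.pif',
    "unquoted": 'attachment; filename=your_details.pif',
}

# Hypothetical deny rule modelled on the idea of a filename rule:
# (pattern, reason). This is not MailScanner's rule syntax.
DENY_RULES = [
    (re.compile(r"\.pif$", re.IGNORECASE),
     "Shortcuts to MS-Dos programs are very dangerous in email"),
]

# Raw text of the filename parameter, up to the next ';'. Both parsers
# share this step; the difference is in how they treat the quotes.
_FILENAME_RE = re.compile(r"filename\s*=\s*([^;]*)", re.IGNORECASE)


def naive_filename(disposition):
    """Parser that assumes quotes always come in pairs: if the value starts
    with a quote it blindly removes the first and last character."""
    m = _FILENAME_RE.search(disposition)
    if not m:
        return None
    value = m.group(1).strip()
    if value.startswith('"'):
        # When the closing quote is absent this removes the last real
        # character of the name instead: your_details.pif -> your_details.pi
        value = value[1:-1]
    return value


def tolerant_filename(disposition):
    """Strip a leading quote, strip a trailing quote only if one is there,
    and report whether the parameter was malformed."""
    m = _FILENAME_RE.search(disposition)
    if not m:
        return None, False
    value = m.group(1).strip()
    malformed = False
    if value.startswith('"'):
        value = value[1:]
        if value.endswith('"'):
            value = value[:-1]
        else:
            malformed = True  # unterminated quoted-string
    return value, malformed


def _match_rules(name):
    """Return the reason of the first deny rule matching name, else None."""
    for pattern, reason in DENY_RULES:
        if name and pattern.search(name):
            return reason
    return None


def naive_verdict(disposition):
    """(verdict, filename seen, reason) using the naive parser."""
    name = naive_filename(disposition)
    reason = _match_rules(name)
    return ("blocked", name, reason) if reason else ("allowed", name, None)


def tolerant_verdict(disposition):
    """(verdict, filename seen, reason) using the tolerant parser; a
    malformed parameter is blocked even when no rule matches (fail closed)."""
    name, malformed = tolerant_filename(disposition)
    reason = _match_rules(name)
    if reason:
        return ("blocked", name, reason)
    if malformed:
        return ("blocked", name,
                "malformed filename parameter (unterminated quoted string)")
    return ("allowed", name, None)


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:>20}: naive={naive_verdict(header)[:2]} "
              f"tolerant={tolerant_verdict(header)[:2]}")
```

Running the block shows the naive parser letting the `missing_close_quote` sample through as `your_details.pi` while blocking the well-formed one, which matches the symptom reported above; the tolerant parser blocks all three samples, and would also block an unterminated value whose extension matched no rule at all, which is the right default for a gateway that cannot know how the recipient's client will parse the same header.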


