virus from 'support@microsoft.com' not blocked?

Craig Pratt craig at STRONG-BOX.NET
Thu May 29 00:12:36 IST 2003


On Wednesday, May 28, 2003, at 12:09  PM, Remco Barendse wrote:
> I just checked: when I want to save the virus .pif from the message,
> pine indeed only recognizes it as a .pi and not a .pif.
>
> In the message body the attachment's name is displayed correctly,
> however.
>
> It must be the thing as described below.

I found one of the messages buried deep in the quarantine. Here's the
excerpt:

   MIME-Version: 1.0
   Content-Type: multipart/mixed;
           boundary="CSmtpMsgPart123X456_000_03986C5B"

   This is a multipart message in MIME format

   --CSmtpMsgPart123X456_000_03986C5B
   Content-Type: text/plain;
           charset="iso-8859-1"
   Content-Transfer-Encoding: 7bit

   All information is in the attached file.
   --CSmtpMsgPart123X456_000_03986C5B
   Content-Type: application/octet-stream;
           name="your_details.pif"
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
           filename="your_details.pif

Now what's weird about this is that the Content-Type name is properly
quoted and the Content-Disposition is missing the trailing quote. I'm
wondering if this is an accident or some attempt to bypass filename
filtering?

Still haven't tried this with Outlook to see what happens...

C

> On Wed, 28 May 2003, Craig Pratt wrote:
>
>> On Wednesday, May 28, 2003, at 10:58  AM, Remco Barendse wrote:
>>> Possibly, I'm running MailScanner-4.20-3 which isn't that old, not like
>>> the 4.13 series Julian mentioned in his earlier mail.
>>>
>>> I'd be more than happy to bounce the e-mail to Julian, if needed. I don't
>>> have the df/qf pairs anymore; don't know if bouncing the mail is any good?
>>
>> It might be - but if your client didn't fix it in your mailbox, it
>> might very well fix it on send. So you'd need to poke around in the raw
>> mailbox file itself.
>>
>> Can I try sending you 2 test messages I put together? One contains the
>> EICAR test file and the other a plaintext file - both attached in
>> strange ways that (may) mimic how the virus is doing its attachment.
>> Then we can see what your MS does with it.
>>
>> Craig
>>
>>> On Wed, 28 May 2003, Craig Pratt wrote:
>>>
>>>> On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
>>>>> Perhaps this extract from the McAfee site may explain why some got
>>>>> through, although we were blocking most copies of the virus on our site
>>>>> before McAfee released the DAT (mailscanner v3.22-12):
>>>>>
>>>>> Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm
>>>>> may have a closing quote omitted from the attachment filename. This may
>>>>> cause certain mail clients to remove a character from the remaining
>>>>> filename, thus attachments may have a ".PI" extension (as opposed to
>>>>> ".PIF").
>>>>>
>>>>> Anjana
>>>>
>>>> That's interesting. I constructed a raw message with the trailing quote
>>>> missing from the filename and it was not caught by the filename rules.
>>>> And I do notice that two mail clients truncate the last character of
>>>> the filename when nonquoted.
>>>>
>>>> Another quick test shows that it's possible to write a message with a
>>>> filename extension listed in the filename rules. Perhaps that is what
>>>> is going on in the message being seen by Mirco, Remco, et al?
>>>>
>>>> Note that I'm using MS 4.12-2.
>>>>
>>>> Craig
>>>>
>>>>>> -----Original Message-----
>>>>>> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>>>>>> Sent: 28 May 2003 08:42
>>>>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>> Subject: Re: virus from 'support@microsoft.com' not blocked?
>>>>>>
>>>>>> At 08:34 28/05/2003, you wrote:
>>>>>>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
>>>>>>>> No, it didn't. This is why I sent the mail to the list. The fact that
>>>>>>>> McAfee didn't spot it was due to my own mistake: I didn't check whether
>>>>>>>> the dat files were updated.
>>>>>>>>
>>>>>>>> But.... MailScanner did not block the .pif from that particular virus. It
>>>>>>>> does block a random text file which is renamed to whatever.pif, but this
>>>>>>>> virus was passed without filtering.
>>>>>>>>
>>>>>>>> Maybe the virus is generating some sort of invalid mail format which
>>>>>>>> causes MailScanner not to recognize the attachment or the attachment
>>>>>>>> filename?
>>>>>>>
>>>>>>> Like I mentioned in a previous message, it is possible to name a file
>>>>>>> in a way where MS will not match a filename rule it would otherwise
>>>>>>> match - presuming it hasn't been remedied.
>>>>>>>
>>>>>>> Please send the original message - stuffed in an attachment or quoted -
>>>>>>> so I can determine if there is a known virus using weird file name
>>>>>>> attribution.
>>>>>>
>>>>>> <aol>Me too!</aol>
>>>>>> Please tell me what version of MailScanner is not detecting the filename
>>>>>> correctly, and also send me the original message in a zip file, so I can
>>>>>> get all the raw headers out of it and see what its MIME structure looks
>>>>>> like.
>>>>>>
>>>>>> This is clearly a problem only affecting some people, so it may be a
>>>>>> bug I have already fixed.
>>>>>>
>>>>>>
>>>>>>> Craig
>>>>>>>
>>>>>>>> On Tue, 27 May 2003, Craig Pratt wrote:
>>>>>>>>
>>>>>>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn
>>>>>>>>> wrote:
>>>>>>>>>> Hi!
>>>>>>>>>>
>>>>>>>>>>> RavAV's been catching it w/o issue:
>>>>>>>>>>>
>>>>>>>>>>> The following e-mail messages were found to have dangerous content:
>>>>>>>>>>>
>>>>>>>>>>>      Sender: support@microsoft.com
>>>>>>>>>>>  IP Address: 68.4.203.36
>>>>>>>>>>>   Recipient: [chomp]
>>>>>>>>>>>     Subject: Re: Movie
>>>>>>>>>>>   MessageID: h4MJ12gC000237
>>>>>>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected: Win32/Sobig.B@mm
>>>>>>>>>>> Shortcuts to MS-Dos programs are very dangerous in email (your_details.pif)
>>>>>>>>>>
>>>>>>>>>> Sorry, there are various versions of this virus floating around. RAV
>>>>>>>>>> don't pick them all up. Really. We have an open case with RAV for this.
>>>>>>>>>> I have seen f-prot picking them all up; McAfee and RAV did pass some
>>>>>>>>>> variants.
>>>>>>>>>>
>>>>>>>>>> Bye,
>>>>>>>>>> Raymond.
>>>>>>>>>
>>>>>>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
>>>>>>>>>
>>>>>>>>> I hope/presume the filename rule still blocked them?
>>>>>>>>>
>>>>>>>>> Craig
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>> Craig Pratt
>>>>>>>>> Strongbox Network Services Inc.
>>>>>>>>> mailto:craig at strong-box.net
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> This message checked for dangerous content by MailScanner on
>>>>>>>>> StrongBox.
>>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Julian Field
>>>>>> www.MailScanner.info
>>>>>> MailScanner thanks transtec Computers for their support
>>>>>>
---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig at strong-box.net


--
This message checked for dangerous content by MailScanner on StrongBox.
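
The header excerpt in this message carries the whole bypass: Content-Type has a properly quoted name, while Content-Disposition opens a quote on the filename and never closes it. The Python script below is an added example written for this page; it is not code from the thread, from MailScanner or from any of the posters. It parses a constructed replica of the excerpted attachment part (only that part is reproduced, and the base64 body is a harmless placeholder, not the worm) and shows three readings of the same header: a strict filter that accepts only balanced quoting finds no filename at all and so applies no rule; a model of the mail clients mentioned in the thread, which treat the opening quote as if it were closed, drops one character from each end and shows your_details.pi; and a quote-tolerant parser that also reads the Content-Type name still arrives at your_details.pif. The deny list is an assumption modelled on MailScanner's filename.rules.conf (the .pif pattern and the reason text are taken from the RAV report quoted earlier in the thread); the function names and the client model are mine.

```python
# Added example (not MailScanner code): quote-tolerant attachment-name extraction plus a
# filename deny list. RAW_MESSAGE is CONSTRUCTED from the thread's excerpt; body is a placeholder.
import email
import re

RAW_MESSAGE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="CSmtpMsgPart123X456_000_03986C5B"

--CSmtpMsgPart123X456_000_03986C5B
Content-Type: application/octet-stream;
        name="your_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="your_details.pif

aGVsbG8gd29ybGQK
--CSmtpMsgPart123X456_000_03986C5B--
"""

# Assumed deny list in the spirit of MailScanner's filename.rules.conf; the
# reason text is the one in the RAV report quoted in the thread.
DENY_RULES = [(re.compile(r"\.pif$", re.I),
               "Shortcuts to MS-Dos programs are very dangerous in email")]

def unfold(value):
    """Collapse header folding (newline followed by whitespace) into one space."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "")

def naive_filename(disposition):
    """Strict filter: balanced quoted string or bare token, else no filename (and no rule)."""
    m = re.search(r'filename=(?:"([^"]*)"|([^\s;"]+))', unfold(disposition), re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def client_view(disposition):
    """Clients in the thread assume an opening quote closes, so they drop both end characters."""
    m = re.search(r"filename=([^;]*)", unfold(disposition), re.I)
    raw = m.group(1).strip() if m else None
    return raw[1:-1] if raw and raw.startswith('"') else raw

def _split_params(s):
    """Split on ';' outside quotes; unbalanced quotes stop protecting ';' (no escape handling)."""
    balanced, parts, cur, in_q = s.count('"') % 2 == 0, [], [], False
    for ch in s:
        if ch == '"' and balanced:
            in_q = not in_q
        if ch == ";" and not in_q:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def tolerant_params(value):
    """Parse 'type; k=v' into (type, {k: v}); leading/trailing quotes stripped independently."""
    items = _split_params(unfold(value))
    main = items.pop(0).lower() if items and "=" not in items[0] else ""
    params = {}
    for item in items:
        k, sep, v = item.partition("=")
        if sep:
            v = v.strip()
            v = v[1:] if v.startswith('"') else v   # a missing closing quote is now harmless
            params[k.strip().lower()] = v[:-1] if v.endswith('"') else v
    return main, params

def candidate_filenames(part):
    """Content-Disposition filename and Content-Type name; reading only one is bypassable."""
    names = []
    for header, key in (("Content-Disposition", "filename"), ("Content-Type", "name")):
        name = tolerant_params(part.get(header, ""))[1].get(key)
        if name and name not in names:
            names.append(name)
    return names

def match_rules(names):
    """(filename, reason) for the first deny rule any candidate hits, else None."""
    for name in names:
        for pattern, reason in DENY_RULES:
            if pattern.search(name):
                return name, reason
    return None

def scan(raw):
    """Per non-multipart part: what a strict filter, a lenient client and the tolerant parser see."""
    report = []
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        disp = part.get("Content-Disposition", "")
        names = candidate_filenames(part)
        report.append({"naive_filename": naive_filename(disp),
                       "client_shows": client_view(disp),
                       "candidates": names, "denied": match_rules(names)})
    return report
```

scan(RAW_MESSAGE) returns one entry for the attachment part: naive_filename is None, client_shows is your_details.pi, candidates is ['your_details.pif'] and denied names the .pif rule. The point to take away is the strict filter's failure mode: a value it cannot parse is treated as "no attachment name", so no rule fires and the message passes, which is fail-open. A filename filter should read the malformed value at least as leniently as the clients that will render it, check every header that can carry a name, and treat a header it cannot make sense of as a reason to quarantine rather than as an absence of evidence.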


