News---Re: virus from 'support@microsoft.com' not blocked?

Remco Barendse mailscanner at BARENDSE.TO
Thu May 29 00:39:39 IST 2003


/stupid mode on
is there a patched version of per(i)l mime tools packaged in the rpm
installation?

the system is redhat up2date
/stupid mode off

the system does have references to BADTOKEN in ParamVal.pm
guess it is patched?

Remco

On Wed, 28 May 2003, Julian Field wrote:

> I have been wading through the MIME-tools modules and its security patches
> to see why some people are catching it correctly and some aren't.
>
> If you are letting the filename through, you do not have the MIME-tools
> security patches applied correctly. The first patch introduces a variable
> "$BADTOKEN" into MIME/Field/ParamVal.pm. If you do *not* have "BADTOKEN"
> anywhere in ParamVal.pm, you have not applied the security patches correctly.
>
> Please check your Perl MIME-tools installations!
>
> Jules.
>
>
> At 20:09 28/05/2003, you wrote:
> >I just checked, when I want to save the virus .pif from the message,
> >indeed pine does only recognize it as a .pi and not .pif
> >
> >In the message body the attachment's name is displayed correctly however.
> >
> >It must be the thing as described below.
> >
> >On Wed, 28 May 2003, Craig Pratt wrote:
> >
> > > On Wednesday, May 28, 2003, at 10:58  AM, Remco Barendse wrote:
> > > > Possibly, I'm running MailScanner-4.20-3 which isn't that old, not like
> > > > the 4.13 series Julian mentioned in his earlier mail.
> > > >
> > > > I'd be more than happy to bounce the e-mail to Julian, if needed. I
> > > > don't have the df/qf pairs anymore, don't know if bouncing the mail is any
> > > > good?
> > >
> > > It might be - but if your client didn't fix it in your mailbox, it
> > > might very well fix it on send. So you'd need to poke around in the raw
> > > mailbox file itself.
> > >
> > > Can I try sending you 2 test messages I put together? One contains the
> > > EICAR test file and the other a plaintext file - both attached in
> > > strange ways that (may) mimic how the virus is doing its attachment.
> > > Then we can see what your MS does with it.
> > >
> > > Craig
> > >
> > > > On Wed, 28 May 2003, Craig Pratt wrote:
> > > >
> > > >> On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
> > > >>> Perhaps this extract from the McAfee site may explain why some got
> > > >>> through, although we were blocking most copies of the virus on our
> > > >>> site
> > > >>> before McAfee released the DAT (mailscanner v3.22-12):
> > > >>>
> > > >>> Similarly to W32/Sobig@MM, the outgoing messages constructed by the
> > > >>> worm may have a closing quote omitted from the attachment filename. This
> > > >>> may cause certain mail clients to remove a character from the remaining
> > > >>> filename, thus attachments may have a ".PI" extension (as opposed to
> > > >>> ".PIF").
> > > >>>
> > > >>> Anjana
> > > >>
> > > >> That's interesting. I constructed a raw message with the trailing
> > > >> quote missing from the filename and it was not caught by the filename rules.
> > > >> And I do notice that two mail clients truncate the last character of
> > > >> the filename when nonquoted.
> > > >>
> > > >> Another quick test shows that it's possible to write a message with a
> > > >> filename extension listed in the filename rules. Perhaps that is what
> > > >> is going on in the message being seen by Mirco, Remco, et al?
> > > >>
> > > >> Note that I'm using MS 4.12-2.
> > > >>
> > > >> Craig
> > > >>
> > > >>>> -----Original Message-----
> > > >>>> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > > >>>> Sent: 28 May 2003 08:42
> > > >>>> To: MAILSCANNER at JISCMAIL.AC.UK
> > > >>>> Subject: Re: virus from 'support at microsoft.com' not blocked?
> > > >>>>
> > > >>>> At 08:34 28/05/2003, you wrote:
> > > >>>>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> > > >>>>>> No, it didn't. This is why I sent the mail to the list. The fact
> > > >>>>>> that McAfee didn't spot it was due to my own mistake: I didn't check
> > > >>>>>> whether the dat files were updated.
> > > >>>>>>
> > > >>>>>> But.... MailScanner did not block the .pif from that particular
> > > >>>>>> virus. It does block a random text file which is renamed to
> > > >>>>>> whatever.pif but this virus was passed without filtering.
> > > >>>>>>
> > > >>>>>> Maybe the virus is generating some sort of invalid mail format
> > > >>>>>> which causes MailScanner not to recognize the attachment or the
> > > >>>>>> attachment filename?
> > > >>>>>
> > > >>>>> Like I mentioned in a previous message, it is possible to name a
> > > >>>>> file in a way where MS will not match a filename rule it would otherwise
> > > >>>>> match - presuming it hasn't been remedied.
> > > >>>>>
> > > >>>>> Please send the original message - stuffed in an attachment or
> > > >>>>> quoted - so I can determine if there is a known virus using weird
> > > >>>>> file name attribution.
> > > >>>>
> > > >>>> <aol>Me too!</aol>
> > > >>>> Please tell me what version of MailScanner is not detecting the
> > > >>>> filename correctly, and also send me the original message in a zip
> > > >>>> file, so I can get all the raw headers out of it and see what its
> > > >>>> MIME structure looks like.
> > > >>>>
> > > >>>> This is clearly a problem only affecting some people, so it may be a
> > > >>>> bug I have already fixed.
> > > >>>>
> > > >>>>
> > > >>>>> Craig
> > > >>>>>
> > > >>>>>> On Tue, 27 May 2003, Craig Pratt wrote:
> > > >>>>>>
> > > >>>>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> > > >>>>>>>> Hi!
> > > >>>>>>>>
> > > >>>>>>>>> RavAV's been catching it w/o issue:
> > > >>>>>>>>>
> > > >>>>>>>>> The following e-mail messages were found to have dangerous
> > > >>>>>>>>> content:
> > > >>>>>>>>>
> > > >>>>>>>>>      Sender: support at microsoft.com
> > > >>>>>>>>>  IP Address: 68.4.203.36
> > > >>>>>>>>>   Recipient: [chomp]
> > > >>>>>>>>>     Subject: Re: Movie
> > > >>>>>>>>>   MessageID: h4MJ12gC000237
> > > >>>>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected: Win32/Sobig.B@mm
> > > >>>>>>>>> Shortcuts to MS-Dos programs are very dangerous in email
> > > >>>>>>>>> (your_details.pif)
> > > >>>>>>>>
> > > >>>>>>>> Sorry, there are various versions of this virus floating around.
> > > >>>>>>>> RAV doesn't pick them all up. Really. We have an open case with RAV
> > > >>>>>>>> for this. I have seen f-prot picking them all up; McAfee and RAV did
> > > >>>>>>>> pass some variants.
> > > >>>>>>>>
> > > >>>>>>>> Bye,
> > > >>>>>>>> Raymond.
> > > >>>>>>>
> > > >>>>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
> > > >>>>>>>
> > > >>>>>>> I hope/presume the filename rule still blocked them?
> > > >>>>>>>
> > > >>>>>>> Craig
> > > >>>>>>>
> > > >>>>>>> ---
> > > >>>>>>> Craig Pratt
> > > >>>>>>> Strongbox Network Services Inc.
> > > >>>>>>> mailto:craig at strong-box.net
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> --
> > > >>>>>>> This message checked for dangerous content by MailScanner on
> > > >>>>>>> StrongBox.
> > > >>>>>>>
> > > >>>>
> > > >>>> --
> > > >>>> Julian Field
> > > >>>> www.MailScanner.info
> > > >>>> MailScanner thanks transtec Computers for their support
> > > >>>>
> > > >>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
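The parsing problem the thread circles around (a `name="..."`/`filename="..."` parameter whose closing quote the worm omits, a quote-only matcher that then finds no filename, and clients that chop the last real character and show `.PI`) is small enough to reproduce. The following is an added example written for this page in Python; it is not MailScanner's or MIME-tools' own Perl code and does not reproduce the `$BADTOKEN` patch. The header values are constructed, the denied-extension list is an assumed subset of a MailScanner-style filename rule set, and the three extractors (`naive_filename`, `client_like_filename`, `parse_params`) are illustrative names, not functions from either project.

```python
import re

# Constructed sample Content-Type values (not taken from the worm message itself).
WELL_FORMED = 'application/octet-stream; name="your_details.pif"'
UNTERMINATED = 'application/octet-stream; name="your_details.pif'   # closing quote omitted
PLAIN_TOKEN = 'application/octet-stream; name=your_details.pif'     # legal unquoted token

# Assumed subset of a MailScanner-style "deny" filename rule.
DANGEROUS = re.compile(r'\.(pif|scr|exe|com|bat|vbs)$', re.I)

# A matcher that only accepts a fully quoted value.
QUOTED_ONLY = re.compile(r'(?:^|;)\s*(?:name|filename)\s*=\s*"([^"]*)"', re.I)
# Everything after "name=" to end of header, quoted or not.
ANY_VALUE = re.compile(r'(?:^|;)\s*(?:name|filename)\s*=\s*(.*)$', re.I | re.S)


def naive_filename(header):
    """Quote-only extraction: silently returns None when the closing quote is missing."""
    m = QUOTED_ONLY.search(header)
    return m.group(1) if m else None


def client_like_filename(header):
    """Mimics a client that sees an opening quote, assumes the value is quoted,
    and drops the last character as the closing quote. With the quote missing
    that last character is the 'f' of '.pif', giving the '.PI' the thread reports."""
    m = ANY_VALUE.search(header)
    if not m:
        return None
    value = m.group(1).strip()
    if value.startswith('"'):
        value = value[1:-1]
    return value


def parse_params(header):
    """Tolerant RFC 2045-style parameter parser (illustrative, not MIME-tools').
    Splits on ';' only outside quotes, honours backslash escapes inside quotes,
    and treats an unterminated quoted-string as running to the end of the header,
    so the last real character is kept rather than chopped."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in header:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quote and ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))

    params = {}
    for part in parts[1:]:              # parts[0] is the media type itself
        if '=' not in part:
            continue
        key, value = part.split('=', 1)
        value = value.strip()
        if value.startswith('"'):
            value = value[1:]
            if value.endswith('"'):
                value = value[:-1]      # normal case; unterminated quote keeps its last char
            value = re.sub(r'\\(.)', r'\1', value)   # unescape \" and \\
        params[key.strip().lower()] = value
    return params


def tolerant_filename(header):
    p = parse_params(header)
    return p.get('filename') or p.get('name')


def is_blocked(filename):
    return bool(filename) and bool(DANGEROUS.search(filename))


def verdicts(header):
    """What each extraction strategy decides for one header value."""
    return {
        'quoted_only': is_blocked(naive_filename(header)),
        'client_like': is_blocked(client_like_filename(header)),
        'tolerant': is_blocked(tolerant_filename(header)),
    }


if __name__ == '__main__':
    for label, h in [('well-formed', WELL_FORMED),
                     ('unterminated', UNTERMINATED),
                     ('bare token', PLAIN_TOKEN)]:
        print(f'{label:13s} client sees {client_like_filename(h)!r:22s} {verdicts(h)}')
```

The unterminated header is the interesting row: the quote-only matcher returns nothing (so a rule keyed on the extracted name never fires), the client-style extractor yields `your_details.pi`, and only the tolerant parser still sees `.pif` and blocks. The bare-token row shows the quote-only matcher also misses a perfectly legal unquoted `name=` value, which is why a filename rule should be fed by a real parameter parser rather than a regex that assumes quoting.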


