Re: virus from 'support@microsoft.com' not blocked?

Julian Field mailscanner at ecs.soton.ac.uk
Thu May 29 08:13:06 IST 2003


At 00:39 29/05/2003, you wrote:
>/stupid mode on
>is there a patched version of per(i)l mime tools packaged in the rpm
>installation?

Yes.

>the system is redhat up2date
>/stupid mode off
>
>the system does have references to BADTOKEN in ParamVal.pm
>guess it is patched?

Indeed.


>Remco
>
>On Wed, 28 May 2003, Julian Field wrote:
>
> > I have been wading through the MIME-tools modules and its security patches
> > to see why some people are catching it correctly and some aren't.
> >
> > If you are letting the filename through, you do not have the MIME-tools
> > security patches applied correctly. The first patch introduces a variable
> > "$BADTOKEN" into MIME/Field/ParamVal.pm. If you do *not* have "BADTOKEN"
> > anywhere in ParamVal.pm, you have not applied the security patches correctly.
> >
> > Please check your Perl MIME-tools installations!
> >
> > Jules.
> >
> >
> > At 20:09 28/05/2003, you wrote:
> > >I just checked, when I want to save the virus .pif from the message,
> > >indeed pine does only recognize it as a .pi and not .pif
> > >
> > >In the message body the attachment's name is displayed correctly however.
> > >
> > >It must be the thing as described below.
> > >
> > >On Wed, 28 May 2003, Craig Pratt wrote:
> > >
> > > > On Wednesday, May 28, 2003, at 10:58  AM, Remco Barendse wrote:
> > > > > Possibly, I'm running MailScanner-4.20-3 which isn't that old, not like
> > > > > the 4.13 series Julian mentioned in his earlier mail.
> > > > >
> > > > > I'd be more than happy to bounce the e-mail to Julian, if needed. I don't
> > > > > have the df/qf pairs anymore, don't know if bouncing the mail is any good?
> > > >
> > > > It might be - but if your client didn't fix it in your mailbox, it
> > > > might very well fix it on send. So you'd need to poke around in the raw
> > > > mailbox file itself.
> > > >
> > > > Can I try sending you 2 test messages I put together? One contains the
> > > > EICAR test file and the other a plaintext file - both attached in
> > > > strange ways that (may) mimic how the virus is doing its attachment.
> > > > Then we can see what your MS does with it.
> > > >
> > > > Craig
> > > >
> > > > > On Wed, 28 May 2003, Craig Pratt wrote:
> > > > >
> > > > >> On Wednesday, May 28, 2003, at 05:29  AM, Patel, Anjana wrote:
> > > > >>> Perhaps this extract from the McAfee site may explain why some got
> > > > >>> through, although we were blocking most copies of the virus on our
> > > > >>> site
> > > > >>> before McAfee released the DAT (mailscanner v3.22-12):
> > > > >>>
> > > > >>> Similarly to W32/Sobig at MM, the outgoing messages constructed by the worm
> > > > >>> may have a closing quote omitted from the attachment filename. This may
> > > > >>> cause certain mail clients to remove a character from the remaining
> > > > >>> filename, thus attachments may have a ".PI" extension (as opposed to
> > > > >>> ".PIF").
> > > > >>>
> > > > >>> Anjana
> > > > >>
> > > > >> That's interesting. I constructed a raw message with the trailing quote
> > > > >> missing from the filename and it was not caught by the filename rules.
> > > > >> And I do notice that two mail clients truncate the last character of
> > > > >> the filename when nonquoted.
> > > > >>
> > > > >> Another quick test shows that it's possible to write a message with a
> > > > >> filename extension listed in the filename rules. Perhaps that is what
> > > > >> is going on in the message being seen by Mirco, Remco, et al?
> > > > >>
> > > > >> Note that I'm using MS 4.12-2.
> > > > >>
> > > > >> Craig
> > > > >>
> > > > >>>> -----Original Message-----
> > > > >>>> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > > > >>>> Sent: 28 May 2003 08:42
> > > > >>>> To: MAILSCANNER at JISCMAIL.AC.UK
> > > > >>>> Subject: Re: virus from 'support at microsoft.com' not blocked?
> > > > >>>>
> > > > >>>> At 08:34 28/05/2003, you wrote:
> > > > >>>>> On Wednesday, May 28, 2003, at 12:24  AM, Remco Barendse wrote:
> > > > >>>>>> No, it didn't. This is why I sent the mail to the list. The fact
> > > > >>>>>> that mcafee didn't spot it was due to my own mistake; I didn't check
> > > > >>>>>> whether the dat files were updated.
> > > > >>>>>>
> > > > >>>>>> But.... MailScanner did not block the .pif from that particular
> > > > >>>>>> virus. It does block a random text file which is renamed to
> > > > >>>>>> whatever.pif but this virus was passed without filtering.
> > > > >>>>>>
> > > > >>>>>> Maybe the virus is generating some sort of invalid mail format
> > > > >>>>>> which causes MailScanner not to recognize the attachment or the
> > > > >>>>>> attachment filename?
> > > > >>>>>
> > > > >>>>> Like I mentioned in a previous message, it is possible to name a
> > > > >>>>> file in a way where MS will not match a filename rule it would
> > > > >>>>> otherwise match - presuming it hasn't been remedied.
> > > > >>>>>
> > > > >>>>> Please send the original message - stuffed in an attachment or
> > > > >>>>> quoted - so I can determine if there is a known virus using weird
> > > > >>>>> file name attribution.
> > > > >>>>
> > > > >>>> <aol>Me too!</aol>
> > > > >>>> Please tell me what version of MailScanner is not detecting the
> > > > >>>> filename correctly, and also send me the original message in a zip
> > > > >>>> file, so I can get all the raw headers out of it and see what its
> > > > >>>> MIME structure looks like.
> > > > >>>>
> > > > >>>> This is clearly a problem only affecting some people, so it may be a
> > > > >>>> bug I have already fixed.
> > > > >>>>
> > > > >>>>
> > > > >>>>> Craig
> > > > >>>>>
> > > > >>>>>> On Tue, 27 May 2003, Craig Pratt wrote:
> > > > >>>>>>
> > > > >>>>>>> On Tuesday, May 27, 2003, at 02:02  PM, Raymond Dijkxhoorn wrote:
> > > > >>>>>>>> Hi!
> > > > >>>>>>>>
> > > > >>>>>>>>> RavAV's been catching it w/o issue:
> > > > >>>>>>>>>
> > > > >>>>>>>>> The following e-mail messages were found to have dangerous
> > > > >>> content:
> > > > >>>>>>>>>
> > > > >>>>>>>>>      Sender: support at microsoft.com
> > > > >>>>>>>>> IP Address: 68.4.203.36
> > > > >>>>>>>>>   Recipient: [chomp]
> > > > >>>>>>>>>     Subject: Re: Movie
> > > > >>>>>>>>>   MessageID: h4MJ12gC000237
> > > > >>>>>>>>>      Report: ./h4MJ12gC000237/your_details.pif  Infected:
> > > > >>>>>>>>> Win32/Sobig.B at mm
> > > > >>>>>>>>> Shortcuts to MS-Dos programs are very dangerous in email
> > > > >>>>>>>>> (your_details.pif)
> > > > >>>>>>>>
> > > > >>>>>>>> Sorry, there are various versions of this virus floating around.
> > > > >>>>>>>> RAV doesn't pick them all up. Really. We have an open case by RAV
> > > > >>>>>>>> for this. I have seen f-prot picking them all up, McAfee and RAV
> > > > >>>>>>>> did pass some variants.
> > > > >>>>>>>>
> > > > >>>>>>>> Bye,
> > > > >>>>>>>> Raymond.
> > > > >>>>>>>
> > > > >>>>>>> Yikes - thanks for the heads-up! I'll keep an eye out for this.
> > > > >>>>>>>
> > > > >>>>>>> I hope/presume the filename rule still blocked them?
> > > > >>>>>>>
> > > > >>>>>>> Craig
> > > > >>>>>>>
> > > > >>>>>>> ---
> > > > >>>>>>> Craig Pratt
> > > > >>>>>>> Strongbox Network Services Inc.
> > > > >>>>>>> mailto:craig at strong-box.net
> > > > >>>>>>>
> > > > >>>>>>>
> > > > >>>>>>> --
> > > > >>>>>>> This message checked for dangerous content by MailScanner on StrongBox.
> > > > >>>>>>>
> > > > >>>>> ---
> > > > >>>>> Craig Pratt
> > > > >>>>> Strongbox Network Services Inc.
> > > > >>>>> mailto:craig at strong-box.net
> > > > >>>>>
> > > > >>>>>
> > > > >>>>> --
> > > > >>>>> This message checked for dangerous content by MailScanner on StrongBox.
> > > > >>>>
> > > > >>>> --
> > > > >>>> Julian Field
> > > > >>>> www.MailScanner.info
> > > > >>>> MailScanner thanks transtec Computers for their support
> > > > >>>>
> > > > >> ---
> > > > >> Craig Pratt
> > > > >> Strongbox Network Services Inc.
> > > > >> mailto:craig at strong-box.net
> > > > >>
> > > > >>
> > > > >> --
> > > > >> This message checked for dangerous content by MailScanner on StrongBox.
> > > > >>
> > > > >>
> > > > ---
> > > > Craig Pratt
> > > > Strongbox Network Services Inc.
> > > > mailto:craig at strong-box.net
> > > >
> > > >
> > > > --
> > > > This message checked for dangerous content by MailScanner on StrongBox.
> > > >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
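The mis-parse that the McAfee extract and Craig's tests describe above (closing quote omitted from the attachment filename, last character lost, ".pi" instead of ".pif"), as an added illustration that is not code from the thread, from MailScanner or from MIME-tools: a constructed Content-Disposition value without the closing quote, a naive extractor that behaves like the affected clients, and a tolerant one that still lets a filename rule match. The header strings and the deny list are constructed for the example.

```python
import re

# Constructed sample header values (not taken from any real message): a
# well-formed one and the malformed shape described in the thread, where the
# closing quote around the attachment filename is missing.
GOOD_HEADER = 'attachment; filename="your_details.pif"'
BAD_HEADER = 'attachment; filename="your_details.pif'

# Constructed deny list standing in for a filename rule set.
DENY_EXTENSIONS = {".pif", ".scr", ".exe"}


def naive_filename(header):
    """Behave like a client that assumes the closing quote is present:
    take everything after filename=" and unconditionally drop the last
    character as the 'closing quote'. On BAD_HEADER this yields '.pi'."""
    m = re.search(r'filename="(.*)$', header)
    if not m:
        return None
    return m.group(1)[:-1]


def robust_filename(header):
    """Tolerant extraction: accept a quoted value whether or not the closing
    quote is there, then fall back to an unquoted token. An unterminated
    quote swallows the rest of the value, which is the safe direction for a
    filter (the real extension is still seen)."""
    m = re.search(r'filename\s*=\s*"([^"]*)"?', header, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.search(r'filename\s*=\s*([^;\s]+)', header, re.IGNORECASE)
    return m.group(1) if m else None


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def blocked(header, extract=robust_filename):
    """Return (filename, blocked?) for a Content-Disposition value using
    the given extractor, so the two extractors can be compared."""
    name = extract(header)
    if name is None:
        return None, False
    return name, extension(name) in DENY_EXTENSIONS
```

With the naive extractor the malformed header comes back as "your_details.pi" and passes the rule; with the tolerant one it is "your_details.pif" and is blocked.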


