gfi virus/exploits test (fwd)

Jan-Peter Koopmann Jan-Peter.Koopmann at SECEIDOS.DE
Tue Nov 25 19:39:22 GMT 2003


> The email with the subject "hide.hta..." contains an 
> attachment called "untitled" which contains vb script, and 
> another email with the subject "Attachment with no filename 
> vulnerability test" contains an attachment called 
> untitled.hta which is also a vb script. Please double check 
> your results and get back to me, maybe I have misconfigured something

Ok. This is what I got:

1. Iframe remote vulnerability test --> got through but did not do
anything. Was obviously disarmed by MailScanner.

2. Object Codebase vulnerability test --> virus found
   McAfee: msg-93664-9.html        Found the Exploit-CodeBase trojan !!!
   ClamAV: msg-93664-9.html contains Exploit.ObjCodebase.Calc 

3. GFI's Access exploit vulnerability test --> I see the mail but no
attachment. Nothing. 

4. CLSID extension vulnerability test --> 
   ClamAV: viewthis.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} contains GFI.VBS.Test
   MailScanner: Files ending in CLSID's are trying to hide their real extension (viewthis.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b})

5. MIME header vulnerability test -->
   ClamAV: viewthis.vbs contains GFI.VBS.Test 
   MailScanner: Visual Basic (Scripts) are/is dangerous in email (viewthis.vbs)

6. ActiveX vulnerability test --> I see the mail but nothing else.

7. VBS attachment vulnerability test --> 
   ClamAV: viewthis.jpg.vbs contains GFI.VBS.Test 
   MailScanner: Visual Basic (Scripts) are/is dangerous in email (viewthis.jpg.vbs)

8. CLSID extension vulnerability test --> 
   ClamAV: viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} contains GFI.VBS.Test
   MailScanner: Files ending in CLSID's are trying to hide their real extension (viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b})

9. Malformed file extension vulnerability test (for Outlook 2002 - XP) -->
   ClamAV: viewthis.hta. contains GFI.VBS.Test 

10. Popup Object Exploit vulnerability test -->
   McAfee: msg-93664-12.html        Found the Exploit-CodeBase trojan !!!
   ClamAV: msg-93664-12.html contains Exploit.ObjCodebase.Calc 

11. Long filename vulnerability test -->
   ClamAV: nicepicture   .hta contains GFI.VBS.Test 
   MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (nicepicture   .hta)

12. Attachment with no filename vulnerability test -->
   ClamAV: msg-93664-16.dat contains GFI.VBS.Test 

13. Double file extension vulnerability test -->
   ClamAV: viewthis.jpg.hta contains GFI.VBS.Test 
   MailScanner: HTML archives are very dangerous in email (viewthis.jpg.hta)

14. eicar.com [1/5] --> Mail gets through but attachment renamed to {Virus } eicar.com [1_5].dat

15. eicar.com [2/5] until eicar.com [5/5] -->
   MailScanner: Fragmented messages cannot be scanned and are removed

16. I received two mails containing hide.hta (MAAAANY WHITESPACES).
Outlook blocked both attachments. I tried to unblock them but was only
successful with one. That one I can save. But it is not executed
automatically.

17. Eicar anti-virus test -->
   McAfee: eicar.com        Found: EICAR test file NOT a virus.
   ClamAV: eicar.com contains Eicar-Test-Signature 
   Kaspersky: eicar.com INFECTED EICAR-Test-File
   F-Secure: eicar.com: Infected: EICAR_Test_File [F-Prot]
   F-Secure: eicar.com: Infected: EICAR Test File [Orion]
   F-Secure: eicar.com: Infected: EICAR-Test-File [AVP]
   MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)


The only thing that might be troubling is point 16. I agree that those
files should not get through. I do not get why this one is not caught by

deny    \s{10,}         Filename contains lots of white space  

in filename.rules.conf though, since the filename itself is so long.
Nevertheless we should have a possibility to detect virus-like subjects
as well. Julian could you have a look at this? This is indeed
troublesome. The subject and the filename contain a lot of whitespaces
but it is not caught by MailScanner....

Regards,
  JP
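As an added illustration (not part of the post above and not MailScanner's own code), the following Python models filename.rules.conf-style evaluation and shows what the quoted `deny \s{10,}` rule does and does not match: it fires only on ten or more consecutive whitespace characters, so a padded name whose whitespace is broken up by other characters slips past it, and a count-based check catches such names and padded Subject lines alike. It assumes first-matching-rule-wins semantics and case-insensitive matching; the CLSID and extension rules are constructed to mirror the log lines in the post, and it does not claim to explain why the hide.hta mails got through.

```python
import re

# Constructed rule table modelled on filename.rules.conf: (action, regex, log text).
# Assumption: first matching rule wins, regex matched case-insensitively.
# The \s{10,} rule is the one quoted in the post; the other two are constructed.
RULES = [
    ("deny", r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$",
     "Files ending in CLSID's are trying to hide their real extension"),
    ("deny", r"\s{10,}", "Filename contains lots of white space"),
    ("deny", r"\.(vbs|hta)$", "Script/HTML archive attachments are dangerous in email"),
]

def first_matching_rule(name, rules=RULES):
    """Return (action, log_text) of the first rule matching name, else ('allow', '')."""
    for action, pattern, log_text in rules:
        if re.search(pattern, name, re.IGNORECASE):
            return action, log_text
    return "allow", ""

def whitespace_run(name):
    """Length of the longest run of consecutive whitespace; this is what \s{10,} tests."""
    return max((len(run) for run in re.findall(r"\s+", name)), default=0)

def whitespace_total(name):
    """Total whitespace characters anywhere in the string, adjacent or not."""
    return len(re.findall(r"\s", name))

def suspicious_padding(text, threshold=10):
    """Count-based check that also works on a Subject header, not just a filename."""
    return whitespace_total(text) >= threshold

CLSID = "{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}"
SAMPLES = [
    "viewthis.jpg." + CLSID,             # test 8 in the post
    "nicepicture" + " " * 12 + ".hta",   # test 11: one long whitespace run
    "hide" + " " * 9 + ".hta",           # constructed: 9 spaces, \s{10,} misses it
    "hide" + " _" * 12 + ".hta",         # constructed: 12 spaces, none adjacent
    "report.pdf",                        # constructed: benign name
]

if __name__ == "__main__":
    for name in SAMPLES:
        action, why = first_matching_rule(name)
        print(f"{name!r:50} run={whitespace_run(name):2} "
              f"total={whitespace_total(name):2} padded={suspicious_padding(name)!s:5} "
              f"-> {action} {why}")
```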



