Missed virus?

Gerry Doris gerry at DORFAM.CA
Fri Sep 5 22:37:42 IST 2003 

On Fri, 5 Sep 2003, Kevin Spicer wrote:

> On Fri, 2003-09-05 at 19:27, Antony Stone wrote:
>
> > I just tested this by taking eicar.com, tar-gzipping it, then
> winzipping
> > the tgz file, then bzip2-ing the winzip file, and emailing myself the
> .bz2
> > file.
> >
> > Eicar got found by ClamAV, AntiVir and McAfee (which, with the AV
> engines I
> > run on this mail server, means it got missed by BitDefender, F-Prot,
> > Inoculan, Kaspersky and NOD32).
>
> And of course MailScanner didn't pick up the .com file & block it.
>
> I performed a test myself, which I hoped would imitate the message which
> the original post was about.  I created an email with email.com and
> eicar.zip attached, then forwarded the email as an attachment to
> myself.  Both Sophos(savi) and Clam picked up both copies of eicar,
> whats more MailScanner also blocked the com file.
>
> This suggests that although the original post's problem message (I
> guess) had the original email attached ther was something irregular
> about its formatting which prevented MailScanner and Clam from
> recognising it as an attached message and treat it as such.
>
> It would be most interesting to see the source of the original message
> (if you still have it Gerry).


I have attached the headers for both messages.  I'm really confused on
this.  The first message's attachment in my quarantine directory is only
the warning text message put in by MailScanner.  It is included as
msg-6184-52.txt.

The second messsage has an actual virus document_9446.pif stored in the
quarantine directory.  It didn't bother with attaching this.

There seems to be something about the first message that triggered F-Prot
and Trend to believe there was a virus in it and MailScanner duly
quarantined the txt message...which was nothing but the warning message???

--
Gerry

"The lyfe so short, the craft so long to learne"  Chaucer
-------------- next part --------------

From Mailer-Daemon at twista.freelimit.com  Fri Sep  5 12:21:13 2003
Return-Path: <Mailer-Daemon at twista.freelimit.com>
Received: from localhost (localhost [127.0.0.1])
	by tiger.dorfam.ca (8.12.8/8.12.8) with ESMTP id h85GKCv7010242
	for <bdoris at localhost>; Fri, 5 Sep 2003 12:20:13 -0400
Received: from pop.bloor.is.net.cable.rogers.com [66.185.95.101]
	by localhost with POP3 (fetchmail-6.2.0)
	for bdoris at localhost (single-drop); Fri, 05 Sep 2003 12:20:13 -0400 (EDT)
Received: from twista.freelimit.com ([69.57.144.39])
          by fep01-mail.bloor.is.net.cable.rogers.com
          (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP
          id <20030905161929.NTIY232520.fep01-mail.bloor.is.net.cable.rogers.com at twista.freelimit.com>
          for <bdoris at rogers.com>; Fri, 5 Sep 2003 12:19:29 -0400
Received: from mailnull by twista.freelimit.com with local (Exim 4.20)
	id 19vJJ2-0005O9-7M
	for bdoris at rogers.com; Fri, 05 Sep 2003 11:19:28 -0500
X-Failed-Recipients: comments at kidschat.ws
From: Mail Delivery System <Mailer-Daemon at twista.freelimit.com>
To: bdoris at rogers.com
Subject: {Virus?} Mail delivery failed: returning message to sender
Message-Id: <E19vJJ2-0005O9-7M at twista.freelimit.com>
Date: Fri, 05 Sep 2003 11:19:28 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - twista.freelimit.com
X-AntiAbuse: Original Domain - rogers.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - 
X-DORFAM-MailScanner-Info: Contact postmaster at dorfam.ca
X-DORFAM-MailScanner: Found to be infected
X-DORFAM-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.1,
	required 7, BAYES_30, LARGE_HEX, MAILER_DAEMON, UPPERCASE_25_50)
X-IMAPbase: 1062795648 3
Status: RO
X-Status: 
X-Keywords:                      
X-UID: 1

Warning: This message has had one or more attachments removed
Warning: (the entire message).
Warning: Please read the "VirusWarning.txt" attachment(s) for more information.

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "the entire message"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Fri Sep  5 12:21:12 2003 the virus scanner said:
   F-Prot: msg-6184-52.txt->document_all.pif  Infection: W32/Sobig.F at mm
   Trend: Found virus WORM_SOBIG.F in file msg-6184-52.txt

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030905 (message h85GKCv7010242).
-- 
Postmaster
Mailscanner thanks transtec Computers for their support

From 7UIfBBLy6 at compuserve.com  Fri Sep  5 12:30:26 2003
Return-Path: <7UIfBBLy6 at compuserve.com>
Received: from localhost (localhost [127.0.0.1])
	by tiger.dorfam.ca (8.12.8/8.12.8) with ESMTP id h85GUEv7010704
	for <bdoris at localhost>; Fri, 5 Sep 2003 12:30:17 -0400
Received: from pop.bloor.is.net.cable.rogers.com [66.185.95.101]
	by localhost with POP3 (fetchmail-6.2.0)
	for bdoris at localhost (single-drop); Fri, 05 Sep 2003 12:30:17 -0400 (EDT)
Received: from SILVERTH-ULL7ZO ([24.42.1.205])
          by fep01-mail.bloor.is.net.cable.rogers.com
          (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP
          id <20030905162802.OJON232520.fep01-mail.bloor.is.net.cable.rogers.com at SILVERTH-ULL7ZO>
          for <bdoris at rogers.com>; Fri, 5 Sep 2003 12:28:02 -0400
From: <7UIfBBLy6 at compuserve.com>
To: <bdoris at rogers.com>
Subject: {Virus?} {Spam?} Your details
Date: Fri, 5 Sep 2003 12:28:08 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="_NextPart_000_013A03D1"
Message-Id: <20030905162802.OJON232520.fep01-mail.bloor.is.net.cable.rogers.com at SILVERTH-ULL7ZO>
X-DORFAM-MailScanner-Info: Contact postmaster at dorfam.ca
X-DORFAM-MailScanner: Found to be infected
X-DORFAM-MailScanner-SpamCheck: spam, SpamAssassin (score=10.6, required 7,
	DATE_IN_PAST_03_06, DCC_CHECK, FORGED_MUA_OUTLOOK,
	FROM_HAS_MIXED_NUMS, INVALID_DATE, MICROSOFT_EXECUTABLE,
	MIME_BOUND_NEXTPART, MISSING_MIMEOLE, NO_REAL_NAME, PYZOR_CHECK,
	RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK)
Status: RO
X-Status: 
X-Keywords:                 
X-UID: 2

This is a multipart message in MIME format

--_NextPart_000_013A03D1
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Warning: This message has had one or more attachments removed
Warning: (document_9446.pif).
Warning: Please read the "VirusWarning.txt" attachment(s) for more information.

Please see the attached file for details.

--_NextPart_000_013A03D1
Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt"
Content-Disposition: attachment; filename="VirusWarning.txt"
Content-Transfer-Encoding: quoted-printable

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "document_9446.pif"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Fri Sep  5 12:30:25 2003 the virus scanner said:
   ClamAV: document_9446.pif contains Worm.Sobig.F=20
   F-Prot: document_9446.pif  Infection: W32/Sobig.F at mm
   Trend: Found virus WORM_SOBIG.F in file document_9446.pif
   MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (d=
ocument_9446.pif)
   No programs allowed (document_9446.pif)

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran=
tine/20030905 (message h85GUEv7010704).
--=20
Postmaster
Mailscanner thanks transtec Computers for their support


-------------- next part --------------
Warning: This message has had one or more attachments removed
Warning: (the entire message).
Warning: Please read the "VirusWarning.txt" attachment(s) for more information.

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "the entire message"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Fri Sep  5 12:21:12 2003 the virus scanner said:
   F-Prot: msg-6184-52.txt->document_all.pif  Infection: W32/Sobig.F at mm
   Trend: Found virus WORM_SOBIG.F in file msg-6184-52.txt

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030905 (message h85GKCv7010242).
-- 
Postmaster
Mailscanner thanks transtec Computers for their support

More information about the MailScanner mailing list