BugBear-M getting through?

Ewald Beekman E.H.Beekman at AMC.UVA.NL
Thu Apr 15 12:41:18 IST 2004


I just discovered that W32/Bugbear-E (Sophos name) is not being
detected in our configuration.
This worm is sent via a zip file which contains an html
file. The html file starts with a base64 block and ends
with a small piece of javascript:
I will attach a jpg with the info so it won't get rejected
by your installations.

The logging does not show that the htm inside the zip gets
scanned by MailScanner, it's just doing filename checks:
Apr 14 16:08:30 sukke MailScanner[5712]: Filename Checks: Allowing i3EE8DlF014367 msg-5712-94.txt
Apr 14 16:08:30 sukke MailScanner[5712]: Filename Checks: Allowing i3EE8DlF014367 AboveNet Cross-Connect Request Form Rev 9-8-03.zip
Apr 14 16:08:30 sukke MailScanner[5712]: Filename Checks: Allowing i3EE8DlF014367 AboveNet Cross-Connect Request Form Rev 9-8-03.htm (no rule matched)

We are using version 4.28.6-1 together with Sophos,
Maximum Archive depth for scanning inside zips is set to 3,
Filetype checks are disabled via "Filetype Rules =".

Any help is appreciated.

regards,
Ewald...

--
Ewald Beekman, Security Engineer, Academic Medical Center,
dept. ADB/ICT Computer & Network Services, The Netherlands
## Your mind-mint is:
Never appeal to a man's "better nature."  He may not have one.
Invoking his self-interest gives you more leverage.
                -- Lazarus Long
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bb.jpg
Type: image/jpeg
Size: 66745 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040415/b367e963/bb.jpg
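The log lines above show filename checks being applied to the members of the zip, which is not the same as the content of the nested .htm being handed to the virus scanner. The following Python script is an added illustration (not the poster's code and not MailScanner's own logic) of what an archive-depth limit and a "no rule matched" allow mean in practice: it builds a constructed zip-in-zip with a harmless .htm inside, walks it to a configurable maximum depth, applies a hypothetical filename rule list, and lists the members that were allowed only because nothing matched, so a defender can confirm those are the ones the content scanner must still open. The rule list, file names and sample contents are assumptions made for the example.

```python
import io
import re
import zipfile

# Constructed sample: an .htm nested inside a .zip that sits inside the outer .zip,
# mirroring the attachment layout described in the post (the content is plain text).
def build_sample_archive() -> bytes:
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Request Form.htm", "<html>constructed sample, no script</html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("msg.txt", "constructed cover text")
        zf.writestr("Request Form.zip", inner.getvalue())
    return outer.getvalue()

# Hypothetical filename rules (not MailScanner's real rule file): first match wins,
# and a member that matches nothing is allowed with a "no rule matched" note,
# which is the outcome the log lines in the post show for the .htm.
FILENAME_RULES = [
    (re.compile(r"\.(exe|scr|pif)$", re.I), "deny"),
    (re.compile(r"\.(txt|zip)$", re.I), "allow"),
]

def apply_filename_rules(name: str) -> str:
    for pattern, action in FILENAME_RULES:
        if pattern.search(name):
            return action
    return "allow (no rule matched)"

def walk_archive(data: bytes, max_depth: int, depth: int = 1, prefix: str = "") -> list:
    """Return one dict per member, recursing into nested zips only while depth < max_depth,
    so that members beyond the configured depth are reported as never examined."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            results.append({"path": path, "depth": depth,
                            "action": apply_filename_rules(info.filename)})
            if info.filename.lower().endswith(".zip"):
                if depth < max_depth:
                    results.extend(walk_archive(zf.read(info), max_depth, depth + 1, path + "/"))
                else:
                    results.append({"path": path + "/*", "depth": depth + 1,
                                    "action": "not examined (beyond max depth)"})
    return results

def members_needing_content_scan(results: list) -> list:
    """Members that passed only because no filename rule matched. A filename check is not a
    content scan, so these are the ones to confirm the virus scanner actually opened."""
    return [r["path"] for r in results if r["action"] == "allow (no rule matched)"]

if __name__ == "__main__":
    listing = walk_archive(build_sample_archive(), max_depth=3)
    for r in listing:
        print(f"depth {r['depth']}: {r['path']}: {r['action']}")
    print("needs content scan:", members_needing_content_scan(listing))
```

Running it with max_depth=3 (the setting quoted in the post) lists the nested .htm at depth 2 as allowed with no rule matched; running it with max_depth=1 shows the inner zip reported as not examined at all, which is the other way a nested file can slip past a gateway without ever being scanned.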

