Dumaru again

Stephan Ilaender mailscanner at LAYLINE.DE
Fri Mar 26 15:27:40 GMT 2004


On 26.03.2004 Desai, Jason wrote on the subject
 ## Re: Dumaru again ##


> Is it possible that the virus coming "in from the wild" is actually
> something like a delivery failure notice?  Many times mailers will include
> the body of the failed message in the failure notice, but not in a way that
> mail clients would be able to decode properly if there were an attachment.
> Maybe the virus is not a valid mime attachment?
>
> Jason
>
>

OK, I've had a closer look at the quarantine files and think it's a broken MIME
issue (hoping that the virus screws up the MIME and firmly believing that
MailScanner has no flaw ;))

The Dumaru Mail in question ends up in three files in the quarantine dir:

ls -1hs *
---------
4.0k msg-29968-12.html
 24k msg-29968-13.txt
 24k msg-29968-14.txt

head -5 msg-29968-13.txt:
-------------------------
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
       filename="myphoto.zip"

UEsDBAoAAAAAAFZ2ai/+n7Ua2kMAANpDAABHAAAAbXlwaG90by5q


head -5 msg-29968-14.txt:
-------------------------
UEsDBAoAAAAAAFZ2ai/+n7Ua2kMAANpDAABHAAAAbXlwaG90by5q
cGcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIC5leGVNWlAAAgAAAAQADwBQRQAA
TAECAEZTRyEAAAAAAAAAAOAAjoELAQAAAE4AAAAoAAAAAAAAufAA
AAAQAAAMAAAAAABAAAAQAAAAAgAAAQAAAAAAAAADAAoAAAAAAAAA

So the second file would look more like garbage to any scanner - maybe not to
AntiVir.
Now I used metamail to decode both files:

metamail -w -r msg-29968-13.txt > /tmp/13.zip
which yields: Wrote file /tmp/13.zip

metamail -w -r msg-29968-14.txt > /tmp/14.zip
ends with: metamail: Could not find end of mail headers.

OK, now unzipping this zip brings me some errors:

unzip 13.zip:
-------------
Archive:  13.zip
error [13.zip]:  missing 3 bytes in zipfile
  (attempting to process anyway)
error [13.zip]:  attempt to seek before beginning of zipfile
  (please check that you have transferred or created the zipfile in the
  appropriate BINARY mode and that you have compiled UnZip properly)
  (attempting to re-compensate)
 extracting: myphoto.jpg
.exe   bad CRC cfeef7f1  (should be 1ab59ffe)

but still, clamscan is able to detect Dumaru:

clamscan myphoto.jpg\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .exe myphoto.jpg
                                           .exe: Worm.Dumaru.Y FOUND

and even in the broken zip:

clamscan --disable-archive /tmp/13.zip
/tmp/13.zip: Worm.Dumaru.Y FOUND

/usr/lib/AntiVir/antivir /tmp/13.zip
/tmp/13.zip <<< Contains signature of the worm Worm/Dumaru.AB

running the wrapper with --disable-archive (for external zip processing) gives
me:
/etc/MailScanner/wrapper/clamav-wrapper /usr /tmp/13.zip
=>
/tmp/5659ce5f53c80714/myphoto.jpg
        .exe: Worm.Dumaru.Y FOUND
/tmp/13.zip: Infected Archive FOUND

running the wrapper without (the default install) gives me:
/etc/MailScanner/wrapper/clamav-wrapper.dpkg-dist /usr /tmp/13.zip
=>
/tmp/13.zip: Worm.Dumaru.Y FOUND



OK, maybe the attachments of the virus are broken - why are two .txt files
extracted? Maybe AntiVir can still find the pattern in the broken zip. Still not
really an explanation - clamscan also works on the broken zip. Any magic or
hiccups MailScanner might encounter on this one? BTW, this is UnZip 5.50 of 17
February 2002.

regards,
Stephan
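The unzip errors, the "Could not find end of mail headers" from metamail and the fact that clamscan and AntiVir still match the worm all fit one picture: the zip stream is intact at the front (local file header, file name, start of the MZ stub) and only cut short at the tail, where unzip expects the central directory. The following is an added example, not code from MailScanner, ClamAV or the poster: it decodes the first five base64 lines of msg-29968-14.txt quoted above, walks the zip local file headers directly (30-byte layout as documented in PKWARE's APPNOTE) instead of trusting the central directory, and flags a file name of the form "photo.jpg<whitespace>.exe" that hides the real extension. The executable-extension list and the `DISGUISE_RE` pattern are my own choices; everything else the script reports comes from the bytes on the page.

```python
"""Walk the local file headers of a truncated, base64-encoded zip attachment.

Added example (not MailScanner/ClamAV code). It explains the message above:
the header and the start of the payload are at the front of the stream, so a
header-walking scanner still sees the name and the MZ stub even though the
central directory at the end of the archive never arrived.
"""
import base64
import re
import struct

# First five base64 lines of msg-29968-14.txt, as quoted in the message above.
SAMPLE_B64 = (
    "UEsDBAoAAAAAAFZ2ai/+n7Ua2kMAANpDAABHAAAAbXlwaG90by5q\n"
    "cGcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg\n"
    "ICAgICAgICAgICAgICAgICAgIC5leGVNWlAAAgAAAAQADwBQRQAA\n"
    "TAECAEZTRyEAAAAAAAAAAOAAjoELAQAAAE4AAAAoAAAAAAAAufAA\n"
    "AAAQAAAMAAAAAABAAAAQAAAAAgAAAQAAAAAAAAADAAoAAAAAAAAA\n"
)

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"   # sig, version, flags, method, time, date, crc, csize, usize, name_len, extra_len
# My own choice of extensions to treat as executable (assumption, not from the page).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# "<shown name>.<benign ext><whitespace>.<real ext>" (my own pattern).
DISGUISE_RE = re.compile(
    r"^(?P<shown>\S.*?\.[A-Za-z0-9]{1,4})(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,4})$")


def decode_attachment(text):
    """Return the bytes of a base64 body, tolerating MIME headers and a cut-off tail."""
    if "\n\n" in text:                        # headers present (as in the -13 file): drop them
        text = text.split("\n\n", 1)[1]
    b64 = re.sub(r"\s+", "", text)
    b64 = b64[: len(b64) - len(b64) % 4]      # discard an incomplete trailing quantum
    return base64.b64decode(b64)


def dos_datetime(mdate, mtime):
    """Unpack the MS-DOS packed date/time fields of a zip header."""
    return (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)


def disguise(name):
    """Flag names such as 'photo.jpg<many spaces>.exe' that hide the real extension."""
    m = DISGUISE_RE.match(name)
    if not m or m.group("real").lower() not in EXECUTABLE_EXT:
        return None
    return {"shown_as": m.group("shown"), "real_ext": m.group("real").lower(),
            "padding": len(m.group("pad"))}


def parse_local_headers(data):
    """List the entries reachable through local file headers, central directory or not."""
    entries, pos = [], 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        (_, _version, _flags, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, pos)
        name_bytes = data[pos + 30: pos + 30 + name_len]
        if len(name_bytes) < name_len:
            break                              # the header itself is cut off
        body = pos + 30 + name_len + extra_len
        name = name_bytes.decode("cp437", "replace")   # zip's traditional name encoding
        entries.append({
            "name": name,
            "method": method,                  # 0 = stored, 8 = deflate
            "mtime": dos_datetime(mdate, mtime),
            "crc32": crc,
            "size": usize,
            "body_prefix": data[body: body + 3],
            "truncated": len(data) - body < csize,
            "disguise": disguise(name),
        })
        pos = body + csize                     # next header, if the payload arrived at all
    return entries


def scan_base64_zip(text):
    """Decode a base64 attachment body and report its zip entries."""
    return parse_local_headers(decode_attachment(text))


if __name__ == "__main__":
    for e in scan_base64_zip(SAMPLE_B64):
        print("%r method=%d crc=%08x size=%d %s truncated=%s disguise=%s" % (
            e["name"], e["method"], e["crc32"], e["size"], e["body_prefix"],
            e["truncated"], e["disguise"]))
```

On the quoted sample the single entry is stored (method 0), carries the CRC 1ab59ffe that unzip reported as expected, declares 17370 bytes of which only the first 94 are present, and has a 71-character name: "myphoto.jpg", 56 spaces, ".exe", whose payload begins with the "MZP" stub of a Delphi-built executable. A MailScanner-side check that walks local headers this way would name the file and its padding trick before any archive tool is asked to extract it.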


