Patch for new virus - Mabuto.B or Mabutu-A
Julian Field
mailscanner at ecs.soton.ac.uk
Tue Oct 26 23:16:10 IST 2004
There is a new virus out called variously
W32/Mabuto.B@mm (F-Prot)
W32/Mabutu-A (Sophos)
This virus exploits a hole in the MIME-tools modules. I have added a
patch to MailScanner to save you having to mess with the MIME-tools
directly.
Attached is a patch to /usr/lib/MailScanner/MailScanner/Message.pm which
will add a function to solve the problem. If you don't know how to apply
a patch, then something like
cd /usr/lib/MailScanner/MailScanner
patch -p0 < Message.pm.patch
should do the trick. If it rejects the patch on your version of
MailScanner, just take a look at the patch file and insert the code by hand.
I am also putting together a new beta-release including this patch (and
an improvement to the phishing net) which I will publish very shortly.
The result of the patch will be that these infected messages are
rejected as unparsable. This is not ideal, but will have to do for now.
I will try to produce a better solution in the next few days. The MIME
header analysis code gets really difficult to follow :-(
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
[ Part 2: "Attached Text" ]
--- Message.pm.old Tue Oct 26 22:11:47 2004
+++ Message.pm Tue Oct 26 22:12:42 2004
@@ -4343,6 +4345,24 @@
if(scalar(@{$arr}) && $arr->[0] =~ /\A\s*\Z/o);
$me;
+}
+
+#
+# Over-ride the MIME boundary extracting code so that we fail to parse
+# messages with an empty MIME boundary. Best I can do for now.
+#
+
+package MIME::Parser::Reader;
+
+sub add_boundary {
+ my ($self, $bound) = @_;
+ unshift @{$self->{Bounds}}, $bound; ### now at index 0
+ # JKF Fix problem with the Britney virus
+ $bound = "" if $bound eq '""';
+ # JKF End
+ $self->{BH}{"--$bound"} = "DELIM $bound";
+ $self->{BH}{"--$bound--"} = "CLOSE $bound";
+ $self;
}
#
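Review bot: the `package MIME::Parser::Reader;` statement in the added block switches the current package for everything that follows it in Message.pm, including the trailing `#` context line and anything after it, so the override should be wrapped in its own bare block (`{ package MIME::Parser::Reader; sub add_boundary { ... } }`) or be followed by a statement that restores the file's own package. Two smaller points: redefining an existing sub this way raises a "Subroutine add_boundary redefined" warning when warnings are enabled, which `no warnings 'redefine';` inside that block silences; and the comparison `$bound eq '""'` only matches a boundary that arrives as the literal two-character string `""`, after which the delimiter keys become `--` and `----`, so the comment's claim that such messages fail to parse should either explain how that mapping produces the failure or be replaced by an explicit rejection in the sub, and the `Britney virus` comment should name Mabutu.B to match the announcement.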
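The condition the Message.pm patch turns into a parse failure, a multipart message whose boundary parameter is empty or missing, can be checked directly from the Content-Type header rather than inside the MIME-tools parser. The following is an added Python example, not code from this post or from MailScanner, using the standard-library `email` parser on constructed sample messages:

```python
# Added example: flag multipart messages whose boundary is empty or missing,
# the condition the Message.pm patch above turns into a parse failure.
import email

# Constructed samples (not real Mabutu mail): well-formed, empty, absent.
NORMAL = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="abc123"

--abc123
Content-Type: text/plain

hello
--abc123--
"""

EMPTY_BOUNDARY = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=""

--
Content-Type: text/plain

body
----
"""

NO_BOUNDARY = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed

body
"""


def bad_boundaries(raw):
    """Describe every multipart part (top level included) whose boundary
    parameter is absent or blank; reads the header, not the split body."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "multipart":
            continue
        boundary = part.get_boundary()  # None when the parameter is absent
        if boundary is None:
            findings.append(part.get_content_type() + ": no boundary parameter")
        elif boundary.strip() == "":
            findings.append(part.get_content_type() + ": empty boundary")
    return findings
```

A gateway applying the patch's policy would reject any message for which `bad_boundaries` returns a non-empty list; a stricter check could also require the boundary to match the bchars grammar of RFC 2046.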