MS04-028 trojan - a customer written A-V engine

Julian Field mailscanner at ecs.soton.ac.uk
Tue Sep 28 12:23:33 IST 2004


<x-flowed>
1. Please can you send me a copy of the perl script that can detect it, I
would really like a copy to build into my own system.

2. Building a generic interface should be dead easy, it will be very like
the clamavmodule interface. I'm just about to go to lunch, after which I
have a champagne reception with our Vice-Chancellor (MailScanner
recognition :-) and I should be able to get onto this afterwards. I'll try
to avoid spilling champagne on the keyboard...
It shouldn't take me long to write, and the interface spec will be dead
simple. I'll just clone the clamavmodule or sophossavi code, and give you a
pair of generic "-wrapper" and "-autoupdate" scripts.

At 12:08 28/09/2004, you wrote:
>Julian
>
>In spite of having up to date Sophos and McAfee virus scan engines and
>data files they both failed to detect what is supposed to be an example
>of the MS04-028 JPEG exploit.
>
>A number of Perl scripts are now available which _will_ detect the
>exploit, or at least the example we have. How can we use these scripts
>in MailScanner?
>
>One suggestion made by a colleague here is for you to provide an
>interface in MS to a GENERIC anti-virus engine. Your MS interface would
>specify the strings/codes to be returned by this engine and the method
>of return.
>
>You would publish details of this interface. As far as MS is concerned
>it would be just another A-V engine that it can use.
>
>Sites could then write their own Perl scripts that conform to this
>interface and have the script used by MS by adding the "GENERIC" engine
>to the list in "MailScanner.conf" of the A-V engines to be used by
>MailScanner.
>
>In our case the GENERIC A-V engine would implement one of the publicly
>available Perl scripts that can detect the JPEG trojan.
>
>Being able to quickly respond ourselves to known virus/worm/trojan
>threats would be of significant benefit. Has implementing a "custom
>anti-virus" engine been suggested before?
>
>PS. Why can't we simply block JPEGs using an existing MS mechanism? Well
>it is more likely that a JPEG carrying this exploit will be embedded in
>Word docs and other file types rather than appear as a JPEG attachment
>to a message.
>
>Quentin
>---
>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                            University of Newcastle,
>                            Newcastle upon Tyne,
>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>------------------------------------------------------------------------
>"Any opinion expressed above is mine. The University can get its own."
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

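Neither the Perl detection scripts Quentin mentions nor MailScanner's generic-engine interface appears in this message, so what follows is an added Python example (not code from the list, from Quentin, or from MailScanner) of the check those scripts performed: the MS04-028 GDI+ bug is triggered by a JPEG COM (0xFFFE) segment whose 16-bit length field is 0 or 1, below the 2-byte minimum. The example walks the marker segments of every JPEG stream found anywhere in a byte buffer, so it also covers Quentin's point about JPEGs embedded inside Word documents rather than arriving as attachments; the sample buffers are constructed inline.

```python
import struct

SOI = b"\xff\xd8\xff"  # start-of-image followed by the first marker byte

def jpeg_segments(buf, start):
    """Yield (offset, marker, length) for each length-prefixed segment of the
    JPEG stream whose SOI is at `start`. Stops at SOS (entropy-coded data
    follows), at EOI, at truncation, or after a length field below 2."""
    pos = start + 2                      # skip FF D8
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return                       # not a marker: stream is corrupt
        marker = buf[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:               # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                     # TEM / RSTn carry no length field
            continue
        if pos + 4 > len(buf):
            return                       # truncated length field
        length = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == 0xDA or length < 2:
            return                       # SOS, or malformed: cannot advance
        pos += 2 + length

def find_ms04_028(buf):
    """Return [(soi_offset, segment_offset, length)] for every COM (0xFE)
    segment with length 0 or 1 in any JPEG stream embedded in `buf`."""
    hits = []
    idx = buf.find(SOI)
    while idx != -1:
        for off, marker, length in jpeg_segments(buf, idx):
            if marker == 0xFE and length < 2:
                hits.append((idx, off, length))
        idx = buf.find(SOI, idx + 1)
    return hits

# Constructed samples: a minimal valid JFIF with a 3-byte comment, a stream
# whose COM length field is zero, and the latter buried in document-like bytes.
BENIGN = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          b"\xff\xfe\x00\x05abc\xff\xd9")
MALFORMED = b"\xff\xd8\xff\xfe\x00\x00" + b"\x00" * 16
EMBEDDED = b"PK\x03\x04 some document bytes " + MALFORMED + b" trailing data"
```

A wrapper script for a generic engine would run `find_ms04_028` over each extracted attachment and map an empty result to its "clean" return string and anything else to its "infected" string, whatever codes the interface ends up specifying.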
</x-flowed>