[update] virus mail slipped through
Raylund Lai
raylund.lai at KANKANWOO.COM
Wed Jul 13 08:38:39 IST 2005
Hi,
After some research and testing, here is my conclusion.
Following the hint in the MailScanner error message, "format error: can't find EOCD
signature", I found that it is related to a corrupted archive (which may be
produced by Archive::Zip). Then I fed the virus mail (in .eml format)
to this web site http://www.virustotal.com/flash/index_en.html, which
scans the uploaded file with a bunch of current virus scanners. Here
is the interesting result.
Antivirus    Version         Update      Result
AntiVir      6.31.0.9        07.13.2005  no virus found
AVG          718             07.12.2005  no virus found
Avira        6.31.0.9        07.13.2005  no virus found
BitDefender  7.0             07.13.2005  no virus found
ClamAV       devel-20050501  07.13.2005  no virus found
DrWeb        4.32b           07.13.2005  no virus found
eTrust-Iris  7.1.194.0       07.12.2005  no virus found
eTrust-Vet   11.9.1.0        07.13.2005  Win32.Mytob.FI!ZIP
Fortinet     2.36.0.0        07.13.2005  suspicious
F-Prot       3.16c           07.12.2005  no virus found
Ikarus       2.32            07.12.2005  no virus found
Kaspersky    4.0.2.24        07.13.2005  no virus found
McAfee       4533            07.12.2005  Generic Malware.a!zip
NOD32v2      1.1167          07.13.2005  archive damaged
Norman       5.70.10         07.12.2005  no virus found
Panda        8.02.00         07.12.2005  no virus found
Sybari       7.5.1314        07.13.2005  no virus found
Symantec     8.0             07.12.2005  no virus found
TheHacker    5.8.2.070       07.13.2005  no virus found
VBA32        3.10.4          07.12.2005  no virus found
Although I use different versions of BitDefender, ClamAV and F-Prot on
MailScanner, I think they share the same signatures. That's why my
gateway let this virus mail go through.
For further testing, I detached the virus and uploaded it to the same web
site. Here is a more interesting result.
Antivirus    Version         Update      Result
AntiVir      6.31.0.9        07.13.2005  Worm/Mytob.GK
AVG          718             07.12.2005  no virus found
Avira        6.31.0.9        07.13.2005  Worm/Mytob.GK
BitDefender  7.0             07.13.2005  no virus found
ClamAV       devel-20050501  07.13.2005  no virus found
DrWeb        4.32b           07.13.2005  no virus found
eTrust-Iris  7.1.194.0       07.12.2005  no virus found
eTrust-Vet   11.9.1.0        07.13.2005  Win32.Mytob.FI!ZIP
Fortinet     2.36.0.0        07.13.2005  suspicious
F-Prot       3.16c           07.12.2005  no virus found
Ikarus       2.32            07.12.2005  no virus found
Kaspersky    4.0.2.24        07.13.2005  no virus found
McAfee       4533            07.12.2005  Generic Malware.a!zip
NOD32v2      1.1167          07.13.2005  archive damaged
Norman       5.70.10         07.12.2005  no virus found
Panda        8.02.00         07.12.2005  no virus found
Sybari       7.5.1314        07.13.2005  no virus found
Symantec     8.0             07.12.2005  no virus found
TheHacker    5.8.2.070       07.13.2005  W32/Generic!zip-dobleextension
VBA32        3.10.4          07.12.2005  no virus found
More virus scanners detected the zip file as a virus. This may be due
to some virus scanners not being able to decode MIME when the previous
upload was a whole mail file. But, still, the 3 virus scanners I use on the
gateway won't detect it.
In both results, I noticed that NOD32v2 did say "archive damaged".
McAfee and TheHacker said "generic".
Hence, my conclusion is that somehow the bounced virus mail attachment
was damaged. Thus MailScanner could not extract the zipped file for
scanning, or the 3 virus scanners actually could not detect it.
I still don't understand one thing: why all the bounced virus mails
were corrupted but the non-bounced mails (the same sender sent the
same mail to a valid account) were not. My gateway intercepted them.
Anyway, I'm happy to know that my system is still in good shape without
a hole. :)
BTW, Drew, did you receive my email? Did your MailScanner intercept it?
Cheers
Raylund
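As an added example (not code from this thread or from MailScanner), here is the check a gateway operator could run on an attachment to reproduce the "can't find EOCD signature" condition: it parses the zip End of Central Directory record, shows that an ordinary zip library fails on a truncated copy, and applies the policy of not delivering archives the scanners cannot read. The sample archive is constructed inside the script and the function names are my own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record; a comment may follow
MAX_COMMENT = 0xFFFF       # longest possible trailing archive comment

def classify_zip(data: bytes) -> str:
    """Return 'ok', or why a scanner cannot walk the archive via its EOCD record."""
    tail = data[-(EOCD_LEN + MAX_COMMENT):]
    pos = tail.rfind(EOCD_SIG)
    if pos == -1:
        return "damaged: no EOCD signature"
    eocd_at = len(data) - len(tail) + pos
    rec = data[eocd_at:eocd_at + EOCD_LEN]
    if len(rec) < EOCD_LEN:
        return "damaged: truncated EOCD record"
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack("<4sHHHHIIH", rec)
    if cd_off + cd_size > eocd_at:
        return "damaged: central directory points outside the file"
    if total and not data.startswith(CDIR_SIG, cd_off):
        return "damaged: central directory signature missing"
    return "ok"

def scanner_can_open(data: bytes) -> bool:
    """What an AV engine built on an ordinary zip library experiences."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, ValueError, OSError):
        return False

def gateway_verdict(data: bytes) -> str:
    """Gateway policy: an archive the scanners cannot read is not delivered."""
    reason = classify_zip(data)
    return "deliver" if reason == "ok" else "quarantine: " + reason

def build_sample_zip() -> bytes:
    """Constructed, harmless sample attachment (not the mail from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed placeholder content")
    return buf.getvalue()

GOOD = build_sample_zip()
TRUNCATED = GOOD[:-EOCD_LEN]   # EOCD cut off: the "can't find EOCD signature" case
BAD_OFFSET = GOOD[:-6] + struct.pack("<I", len(GOOD) + 1) + GOOD[-2:]  # dir offset past EOF
```

A scanner that answers "no virus found" for an archive it could not open gives the gateway the wrong signal; surfacing the parse failure, as NOD32's "archive damaged" did above, is what lets policy decide.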
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!