Worm.VB-8 not detected by filename or filetype

Jim Holland mailscanner at mango.zw
Wed Jan 18 09:19:58 GMT 2006


Hi Julian

This morning I noticed that we were being bombarded with mail from one 
particular yahoo.it address with file attachments having names such as:

	Attachments00.HQX
	Original_Message.B64
	Video_part.mim
	Word_Document.hqx
	Word_Document.uu
	392315089702606E02.UUE
	eBook.Uu

The files are all of approximately 134 000 bytes, and consist of uuencoded
text, with headers such as:

	begin 664 392315089702606E-02,UUE              .scR
or
	begin 664 Attachments,zip                      .SCR

The extracted files are identified by ClamAV as being infected with 
Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV 
as being plain text and so does not get flagged as a virus.

The problem therefore is that the messages themselves are still getting 
through.  For the moment I am blocking the following extensions:

	.bhx
	.b64
	.hqx
	.uu
	.uue

I presume that a user would have to manually decode these files before 
running the executable within, so infection is not likely to be very 
common.  However in our case we are finding the sheer volume a problem, so 
are blocking the identified senders at MTA level.

Can you see a way that scanning of such attachments can be forced?

I see that "file -i" reports these attachments as being plain text, but 
"file" reports them correctly as "uuencoded or xxencoded text".

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
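
One way to approach the question above, as an added example that is not part of the original message or of MailScanner: read the `begin` header inside the uuencoded attachment and apply the filename policy to the name it declares, so the `.scR` suffix hidden behind the padding is seen. The function names and the extension list are assumptions of this example.

```python
import re

# Extensions blocked as executable in this example (assumed policy list).
RISKY_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

# uuencode header: "begin <octal mode> <filename>"; the filename runs to the
# end of the line and may contain spaces.
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (.+?)\s*$")


def embedded_names(text):
    """Return the filename declared by each uuencode 'begin' line."""
    names = []
    for line in text.splitlines():
        match = BEGIN_RE.match(line)
        if match:
            names.append(match.group(2))
    return names


def real_extension(name):
    """Last dot-suffix of the decoded filename, lowercased ('' if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def check_attachment(text):
    """Return (name, extension) for every embedded name that is risky."""
    hits = []
    for name in embedded_names(text):
        ext = real_extension(name)
        if ext in RISKY_EXTS:
            hits.append((name, ext))
    return hits


# Constructed sample: the two header lines quoted in the message and one
# harmless header, each with a placeholder body (uuencoded text "Cat").
BODY = "#0V%T\n`\nend\n"
SAMPLE = (
    "begin 664 392315089702606E-02,UUE              .scR\n" + BODY
    + "begin 664 Attachments,zip                      .SCR\n" + BODY
    + "begin 644 notes.txt\n" + BODY
)

if __name__ == "__main__":
    for name, ext in check_attachment(SAMPLE):
        print(f"BLOCK {ext}: {name!r}")
```

The check keys on the content of the attachment rather than its outer name, so it applies equally to the `.hqx`, `.mim` and `.b64` names listed in the message when the payload is uuencoded text.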


