Worm.VB-8 not detected by filename or filetype

Martin Hepworth martinh at solid-state-logic.com
Wed Jan 18 09:29:28 GMT 2006


Jim

Another user identified this problem last night on the IRC channel.

Looks like the problem is with the MIME::Tools Perl module. Julian has contacted
the maintainer of this module in order to get it fixed.

In the meantime you might want to see if virustotal.com's list of scanners
gives any results. When I tried last night with the example given (was a
uuencoded .hqx file) ClamAV and some others didn't spot it either. From
memory Sophos, F-Prot, Kaspersky and a couple of others did...

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Jim Holland
> Sent: 18 January 2006 09:20
> To: MailScanner mailing list
> Subject: Worm.VB-8 not detected by filename or filetype
> 
> Hi Julian
> 
> This morning I noticed that we were being bombarded with mail from one
> particular yahoo.it address with file attachments having names such as:
> 
> 	Attachments00.HQX
> 	Original_Message.B64
> 	Video_part.mim
> 	Word_Document.hqx
> 	Word_Document.uu
> 	392315089702606E02.UUE
> 	eBook.Uu
> 
> The files are all of approximately 134 000 bytes, and consist of uuencoded
> text, with headers such as:
> 
> 	begin 664 392315089702606E-02,UUE              .scR
> or
> 	begin 664 Attachments,zip                      .SCR
> 
> The extracted files are identified by ClamAV as being infected with
> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV
> as being plain text and so does not get flagged as a virus.
> 
> The problem therefore is that the messages themselves are still getting
> through.  For the moment I am blocking the following extensions:
> 
> 	.bhx
> 	.b64
> 	.hqx
> 	.uu
> 	.uue
> 
> I presume that a user would have to manually decode these files before
> running the executable within, so infection is not likely to be very
> common.  However in our case we are finding the sheer volume a problem, so
> are blocking the identified senders at MTA level.
> 
> Can you see a way that scanning of such attachments can be forced?
> 
> I see that "file -i" reports these attachments as being plain text, but
> "file" reports them correctly as "uuencoded or xxencoded text".
> 
> Regards
> 
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
> 




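One way to catch the attachments described in this thread by content rather than by filename or reported MIME type, as an added example that is not part of the original messages and is not MailScanner or ClamAV code. It looks for the uuencode `begin` header, reads the real extension from the embedded filename (including the whitespace-padded form quoted above) and decodes the body so it can be handed to a virus scanner. The function names, the `RISKY_EXT` list and the sample input are assumptions constructed for the example.

```python
import binascii
import os
import re

# uuencode header line: "begin <octal mode> <embedded filename>"
BEGIN_RE = re.compile(rb"^begin ([0-7]{3,4}) (.+?)\s*$")
# Assumed policy list for this example; use your site's filename rules instead.
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def inspect_uuencoded(data: bytes):
    """Find the first uuencoded body in data, whatever the attachment is called.

    Returns None if there is no "begin" header, otherwise a dict with the
    embedded filename, its real extension and the decoded bytes for scanning.
    """
    lines = data.splitlines()
    for i, line in enumerate(lines):
        m = BEGIN_RE.match(line)
        if not m:
            continue
        name = m.group(2).decode("latin-1")
        payload, clean = bytearray(), True
        for body in lines[i + 1:]:
            if body.strip() == b"end":
                break
            if not body.strip():
                continue  # blank or zero-length line carries no data
            try:
                payload += binascii.a2b_uu(body)
            except binascii.Error:
                clean = False  # malformed line: keep what decoded so far
                break
        ext = os.path.splitext(name)[1].lower()
        return {
            "embedded_name": name,
            "extension": ext,
            "risky": ext in RISKY_EXT,
            # A long run of whitespace before the extension hides it in most UIs.
            "padded": re.search(r"\s{3,}\.", name) is not None,
            "decoded_cleanly": clean,
            "payload": bytes(payload),
        }
    return None


def build_sample() -> bytes:
    """Constructed sample: harmless text behind a header shaped like those quoted above."""
    content = b"MZ constructed placeholder bytes, not a real executable. " * 2
    body = b"".join(binascii.b2a_uu(content[i:i + 45]) for i in range(0, len(content), 45))
    return b"begin 664 Attachments,zip                      .SCR\n" + body + b"`\nend\n"
```

The `payload` bytes are what should be written out and passed to the scanner, since the thread notes that ClamAV flags the extracted file but treats the encoded text as plain text.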
