Worm.VB-8 not detected by filename or filetype

Anthony Peacock a.peacock at chime.ucl.ac.uk
Wed Jan 18 09:29:38 GMT 2006


Hi,

Jim Holland wrote:
> Hi Julian
> 
> This morning I noticed that we were being bombarded with mail from one 
> particular yahoo.it address with file attachments having names such as:
> 
> 	Attachments00.HQX
> 	Original_Message.B64
> 	Video_part.mim
> 	Word_Document.hqx
> 	Word_Document.uu
> 	392315089702606E02.UUE
> 	eBook.Uu
> 
> The files are all of approximately 134 000 bytes, and consist of uuencoded
> text, with headers such as:
> 
> 	begin 664 392315089702606E-02,UUE              .scR
> or
> 	begin 664 Attachments,zip                      .SCR
> 
> The extracted files are identified by ClamAV as being infected with 
> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV 
> as being plain text and so does not get flagged as a virus.
> 
> The problem therefore is that the messages themselves are still getting 
> through.  For the moment I am blocking the following extensions:
> 
> 	.bhx
> 	.b64
> 	.hqx
> 	.uu
> 	.uue
> 
> I presume that a user would have to manually decode these files before 
> running the executable within, so infection is not likely to be very 
> common.  However in our case we are finding the sheer volume a problem, so 
> are blocking the identified senders at MTA level.
> 
> Can you see a way that scanning of such attachments can be forced?
> 
> I see that "file -i" reports these attachments as being plain text, but 
> "file" reports them correctly as "uuencoded or xxencoded text".
> 
> Regards
> 
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
> 

I know this doesn't help you in your situation, but Sophos is correctly 
detecting these files for me.  I also use ClamAV and that does not yet 
detect these files.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"The most exciting phrase to hear in science, the one that heralds new 
discoveries, is not 'Eureka!' but 'That's funny....'" -- Isaac Asimov
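The problem Jim describes is that the scanner judges the outer attachment (plain text to "file -i") instead of the file a user would end up with after decoding it. One way to force that inspection is to recognise the "begin NNN name" header, decode the uuencoded body yourself, and apply the extension policy to the embedded name, which also catches the padded double-extension trick ("Attachments,zip      .SCR") quoted above. The following is an added illustration, not code from either poster, from MailScanner or from ClamAV; the DANGEROUS_EXTS policy and the sample payload (filler bytes, not the worm) are assumptions for the example.

```python
import binascii
import re

# Outer attachment extensions the post blocks at the MTA level.
CONTAINER_EXTS = {".bhx", ".b64", ".hqx", ".uu", ".uue"}
# Extensions refused inside the decoded payload (assumed policy, not from the post).
DANGEROUS_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# "begin <octal mode> <name>"; the name may itself contain spaces.
BEGIN_RE = re.compile(r"^begin[ \t]+([0-7]{3,4})[ \t]+(.+)$")


def uuencode(name, mode, data):
    """Build a uuencoded text blob; used here only to construct sample input."""
    out = ["begin %s %s" % (mode, name)]
    for i in range(0, len(data), 45):
        # b2a_uu emits the length byte, the 4-for-3 encoded chunk and a newline.
        out.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    out.append("`")   # zero-length line terminates the data
    out.append("end")
    return "\n".join(out) + "\n"


def uudecode(text):
    """Return (mode, embedded_name, payload) or None if no uuencode block is present."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = BEGIN_RE.match(line)
        if m:
            break
    else:
        return None
    mode, name = m.group(1), m.group(2)
    chunks = []
    for line in lines[idx + 1:]:
        if line.strip() == "end":
            break
        if not line.strip():   # encoders differ on blank vs '`' for zero-length lines
            continue
        try:
            chunks.append(binascii.a2b_uu(line))
        except binascii.Error:
            # Some encoders drop trailing spaces; retry on the width the length
            # byte implies (the same workaround the standard uu module uses).
            nbytes = (((ord(line[0]) - 32) & 63) * 4 + 5) // 3
            chunks.append(binascii.a2b_uu(line[:nbytes]))
    return mode, name, b"".join(chunks)


def extension(name):
    """Last extension of a filename, lowercased, ignoring the space padding
    that hides '.SCR' behind 'Attachments,zip' in the quoted begin line."""
    name = name.strip()
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_attachment(outer_name, body):
    """Classify one attachment as ('pass'|'scan'|'block', reason).

    The verdict is based on the embedded filename after decoding, not on the
    outer .uu/.hqx/.b64 name; undecodable containers fall back to the
    extension block list from the post."""
    outer_ext = extension(outer_name)
    decoded = uudecode(body)
    if decoded is None:
        if outer_ext in CONTAINER_EXTS:
            return "block", "container extension %s with no decodable uuencode block" % outer_ext
        return "pass", "not a uuencoded attachment"
    mode, inner_name, payload = decoded
    inner_ext = extension(inner_name)
    if inner_ext in DANGEROUS_EXTS:
        return "block", "uuencoded %s (%d bytes) hidden in %s" % (
            inner_name.strip(), len(payload), outer_name)
    return "scan", "decoded %s (%d bytes); hand the payload to the AV engine" % (
        inner_name.strip(), len(payload))


# Constructed sample: a stand-in payload (an 'MZ' prefix plus filler, not real
# malware) wrapped the way the post describes, with the padded double extension.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 2
SAMPLE_BODY = uuencode("Attachments,zip                      .SCR", "664", SAMPLE_PAYLOAD)
BENIGN_BODY = uuencode("report.pdf", "644", b"%PDF-1.4 constructed placeholder\n")

if __name__ == "__main__":
    for name, body in [("Attachments00.HQX", SAMPLE_BODY),
                       ("eBook.Uu", BENIGN_BODY),
                       ("Word_Document.uu", "not uuencoded at all\n"),
                       ("notes.txt", "just a note\n")]:
        print(name, inspect_attachment(name, body))
```

The decode step is what matters: once the payload bytes are recovered they can be handed to the normal virus scan, so the embedded .SCR is caught even when the outer part looks like plain text to "file -i".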

