Worm.VB-8 not detected by filename or filetype
Dhawal Doshy
dhawal at netmagicsolutions.com
Wed Jan 18 09:38:42 GMT 2006
Martin Hepworth wrote:
> Jim
>
> Another user identified this problem last night on the IRC channel.
>
> Looks like the problem is with MIME::Tools perl module. Julian has contacted
> the maintainer of this module in order to get it fixed.
>
> In the meantime you might want to see if virustotal.com's list of scanners
> gives any results. When I tried last night with the example given (was a
> uuencoded .hqx file) clamav and some others didn't spot it either. From
> memory Sophos, F-prot, Kaspersky and a couple of others did...
Bitdefender and McAfee's uvscan seem to catch them well enough.
McAfee: W32/Generic.worm!p2p virus
Bitdefender: Win32.Worm.P2P.ABM
ClamAV doesn't catch them all.
- dhawal
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>> bounces at lists.mailscanner.info] On Behalf Of Jim Holland
>> Sent: 18 January 2006 09:20
>> To: MailScanner mailing list
>> Subject: Worm.VB-8 not detected by filename or filetype
>>
>> Hi Julian
>>
>> This morning I noticed that we were being bombarded with mail from one
>> particular yahoo.it address with file attachments having names such as:
>>
>> Attachments00.HQX
>> Original_Message.B64
>> Video_part.mim
>> Word_Document.hqx
>> Word_Document.uu
>> 392315089702606E02.UUE
>> eBook.Uu
>>
>> The files are all of approximately 134 000 bytes, and consist of uuencoded
>> text, with headers such as:
>>
>> begin 664 392315089702606E-02,UUE .scR
>> or
>> begin 664 Attachments,zip .SCR
>>
>> The extracted files are identified by ClamAV as being infected with
>> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV
>> as being plain text and so does not get flagged as a virus.
>>
>> The problem therefore is that the messages themselves are still getting
>> through. For the moment I am blocking the following extensions:
>>
>> .bhx
>> .b64
>> .hqx
>> .uu
>> .uue
>>
>> I presume that a user would have to manually decode these files before
>> running the executable within, so infection is not likely to be very
>> common. However in our case we are finding the sheer volume a problem, so
>> are blocking the identified senders at MTA level.
>>
>> Can you see a way that scanning of such attachments can be forced?
>>
>> I see that "file -i" reports these attachments as being plain text, but
>> "file" reports them correctly as "uuencoded or xxencoded text".
>>
>> Regards
>>
>> Jim Holland
>> System Administrator
>> MANGO - Zimbabwe's non-profit e-mail service
>>
>
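Added example, not part of the original thread or of MailScanner's code: a sketch of a gateway-side check that finds the uuencode `begin` header inside an attachment that looks like plain text, reads the embedded filename, and decodes the payload so it can be passed to a scanner. The function names and the executable-extension deny-list are assumptions; the sample input is constructed around the header shape quoted above.

```python
import binascii
import re

# "begin <octal mode> <embedded filename>" opens a uuencoded block.
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")
# Assumed deny-list of executable extensions (not taken from the thread).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

def extract_uu_blocks(text):
    """Return [(embedded_name, decoded_bytes)] for each uuencoded block."""
    blocks, name, data = [], None, None
    for line in text.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, data = m.group(2), bytearray()
        elif line.strip() == "end":
            blocks.append((name, bytes(data)))
            name = None
        elif line.strip() and line.strip() != "`":
            try:
                data += binascii.a2b_uu(line)
            except binascii.Error:
                pass  # tolerate damaged lines; keep what decodes
    if name is not None:  # truncated block with no "end" line
        blocks.append((name, bytes(data)))
    return blocks

def embedded_extension(name):
    """Extension of the embedded name, ignoring case and padding spaces."""
    name = name.strip().lower()
    dot = name.rfind(".")
    return name[dot:].strip() if dot != -1 else ""

def check_attachment(outer_name, text):
    """Compare the outer attachment name with what the payload declares."""
    findings = []
    for name, payload in extract_uu_blocks(text):
        ext = embedded_extension(name)
        findings.append({"outer": outer_name, "embedded": name, "ext": ext,
                         "blocked": ext in EXECUTABLE_EXTS, "payload": payload})
    return findings

# Constructed sample: header shape from the thread, harmless payload bytes.
_body = binascii.b2a_uu(b"constructed harmless payload").decode()
SAMPLE = "begin 664 Attachments,zip .SCR\n" + _body + "`\nend\n"

if __name__ == "__main__":
    for f in check_attachment("Word_Document.uu", SAMPLE):
        print(f["outer"], "->", repr(f["embedded"]), f["ext"], f["blocked"])
```

The decision is made on the filename declared in the `begin` line and on the decoded bytes, so it does not depend on the outer extension or on a MIME type reported as plain text.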