Worm.VB-8 not detected by filename or filetype

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jan 18 09:59:16 GMT 2006


The problem is not one of filenames or filetypes, nor any problem with the MIME-tools. That is working fine.

MailScanner correctly extracts the ATTACHMENT.HQX or whatever it was called, no problem. The contents of the file are not HQX (Binhex) at all, they are uuencoded data. So trying to stop binhex files won't help you, that's a red herring.

What happens if you set filetype.rules.conf to stop "uuencoded" or "xxencoded" attachments? I think this should work, I see no reason why it wouldn't. I would try not to block .hqx files by name as you may well upset some of your Mac users.

I'll talk to David Skoll some more about possible resolutions for this problem.

On 18 Jan 2006, at 09:29, Martin Hepworth wrote:

> Jim
>
> Another user identified this problem last night on the IRC channel.
>
> Looks like the problem is with the MIME::Tools perl module. Julian has contacted the maintainer of this module in order to get a fix.
>
> In the meantime you might want to see if virustotal.com's list of scanners gives any results. When I tried last night with the example given (was a uuencoded .hqx file) clamav and some others didn't spot it either. From memory Sophos, F-prot, Kaspersky and a couple of others did...
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>> bounces at lists.mailscanner.info] On Behalf Of Jim Holland
>> Sent: 18 January 2006 09:20
>> To: MailScanner mailing list
>> Subject: Worm.VB-8 not detected by filename or filetype
>>
>> Hi Julian
>>
>> This morning I noticed that we were being bombarded with mail from one particular yahoo.it address with file attachments having names such as:
>>
>> 	Attachments00.HQX
>> 	Original_Message.B64
>> 	Video_part.mim
>> 	Word_Document.hqx
>> 	Word_Document.uu
>> 	392315089702606E02.UUE
>> 	eBook.Uu
>>
>> The files are all of approximately 134 000 bytes, and consist of uuencoded text, with headers such as:
>>
>> 	begin 664 392315089702606E-02,UUE              .scR
>> or
>> 	begin 664 Attachments,zip                      .SCR
>>
>> The extracted files are identified by ClamAV as being infected with Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV as being plain text and so does not get flagged as a virus.
>>
>> The problem therefore is that the messages themselves are still getting through. For the moment I am blocking the following extensions:
>>
>> 	.bhx
>> 	.b64
>> 	.hqx
>> 	.uu
>> 	.uue
>>
>> I presume that a user would have to manually decode these files before running the executable within, so infection is not likely to be very common. However in our case we are finding the sheer volume a problem, so are blocking the identified senders at MTA level.
>>
>> Can you see a way that scanning of such attachments can be forced?
>>
>> I see that "file -i" reports these attachments as being plain text, but "file" reports them correctly as "uuencoded or xxencoded text".
>>
>> Regards
>>
>> Jim Holland
>> System Administrator
>> MANGO - Zimbabwe's non-profit e-mail service
>>
>> --
>> MailScanner mailing list
>> MailScanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
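The thread's point is that the wrapper looks like plain text while the `begin` header names an executable. The following is an added example, not MailScanner code or anything posted in the thread: it recognises a uuencode wrapper by content rather than by the attachment's extension, pulls the inner filename out of the header, and decodes the body so a scanner can see the real payload. The sample attachment is constructed here after the header quoted above, with dummy bytes as its payload; `RISKY_EXTS` is an assumed blocklist.

```python
import binascii
import re

# uuencode header line: "begin <mode> <name>"; the name may contain spaces and commas
UU_BEGIN = re.compile(rb"^begin\s+([0-7]{3,4})\s+(.+?)\s*$", re.MULTILINE)

# assumed list of inner extensions that should never arrive hidden in a text-looking wrapper
RISKY_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}

def make_uu(inner_name: str, payload: bytes) -> bytes:
    """Build a one-line uuencoded attachment body (constructed test data, payload <= 45 bytes)."""
    return (b"begin 664 " + inner_name.encode() + b"\n"
            + binascii.b2a_uu(payload) + b"`\nend\n")

def find_uu_header(data: bytes):
    """Return (mode, inner filename) if data carries a uuencode header, else None."""
    m = UU_BEGIN.search(data)
    return None if m is None else (m.group(1).decode(), m.group(2).decode(errors="replace"))

def inner_extension(name: str) -> str:
    """Lower-cased extension of the encoded file: '.scr' for 'Attachments,zip   .SCR'."""
    parts = name.strip().rsplit(".", 1)
    return "." + parts[1].lower() if len(parts) == 2 else ""

def uu_decode(data: bytes) -> bytes:
    """Decode the body between 'begin' and 'end' so a scanner sees the real content."""
    out, inside = bytearray(), False
    for line in data.splitlines():
        if not inside:
            inside = UU_BEGIN.match(line) is not None   # skip until the header
        elif line.strip() == b"end":
            break
        elif line.strip() not in (b"", b"`"):         # '`' is the zero-length terminator
            out += binascii.a2b_uu(line)
    return bytes(out)

def classify(data: bytes) -> str:
    """'pass' for non-uuencoded data, 'block' for a wrapped executable name, else 'scan-decoded'."""
    hdr = find_uu_header(data)
    if hdr is None:
        return "pass"
    return "block" if inner_extension(hdr[1]) in RISKY_EXTS else "scan-decoded"

# Constructed sample mimicking the header quoted in the thread; the payload is dummy bytes.
PAYLOAD = b"MZ\x90\x00 dummy bytes (constructed)"
SAMPLE = make_uu("Attachments,zip                      .SCR", PAYLOAD)

if __name__ == "__main__":
    print(classify(SAMPLE), uu_decode(SAMPLE) == PAYLOAD)  # block True
```

The whole wrapper is ASCII, which is why `file -i` calls it text/plain; the decision has to come from the header and the decoded body, not from the MIME type or the outer filename.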



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


