Worm.VB-8 not detected by filename or filetype

Jim Holland mailscanner at mango.zw
Wed Jan 18 10:09:25 GMT 2006


Hi

On Wed, 18 Jan 2006, Dhawal Doshy wrote:

> Martin Hepworth wrote:
> > Jim
> > 
> > Another user identified this problem last night on the IRC channel.
> > 
> > Looks like the problem is with the MIME::Tools Perl module. Julian has contacted
> > the maintainer of this module in order to get it fixed.
> > 
> > In the meantime you might want to see if virustotal.com's list of scanners
> > gives any results. When I tried last night with the example given (was a
> > uuencoded .hqx file) ClamAV and some others didn't spot it either. From
> > memory Sophos, F-Prot, Kaspersky and a couple of others did...
> 
> Bitdefender and McAfee's uvscan seem to catch them well enough.
> 
> McAfee: W32/Generic.worm!p2p virus
> Bitdefender: Win32.Worm.P2P.ABM
> 
> ClamAV doesn't catch them all.

This worm arrives in two forms.  One form has an executable attachment
which is immediately recognised by ClamAV as being the worm, and is being
blocked successfully as a result.  The other form sends the virus inside
an attached text file.  The text file is uuencoded, so ideally should be
decoded before being presented to ClamAV for scanning.  Then it would be 
recognised.  However at the moment this form of the virus is not being 
caught by ClamAV.  I also suspect that the other virus scanners are not
catching the worm when it arrives in this form, so would like to warn 
those who are relying on McAfee and Bitdefender not to be complacent.

My point is that we need to ask Julian if he can arrange for MailScanner
to decode such attachments automatically, and then apply normal filename
and filetype rules as well as sending them for virus scanning.  Then we
would have the usual protection even with new variants which were not
recognised by their viral signatures.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
 
> - dhawal
> 
> > --
> > Martin Hepworth 
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> > 
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jim Holland
> >> Sent: 18 January 2006 09:20
> >> To: MailScanner mailing list
> >> Subject: Worm.VB-8 not detected by filename or filetype
> >>
> >> Hi Julian
> >>
> >> This morning I noticed that we were being bombarded with mail from one
> >> particular yahoo.it address with file attachments having names such as:
> >>
> >> 	Attachments00.HQX
> >> 	Original_Message.B64
> >> 	Video_part.mim
> >> 	Word_Document.hqx
> >> 	Word_Document.uu
> >> 	392315089702606E02.UUE
> >> 	eBook.Uu
> >>
> >> The files are all of approximately 134 000 bytes, and consist of uuencoded
> >> text, with headers such as:
> >>
> >> 	begin 664 392315089702606E-02,UUE              .scR
> >> or
> >> 	begin 664 Attachments,zip                      .SCR
> >>
> >> The extracted files are identified by ClamAV as being infected with
> >> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV
> >> as being plain text and so does not get flagged as a virus.
> >>
> >> The problem therefore is that the messages themselves are still getting
> >> through.  For the moment I am blocking the following extensions:
> >>
> >> 	.bhx
> >> 	.b64
> >> 	.hqx
> >> 	.uu
> >> 	.uue
> >>
> >> I presume that a user would have to manually decode these files before
> >> running the executable within, so infection is not likely to be very
> >> common.  However in our case we are finding the sheer volume a problem, so
> >> are blocking the identified senders at MTA level.
> >>
> >> Can you see a way that scanning of such attachments can be forced?
> >>
> >> I see that "file -i" reports these attachments as being plain text, but
> >> "file" reports them correctly as "uuencoded or xxencoded text".
> >>
> >> Regards
> >>
> >> Jim Holland
> >> System Administrator
> >> MANGO - Zimbabwe's non-profit e-mail service
> >>
> 
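
The decoding step requested above, sketched in Python as an added example (not MailScanner's code and not part of the original thread): it pulls each uuencoded section out of a text attachment, then applies a filename rule to the embedded name and a filetype rule to the decoded bytes. The function names, the extension list and the sample payload are assumptions made for illustration; the `begin` header reuses the form quoted in the post.

```python
import binascii
import re

# Assumed policy values for this sketch, not MailScanner's own rule files.
BLOCKED_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$")  # octal mode, then name

def extract_uuencoded(text):
    """Yield (embedded_name, decoded_bytes) for each uuencoded section."""
    name, chunks = None, []
    for line in text.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, chunks = m.group(1), []
        elif line.strip() == "end":
            yield name, b"".join(chunks)
            name = None
        elif line.strip():  # a2b_uu treats an empty line as 32 zero bytes
            chunks.append(binascii.a2b_uu(line))
    if name is not None:  # truncated section with no "end": still inspect it
        yield name, b"".join(chunks)

def inspect_attachment(attachment_name, text):
    """Apply filename and filetype rules to what is inside the encoding."""
    findings = []
    try:
        for name, payload in extract_uuencoded(text):
            if name.lower().endswith(BLOCKED_EXT):
                findings.append(f"filename rule: {name!r} in {attachment_name}")
            if payload[:2] == b"MZ":  # DOS/Windows executable magic
                findings.append(f"filetype rule: executable in {attachment_name}")
            # payload is what would be handed to the virus scanner as a file
    except ValueError:  # binascii.Error is a ValueError: fail closed
        findings.append(f"undecodable uuencode in {attachment_name}: quarantine")
    return findings

def make_sample(header_name, payload):
    """Constructed attachment body: harmless bytes under a header like the post's."""
    lines = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
             for i in range(0, len(payload), 45)]
    return "\n".join([f"begin 664 {header_name}", *lines, "`", "end", ""])

if __name__ == "__main__":
    body = make_sample("Attachments,zip                      .SCR",
                       b"MZ" + b"constructed stand-in bytes, not malware " * 3)
    for finding in inspect_attachment("Word_Document.uu", body):
        print(finding)
```

Because the rules key on the embedded name and the decoded bytes rather than on the outer `.uu` or `.hqx` extension, a new variant with no matching signature is still stopped by the filename or filetype rule.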
