Worm.VB-8 not detected by filename or filetype

Anthony Peacock a.peacock at chime.ucl.ac.uk
Wed Jan 18 10:23:59 GMT 2006


Jim Holland wrote:
> Hi
> 
> On Wed, 18 Jan 2006, Dhawal Doshy wrote:
> 
>> Martin Hepworth wrote:
>>> Jim
>>>
>>> Another user identified this problem last night on the IRC channel.
>>>
>>> Looks like the problem is with MIME::Tools perl module. Julian has contacted
>>> the maintainer of this module in order to get a fix.
>>>
>>> In the meantime you might want to see if virustotal.com's list of scanners
>>> gives any results. When I tried last night with the example given (was a
>>> uuencoded .hqx file) clamav and some others didn't spot it either. From
>>> memory Sophos, F-prot, Kaspersky and a couple of others did...
>> Bitdefender and McAfee's uvscan seem to catch them well enough.
>>
>> McAfee: W32/Generic.worm!p2p virus
>> Bitdefender: Win32.Worm.P2P.ABM
>>
>> ClamAV doesn't catch them all.
> 
> This worm arrives in two forms.  One form has an executable attachment
> which is immediately recognised by ClamAV as being the worm, and is being
> blocked successfully as a result.  The other form sends the virus inside
> an attached text file.  The text file is uuencoded, so ideally should be
> decoded before being presented to ClamAV for scanning.  Then it would be 
> recognised.  However at the moment this form of the virus is not being 
> caught by ClamAV.  I also suspect that the other virus scanners are not
> catching the worm when it arrives in this form, so would like to warn 
> those who are relying on McAfee and Bitdefender not to be complacent.

None of us should be complacent.  However, Sophos is correctly detecting 
these viruses in their UUencoded incarnation.

But see below...

> My point is that we need to ask Julian if he can arrange for MailScanner
> to decode such attachments automatically, and then apply normal filename
> and filetype rules as well as sending them for virus scanning.  Then we
> would have the usual protection even with new variants which were not
> recognised by their viral signatures.

<SNIP>

In the spirit of trying to trap at as many points as possible, I would 
agree that extending the extracting options in MailScanner to include 
UUE might also be a useful tool.  We already have RAR and ZIP support.


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"The most exciting phrase to hear in science, the one that heralds new 
discoveries, is not 'Eureka!' but 'That's funny....'" -- Isaac Asimov
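The thread's point is that a uuencoded file hidden inside a text attachment passes filename and filetype rules, and the scanner, untouched because nobody decodes it first. The following is an added illustration of that decode-then-inspect step, written for this reply; it is not MailScanner code, not part of the MIME::Tools fix discussed above, and the blocked-extension list and the "MZ" header rule are a constructed policy, not MailScanner's actual rulesets. The sample attachment is constructed inline (the "executable" inside it is a harmless placeholder) so the script runs offline.

```python
import binascii
import hashlib
import re

# Constructed sample: the inner file is NOT malware; "MZ" is only there so a
# filetype rule has a header to look at once the block is decoded.
INNER_NAME = "invoice.exe"
INNER_BYTES = b"MZ" + b"placeholder executable body, constructed for this example"

# Constructed filename policy (hypothetical, not MailScanner's own ruleset).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")


def uuencode(name, data, mode="644"):
    """Build a uuencode(1)-style block; used here only to construct sample input."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):  # uuencode lines carry at most 45 bytes
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")  # zero-length terminator line
    lines.append("end")
    return "\n".join(lines) + "\n"


def extract_uuencoded(text):
    """Return [(filename, bytes)] for every begin/end block found in a text body."""
    found = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group(2)
        chunks = []
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            i += 1
            if not line:
                continue  # a2b_uu would expand an empty line to 32 NUL bytes
            try:
                chunks.append(binascii.a2b_uu(line))
            except binascii.Error:
                break  # damaged line: keep what decoded so far, do not guess the rest
        found.append((name, b"".join(chunks)))
        i += 1  # skip the "end" line
    return found


def classify(name, data):
    """Apply the filename and filetype rules to a decoded file; return the rule hits."""
    hits = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        hits.append(f"filename rule: blocked extension {ext}")
    if data[:2] == b"MZ":
        hits.append("filetype rule: DOS/Windows executable header")
    return hits


def scan_text_attachment(text):
    """Decode every uuencoded block in a text attachment and run the rules on each.

    The sha256 is what you would hand to a virus scanner or a lookup service
    instead of the still-encoded text the scanner cannot read."""
    results = []
    for name, data in extract_uuencoded(text):
        results.append({
            "name": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "hits": classify(name, data),
        })
    return results


# Constructed message body with the uuencoded file embedded in plain text.
SAMPLE = "Hello,\n\nPlease see attached.\n\n" + uuencode(INNER_NAME, INNER_BYTES) + "\nRegards\n"

if __name__ == "__main__":
    for r in scan_text_attachment(SAMPLE):
        print(r["name"], r["size"], r["sha256"][:16], r["hits"])
```

Run as-is and the placeholder is reported as invoice.exe with both rule hits; feed it the raw text instead and neither rule fires, which is exactly the gap described in the thread. The decoder stops at the first damaged line rather than padding the output, so a truncated block yields a short file instead of silent garbage.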