Worm.VB-8 not detected by filename or filetype

Jim Holland mailscanner at mango.zw
Wed Jan 18 10:37:44 GMT 2006


Hi Julian

On Wed, 18 Jan 2006, Julian Field wrote:

> The problem is not one of filenames or filetypes, nor any problem  
> with the MIME-tools. That is working fine.
> 
> MailScanner correctly extracts the ATTACHMENT.HQX or whatever it was  
> called, no problem. The contents of the file is not HQX (Binhex) at  
> all, it is uuencoded data. So trying to stop binhex files won't help  
> you, that's a red herring.

Agreed.  I was simply working on the basis of the actual filenames that I 
saw being used by the worm, as I needed a quick fix to block further 
copies getting through.
 
> What happens if you set filetype.rules.conf to stop "uuencoded" or  
> "xxencoded" attachments? I think this should work, I see no reason  
> why it wouldn't.

I will also add this restriction - thanks for the suggestion.

> I would try not to block .hqx files by name as you may well upset some
> of your Mac users.
>
> I'll talk to David Skoll some more about possible resolutions for  
> this problem.

I think the real solution is to apply the same principle to uuencoded
attachments inside MIME base64 encoding that is currently applied to zip
files - the encapsulation should be removed by extracting whatever is
inside an attachment and the files that are finally extracted/decoded
should then be tested for filename, filetype and also sent for virus
scanning.  More work I do appreciate . . .

Regards

Jim
 
> On 18 Jan 2006, at 09:29, Martin Hepworth wrote:
> 
> > Jim
> >
> > Another user identified this problem last night on the IRC channel.
> >
> > Looks like the problem is with the MIME::Tools perl module. Julian has
> > contacted the maintainer of this module in order to get a fix.
> >
> > In the meantime you might want to see if virustotal.com's list of
> > scanners give any results. When I tried last night with the example
> > given (was a uuencoded .hqx file) clamav and some others didn't spot
> > it either. From memory Sophos, F-prot, Kaspersky and a couple of
> > others did...
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> >> bounces at lists.mailscanner.info] On Behalf Of Jim Holland
> >> Sent: 18 January 2006 09:20
> >> To: MailScanner mailing list
> >> Subject: Worm.VB-8 not detected by filename or filetype
> >>
> >> Hi Julian
> >>
> >> This morning I noticed that we were being bombarded with mail from
> >> one particular yahoo.it address with file attachments having names
> >> such as:
> >>
> >> 	Attachments00.HQX
> >> 	Original_Message.B64
> >> 	Video_part.mim
> >> 	Word_Document.hqx
> >> 	Word_Document.uu
> >> 	392315089702606E02.UUE
> >> 	eBook.Uu
> >>
> >> The files are all of approximately 134 000 bytes, and consist of
> >> uuencoded text, with headers such as:
> >>
> >> 	begin 664 392315089702606E-02,UUE              .scR
> >> or
> >> 	begin 664 Attachments,zip                      .SCR
> >>
> >> The extracted files are identified by ClamAV as being infected with
> >> Worm.VB-8, but the actual uuencoded attachment is just regarded by
> >> ClamAV as being plain text and so does not get flagged as a virus.
> >>
> >> The problem therefore is that the messages themselves are still
> >> getting through.  For the moment I am blocking the following extensions:
> >>
> >> 	.bhx
> >> 	.b64
> >> 	.hqx
> >> 	.uu
> >> 	.uue
> >>
> >> I presume that a user would have to manually decode these files
> >> before running the executable within, so infection is not likely to
> >> be very common.  However in our case we are finding the sheer volume
> >> a problem, so are blocking the identified senders at MTA level.
> >>
> >> Can you see a way that scanning of such attachments can be forced?
> >>
> >> I see that "file -i" reports these attachments as being plain
> >> text, but "file" reports them correctly as "uuencoded or xxencoded text".
> >>
> >> Regards
> >>
> >> Jim Holland
> >> System Administrator
> >> MANGO - Zimbabwe's non-profit e-mail service
> >>
> >> --
> >> MailScanner mailing list
> >> MailScanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >
> >
> >
> 
> -- 
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> 
> 

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
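Jim's proposed fix above (peel off the uuencode layer and run the filename, filetype and virus checks on what is inside, as is already done for zip files) sketched as an added Python example; this is not MailScanner's code. The `INNER_DENY` list and the sample message are constructed for the example; the header line mimics the `begin 664 Attachments,zip ... .SCR` pattern quoted in the thread.

```python
import binascii
import re
from typing import NamedTuple, Optional

# The worm's files looked like plain text to ClamAV and to "file -i", yet each
# carried a uuencode header whose inner name ended in ".scr" after padding spaces.
UU_BEGIN = re.compile(rb"^begin\s+[0-7]{3,4}\s+(.+?)\s*$")
INNER_DENY = {"scr"}  # constructed list; the thread's sample headers show .scr

class Extracted(NamedTuple):
    inner_name: str  # name from the uuencode header, space runs collapsed
    extension: str   # lower-cased extension of inner_name ("" if none)
    data: bytes      # decoded payload, ready for filetype rules and AV scanning

def uudecode(blob: bytes) -> Optional[Extracted]:
    """Return the inner file if blob is uuencoded text, else None."""
    lines = blob.splitlines()
    for i, line in enumerate(lines):
        m = UU_BEGIN.match(line)
        if m:
            break
    else:
        return None
    # "Attachments,zip          .SCR" -> "Attachments,zip .SCR"
    inner_name = re.sub(r"\s+", " ", m.group(1).decode("latin-1")).strip()
    out = bytearray()
    for line in lines[i + 1:]:
        if line.strip() == b"end":
            break
        if line.strip():  # blank lines skipped; a lone "`" decodes to zero bytes
            try:
                out += binascii.a2b_uu(line)
            except binascii.Error:
                return None  # malformed body: not a real uuencode stream
    ext = inner_name.rsplit(".", 1)[1].lower() if "." in inner_name else ""
    return Extracted(inner_name, ext, bytes(out))

def verdict(outer_name: str, blob: bytes) -> str:
    # Judge the decoded inner file, not the .HQX/.UU wrapper name.
    ex = uudecode(blob)
    if ex is None:
        return f"not uuencoded: apply normal rules to {outer_name}"
    if ex.extension in INNER_DENY:
        return f"block: {outer_name} wraps {ex.inner_name!r} (.{ex.extension})"
    return f"scan: {ex.inner_name!r} ({len(ex.data)} bytes) goes to filetype rules and AV"

def make_sample() -> bytes:
    # Constructed message in the worm's shape; the payload is harmless text.
    payload = b"constructed sample payload, not executable\n"
    return b"begin 664 Attachments,zip                      .SCR\n" + binascii.b2a_uu(payload) + b"`\nend\n"
```

Calling `verdict("Attachments00.HQX", make_sample())` returns a block verdict naming the hidden `.SCR`, while a non-uuencoded body falls through to the normal rules.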



