Worm.VB-8 not detected by filename or filetype

Chan Min Wai dcmwai at pl.jaring.my
Wed Jan 18 13:18:47 GMT 2006


Can anyone help me stop these files?

I've tried to include these, but without success:
filename.rules.conf
deny \.bhx$ Found possible filename hiding Worm VB-8 Dangerous attachment
deny \.b64$ Found possible filename hiding Worm VB-8 Dangerous attachment
deny \.hqx$ Found possible filename hiding Worm VB-8 Dangerous attachment
deny \.uu$ Found possible filename hiding Worm VB-8 Dangerous attachment
deny \.uue$ Found possible filename hiding Worm VB-8 Dangerous attachment


filetype.rules.conf
deny uuencoded - -

Regards,



Jim Holland wrote:

>Hi Julian
>
>This morning I noticed that we were being bombarded with mail from one 
>particular yahoo.it address with file attachments having names such as:
>
>	Attachments00.HQX
>	Original_Message.B64
>	Video_part.mim
>	Word_Document.hqx
>	Word_Document.uu
>	392315089702606E02.UUE
>	eBook.Uu
>
>The files are all of approximately 134 000 bytes, and consist of uuencoded
>text, with headers such as:
>
>	begin 664 392315089702606E-02,UUE              .scR
>or
>	begin 664 Attachments,zip                      .SCR
>
>The extracted files are identified by ClamAV as being infected with 
>Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV 
>as being plain text and so does not get flagged as a virus.
>
>The problem therefore is that the messages themselves are still getting 
>through.  For the moment I am blocking the following extensions:
>
>	.bhx
>	.b64
>	.hqx
>	.uu
>	.uue
>
>I presume that a user would have to manually decode these files before 
>running the executable within, so infection is not likely to be very 
>common.  However in our case we are finding the sheer volume a problem, so 
>are blocking the identified senders at MTA level.
>
>Can you see a way that scanning of such attachments can be forced?
>
>I see that "file -i" reports these attachments as being plain text, but 
>"file" reports them correctly as "uuencoded or xxencoded text".
>
>Regards
>
>Jim Holland
>System Administrator
>MANGO - Zimbabwe's non-profit e-mail service
>
>  
>
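
The quoted message notes that the uuencode "begin" line carries the real filename, with the executable extension pushed far to the right by padding. The following is an added example, not part of the original post and not MailScanner code: it reads that header and flags the embedded name. The function names, the extension list and the pairing of outer names with headers are assumptions made for illustration.

```python
import re

# Assumption: extensions treated as executable; adjust to local policy.
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# uuencode header: "begin <octal mode> <filename>"; the filename may contain spaces.
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S.*?)\s*$")


def embedded_names(body):
    """Return the filenames declared in every uuencode 'begin' line of body."""
    names = []
    for line in body.splitlines():
        m = BEGIN_RE.match(line)
        if m:
            names.append(m.group(2))
    return names


def real_extension(name):
    """Lower-cased final extension; padding before the dot does not hide it."""
    dot = name.rfind(".")
    return name[dot:].strip().lower() if dot != -1 else ""


def flag_attachment(outer_name, body):
    """List (outer name, embedded name, extension) for risky embedded files."""
    hits = []
    for inner in embedded_names(body):
        ext = real_extension(inner)
        if ext in RISKY_EXT:
            hits.append((outer_name, inner, ext))
    return hits


# Constructed samples: the two header lines quoted in the post plus a benign one,
# each followed by a dummy payload line (an empty uuencoded line) and "end".
SAMPLES = {
    "392315089702606E02.UUE": "begin 664 392315089702606E-02,UUE              .scR\n`\nend\n",
    "Attachments00.HQX": "begin 664 Attachments,zip                      .SCR\n`\nend\n",
    "notes.uu": "begin 644 notes.txt\n`\nend\n",
}

if __name__ == "__main__":
    for outer, body in SAMPLES.items():
        print(outer, "->", flag_attachment(outer, body) or "no risky embedded name")
```

Because the check reads the header inside the attachment, it does not depend on the outer attachment name or on what "file -i" reports for the content.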


