Worm.VB-8 not detected by filename or filetype

Devi Sambamoorthy devi.sambamoorthy at inmail.tranquilmoney.com
Wed Jan 18 13:30:23 GMT 2006


Please try

deny \.bhx$
deny \.BHX$

-Devi

(list - pls ignore my signature & confidentiality statement)

On Wed, 18 Jan 2006, Chan Min Wai wrote:

> Can anyone help me stop these files?
>
> I've tried to include these but without success:
> filename.rules.conf
> deny \.bhx$ Found possible filename hiding Worm VB-8 Dangerous attachment
> deny \.b64$ Found possible filename hiding Worm VB-8 Dangerous attachment
> deny \.hqx$ Found possible filename hiding Worm VB-8 Dangerous attachment
> deny \.uu$ Found possible filename hiding Worm VB-8 Dangerous attachment
> deny \.uue$ Found possible filename hiding Worm VB-8 Dangerous attachment
>
>
> filetype.rules.conf
> deny uuencoded - -
>
> Regards,
>
>
>
> Jim Holland wrote:
>
>> Hi Julian
>>
>> This morning I noticed that we were being bombarded with mail from one
>> particular yahoo.it address with file attachments having names such as:
>>
>> 	Attachments00.HQX
>> 	Original_Message.B64
>> 	Video_part.mim
>> 	Word_Document.hqx
>> 	Word_Document.uu
>> 	392315089702606E02.UUE
>> 	eBook.Uu
>>
>> The files are all of approximately 134 000 bytes, and consist of uuencoded
>> text, with headers such as:
>>
>> 	begin 664 392315089702606E-02,UUE              .scR
>> or
>> 	begin 664 Attachments,zip                      .SCR
>>
>> The extracted files are identified by ClamAV as being infected with
>> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV
>> as being plain text and so does not get flagged as a virus.
>>
>> The problem therefore is that the messages themselves are still getting
>> through.  For the moment I am blocking the following extensions:
>>
>> 	.bhx
>> 	.b64
>> 	.hqx
>> 	.uu
>> 	.uue
>>
>> I presume that a user would have to manually decode these files before
>> running the executable within, so infection is not likely to be very
>> common.  However in our case we are finding the sheer volume a problem, so
>> are blocking the identified senders at MTA level.
>>
>> Can you see a way that scanning of such attachments can be forced?
>>
>> I see that "file -i" reports these attachments as being plain text, but
>> "file" reports them correctly as "uuencoded or xxencoded text".
>>
>> Regards
>>
>> Jim Holland
>> System Administrator
>> MANGO - Zimbabwe's non-profit e-mail service
>>
>>
>>
>
> -- 
> MailScanner mailing list
> MailScanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
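The uuencode trick described above (a plain-text attachment whose "begin 664" line carries a name padded with spaces and ending in .SCR) is where the real file name and the real bytes hide, and it is why a filename rule on the outer .uu/.uue/.hqx name is all that sees them. As an added example, not code from the thread, from MailScanner or from ClamAV, the Python script below parses a MIME message, decodes every uuencoded block it finds in any part, reports the inner file name and whether the decoded payload starts with an MZ executable header, and matches both the outer and the inner extension against a denylist. The sample message, its 514-byte stand-in payload (only the "MZ" magic is real) and the inner extensions other than .scr are constructed for the example.

```python
# Added example (not MailScanner or ClamAV code): find the file name and bytes
# that a uuencoded text attachment hides, e.g. "begin 664 Attachments,zip   .SCR".
import binascii
import email
import re
from email import policy

# Outer extensions blocked in the thread, plus the inner one seen in its
# uuencode headers; the inner entries after .scr are an assumption.
DENY_OUTER = ('.bhx', '.b64', '.hqx', '.uu', '.uue', '.mim')
DENY_INNER = ('.scr', '.exe', '.pif', '.com', '.bat')

# "begin <mode> <name>": capture up to the last non-blank character so the
# space padding used in the reported messages does not drop the real suffix.
UU_BEGIN = re.compile(r'^begin\s+[0-7]{3,4}\s+(.*\S)\s*$')


def uuencode(name, data, mode='664'):
    """Build a uuencoded block (used here only to construct the sample)."""
    lines = ['begin %s %s' % (mode, name)]
    for off in range(0, len(data), 45):
        enc = binascii.b2a_uu(data[off:off + 45], backtick=True)
        lines.append(enc.decode('ascii').rstrip('\n'))
    lines += ['`', 'end']
    return '\n'.join(lines) + '\n'


def extract_uu(text):
    """Return [(inner_name, decoded_bytes)] for every uuencoded block in text."""
    lines = text.splitlines()
    found, i = [], 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        if not m:
            i += 1
            continue
        name, data, i = m.group(1), bytearray(), i + 1
        while i < len(lines) and lines[i].strip() != 'end':
            line = lines[i]
            i += 1
            if not line.strip():          # a2b_uu('') yields 32 NULs; skip blanks
                continue
            try:
                data += binascii.a2b_uu(line)
            except binascii.Error:        # corrupt block: keep what decoded
                break
        if i < len(lines) and lines[i].strip() == 'end':
            i += 1
        found.append((name, bytes(data)))
    return found


def inner_extension(name):
    """Lower-cased suffix of the decoded file name, ignoring padding."""
    name = name.strip()
    dot = name.rfind('.')
    return name[dot:].lower() if dot >= 0 else ''


def scan_message(raw):
    """Walk a MIME message and report uuencoded payloads hidden in its parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        outer = part.get_filename() or ''
        body = (part.get_payload(decode=True) or b'').decode('ascii', 'replace')
        for inner, data in extract_uu(body):
            ext = inner_extension(inner)
            findings.append({
                'outer': outer,
                'outer_denied': outer.lower().endswith(DENY_OUTER),
                'inner': inner.strip(),
                'inner_ext': ext,
                'inner_denied': ext in DENY_INNER,
                'mz_header': data[:2] == b'MZ',   # DOS/PE executable magic
                'size': len(data),
            })
    return findings


def verdict(findings):
    """One log line per hit in the style of the thread's rules, or None if clean."""
    hits = [f for f in findings if f['inner_denied'] or f['mz_header'] or f['outer_denied']]
    if not hits:
        return None
    return '; '.join('Found possible filename hiding: %s inside %s (%d bytes%s)'
                     % (f['inner_ext'] or '?', f['outer'] or 'inline text', f['size'],
                        ', MZ header' if f['mz_header'] else '') for f in hits)


# Constructed sample: a 514-byte stand-in for a PE file wrapped the way the
# reported messages wrapped theirs (padded inner name, harmless outer name).
SAMPLE_PAYLOAD = b'MZ' + bytes(range(256)) * 2
SAMPLE_MSG = (
    'From: sender@example.invalid\nTo: user@example.invalid\n'
    'Subject: Word_Document\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nSee the attached document.\n'
    '--b1\nContent-Type: text/plain; name="Word_Document.uu"\n'
    'Content-Disposition: attachment; filename="Word_Document.uu"\n\n'
    + uuencode('Attachments,zip                      .SCR', SAMPLE_PAYLOAD)
    + '--b1--\n'
)

if __name__ == '__main__':
    print(verdict(scan_message(SAMPLE_MSG)))
```

To run it on a saved message, call scan_message(open(path).read()); verdict() returns None for a clean message. Because a2b_uu treats missing trailing characters as zero bytes, a truncated block still yields a partial payload that can be handed to a scanner rather than raising an error.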

