Worm.VB-8 not detected by filename or filetype
Scott Silva
ssilva at sgvwater.com
Wed Jan 18 16:16:31 GMT 2006
Jim Holland spake the following on 1/18/2006 1:19 AM:
> Hi Julian
>
> This morning I noticed that we were being bombarded with mail from one
> particular yahoo.it address with file attachments having names such as:
>
> Attachments00.HQX
> Original_Message.B64
> Video_part.mim
> Word_Document.hqx
> Word_Document.uu
> 392315089702606E02.UUE
> eBook.Uu
>
> The files are all of approximately 134 000 bytes, and consist of uuencoded
> text, with headers such as:
>
> begin 664 392315089702606E-02,UUE .scR
> or
> begin 664 Attachments,zip .SCR
>
> The extracted files are identified by ClamAV as being infected with
> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV
> as being plain text and so does not get flagged as a virus.
>
> The problem therefore is that the messages themselves are still getting
> through. For the moment I am blocking the following extensions:
>
> .bhx
> .b64
> .hqx
> .uu
> .uue
>
> I presume that a user would have to manually decode these files before
> running the executable within, so infection is not likely to be very
> common. However in our case we are finding the sheer volume a problem, so
> are blocking the identified senders at MTA level.
>
> Can you see a way that scanning of such attachments can be forced?
>
> I see that "file -i" reports these attachments as being plain text, but
> "file" reports them correctly as "uuencoded or xxencoded text".
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
>
If it can be opened, you will, sooner or later, find a user that opens it and
infects their system.
--
/-----------------------\ |~~\_____/~~\__ |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!| ~~~|/~~ |
\-----------------------/ ()
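Added example, not part of the original thread and not MailScanner or ClamAV code: one way to close the gap Jim describes, where the outer filename and `file -i` both look like plain text, is to find the uuencode `begin` header in the content, decode the member, and judge it by its inner name, with the decoded bytes being what a virus scanner would then be given. The extension blocklist, function names and placeholder payload are assumptions constructed for illustration.

```python
import binascii
import os
import re

# Assumed blocklist for the decoded member's extension (not from the thread).
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}
BEGIN_RE = re.compile(rb"^begin\s+[0-7]{3,4}\s+(.+?)\s*$")

def extract_uu_members(data):
    """Return [(inner_name, decoded_bytes)] for each uuencoded section in data."""
    members, name, chunks = [], None, []
    for line in data.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, chunks = m.group(1).decode("latin-1"), []
        elif line.strip() == b"end":
            members.append((name, b"".join(chunks)))
            name = None
        elif line.strip() not in (b"", b"`"):
            try:
                chunks.append(binascii.a2b_uu(line))
            except binascii.Error:
                pass  # malformed line: keep what decoded so far
    if name is not None:  # truncated section with no "end" line
        members.append((name, b"".join(chunks)))
    return members

def assess(outer_name, data):
    """Judge an attachment by what it decodes to, not by its outer name."""
    findings = []
    for inner, payload in extract_uu_members(data):
        ext = os.path.splitext(inner.strip())[1].lower()
        findings.append({"outer": outer_name, "inner": inner, "ext": ext,
                         "risky": ext in RISKY_EXT, "payload": payload})
    return findings

def build_sample(inner_name, payload):
    """Constructed test input: uuencode payload under the given inner name."""
    body = [binascii.b2a_uu(payload[i:i + 45]).rstrip(b"\n")
            for i in range(0, len(payload), 45)]
    return b"\n".join([b"begin 664 " + inner_name] + body + [b"`", b"end"]) + b"\n"

# Constructed sample: harmless placeholder bytes, header shaped like the one quoted above.
SAMPLE = build_sample(b"Attachments,zip .SCR", b"placeholder-not-malware " * 8)

if __name__ == "__main__":
    for f in assess("Word_Document.uu", SAMPLE):
        print(f["outer"], "->", repr(f["inner"]), f["ext"], "risky" if f["risky"] else "ok")
```

The `payload` field of each finding holds the decoded bytes, which is the form in which ClamAV recognised the worm in the thread above.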