Worm.VB-8 not detected by filename or filetype

Scott Silva ssilva at sgvwater.com
Wed Jan 18 16:16:31 GMT 2006


Jim Holland spake the following on 1/18/2006 1:19 AM:
> Hi Julian
> 
> This morning I noticed that we were being bombarded with mail from one 
> particular yahoo.it address with file attachments having names such as:
> 
> 	Attachments00.HQX
> 	Original_Message.B64
> 	Video_part.mim
> 	Word_Document.hqx
> 	Word_Document.uu
> 	392315089702606E02.UUE
> 	eBook.Uu
> 
> The files are all of approximately 134 000 bytes, and consist of uuencoded
> text, with headers such as:
> 
> 	begin 664 392315089702606E-02,UUE              .scR
> or
> 	begin 664 Attachments,zip                      .SCR
> 
> The extracted files are identified by ClamAV as being infected with 
> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV 
> as being plain text and so does not get flagged as a virus.
> 
> The problem therefore is that the messages themselves are still getting 
> through.  For the moment I am blocking the following extensions:
> 
> 	.bhx
> 	.b64
> 	.hqx
> 	.uu
> 	.uue
> 
> I presume that a user would have to manually decode these files before 
> running the executable within, so infection is not likely to be very 
> common.  However in our case we are finding the sheer volume a problem, so 
> are blocking the identified senders at MTA level.
> 
> Can you see a way that scanning of such attachments can be forced?
> 
> I see that "file -i" reports these attachments as being plain text, but 
> "file" reports them correctly as "uuencoded or xxencoded text".
> 
> Regards
> 
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
> 
If it can be opened, you will, sooner or later, find a user that opens it and
infects their system.


-- 

/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()



More information about the MailScanner mailing list