Worm.VB-8 not detected by filename or filetype

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jan 18 16:32:06 GMT 2006


On 18 Jan 2006, at 16:16, Scott Silva wrote:

> Jim Holland spake the following on 1/18/2006 1:19 AM:
>> Hi Julian
>>
>> This morning I noticed that we were being bombarded with mail from one
>> particular yahoo.it address with file attachments having names such as:
>>
>> 	Attachments00.HQX
>> 	Original_Message.B64
>> 	Video_part.mim
>> 	Word_Document.hqx
>> 	Word_Document.uu
>> 	392315089702606E02.UUE
>> 	eBook.Uu
>>
>> The files are all of approximately 134 000 bytes, and consist of uuencoded
>> text, with headers such as:
>>
>> 	begin 664 392315089702606E-02,UUE              .scR
>> or
>> 	begin 664 Attachments,zip                      .SCR
>>
>> The extracted files are identified by ClamAV as being infected with
>> Worm.VB-8, but the actual uuencoded attachment is just regarded by ClamAV
>> as being plain text and so does not get flagged as a virus.
>>
>> The problem therefore is that the messages themselves are still getting
>> through.  For the moment I am blocking the following extensions:
>>
>> 	.bhx
>> 	.b64
>> 	.hqx
>> 	.uu
>> 	.uue
>>
>> I presume that a user would have to manually decode these files before
>> running the executable within, so infection is not likely to be very
>> common.  However in our case we are finding the sheer volume a problem, so
>> are blocking the identified senders at MTA level.
>>
>> Can you see a way that scanning of such attachments can be forced?
>>
>> I see that "file -i" reports these attachments as being plain text, but
>> "file" reports them correctly as "uuencoded or xxencoded text".

Please upgrade to the latest beta. I have already solved all this.
-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
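To illustrate the gap Jim describes above (an outer attachment that is plain text to "file -i" and to ClamAV, while the uuencoded payload inside is the executable), here is an added example written for this page. It is not MailScanner's code and does not show how the beta Julian refers to handles it. It walks a MIME message, treats any part whose filename has a wrapper extension (Jim's block list plus .mim, an assumed list) or whose body contains a uuencode "begin" line as suspect regardless of its declared content type, decodes each uuencoded member and reports the real inner filename. The whole remainder of the begin line is taken as the name, so the padding and the ','-for-'.' substitution in "begin 664 Attachments,zip      .SCR" do not hide the extension. The sample message, the extension lists and the two-byte "MZ" stub standing in for the worm body are all constructed for the example; in production the decoded payload would be handed to the real scanner rather than checked for a PE header.

```python
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed lists for this example, not MailScanner configuration.
# Executable extensions an attacker hides inside an encoded wrapper.
DANGEROUS_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Wrapper extensions from the thread: uu/xxencode, BinHex, base64 text dumps.
WRAPPER_EXTS = {".uu", ".uue", ".hqx", ".bhx", ".b64", ".mim"}

# 'begin <octal mode> <name>'; the name runs to end of line, padding included.
UU_BEGIN = re.compile(rb"^begin\s+[0-7]{3,4}\s(.+)$")


def extension_of(name: str) -> str:
    """Lower-cased last '.'-suffix of a filename after stripping the space
    padding used to push the real extension out of sight:
    'Attachments,zip                      .SCR' -> '.scr'."""
    name = name.strip()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def parse_uuencode(data: bytes):
    """Yield (inner_filename, decoded_bytes) for every 'begin ... end' section.
    Decoding stops at the first corrupt line; what was decoded so far is
    still returned so it can be scanned."""
    lines = data.splitlines()
    i = 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        i += 1
        if not m:
            continue
        inner_name = m.group(1).rstrip().decode("latin-1")
        payload = bytearray()
        while i < len(lines) and lines[i].strip() != b"end":
            line = lines[i]
            i += 1
            if not line.strip():
                continue
            try:
                payload += binascii.a2b_uu(line)  # one 45-byte line at a time
            except binascii.Error:
                break
        if i < len(lines) and lines[i].strip() == b"end":
            i += 1
        yield inner_name, bytes(payload)


def scan_message(raw: bytes) -> list:
    """Report every uuencoded member found in the message's non-multipart
    parts, keyed on wrapper extension or on a begin line in the body, so a
    text/plain declaration does not exempt the part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        outer_name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        looks_uu = any(UU_BEGIN.match(line) for line in body.splitlines())
        if extension_of(outer_name) not in WRAPPER_EXTS and not looks_uu:
            continue
        for inner_name, payload in parse_uuencode(body):
            findings.append({
                "attachment": outer_name,
                "content_type": part.get_content_type(),
                "inner_name": inner_name,
                "inner_ext": extension_of(inner_name),
                "dangerous": extension_of(inner_name) in DANGEROUS_EXTS,
                "pe_header": payload.startswith(b"MZ"),  # stand-in for a real AV scan
                "size": len(payload),
            })
    return findings


def build_sample() -> bytes:
    """Constructed message (not a real capture): a text/plain attachment named
    Word_Document.uu wrapping a uuencoded blob whose begin line hides '.SCR'
    behind padding. The payload is a harmless 'MZ' stub, not a worm body."""
    fake_exe = b"MZ" + b"\x90" * 200
    uu = b"begin 664 Attachments,zip                      .SCR\n"
    for off in range(0, len(fake_exe), 45):
        uu += binascii.b2a_uu(fake_exe[off:off + 45])
    uu += b"`\nend\n"
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "Word_Document"
    msg.set_content("see attached")
    msg.add_attachment(uu, maintype="text", subtype="plain",
                       filename="Word_Document.uu")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Running the file prints one finding for the constructed message: the outer part is text/plain named Word_Document.uu, the inner name ends in .scr, and the decoded 202-byte payload starts with MZ. A part that only looks like text to "file -i" is therefore still decoded and its member is available for the scanner.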