Re: [Full-Disclosure] f-prot not catching mimail ? (now fixed)

From: Mike Tancsa (mike_at_sentex.net)
Date: 08/05/03

    To: psz@maths.usyd.edu.au (Paul Szabo)
    Date: Tue, 05 Aug 2003 13:56:38 -0400
    
    

    This is now fixed with an updated engine. I verified both with my Windows
    Desktop version as well as with my FreeBSD version. This gets both versions of
    the virus I have found.

    avscan1# f-prot *.zip
    Virus scanning report - 5 August 2003 @ 13:50

    F-PROT ANTIVIRUS
    Program version: 4.1.1
    Engine version: 3.13.4

    VIRUS SIGNATURE FILES
    SIGN.DEF created 1 August 2003
    SIGN2.DEF created 4 August 2003
    MACRO.DEF created 4 August 2003

    Search: message1.zip message4.zip new.zip
    Action: Report only
    Files: Attempt to identify files
    Switches: <none>

    /tmp/tmp2/message1.zip->message.html Infection: W32/Mimail.A@mm
    /tmp/tmp2/message4.zip->message.html Infection: W32/Mimail.A@mm
    /tmp/tmp2/new.zip->message1.zip Not scanned (encrypted)
    /tmp/tmp2/new.zip->message4.zip Not scanned (encrypted)

    Results of virus scanning:

    Files: 3
    MBRs: 0
    Boot sectors: 0
    Objects scanned: 4
    Infected: 2
    Suspicious: 0
    Disinfected: 0
    Deleted: 0
    Renamed: 0

    Time: 0:00

    At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:
    > >>I cannot see anything "special" in the MIME structure of Mimail that would
    > >>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
    > >>the ZIP that f-prot cannot unpack?).
    > >
    > > I was told it's the encoding scheme in the .html file that's the problem.
    > > Currently the scanner does not support that type of encoding.
    >
    >It seems to me that the HTML contains the binary EXE without any encoding:
    >
    >$ cat -v message.html | fold | head -5
    >MIME-Version: 1.0
    >Content-Location:file://foo.exe
    >Content-Transfer-Encoding: binary
    >
    >MZM-^P^@^C^@^@^@^D^@^@^@M-^?M-^?^@^@M-8^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@
    >
    >Regardless, f-prot should list the ZIP attachment, and the files contained
    >within the ZIP ...
    >
    >Cheers,
    >
    >Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    >School of Mathematics and Statistics University of Sydney 2006 Australia

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

