Re: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 08/03/04

    To: fd <full-disclosure@lists.netsys.com>
    Date: Wed, 04 Aug 2004 01:30:28 +1200
    
    

    Denis McMahon wrote:

    > I've had a couple of suspicious emails this week with headers, blank
    > line, a line of text, mime headers.

    And that is _all_ ???

    If so, what are you worrying about?

    If not, why didn't you describe all the sections in the message
    structure?

    > Thunderbird doesn't see the mime attachment due to the broken headers,

    _Which_ headers are broken?

    Do you mean there is something "bad" (cf. the relevant RFCs) in the
    Email headers, or in the MIME headers???

    > which is good, but nor does the grisoft email proxy scanner, which is
    > bad, especially as I guess that certain broken applications (no I don't
    > have outlook [express] on my system) might try and be smart and find the
    > attachment.

    But your description of the structure of these messages above says
    nothing about any "attachments"...

    > This might be broken malware sending unusable stuff out, but my worry is
    > that someone may have found a technique that will sneak an attachment
    > past some a-v scanners in a "broken" format that certain popular email
    > apps will try and fix, possibly putting active malware on the hard disk.

    Are these "attachments" in the ~1.5KB - 2KB size range?

    If so, I'd say there is a reasonable chance they are the "IPs I've
    already hit" log-only (aka "corrupted") Mydoom.O messages. These
    _should_ appear in any of the forms of message Mydoom.O can produce
    which includes attachment-only (blank message part) through various
    "clever" SE message forms to "binary gibberish" messages. Further, the
    base64 encoded attachment can also be "normal" or "corrupted" (spaces,
    odd line-breaks inserted where they are not allowed by the spec --
    Outlook and OE (and several other MUAs) happily ignore these "encoding
    errors" and "correctly" decode the intended attachment.

    > I tried to talk to grisoft about this, but all I get back is "you have
    > to pay to talk to us cheapskate" ... whilst I can agree that they might
    > not want to provide tech support to users of their free scanner, does
    > anyone have an email address at grisoft for submitting suspicious items
    > that have got past their proxy scanner?

    Yes but you'll have to contact me off-list as I won't publish the
    details here.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
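The "corrupted" base64 case Nick describes above, as an added example that is not part of this thread or of any scanner's code: a scanner that only decodes canonical base64 (groups of four characters, lines broken on group boundaries, nothing outside the alphabet) sees nothing it can match, while a tolerant client-style decoder that drops every stray character and repairs padding recovers the intended bytes. The payload, the marker string and the corruption pattern are all constructed for the demonstration; the lesson for a gateway scanner is to normalise the body at least as leniently as the mail clients it protects before matching signatures.

```python
import base64
import binascii
import re

# Constructed sample payload and the "signature" a scanner would look for.
# Neither is a real malware sample; the marker is just a string to match.
PAYLOAD = b"X-Constructed-Marker: fake-sample-for-demo\r\n" * 3
MARKER = b"fake-sample-for-demo"

# Anything that is not a base64 alphabet character or padding.
NON_ALPHABET = re.compile(r"[^A-Za-z0-9+/=]")


def strict_decode(body: str):
    """Decode only canonical base64: every line a multiple of four characters
    (so groups are never split across lines) and no characters outside the
    alphabet. Returns None otherwise, which is what a naive scanner ends up
    with when it meets a body with stray spaces or mid-group line breaks."""
    lines = body.replace("\r\n", "\n").split("\n")
    if any(len(line) % 4 != 0 for line in lines):
        return None
    try:
        return base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return None


def lenient_decode(body: str) -> bytes:
    """Decode the way tolerant mail clients do: throw away every character
    that is not in the alphabet, then repair any missing '=' padding."""
    cleaned = NON_ALPHABET.sub("", body).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def corrupt_body(b64: str) -> str:
    """Constructed corruption: a space after every 7th character and a line
    break after every 13th, so breaks fall inside base64 groups and spaces
    appear where an encoder would never emit them."""
    out = []
    for i, ch in enumerate(b64):
        out.append(ch)
        if (i + 1) % 7 == 0:
            out.append(" ")
        if (i + 1) % 13 == 0:
            out.append("\n")
    return "".join(out)


def scan(body: str, marker: bytes = MARKER) -> dict:
    """Report whether a signature match on the decoded bytes succeeds under
    each decoding strategy."""
    strict = strict_decode(body)
    lenient = lenient_decode(body)
    return {
        "strict_hit": strict is not None and marker in strict,
        "lenient_hit": marker in lenient,
    }


# Canonical MIME body: 76-character lines, newline-terminated.
CLEAN_BODY = base64.encodebytes(PAYLOAD).decode("ascii")
CORRUPTED_BODY = corrupt_body(CLEAN_BODY)

if __name__ == "__main__":
    print("clean body    :", scan(CLEAN_BODY))
    print("corrupted body:", scan(CORRUPTED_BODY))
    print("lenient decode recovers payload:",
          lenient_decode(CORRUPTED_BODY) == PAYLOAD)
```

Run as-is to see the clean body matched by both decoders and the corrupted body matched only by the lenient one; the lenient path still yields the exact original bytes, which is why a client that behaves that way will happily hand the attachment to the user.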
    
