Re: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
To: fd <firstname.lastname@example.org> Date: Wed, 04 Aug 2004 01:30:28 +1200
Denis McMahon wrote:
> I've had a couple of suspicious emails this week with headers, blank
> line, a line of text, mime headers.
And that is _all_ ???
If so, what are you worrying about?
If not, why didn't you describe all the sections in the message
> Thunderbird doesn't see the mime attachment due to the broken headers,
_Which_ headers are broken?
Do you mean there is something "bad" (c.f. the relevant RFCs) in the
Email headers, or in the MIME headers???
> which is good, but nor does the grisoft email proxy scanner, which is
> bad, especially as I guess that certain broken applications (no I don't
> have outlook [express] on my system) might try and be snart and find the
But your description of the structure of these messages above says
nothing about any "attachments"...
> This might be broken malware sending unusable stuff out, but my worry is
> that somene may have found a technique that will sneak an attachment
> past some a-v scanners in a "broken" format that certain popular email
> apps will try and fix, possibly putting active malware on the hard disk.
Are these "attachments" in the ~1.5KB - 2KB size range?
If so, I'd say there is a reasonable chance they are the "IPs I've
already hit" log-only (aka "corrupted") Mydoom.O messages. These
_should_ appear in any of the forms of message Mydoom.O can produce
which includes attachment-only (blank message part) through various
"clever" SE message forms to "binary gibberish" messages. Further, the
base64 encoded attachment can also be "normal" or "corrupted" (spaces,
odd line-breaks inserted where they are not allowed by the spec --
Outlook and OE (and several other MUAs) happily ignore these "encoding
errors" and "correctly" decode the intended attachment.
> I tried to talk to grisoft about this, but all I get back is "you have
> to pay to talk to us cheapskate" ... whilst I can agree that they might
> not want to provide tech support to users of their free scanner, does
> anyone have an email address at grisoft for submitting suspicious items
> that have got past their proxy scanner?
Yes but you'll have to contact me off-list as I won't publish the
-- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html