Re: Some Symantec AV engines don't catch re-encoded viruses/worms
From: Geoffrey Moon (gmoon_at_MINDSPRING.COM)
Date: 06/28/04
- Previous message: Jeffrey Thomas: "FWIW - incidents.org inquiring on possible IWAP_WWW account added to recent IIS compromised servers"
- Maybe in reply to: Brian S. Bergin: "Some Symantec AV engines don't catch re-encoded viruses/worms"
Date: Mon, 28 Jun 2004 10:27:09 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
"... but it could prevent some “too smart for our own good” user
from taking the virus out of the re-encoded portion of the e-mail, using a
MIME decoder to extract the virus in an attempt to see what it does."
This is easier than you might think. Lots of users have a nice MIME decoder already installed - it's called WinZip. Open an eml file with WinZip and voila, up comes a list of files showing the message header and body as .txt files, and all of the decoded attachments.
Not sure how it handles double-encoded files, but it wouldn't surprise me if it decoded those as well.
Geoff
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
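The extraction step Geoff describes, a MIME decoder pulling the attachments out of an .eml file, done with Python's standard library. This is an added example, not code from the original post or from WinZip. It strips each attachment's transfer encoding, descends into forwarded message/rfc822 parts (the re-encoded layout from the thread's subject), and peels off an extra hand-applied base64 layer, which is one reading of the "double-encoded" case Geoff is unsure about. The .eml it parses is constructed inline from harmless sample bytes; the nesting and layer counters and the field names are this example's own choices, not a standard.

```python
import base64
import binascii
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample payloads: harmless text standing in for attachments.
INNER_BYTES = b"sample bytes standing in for the forwarded attachment (not malware)"
OUTER_BYTES = b"outer attachment: also sample bytes"


def sha256_hex(data: bytes) -> str:
    """Hash of the fully decoded bytes, i.e. what you would look up or scan."""
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """Construct a sample .eml (test data, not a captured message) with:
    a plain base64 attachment, a base64-of-base64 ("double-encoded")
    attachment, and a forwarded message/rfc822 part carrying its own
    base64 attachment, the re-encoded case from the thread."""
    inner = EmailMessage()
    inner["From"] = "someone@example.invalid"
    inner["To"] = "victim@example.invalid"
    inner["Subject"] = "original message"
    inner.set_content("see attached")
    inner.add_attachment(INNER_BYTES, maintype="application",
                         subtype="octet-stream", filename="inner.exe")

    outer = EmailMessage()
    outer["From"] = "forwarder@example.invalid"
    outer["To"] = "analyst@example.invalid"
    outer["Subject"] = "FW: original message"
    outer.set_content("forwarding this for analysis")
    outer.add_attachment(OUTER_BYTES, maintype="application",
                         subtype="octet-stream", filename="outer.bin")
    # Sender base64-encoded the file by hand before attaching it, so the
    # MIME layer base64-encodes that text a second time.
    outer.add_attachment(base64.b64encode(INNER_BYTES), maintype="application",
                         subtype="octet-stream", filename="double.b64")
    outer.add_attachment(inner)  # serialized as a message/rfc822 part
    return outer.as_bytes()


def strip_base64_layer(data: bytes):
    """Return the decoded bytes if `data` is itself base64 text (an encoding
    layer applied on top of the MIME transfer encoding), else None.
    Heuristic: base64 alphabet only after whitespace removal, length >= 16
    and a multiple of 4. Short alphabet-only data can still false-positive,
    so treat the result as a candidate, not proof."""
    compact = b"".join(data.split())
    if len(compact) < 16 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def _leaves(part, depth):
    """Yield (leaf_part, depth); depth counts enclosing message/rfc822 envelopes."""
    if part.is_multipart():
        inner_depth = depth + 1 if part.get_content_type() == "message/rfc822" else depth
        for sub in part.get_payload():
            yield from _leaves(sub, inner_depth)
    else:
        yield part, depth


def extract_attachments(raw: bytes):
    """Parse an .eml and return one dict per attachment, with the transfer
    encoding removed and any extra base64 layers peeled off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part, depth in _leaves(msg, 0):
        if part.get_content_disposition() != "attachment":
            continue  # message bodies are not attachments
        data = part.get_payload(decode=True)  # undo base64 / quoted-printable
        layers = 0
        while (peeled := strip_base64_layer(data)) is not None:
            data, layers = peeled, layers + 1
        results.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "nesting": depth,
            "extra_base64_layers": layers,
            "sha256": sha256_hex(data),
            "data": data,
        })
    return results


if __name__ == "__main__":
    for a in extract_attachments(build_sample_eml()):
        print(f"{a['filename']:<11} nesting={a['nesting']} "
              f"extra_b64={a['extra_base64_layers']} size={len(a['data'])} "
              f"sha256={a['sha256']}")
```

Write the decoded bytes to disk only inside an isolated analysis environment: this is exactly the "take the virus out of the re-encoded portion" step the quoted warning is about, and the hash of the fully decoded payload is what to submit to a scanner or compare against an AV signature, since a gateway engine that only sees the outer encoding may never compute it.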