[TOOL] PYthon MAil VIrus Scanner
From: SecuriTeam (support_at_securiteam.com)
Date: 03/31/04
To: list@securiteam.com
Date: 31 Mar 2004 10:42:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PYthon MAil VIrus Scanner
------------------------------------------------------------------------
SUMMARY
pymavis is an email parser in the spirit of the old amavis (amavis-perl).
Its primary job is to retrieve every attachment from an email and then run
one or more virus scanners over them. The parser copes with damaged or
truncated messages, non-RFC-compliant or broken MIME syntax and headers,
and inline (non-MIME) attachments, and it decodes base64, quoted-printable,
uuencoded and BinHex 4.0 (hqx) encodings.
DETAILS
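As an added illustration (example code written for this page, not pymavis's own), here is the shape of a tolerant attachment extractor in Python: it walks the MIME tree with the standard library's lenient parser, undoes the transfer encodings, and also pulls out uuencoded files pasted inline into a text body, the way pre-MIME mailers sent them. The sample message is constructed here (addresses and file names are invented); its base64 part deliberately lacks its padding character, which a strict decoder would reject.

```python
import binascii
import email
import re

# Inline (non-MIME) uuencoded attachment: "begin <mode> <name>" ... "end".
UU_BLOCK = re.compile(
    rb"^begin [0-7]{3,4} (?P<name>[^\r\n]+)\r?\n(?P<body>.*?)^end\r?$",
    re.S | re.M,
)


def decode_uu(body: bytes) -> bytes:
    """Decode uuencoded lines one at a time; a damaged line is skipped rather
    than losing the whole attachment (a scanner wants whatever is recoverable)."""
    out = bytearray()
    for line in body.splitlines():
        if not line.strip():
            continue
        try:
            out += binascii.a2b_uu(line)      # the "`" terminator line decodes to b""
        except binascii.Error:
            continue
    return bytes(out)


def extract_attachments(raw: bytes):
    """Return [(filename, bytes)] for every attachment found, MIME or inline."""
    # compat32 parsing records MIME defects instead of raising, so malformed
    # boundaries, headers or base64 still yield whatever parts can be read.
    msg = email.message_from_bytes(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP/uuencode CTEs
        name = part.get_filename()   # Content-Disposition filename, else Content-Type name=
        if name:
            found.append((name, payload))
        elif part.get_content_maintype() == "text":
            # Old mailers pasted uuencoded files straight into the text body.
            for m in UU_BLOCK.finditer(payload):
                found.append((m.group("name").decode("ascii", "replace"),
                              decode_uu(m.group("body"))))
    return found


# Constructed sample message (not a real capture): a uuencoded file pasted
# inline in the text part, plus a base64 MIME part missing its "=" padding.
UU_LINE = binascii.b2a_uu(b"MZ\x90\x00stub")   # one uuencoded line of a fake EXE
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: your document\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=XYZ\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attached\r\n"
    b"begin 644 notes.exe\r\n"
    + UU_LINE.replace(b"\n", b"\r\n")
    + b"`\r\n"
    + b"end\r\n"
    + b"--XYZ\r\n"
    + b"Content-Type: application/octet-stream; name=invoice.zip\r\n"
    + b"Content-Transfer-Encoding: base64\r\n"
    + b"\r\n"
    + b"UEsDBGZha2U\r\n"        # b"PK\x03\x04fake" without its trailing "="
    + b"--XYZ--\r\n"
)

if __name__ == "__main__":
    for name, data in extract_attachments(SAMPLE):
        print(f"{name}: {len(data)} bytes, starts with {data[:4]!r}")
```

The point of doing this in the scanner rather than trusting the downstream virus scanner's parser is that both attachments above reach the scanner as raw bytes, whatever the sender did to the envelope.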
The software exists because the email parsing in most virus scanners is
very limited (usually only RFC-compliant MIME messages are handled) or
outright broken. Doing the parsing ourselves also makes it possible to spot
other signs of viruses and malware, such as MIME exploits and tricks that
never appear in legitimate email.
Starting with v0.7 it also does partial content checking. At present it can
list ZIP and RAR archives (checking the file names and sizes inside, even if
the archive is encrypted) and recognize EXE files (Win32 PE files are also
parsed for their DLL dependencies, which is enough to detect most internet
worms without using any virus scanner).
Some heuristic checks are used to distinguish normal email from malware, so
there are intermediate states between 'clean' and 'virus infected':
'suspicious' (may be a virus, not certain) and 'blocked' (the content is
unlikely to be legitimate mail, for example a PIF/BAT/CMD file with EXE
content, a small Win32 executable using internet-related DLLs, or a file
name longer than 120 characters). Emails identified as 'suspicious' should
still be delivered to the recipient(s), but with the attachments renamed or,
at the least, the subject changed to flag the potential infection.
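An added example, not pymavis's own code, that covers both the Win32 PE handling from the v0.7 paragraph and the clean/suspicious/blocked rules above: it walks a PE image's import table to recover the DLL dependencies, then applies the heuristics to a (filename, content) pair. The "internet-related" DLL list, the 64 KiB "small" threshold and the rule that any other executable is merely 'suspicious' are this example's assumptions; the sample PE is a synthetic minimal image the block builds itself (headers plus one section holding only an import table, not loadable).

```python
import struct

# Assumptions for this example (not pymavis's own lists or thresholds):
INTERNET_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll", "mapi32.dll"}
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
SCRIPT_EXTS = {"pif", "bat", "cmd"}
SMALL_EXE = 64 * 1024        # below this a network-capable binary is worm-sized
MAX_NAME = 120               # file-name length limit from the description


def pe_imports(data: bytes):
    """DLL names a Win32 PE imports (lower-cased); [] if it imports nothing;
    None if the data is not a PE image. Tolerates a truncated image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None                                         # plain DOS MZ, not PE
    dlls = []
    try:
        nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ data dirs
        imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # DataDirectory[1] = imports
        sections = []
        for i in range(nsec):
            vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
            sections.append((vaddr, max(vsize, rsize), raw))

        def rva2off(rva):                                      # map RVA to file offset
            for vaddr, size, raw in sections:
                if vaddr <= rva < vaddr + size:
                    return raw + (rva - vaddr)
            return None

        desc = rva2off(imp_rva) if imp_rva else None
        while desc is not None:
            name_rva = struct.unpack_from("<I", data, desc + 12)[0]   # IMAGE_IMPORT_DESCRIPTOR.Name
            off = rva2off(name_rva) if name_rva else None
            if off is None or off >= len(data):
                break                                  # null terminator, bad RVA or truncated
            end = data.find(b"\0", off)
            dlls.append(data[off:end if end >= 0 else len(data)].decode("ascii", "replace").lower())
            desc += 20
    except struct.error:
        pass                                           # truncated image: report what was read
    return dlls


def build_sample_pe(dlls):
    """Constructed minimal PE32 importing the given DLLs; only for pe_imports()."""
    sect_rva, sect_raw = 0x1000, 0x200
    names, descs = b"", b""
    name_base = 20 * (len(dlls) + 1)                   # strings follow the descriptor array
    for dll in dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, sect_rva + name_base + len(names), 0)
        names += dll.encode("ascii") + b"\0"
    body = descs + b"\0" * 20 + names                  # null descriptor ends the list
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # DOS header, e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    data_dirs = [(0, 0)] * 16
    data_dirs[1] = (sect_rva, len(descs) + 20)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in data_dirs)
    sect = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sect_rva, len(body), sect_raw, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (sect_raw - len(hdr)) + body


def classify(filename: str, content: bytes) -> str:
    """'clean', 'suspicious' or 'blocked' per the heuristics described above."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    exe_content = content[:2] == b"MZ"
    dlls = pe_imports(content)
    if len(filename) > MAX_NAME:
        return "blocked"        # absurdly long name, usually hiding the real extension
    if ext in SCRIPT_EXTS and exe_content:
        return "blocked"        # PIF/BAT/CMD extension but executable content
    if dlls is not None and len(content) < SMALL_EXE and INTERNET_DLLS & set(dlls):
        return "blocked"        # small Win32 binary that talks to the network: worm-like
    if exe_content or ext in EXEC_EXTS:
        return "suspicious"     # executable, but nothing proves it is malware
    return "clean"


if __name__ == "__main__":
    worm = build_sample_pe(["kernel32.dll", "WSOCK32.dll"])
    print(pe_imports(worm), classify("update.exe", worm))
```

The rules are deliberately ordered from cheapest and most certain to most heuristic, and the PE walk never loads or executes anything: a mail gateway can afford a few hundred struct reads per attachment, but not a sandbox.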
ADDITIONAL INFORMATION
The information has been provided by <mailto:arpi@mplayerhq.hu> A'rpi.
The tool can be downloaded from: <http://www.mplayerhq.hu/~arpi/pymavis/>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.