Full Disclosure mailing list archives

Re: f-prot not catching mimail ?


From: psz () maths usyd edu au (Paul Szabo)
Date: Tue, 5 Aug 2003 14:29:54 +1000 (EST)

Nick FitzGerald <nick () virus-l demon co uk> wrote:

> > I cannot see anything "special" in the MIME structure of Mimail that would
> > cause f-prot to miss the ZIP attachment (or maybe it is the structure of
> > the ZIP that f-prot cannot unpack?).
>
> I was told it's the encoding scheme in the .html file that's the problem.
> Currently the scanner does not support that type of encoding.

> > It seems to me that the HTML contains the binary EXE without any encoding:
> >
> > $ cat -v message.html | fold | head -5
> > MIME-Version: 1.0
> > Content-Location:File://foo.exe
>
> What's that then?
> Moon dust????

Yes :-)
Does not f-prot understand MIME? (Maybe it does MIME but not within MHTML,
that is not without some other headers?)

> > Regardless, f-prot should list the ZIP attachment, and the files contained
> > within the ZIP ...
>
> I'm not sure I understand the comment or its relevance.  If F-PROT is
> not listing the ZIP file nor the HTML file it contains, that may be the
> result of some configuration option.  By default, F-PROT only lists
> "infected" files ...

But ... I did use the -LIST option, and normally (for innocent ZIP
archives) I get the files listed, see below (and in my earlier post).

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

# In the example below, mimail is a copy of that virus; caraoke is a trojan
# that I trapped a week before mimail started, and has essentially the same
# structure; silly is an innocent(?) message.

$ f-prot silly virus/caraoke virus/mimail
Do: ~/nb/m/f-prot/f-prot/f-prot silly virus/caraoke virus/mimail -ai -archive -packed -list
Virus scanning report  -  5 August 2003 @ 14:25

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: silly virus/caraoke virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/silly->qs.zip->ip.gif
/usr/users/amstaff/psz/silly->qs.zip->qs.chm
/usr/users/amstaff/psz/virus/caraoke->readme.zip->readme.htm  is a security risk or a "backdoor" program
/usr/users/amstaff/psz/virus/caraoke
/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 6
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
$
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
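The structure discussed in this thread (a ZIP attachment whose .htm entry is really an MHTML wrapper with an unencoded EXE body under a Content-Location header) is exactly what an archive-aware scanner's listing pass has to walk to see the executable. The following is an added example, not f-prot's code and not anything posted in the thread: it builds a constructed sample message of that shape (the embedded body is a stub carrying only the "MZ" magic, not a program), lists every reachable object in the same message->archive->entry style as the -LIST output above, and flags the part that carries executable content. The function names, the sample addresses and the extension list are assumptions made for the example.

```python
"""Recursively list the objects inside a mail message (message -> ZIP entry ->
MHTML part) the way an archive-aware scanner's -list pass would, and flag any
object that carries a raw Win32 executable or an executable Content-Location.
Added example for this thread; not f-prot's code and not from the original post."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed constants for the example: the DOS/PE 'MZ' magic and a short list of
# extensions Windows executes directly.
MZ_MAGIC = b"MZ"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def build_sample_message() -> bytes:
    """Constructed sample (not a real mail): an outer message carrying a ZIP
    whose single entry, readme.htm, is an MHTML file that embeds an EXE body
    with no transfer encoding under 'Content-Location:File://foo.exe', the
    layout described in the thread. The body is a stub with only the MZ magic."""
    mhtml = (
        b"MIME-Version: 1.0\r\n"
        b"Content-Location:File://foo.exe\r\n"
        b"\r\n"
        + MZ_MAGIC + b"\x90\x00\x03\x00" + b"stub, not a real PE image\r\n"
    )
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.htm", mhtml)
    outer = EmailMessage()
    outer["From"] = "sender@example.invalid"      # constructed address
    outer["To"] = "recipient@example.invalid"     # constructed address
    outer["Subject"] = "your account"
    outer.set_content("please see the attached file")
    outer.add_attachment(zbuf.getvalue(), maintype="application",
                         subtype="zip", filename="readme.zip")
    return outer.as_bytes()


def looks_like_mime(blob: bytes) -> bool:
    """Cheap test for an MHTML/MIME blob: a MIME-Version header at the start or
    a Content-Location header within the first few hundred bytes."""
    head = blob[:512].lower()
    return head.startswith(b"mime-version:") or b"\ncontent-location:" in head


def is_executable(name: str, data: bytes) -> bool:
    """Flag by content (MZ magic) or by an executable name/Content-Location."""
    return data.startswith(MZ_MAGIC) or name.lower().endswith(EXEC_EXTENSIONS)


def _inspect(path: str, name: str, blob: bytes, findings: list) -> None:
    """Record one object, then descend into it if it is a ZIP or a MIME blob."""
    entry = f"{path}->{name}"
    findings.append((entry, is_executable(name, blob)))
    if blob.startswith(b"PK\x03\x04"):            # ZIP local file header
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                _inspect(entry, info.filename, zf.read(info), findings)
    elif looks_like_mime(blob):
        # compat32 parser: an 8-bit body with no Content-Transfer-Encoding is
        # returned byte-for-byte by get_payload(decode=True).
        inner = email.message_from_bytes(blob)
        for part in inner.walk():
            if part.is_multipart():
                continue
            loc = part.get("Content-Location") or part.get_filename() or "(unnamed part)"
            body = part.get_payload(decode=True) or b""
            findings.append((f"{entry}->{loc}", is_executable(loc, body)))


def list_objects(raw_mail: bytes, label: str = "message") -> list:
    """Return [(path, flagged), ...] for every object reachable from the mail."""
    findings = []
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        _inspect(label, name, part.get_payload(decode=True) or b"", findings)
    return findings


def flagged_paths(raw_mail: bytes) -> list:
    """Only the objects a scanner should report as suspicious."""
    return [p for p, bad in list_objects(raw_mail) if bad]


if __name__ == "__main__":
    sample = build_sample_message()
    for path, bad in list_objects(sample):
        print(path + ("  <-- executable content" if bad else ""))
```

Run stand-alone, it prints four lines: the text part, readme.zip, readme.zip->readme.htm, and readme.zip->readme.htm->File://foo.exe, with only the last one flagged. The point of descending into the .htm entry is the one Paul raises: a file whose name says HTML but whose content is a MIME wrapper must itself be parsed, or the unencoded EXE behind the Content-Location header is never examined.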