Full Disclosure mailing list archives
Re: f-prot not catching mimail ?
From: psz () maths usyd edu au (Paul Szabo)
Date: Tue, 5 Aug 2003 14:29:54 +1000 (EST)
Nick FitzGerald <nick () virus-l demon co uk> wrote:
> > > > I cannot see anything "special" in the MIME structure of Mimail that
> > > > would cause f-prot to miss the ZIP attachment (or maybe it is the
> > > > structure of the ZIP that f-prot cannot unpack?).
> > >
> > > I was told it's the encoding scheme in the .html file that's the
> > > problem. Currently the scanner does not support that type of encoding.
> >
> > It seems to me that the HTML contains the binary EXE without any
> > encoding:
> >
> >   $ cat -v message.html | fold | head -5
> >   MIME-Version: 1.0
> >   Content-Location:File://foo.exe
>
> What's that then? Moon dust????

Yes :-) Does not f-prot understand MIME? (Maybe it does MIME but not
within MHTML, that is not without some other headers?)

> > Regardless, f-prot should list the ZIP attachment, and the files
> > contained within the ZIP ...
>
> I'm not sure I understand the comment or its relevance. If F-PROT is
> not listing the ZIP file nor the HTML file it contains, that may be the
> result of some configuration option. By default, F-PROT only lists
> "infected" files ...

But ... I did use the -LIST option, and normally (for innocent ZIP
archives) I get the files listed, see below (and in my earlier post).

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia

---

# In the example below, mimail is a copy of that virus; caraoke is a trojan
# that I trapped a week before mimail started, and has essentially the same
# structure; silly is an innocent(?) message.

$ f-prot silly virus/caraoke virus/mimail
Do: ~/nb/m/f-prot/f-prot/f-prot silly virus/caraoke virus/mimail -ai -archive -packed -list
Virus scanning report  -  5 August 2003 @ 14:25

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: silly virus/caraoke virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/silly->qs.zip->ip.gif
/usr/users/amstaff/psz/silly->qs.zip->qs.chm
/usr/users/amstaff/psz/virus/caraoke->readme.zip->readme.htm  is a security risk or a "backdoor" program
/usr/users/amstaff/psz/virus/caraoke
/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 6
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
$

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
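The point of the thread is that a scanner's -LIST style report should enumerate every nested object: the ZIP attachment, the .html (really MHTML) file inside it, and each MIME part inside that, including a part whose Content-Location names an executable and whose body carries no transfer encoding at all. The following is an added example, not code from the list post and not F-PROT's own logic: it constructs such a ZIP -> MHTML -> parts container in memory (the file names, the boundary string and the "MZ" stub payload are all made up here) and walks it with Python's standard email and zipfile modules, flagging any part whose decoded body starts with an executable header.

```python
"""Enumerate objects nested in a mail attachment: ZIP -> MHTML -> MIME parts.

Added example (not from the list thread and not F-PROT code). It shows the
container walk a scanner needs so that a -LIST style report names the ZIP,
the MHTML file inside it, and every MIME part inside that, even a part whose
body is an unencoded executable under a Content-Location like File://foo.exe.
All sample data below is constructed inline.
"""
import email
import io
import zipfile

EXEC_MAGIC = b"MZ"  # DOS/PE executable header


def build_sample_mhtml() -> bytes:
    """Construct an MHTML file: one HTML part plus one unencoded (binary) part
    that looks like an executable. Names and boundary are hypothetical."""
    boundary = b"----=_NextPart_000_0000"
    # Stub payload: an MZ header followed by filler bytes, not a real program.
    fake_exe = EXEC_MAGIC + b"\x90\x00" * 16
    return b"".join([
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: multipart/related; boundary=\"" + boundary + b"\"\r\n\r\n",
        b"--" + boundary + b"\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Location: file:///index.html\r\n\r\n"
        b"<html><body>constructed sample</body></html>\r\n",
        # No Content-Transfer-Encoding header: the binary is embedded raw.
        b"--" + boundary + b"\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Location: File://foo.exe\r\n\r\n"
        + fake_exe + b"\r\n",
        b"--" + boundary + b"--\r\n",
    ])


def build_sample_zip(member_name: str = "message.html") -> bytes:
    """Wrap the constructed MHTML in a ZIP archive, as the attachment would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, build_sample_mhtml())
    return buf.getvalue()


def list_objects(zip_bytes: bytes, zip_name: str = "message.zip") -> list:
    """Return -LIST style paths (container->member->part) for everything found.

    Members that start with a MIME-Version header are parsed as MHTML and each
    non-multipart part is listed with its Content-Location and content type;
    a part whose decoded body starts with an MZ header is annotated.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            member_path = f"{zip_name}->{member}"
            found.append(member_path)
            data = zf.read(member)
            if not data.lstrip().lower().startswith(b"mime-version:"):
                continue  # not MHTML; a real scanner would try other formats here
            msg = email.message_from_bytes(data)
            for part in msg.walk():
                if part.is_multipart():
                    continue
                loc = part.get("Content-Location", "(no Content-Location)")
                # decode=True handles base64/QP and passes 8bit/binary bodies
                # through unchanged, so an unencoded EXE is still inspected.
                payload = part.get_payload(decode=True) or b""
                note = ""
                if payload.startswith(EXEC_MAGIC):
                    note = "  contains an executable header"
                found.append(f"{member_path}->{loc} [{part.get_content_type()}]{note}")
    return found


if __name__ == "__main__":
    for line in list_objects(build_sample_zip()):
        print(line)
```

Run stand-alone it prints three lines: the ZIP member, the index.html part, and the File://foo.exe part annotated as carrying an executable header. The same walk applied to the thread's silly/caraoke/mimail samples is what a -LIST report is expected to show; a scanner that stops at the .html member without parsing it as MHTML never sees the third line.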
Current thread:
- f-prot not catching mimail ? Mike Tancsa (Aug 02)
- RE: f-prot not catching mimail ? Curt Purdy (Aug 03)
- Re: f-prot not catching mimail ? dizzy (Aug 13)
- <Possible follow-ups>
- Re: f-prot not catching mimail ? Paul Szabo (Aug 03)
- Re: f-prot not catching mimail ? Mike Tancsa (Aug 04)
- RE: f-prot not catching mimail ? Aditya (Aug 05)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Nick FitzGerald (Aug 04)
- Re: f-prot not catching mimail ? (now fixed) Mike Tancsa (Aug 05)
- Re: f-prot not catching mimail ? Nik Reiman (Aug 06)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 06)