Full Disclosure mailing list archives

RE: f-prot not catching mimail ?


From: "Aditya" <aditya () mail15 com>
Date: Mon, 4 Aug 2003 17:01:08 +0530

hi all,

F-Prot is catching the virus all right, but only the exe file; then the virus signatures are only for the exe file and
not for the zip or the htm - the only logical conclusion I could come to.

If you have F-Prot on your desktop then you will catch the virus just before executing, and on the mail server just add
this address to the blocked senders list -

- hope that helped 

Aditya 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Paul Szabo
Sent: Monday, August 04, 2003 3:07 AM
To: full-disclosure () lists netsys com; mike () sentex net
Subject: Re: [Full-disclosure] f-prot not catching mimail ?


Mike Tancsa <mike () sentex net> wrote:

I have a few copies of the mimail virus from yesterday that f-prot even
with its latest updates does not catch.  Both the Windows and FreeBSD version
fail to identify the two main variants I have got sent my way.

I found the same lack of detection, on Linux.

Normally I save the suspect email message as a "UNIX mbox" file and feed
that to f-prot; it then finds the attached ZIP within, and the files
contained within the ZIP. However with Mimail, it does not detect the ZIP
within the message. If I unpack the ZIP from the message, then the HTM from
the ZIP, and finally the EXE from the HTM, then f-prot seems to skip all
those except for the EXE, which it detects correctly.

I cannot see anything "special" in the MIME structure of Mimail that would
cause f-prot to miss the ZIP attachment (or maybe it is the structure of
the ZIP that f-prot cannot unpack?).

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report  -  4 August 2003 @ 7:26

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
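The layer-by-layer unpacking Paul describes (mbox message, then the ZIP, then the HTM, then the EXE), as an added Python example that is not part of this thread: it peels each container so every level can be handed to a scanner on its own, using a constructed harmless stub in place of Mimail. The thread does not say how the EXE sits inside the HTM, so carving from the first "MZ" header followed by a "PE\0\0" marker is an assumption.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the executable: an "MZ" stub with a "PE\0\0" marker.
# It is not a program and not Mimail; it only lets the layers be exercised.
FAKE_EXE = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"\x00" * 16

def build_sample():
    """Wrap FAKE_EXE in an HTM page, inside a ZIP, inside a MIME message."""
    htm = b"<html><body>constructed sample</body></html>" + FAKE_EXE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("message.htm", htm)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()

def unwrap(data, path="message", found=None):
    """Peel MIME, ZIP and HTM layers; return [(path, kind, bytes)] of executables."""
    found = [] if found is None else found
    if re.match(rb"(From |[!-9;-~]+: )", data):      # mbox / RFC 822 headers
        msg = email.message_from_bytes(data, policy=policy.default)
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            payload = part.get_payload(decode=True)
            if payload:
                name = part.get_filename() or part.get_content_type()
                unwrap(payload, f"{path}/{name}", found)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                unwrap(z.read(info), f"{path}/{info.filename}", found)
    elif data.startswith(b"MZ"):
        found.append((path, "exe", data))
    elif b"<html" in data[:4096].lower():
        # Assumption: the page carries a PE image inline; carve from the first
        # "MZ" that is followed by a "PE\0\0" marker (a crude heuristic).
        m = re.search(rb"MZ.{0,1024}?PE\x00\x00", data, re.S)
        if m:
            unwrap(data[m.start():], f"{path}/carved.exe", found)
    return found

if __name__ == "__main__":
    for p, kind, blob in unwrap(build_sample()):
        print(p, kind, len(blob))  # each layer can now be scanned on its own
```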



