Full Disclosure mailing list archives

Re: broken virus / worm email has attachment not found by grisoft proxy scanner


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 04 Aug 2004 01:30:28 +1200

Denis McMahon wrote:

I've had a couple of suspicious emails this week with headers, blank 
line, a line of text, mime headers.

And that is _all_ ???

If so, what are you worrying about?

If not, why didn't you describe all the sections in the message 
structure?

Thunderbird doesn't see the mime attachment due to the broken headers, 

_Which_ headers are broken?

Do you mean there is something "bad" (c.f. the relevant RFCs) in the 
Email headers, or in the MIME headers???

which is good, but nor does the grisoft email proxy scanner, which is 
bad, especially as I guess that certain broken applications (no I don't 
have outlook [express] on my system) might try and be smart and find the
attachment.

But your description of the structure of these messages above says 
nothing about any "attachments"...

This might be broken malware sending unusable stuff out, but my worry is
that someone may have found a technique that will sneak an attachment 
past some a-v scanners in a "broken" format that certain popular email 
apps will try and fix, possibly putting active malware on the hard disk.

Are these "attachments" in the ~1.5KB - 2KB size range?

If so, I'd say there is a reasonable chance they are the "IPs I've 
already hit" log-only (aka "corrupted") Mydoom.O messages.  These 
_should_ appear in any of the forms of message Mydoom.O can produce 
which includes attachment-only (blank message part) through various 
"clever" SE message forms to "binary gibberish" messages.  Further, the 
base64 encoded attachment can also be "normal" or "corrupted" (spaces, 
odd line-breaks inserted where they are not allowed by the spec -- 
Outlook and OE (and several other MUAs) happily ignore these "encoding 
errors" and "correctly" decode the intended attachment.

I tried to talk to grisoft about this, but all I get back is "you have 
to pay to talk to us cheapskate" ... whilst I can agree that they might 
not want to provide tech support to users of their free scanner, does 
anyone have an email address at grisoft for submitting suspicious items 
that have got past their proxy scanner?

Yes but you'll have to contact me off-list as I won't publish the 
details here.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
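The tolerant decoding FitzGerald describes above (Outlook, OE and other MUAs ignoring spaces and stray line breaks in a base64 body), as an added example; this is not code from the original post or from any product named in it. It builds a constructed two-part message with a harmless stand-in payload, corrupts the base64 body in the way the post describes, and shows that a decoder which accepts only canonical encoding gets nothing while a lenient decoder (one that drops every character outside the base64 alphabet, as RFC 2045 section 6.8 tells decoders to do) recovers the attachment intact. The scanner-side check follows from that: decode each part the way the mail client will, and flag any part where the strict and lenient results disagree. The message layout, the payload bytes, the corruption pattern and the function names are all constructed for the example.

```python
"""Strict vs. lenient base64 decoding of a MIME attachment (added example)."""
import base64
import binascii
import re
from email import message_from_bytes

# Constructed, harmless stand-in for an attachment body (not real malware).
PAYLOAD = b"demo attachment body; stands in for the worm's executable bytes!"

STRICT_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
NON_ALPHABET = re.compile(r"[^A-Za-z0-9+/=]")


def canonical_b64(data: bytes) -> str:
    """Encode as a conforming encoder would: 76-char lines, CRLF line ends."""
    b64 = base64.b64encode(data).decode("ascii")
    return "".join(b64[i:i + 76] + "\r\n" for i in range(0, len(b64), 76))


def corrupt_b64(text: str) -> str:
    """Constructed corruption modelled on the post: a space before every 9th
    character and a lone CR before every 31st, so no line stays canonical."""
    out = []
    for i, ch in enumerate(text):
        if i and i % 9 == 0:
            out.append(" ")
        if i and i % 31 == 0:
            out.append("\r")
        out.append(ch)
    return "".join(out)


def strict_decode(text: str):
    """Accept only canonical base64: CRLF/LF-terminated lines of at most 76
    alphabet characters, with '=' padding only in the final line.
    Returns the decoded bytes, or None if the body is not in that form."""
    lines = [ln[:-1] if ln.endswith("\r") else ln for ln in text.split("\n")]
    lines = [ln for ln in lines if ln]
    if not lines:
        return None
    for n, ln in enumerate(lines):
        if len(ln) > 76 or not STRICT_LINE.match(ln):
            return None
        if "=" in ln and n != len(lines) - 1:
            return None
    try:
        return base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return None


def lenient_decode(text: str):
    """Decode the way a tolerant MUA does (and as RFC 2045 6.8 permits):
    drop everything outside the base64 alphabet, then decode what is left."""
    try:
        return base64.b64decode(NON_ALPHABET.sub("", text), validate=True)
    except binascii.Error:
        return None


def build_message(b64_body: str) -> bytes:
    """Constructed two-part message carrying b64_body verbatim as an attachment.
    b64_body must end with a line break so the closing boundary starts a line."""
    b = "----=_demo_boundary"
    return (
        "From: sender@example.test\r\n"
        "To: victim@example.test\r\n"
        "Subject: demo\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{b}"\r\n'
        "\r\n"
        f"--{b}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attached\r\n"
        f"--{b}\r\n"
        'Content-Type: application/octet-stream; name="demo.bin"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="demo.bin"\r\n'
        "\r\n"
        f"{b64_body}"
        f"--{b}--\r\n"
    ).encode("ascii")


def extract_attachments(raw: bytes) -> list:
    """Decode every base64 part both ways and report where they disagree.
    'decoded' is the lenient result: the bytes a tolerant MUA would write to
    disk, and therefore the bytes a scanner must examine."""
    msg = message_from_bytes(raw)  # default compat32 policy keeps the raw body
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        body = part.get_payload(decode=False)
        strict, lenient = strict_decode(body), lenient_decode(body)
        findings.append({
            "filename": part.get_filename(),
            "strict_ok": strict is not None,
            "lenient_ok": lenient is not None,
            "suspicious": strict is None and lenient is not None,
            "decoded": lenient,
        })
    return findings


if __name__ == "__main__":
    corrupted = corrupt_b64(canonical_b64(PAYLOAD))
    for f in extract_attachments(build_message(corrupted)):
        print(f["filename"], "strict:", f["strict_ok"],
              "lenient:", f["lenient_ok"], "suspicious:", f["suspicious"])
```

A part that fails the strict check but decodes leniently is exactly the parser differential the post worries about; the scanner should hand the leniently decoded bytes to its engine and, in a gateway, treat the mismatch itself as a reason to quarantine rather than pass the message through.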