Full Disclosure mailing list archives
Re: broken virus / worm email has attachment not found by grisoft proxy scanner
From: "Andrew R. Reiter" <arr () watson org>
Date: Tue, 3 Aug 2004 10:56:09 -0400 (EDT)
I've seen binaries that resemble this situation lately as well. If you `strings` the binary, it has some strings that would lead you to believe it's a PE file, i.e. it contains UPX0 & UPX1 strings, which are commonly used as the section labels for PE files that are UPX packed. However, if you try to analyze the binary as a PE, even if you took the new executable offset found in the DOS header as being valid, the values one would read at the offset are bogus... just completely bogus. I haven't done any more investigation than this and apologize if this is old info.

On Tue, 3 Aug 2004, Denis McMahon wrote:

:Hmm
:
:I've had a couple of suspicious emails this week with headers, blank
:line, a line of text, mime headers.
:
:Thunderbird doesn't see the mime attachment due to the broken headers,
:which is good, but nor does the grisoft email proxy scanner, which is
:bad, especially as I guess that certain broken applications (no I don't
:have outlook [express] on my system) might try and be smart and find the
:attachment.
:
:This might be broken malware sending unusable stuff out, but my worry is
:that someone may have found a technique that will sneak an attachment
:past some a-v scanners in a "broken" format that certain popular email
:apps will try and fix, possibly putting active malware on the hard disk.
:
:I tried to talk to grisoft about this, but all I get back is "you have
:to pay to talk to us cheapskate" ... whilst I can agree that they might
:not want to provide tech support to users of their free scanner, does
:anyone have an email address at grisoft for submitting suspicious items
:that have got past their proxy scanner?
:
:Denis
:
:_______________________________________________
:Full-Disclosure - We believe in it.
:Charter: http://lists.netsys.com/full-disclosure-charter.html
:
:

--
Andrew R. Reiter
arr () watson org
arr () FreeBSD org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
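The check Andrew describes above, walking from the DOS header's e_lfanew to the PE signature and section table and comparing that with what `strings` suggests, written out as an added example. This is not code from the thread or from any of the posters; the sample files it parses are constructed inline (a minimal, synthetic PE with no optional header, and an MZ stub whose NT-header location holds junk but which still carries UPX0/UPX1 strings), and the verdict labels are this example's own.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96              # loader limit; anything above is bogus


def check_pe(data: bytes) -> dict:
    """Report what a PE parser actually finds in `data`, next to what a
    naive `strings` look would suggest (UPX0/UPX1 present or not).

    Verdicts (this example's own labels):
      not-pe, bogus-e_lfanew, bogus-pe-signature, bogus-section-table, pe
    """
    result = {
        "mz": False,
        "e_lfanew": None,
        "pe_signature": False,
        "sections": [],
        "upx_strings": b"UPX0" in data and b"UPX1" in data,
        "verdict": "not-pe",
    }
    if len(data) < 64 or data[:2] != IMAGE_DOS_SIGNATURE:
        return result
    result["mz"] = True

    # e_lfanew lives at offset 0x3C of the DOS header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew

    # The NT headers (4-byte signature + 20-byte COFF header) must fit in the file
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) > len(data):
        result["verdict"] = "bogus-e_lfanew"
        return result
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        result["verdict"] = "bogus-pe-signature"
        return result
    result["pe_signature"] = True

    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)

    # Section table follows the optional header; bounds-check before reading it
    sect_off = e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_size
    if (nsections == 0 or nsections > MAX_SECTIONS
            or sect_off + SECTION_HEADER_SIZE * nsections > len(data)):
        result["verdict"] = "bogus-section-table"
        return result

    for i in range(nsections):
        off = sect_off + SECTION_HEADER_SIZE * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        result["sections"].append(name)
    result["verdict"] = "pe"
    return result


def build_sample(good: bool) -> bytes:
    """Constructed test input (not a real binary).

    good=True : MZ stub, e_lfanew -> valid PE signature, COFF header with two
                sections named UPX0/UPX1 and an empty optional header.
    good=False: MZ stub, e_lfanew -> 0xFF junk, but UPX0/UPX1 strings appear
                later in the file, so `strings` alone would call it UPX-packed.
    """
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew = 0x40
    if good:
        coff = struct.pack(COFF_HEADER_FMT, 0x14C, 2, 0, 0, 0, 0, 0x102)
        sections = b"".join(
            name.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
            for name in (b"UPX0", b"UPX1")
        )
        return bytes(dos) + IMAGE_NT_SIGNATURE + coff + sections
    return bytes(dos) + b"\xff" * 32 + b"UPX0\0UPX1\0" + b"\0" * 16


if __name__ == "__main__":
    for label, blob in (("good", build_sample(True)), ("bogus", build_sample(False))):
        print(label, check_pe(blob))
```

The point of keeping `upx_strings` separate from the parsed `sections` list is that the two disagree on exactly the kind of file described above: the packer strings are present, the DOS header looks plausible, but nothing a real PE loader would trust sits at e_lfanew. A scanner that keys on section names pulled out by `strings` would classify the first and second sample the same way; one that walks the headers would not.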
Current thread:
- broken virus / worm email has attachment not found by grisoft proxy scanner Denis McMahon (Aug 03)
- Re: broken virus / worm email has attachment not found by grisoft proxy scanner Nick FitzGerald (Aug 03)
- Re: broken virus / worm email has attachment not found by grisoft proxy scanner Andrew R. Reiter (Aug 03)
- Re: broken virus / worm email has attachment not found by grisoft proxy scanner Justin Lundy (Aug 03)
- RE: broken virus / worm email has attachment not found by grisoft proxy scanner Todd Towles (Aug 03)