Full Disclosure mailing list archives

Re: f-prot not catching mimail ? (now fixed)

From: Mike Tancsa <mike () sentex net>
Date: Tue, 05 Aug 2003 13:56:38 -0400

This is now fixed with an updated engine. I verified both with my WindowsDesktop version as well with my FreeBSD version. This gets both versions ofthe virus I have found.


avscan1# f-prot *.zip
Virus scanning report  -  5 August 2003 @ 13:50

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003

Search: message1.zip message4.zip new.zip
Action: Report only
Files: Attempt to identify files
Switches: <none>

/tmp/tmp2/message1.zip->message.html  Infection: W32/Mimail.A@mm
/tmp/tmp2/message4.zip->message.html  Infection: W32/Mimail.A@mm
/tmp/tmp2/new.zip->message1.zip  Not scanned (encrypted)
/tmp/tmp2/new.zip->message4.zip  Not scanned (encrypted)

Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 4
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00


At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:

>>I cannot see anything "special" in the MIME structure of Mimail that would
>>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
>>the ZIP that f-prot cannot unpack?).
>
> I was told its the encoding scheme in the .html file thats the problem.
> Currently the scanner does not support that type of encoding.

It seems to me that the HTML contains the binary EXE without any encoding:

$ cat -v message.html | fold | head -5
MIME-Version: 1.0
Content-Location:File://foo.exe
Content-Transfer-Encoding: binary

MZM-^P^@^C^@^@^@^D^@^@^@M-^?M-^?^@^@M-8^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@

Regardless, f-prot should list the ZIP attachment, and the files contained
within the ZIP ...

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

f-prot not catching mimail ? Mike Tancsa (Aug 02)
- RE: f-prot not catching mimail ? Curt Purdy (Aug 03)
- Re: f-prot not catching mimail ? dizzy (Aug 13)
- <Possible follow-ups>
- Re: f-prot not catching mimail ? Paul Szabo (Aug 03)
  - Re: f-prot not catching mimail ? Mike Tancsa (Aug 04)
  - RE: f-prot not catching mimail ? Aditya (Aug 05)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
  - Re: f-prot not catching mimail ? Nick FitzGerald (Aug 04)
  - Re: f-prot not catching mimail ? (now fixed) Mike Tancsa (Aug 05)
  - Re: f-prot not catching mimail ? Nik Reiman (Aug 06)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 04)
- Re: f-prot not catching mimail ? Paul Szabo (Aug 06)