RE: [Full-Disclosure] f-prot not catching mimail ?
- To: <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] f-prot not catching mimail ?
- From: "Aditya" <aditya@mail15.com>
- Date: Mon, 4 Aug 2003 17:01:08 +0530
Hi all,
f-prot is catching the virus all right, but only the exe file, so the virus signatures are only for the exe file and not for the zip or the htm - the only logical conclusion I could come to.
If you have f-prot on your desktop then you will catch the virus just before executing it, and on the mail server just add this address to the blocked senders list -
- hope that helped
Aditya
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Paul Szabo
Sent: Monday, August 04, 2003 3:07 AM
To: full-disclosure@lists.netsys.com; mike@sentex.net
Subject: Re: [Full-Disclosure] f-prot not catching mimail ?
Mike Tancsa <mike@sentex.net> wrote:
> I have a few copies of the mimail virus from yesterday that f-prot even
> with its latest updates do not catch. Both the Windows and FreeBSD version
> fail to identify the two main variants I have got sent my way.
I found the same lack of detection, on Linux.
Normally I save the suspect email message as a "UNIX mbox" file and feed
that to f-prot; it then finds the attached ZIP within, and the files
contained within the ZIP. However with Mimail, it does not detect the ZIP
within the message. If I unpack the ZIP from the message, then the HTM from
the ZIP, and finally the EXE from the HTM, then f-prot seems to skip all
those except for the EXE, which it detects correctly.
I cannot see anything "special" in the MIME structure of Mimail that would
cause f-prot to miss the ZIP attachment (or maybe it is the structure of
the ZIP that f-prot cannot unpack?).
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
---
$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report - 4 August 2003 @ 7:26
F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3
VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003
Search: virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI
/usr/users/amstaff/psz/virus/mimail
Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:00
No viruses or suspicious files/boot sectors were found.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
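The thread above describes a detection that only fires on the innermost object (mbox > ZIP > HTM > EXE) once each layer has been unpacked by hand. The following is an added example, not the poster's tooling and not F-Prot's engine: a small recursive unpacker that scans every layer of a mail message (MIME parts, ZIP members, base64 blobs embedded in HTML source) with the same per-file check, so a signature that only knows the executable still fires when the whole message is scanned. The message, the ZIP, the HTML and the `MARKER` "executable" are constructed for illustration and are not the Mimail sample; the file names `payload.zip` and `page.htm` are likewise made up.

```python
"""Recursive unpacking of a mail message, scanning every layer.

Added example for the thread above; not the original poster's tooling and not
F-Prot's engine.  The message, the ZIP, the HTML and the "executable" marker
below are constructed for illustration and are not the Mimail sample.
"""
import base64
import binascii
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a signature that only knows the innermost .exe.
MARKER = b"MZ\x90\x00CONSTRUCTED-TEST-PAYLOAD"

# First line of an RFC 2822 header block or a Unix mbox "From " envelope line.
HEADER_LINE = re.compile(rb"\A(?:From |[\x21-\x39\x3b-\x7e]+:)")
# Base64 runs of 64+ characters: long enough to be an embedded file, not markup.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){16,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
MAX_MEMBER = 10 * 1024 * 1024  # refuse to inflate oversized archive members


def looks_like_exe(data: bytes) -> bool:
    """Per-file 'signature': matches only the unpacked executable itself."""
    return MARKER in data


def _kind(data: bytes) -> str:
    """Cheap container sniffing by magic bytes / first line."""
    head = data.lstrip()[:16].lower()
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith((b"<html", b"<!doctype")):
        return "html"
    if HEADER_LINE.match(data):
        return "mail"
    return "other"


def _b64_blobs(html: bytes):
    """Decode every long base64 run found in HTML source."""
    for m in B64_RUN.finditer(html):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue


def walk(data: bytes, path: str, scan, depth: int = 0, max_depth: int = 8) -> list:
    """Scan `data`, then unpack it and scan each child; returns the paths that hit.

    max_depth=0 reproduces a scanner that looks at the outer container only.
    """
    hits = [path] if scan(data) else []
    if depth >= max_depth:  # cap recursion: nested archives can go on forever
        return hits
    kind = _kind(data)
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        continue
                    hits += walk(zf.read(info), f"{path} > {info.filename}", scan, depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass
    elif kind == "html":
        for i, blob in enumerate(_b64_blobs(data)):
            hits += walk(blob, f"{path} > base64#{i}", scan, depth + 1, max_depth)
    elif kind == "mail":
        msg = BytesParser(policy=policy.default).parsebytes(data)
        for part in msg.walk():
            if part.is_multipart():
                continue
            name = part.get_filename() or part.get_content_type()
            payload = part.get_payload(decode=True) or b""
            hits += walk(payload, f"{path} > {name}", scan, depth + 1, max_depth)
    return hits


def build_sample_mbox() -> bytes:
    """Constructed three-layer sample: mbox > zip > htm > base64 'exe'."""
    fake_exe = MARKER + b"\x00" * 64
    html = b"<html><body>see attachment\n<!-- " + base64.b64encode(fake_exe) + b" -->\n</body></html>\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("page.htm", html)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="payload.zip")
    return b"From sender@example.invalid Mon Aug  4 07:26:00 2003\n" + msg.as_bytes()


def scan_sample():
    """Returns (hits with container-only scan, hits with recursive unpacking)."""
    mbox = build_sample_mbox()
    container_only = walk(mbox, "sample.mbox", looks_like_exe, max_depth=0)
    recursive = walk(mbox, "sample.mbox", looks_like_exe)
    return container_only, recursive


if __name__ == "__main__":
    flat, deep = scan_sample()
    print("container only:", flat)
    print("recursive     :", deep)
```

Run stand-alone, the container-only pass reports nothing (the executable is base64 inside a deflated ZIP inside a base64 MIME part, so its bytes never appear in the raw mbox), while the recursive pass reports the one object three layers down. The depth cap and member-size limit are there because the same recursion, without them, is what an archive bomb targets.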