Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
> Well, an attachment, a 0-day virus.
>
> How do we block an exe inside a .doc?
>
> Maybe hackers/spammers have found a way around Anti-Virus software, or
> at least, attachment blocking.
>
> Spam came in, with a 'proforma invoice' attached.
> (if you want to see it, http://www.secnap.com/downloads/proforma.eml)
>
> Click on the proforma invoice.doc, ALMOST open it. (or run strings on it)
>
> See a self-executable zip file (.exe)
>
> Proforma_Invoice.exe
> C:\PROFOR~1.EXE
> C:\PROFOR~1.EXE
>
> 'file Proforma_Invoice.doc' shows:
> Proforma_Invoice.doc: Microsoft Office Document
>
> file -i Proforma_Invoice.doc shows:
> application/msword
>
> Clamav and CA didn't see it as a virus.
> (Two hours later, after submitting to [EMAIL PROTECTED] and clamav, clam
> finds it:
> clamdscan Proforma_Invoice.doc
> /tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND

Thanks for reporting this one, Michael; malware distributors are getting more creative all the time.

Just as an FYI, since I am using the recent "$bypass_decode_parts = 1" feature that disables all decoding by amavisd-new and instead passes the raw messages to the virus scanner(s) and relies on the decoding supported by the virus scanner itself: in this case I run both clamd and f-prot, and both were able to detect the trojan inside the .doc file, without any decoding on the part of amavisd-new:
F-Prot: /var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe is a security risk named W32/Dropper.ESR
ClamD: /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND

Thanks again, Mark, for adding the ability to bypass all decoding in amavisd-new; it seems to be working fine for me thus far.

Bill

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
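The thread's point is that `file` and the MIME type say "Word document" while `strings` shows an `.exe` and an 8.3 path (`C:\PROFOR~1.EXE`) sitting inside it, the kind of residue an OLE "Packager" object leaves behind. The scanner below is an added example, not code from amavisd-new, ClamAV or F-Prot, and not a replacement for either: it applies the same two heuristics Michael used by hand, a search for embedded PE images (an `MZ` header whose `e_lfanew` really points at `PE\0\0`) and a search for ASCII strings ending in `.EXE`. The sample blob it runs on is constructed inline to mimic the reported attachment (OLE magic, the two filenames, a decoy `MZ` inside ordinary text, and a minimal PE stub); the real `Proforma_Invoice.doc` is not reproduced here. It will not see a payload that is compressed or otherwise encoded inside the document, which is exactly why the decoding built into the AV engine still matters.

```python
"""Heuristic check for executables embedded in a document blob.

Added example for the amavis-user thread above; not amavisd-new, ClamAV
or F-Prot code.  Mirrors what `strings` revealed on the reported .doc.
"""
import re
import struct

# Compound File Binary (OLE2) header magic used by classic .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# ASCII string that ends in .EXE (case-insensitive), as `strings` would print it.
# Character class covers ordinary filename characters, 8.3 tildes and drive paths.
EXE_NAME_RE = re.compile(rb"[A-Za-z0-9_~!#$%&'()\-@^{}.\\:]{1,260}\.EXE", re.IGNORECASE)


def is_ole(data: bytes) -> bool:
    """True if the blob claims to be an OLE2 compound file (what `file` keys on)."""
    return data.startswith(OLE_MAGIC)


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' whose DOS header points (via e_lfanew) at 'PE\\0\\0'.

    A bare 'MZ' in text is not enough; requiring a valid PE signature behind it
    filters out the false positives a plain byte search would raise.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                    # full 64-byte DOS header present
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_exe_names(data: bytes) -> list:
    """Distinct ASCII strings ending in .EXE, sorted, e.g. 'C:\\PROFOR~1.EXE'."""
    return sorted({m.group(0).decode("ascii") for m in EXE_NAME_RE.finditer(data)})


def verdict(data: bytes) -> dict:
    """Combine the checks into one result a mail filter could act on."""
    pe_offsets = find_embedded_pe(data)
    exe_names = find_exe_names(data)
    return {
        "is_ole": is_ole(data),
        "pe_offsets": pe_offsets,
        "exe_names": exe_names,
        "suspicious": bool(pe_offsets or exe_names),
    }


def build_sample() -> bytes:
    """Constructed stand-in for the reported attachment (not the real file).

    Layout: OLE header, filler, the two filenames seen via `strings`, a decoy
    'MZ' inside prose (must NOT count as a PE), then a minimal PE stub at 1024.
    """
    blob = bytearray(OLE_MAGIC)
    blob += b"\x00" * (512 - len(blob))
    blob += b"Proforma_Invoice.exe\x00C:\\PROFOR~1.EXE\x00C:\\PROFOR~1.EXE\x00"
    blob += b"MZ decoy text inside a string, not a header"
    blob += b"\x00" * (1024 - len(blob))
    dos_header = bytearray(b"MZ" + b"\x00" * 62)      # 64-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x80)    # e_lfanew -> 0x80 past 'MZ'
    blob += dos_header
    blob += b"\x00" * (0x80 - len(dos_header))        # DOS stub padding
    blob += b"PE\x00\x00" + b"\x00" * 20              # PE signature + COFF placeholder
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    print(verdict(sample))
```

Run it on a real attachment with `verdict(open(path, "rb").read())`. Treat a hit as a reason to quarantine or to hand the message to a scanner that unpacks OLE streams, not as a classification on its own: Word documents can legitimately contain packaged objects, and a dropper that stores its payload compressed or XOR-ed will pass both checks untouched.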
