Hi

On Thu, 4 Nov 2004, Tomasz Kojm wrote:

> Date: Thu, 4 Nov 2004 13:12:24 +0100
> From: Tomasz Kojm <[EMAIL PROTECTED]>
>
> > The attachment is clearly malware (the message looks like a Klez
>
> Clearly? How do you know that? Do you have a code analyser built into
> your eyes?

Definitely (I am referring to the HTML code in the message, not the coding of the binary attachment)! Here goes:

- code starts (deliberately broken with a few !!! to avoid possible problems)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!!!HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff><br>Delivery Failure - Invalid mail specification
<br><br>------------- failed message -------------<br>YK7mL0i1)4..lf;.o(IrVyvmb_BB%.Ihqjv5PE$n.jE8<br>Lp!REzfXnN.)8YImEfJX1gSi|;$Z?T7.n9rw+sV8u3<br>GP&..4so9D6fav5qWRS$?F4FxDexr8c0AZUi&OI(,Dy.T<br>mbP<L#F#:&xy.6wcdFKsh?HtE&.UT8LO+fO+A<br><br>Note: Received message has been sent as a binary file.<br>
Or you can view the message at:<br><br>
<!!!a href!!!3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0>www.mango.zw/inmail/weeber/mread.php?sessionid-23022</a>
<!!!iframe!!!src 3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0><!!!/iframe>
<DIV> </DIV></BODY></HTML>

- code ends

It definitely looks like a virus to me - probably Worm.SomeFool rather than Klez.

> The way libclamav works in the case of executable files is:
>
> 1. check the file against the signature database and stop scanning if
> virus is found
>
> 2. run PE parser (report broken executables; try to guess and unpack
> compressed files)
>
> So it doesn't reject files without scanning just because they
> seem to be broken.

Wouldn't it be possible to specifically detect viruses that generate broken executables such as this one? I.e. continue to scan it even if it is found to be broken - surely the file would still have a signature that could be recognised?

It would then make it easier to decide whether to remove the attachment from the message and pass on the message with a warning (in case some software is simply corrupt) or else, if it was labelled as a known virus, then it could just be dumped without informing the recipient at all.

I use MailScanner with ClamAV, and it looks for the output from clamscan. If the file is detected as Broken.Executable then clearly it needs to be quarantined, but the recipient might be interested in knowing about it just in case it was from a colleague who had sent some broken software. However, if it is detected as Worm.SomeFool.P then it needs to be killed on the spot and no one needs to be told about it other than the system administrator.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
Tel: (263-4)-334111/304471

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
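One way to implement the handling policy Jim asks for, as an added example that is not part of the original message nor of ClamAV or MailScanner: a small Python filter that reads clamscan's per-file result lines and maps a lone Broken.Executable hit (a PE-parser finding, reported only after the signature database has been checked) to quarantine plus a recipient notice, while a named detection such as Worm.SomeFool.P is dropped with only the administrator told. The sample scan output, file paths and action names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of clamscan output, one line per scanned attachment.
# Paths are made up; only Broken.Executable and Worm.SomeFool.P come from the thread.
SAMPLE_CLAMSCAN_OUTPUT = """\
/var/spool/scan/msg1/mread.exe: Worm.SomeFool.P FOUND
/var/spool/scan/msg2/setup.exe: Broken.Executable FOUND
/var/spool/scan/msg3/report.pdf: OK
/var/spool/scan/msg4/tool.exe: Can't open file ERROR
"""

# clamscan prints "<path>: <name> FOUND", "<path>: OK" or "<path>: <reason> ERROR".
LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<detail>.+) )?(?P<status>FOUND|OK|ERROR)$")

# Detection names that describe a damaged file rather than a signature match.
# The PE parser reports these after the signature database has already been
# checked, so a lone Broken.Executable hit does not mean "known virus".
STRUCTURAL_DETECTIONS = {"Broken.Executable"}

@dataclass
class Verdict:
    path: str
    detection: Optional[str]
    action: str            # "deliver", "quarantine", "drop" or "hold"
    notify_recipient: bool
    notify_admin: bool

def classify(line: str) -> Optional[Verdict]:
    """Map one clamscan result line to a mail-handling decision."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # summary lines such as "Infected files: 2" are skipped
    path, detail, status = m.group("path"), m.group("detail"), m.group("status")
    if status == "OK":
        return Verdict(path, None, "deliver", False, False)
    if status == "ERROR":
        # The file was never scanned, so hold it for an administrator to look at.
        return Verdict(path, None, "hold", False, True)
    if detail in STRUCTURAL_DETECTIONS:
        # Possibly just corrupt software: quarantine, but let the recipient know.
        return Verdict(path, detail, "quarantine", True, True)
    # A named signature match: discard and tell only the administrator.
    return Verdict(path, detail, "drop", False, True)

def classify_output(text: str) -> List[Verdict]:
    # Classify every per-file result line of a full clamscan run.
    return [v for v in (classify(ln) for ln in text.splitlines()) if v]
```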
