>I'm glad that you have been able to nail this.  Thank you for once again
>acting so quickly.
>
>Would this have shown as one of those "premature" EOF log entries?

No, it would not have (at least with the samples we have seen).

>Given that we have seen two viruses sneak by, I feel you should make it a
>priority that we can BLOCK the "premature EOF" mime attachments.

That's an unrelated issue.

Both Gibe and FBound had abnormalities in the way that MIME segments 
were encoded, but the MIME segments were placed properly within the 
E-mail.  The EOF warning occurs if the MIME segments are not placed 
properly -- and if it does occur, the data up until that point will still 
be scanned.

So a normal E-mail might appear as:

         E-mail headers

         MIME segment #1 [text] headers
         MIME attachment #1 ("quoted-printable" encoding)

         MIME segment #2 [attachment] headers
         MIME attachment #2 ("base64" encoded)

         MIME "End of E-mail" EOF marker

These viruses had instead:

         E-mail headers

         MIME segment #1 [text] headers
         MIME attachment #1 ("quoted-printable" encoding)

         MIME segment #2 [attachment] headers
         MIME attachment #2 (improperly "base64" encoded)

         MIME "End of E-mail" EOF marker

Whereas a virus without the EOF marker would look like:

         E-mail headers

         MIME segment #1 [text] headers
         MIME attachment #1 ("quoted-printable" encoding)

         MIME segment #2 [attachment] headers
         MIME attachment #2 ("base64" encoded)

>You ALREADY detect and log these situations in the VIRUS.log and you
>acknowledged that, at best, these are SPAM messages sent by broken clients -
>what's preventing you from letting us "BANMIMEFAILURE" pronto and
>"BADBOGUSURL" right now?

Because there is no advantage to it, except for the spam issue.  It 
wouldn't have stopped the malformed versions of the Gibe or FBound viruses, 
or any other previous viruses that we are aware of.

Although it is likely that a new virus will appear that doesn't have the 
EOF marker, Declude will still scan the E-mail -- so if a mail client can 
save the attachment, Declude will be able to scan it.
                             -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
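The three layouts sketched in the reply above, as an added example (my own Python, not Declude's code and not its log format): a small multipart walker that splits an e-mail on its boundary, decodes each MIME segment, repairs an improperly base64-encoded attachment, and flags a missing closing boundary (the "End of E-mail" marker) while still handing back every segment it found before the input ran out. The sample messages, the boundary string, the file name and the attachment bytes are all constructed for the example; the "premature EOF" wording in the findings is illustrative only.

```python
import base64
import hashlib
import quopri
import re

# Constructed stand-in for an attachment body (harmless bytes, not a real executable).
ATTACHMENT = b"This stands in for an executable attachment.\r\n" * 4
BOUNDARY = b"----=_NextPart_000_CONSTRUCTED"   # constructed boundary string


def build_message(close_marker=True, corrupt_base64=False):
    """Build one of the three layouts from the reply: normal, improperly base64
    encoded attachment, or no closing boundary ("End of E-mail" marker)."""
    b64 = base64.encodebytes(ATTACHMENT)              # 76-column lines, "\n" terminated
    if corrupt_base64:
        b64 = b64.replace(b"\n", b"\t\n")             # trailing tabs on every line
        b64 = b64[:50] + b"!" + b64[50:]              # a stray byte inside the data
        b64 = b64.rstrip(b"=\t\n") + b"\n"            # padding dropped entirely
    lines = [
        b"From: sender@example.invalid",
        b"To: recipient@example.invalid",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"',
        b"",
        b"This is a multi-part message in MIME format.",
        b"--" + BOUNDARY,
        b"Content-Type: text/plain; charset=us-ascii",
        b"Content-Transfer-Encoding: quoted-printable",
        b"",
        b"Please see the attached file =3D=3D> it is important.",
        b"--" + BOUNDARY,
        b'Content-Type: application/octet-stream; name="sample.exe"',
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="sample.exe"',
        b"",
        b64.replace(b"\n", b"\r\n").rstrip(b"\r\n"),
    ]
    if close_marker:
        lines.append(b"--" + BOUNDARY + b"--")
    return b"\r\n".join(lines) + b"\r\n"


def _decode_base64_lenient(data):
    """Decode base64 the way a scanner must: drop bytes outside the alphabet,
    repair the padding, and report whether any repair was needed."""
    cleaned = re.sub(rb"[^A-Za-z0-9+/]", b"", data)
    if len(cleaned) % 4 == 1:            # a lone trailing sextet can never decode
        cleaned = cleaned[:-1]
    padded = cleaned + b"=" * (-len(cleaned) % 4)
    repaired = padded != re.sub(rb"\s+", b"", data)
    return base64.b64decode(padded, validate=True), repaired


def _decode_part(blob):
    """Split one MIME segment into headers and body and undo its transfer encoding."""
    head, _, body = blob.partition(b"\n\n")
    if body.endswith(b"\n"):             # the line break before a boundary belongs to the boundary
        body = body[:-1]
    m = re.search(rb"^Content-Transfer-Encoding:[ \t]*(\S+)", head, re.I | re.M)
    encoding = m.group(1).lower() if m else b"7bit"
    repaired = False
    if encoding == b"base64":
        payload, repaired = _decode_base64_lenient(body)
    elif encoding == b"quoted-printable":
        payload = quopri.decodestring(body)
    else:
        payload = body
    name = re.search(rb'(?:file)?name="?([^";\n]+)"?', head, re.I)
    return {"filename": name.group(1).decode() if name else None,
            "encoding": encoding.decode(), "payload": payload,
            "malformed_encoding": repaired}


def parse_message(raw):
    """Walk the MIME segments of a multipart e-mail.  Every segment seen before
    the input runs out is decoded, whether or not the closing marker exists."""
    text = raw.replace(b"\r\n", b"\n")
    head, _, body = text.partition(b"\n\n")
    m = re.search(rb'boundary="?([^";\n]+)"?', head, re.I)
    if not m:                            # not multipart: nothing to split
        return {"parts": [], "premature_eof": False}
    delim, close = b"--" + m.group(1), b"--" + m.group(1) + b"--"
    segments, current, close_seen = [], None, False
    for line in body.split(b"\n"):
        if line.rstrip() == close:
            close_seen = True
            break
        if line.rstrip() == delim:
            current = []
            segments.append(current)
        elif current is not None:        # text before the first delimiter is preamble, skipped
            current.append(line)
    return {"parts": [_decode_part(b"\n".join(s)) for s in segments],
            "premature_eof": not close_seen}


def scan(raw):
    """Log-style findings: one line per decoded segment, plus the EOF warning.
    Wording is illustrative and is not Declude's log format."""
    parsed = parse_message(raw)
    out = []
    for part in parsed["parts"]:
        digest = hashlib.sha256(part["payload"]).hexdigest()[:16]
        tag = " (abnormal encoding, decoded anyway)" if part["malformed_encoding"] else ""
        out.append(f"scanned {part['filename'] or '<text body>'}: "
                   f"{len(part['payload'])} bytes sha256={digest}{tag}")
    if parsed["premature_eof"]:
        out.append("WARNING: premature EOF, closing boundary missing; "
                   "segments above were still scanned")
    return out


if __name__ == "__main__":
    for label, msg in [("normal", build_message()),
                       ("bad base64", build_message(corrupt_base64=True)),
                       ("no EOF marker", build_message(close_marker=False))]:
        print(f"== {label}")
        print("\n".join(scan(msg)))
```

Running it shows the point the reply makes: the attachment decodes to the same bytes in all three layouts. The improperly encoded variant is recovered by cleaning the base64, and the variant without the closing boundary produces the warning but still yields the full attachment, because the walker simply stops when the input ends and decodes whatever segments it collected.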
