This is now fixed with an updated engine. I verified both with my Windows Desktop version as well as with my FreeBSD version. This gets both versions of the virus I have found.
avscan1# f-prot *.zip
Virus scanning report - 5 August 2003 @ 13:50

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003

Search: message1.zip message4.zip new.zip
Action: Report only
Files: Attempt to identify files
Switches: <none>

/tmp/tmp2/message1.zip->message.html Infection: W32/[EMAIL PROTECTED]
/tmp/tmp2/message4.zip->message.html Infection: W32/[EMAIL PROTECTED]
/tmp/tmp2/new.zip->message1.zip Not scanned (encrypted)
/tmp/tmp2/new.zip->message4.zip Not scanned (encrypted)

Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 4
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:
>>I cannot see anything "special" in the MIME structure of Mimail that would
>>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
>>the ZIP that f-prot cannot unpack?).
>
> I was told it's the encoding scheme in the .html file that's the problem.
> Currently the scanner does not support that type of encoding.
It seems to me that the HTML contains the binary EXE without any encoding:
$ cat -v message.html | fold | head -5
MIME-Version: 1.0
Content-Location:File://foo.exe
Content-Transfer-Encoding: binary
[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@^@
Regardless, f-prot should list the ZIP attachment, and the files contained within the ZIP ...
Cheers,
Paul Szabo - [EMAIL PROTECTED]
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics
University of Sydney 2006 Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
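As an added illustration (not f-prot's code and not anything posted in this thread), the Python below walks an MHTML file of the shape shown above, flags any MIME part carrying a Windows executable by its "MZ" magic whatever Content-Transfer-Encoding the part declares (binary as well as base64), and applies the same check to the members of a ZIP, naming encrypted members it cannot inspect instead of passing over them. The sample MHTML, the EXE stub and the ZIP are constructed here for the demonstration.

```python
# Added example (not f-prot's or Mimail's code): walk an MHTML file like the
# message.html above and flag embedded executables by the 'MZ' magic, whatever
# Content-Transfer-Encoding the part declares; then apply it inside a ZIP.
import base64, io, zipfile
from email import message_from_bytes

EXEC_EXT = (".exe", ".scr", ".pif", ".com")

def embedded_executables(raw: bytes) -> list:
    """One record per MIME part carrying a Windows executable (by MZ magic or name)."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable; for 'binary' it hands back the raw bytes
        payload = part.get_payload(decode=True) or b""
        loc = (part.get("Content-Location") or "").strip()
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        by_magic, by_name = payload[:2] == b"MZ", loc.lower().endswith(EXEC_EXT)
        if by_magic or by_name:
            findings.append({"location": loc, "encoding": cte,
                             "mz_header": by_magic, "size": len(payload)})
    return findings

def scan_zip(data: bytes) -> list:
    """Report each ZIP member; encrypted members are named, not silently skipped."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.flag_bits & 0x1:  # bit 0 of the general-purpose flag marks encryption
                report.append((zi.filename, "not scanned (encrypted)"))
            else:
                hits = embedded_executables(zf.read(zi))
                report.append((zi.filename, "executable inside" if hits else "clean"))
    return report

# Constructed sample: a lure page plus one 'binary' and one base64 EXE stub
EXE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"  # first bytes of a DOS header
SAMPLE_MHTML = (b'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="xx"\r\n\r\n'
                b"--xx\r\nContent-Type: text/html\r\n\r\n<html>lure</html>\r\n"
                b"--xx\r\nContent-Location:File://foo.exe\r\nContent-Transfer-Encoding: binary\r\n\r\n"
                + EXE_STUB + b"\r\n"
                b"--xx\r\nContent-Location: File://bar.exe\r\nContent-Transfer-Encoding: base64\r\n\r\n"
                + base64.b64encode(EXE_STUB) + b"\r\n--xx--\r\n")

def sample_zip() -> bytes:
    """Constructed ZIP holding the sample MHTML next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", SAMPLE_MHTML)
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in embedded_executables(SAMPLE_MHTML):
        print(hit)
    print(scan_zip(sample_zip()))
```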
