Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Maxim Britov
On Tue, 08 Feb 2005 16:32:41 +
Francis Stevens [EMAIL PROTECTED] wrote:

 Trog wrote:
 
  BTW, all the false positives I've seen so far are also reported as
  broken by the showriff utility, which was written specifically to check
  these files.
  
  For example:
  
  $ showriff virus-2005-02-08-n0009134
  Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
  
 
 All the problem files I've had are Powerpoint and Word files. For the 
 Powerpoint files it was a common background image.

P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND



-- 
Maxim Britov

GnuPG KeyID 0x4580A6D66F3DB1FB Keyserver hkp://keyserver.kjsl.com
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team;   xmpp:[EMAIL PROTECTED]   ICQ 198171258
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Scott Ryan
On Wednesday 09 February 2005 15:56, Maxim Britov shaped the electrons to say:
 On Tue, 08 Feb 2005 16:32:41 +

 Francis Stevens [EMAIL PROTECTED] wrote:
  Trog wrote:
   BTW, all the false positives I've seen so far are also reported as
   broken by the showriff utility, which was written specifically to check
   these files.
  
   For example:
  
   $ showriff virus-2005-02-08-n0009134
   Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
 
  All the problem files I've had are Powerpoint and Word files. For the
  Powerpoint files it was a common background image.

 P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
 p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
 p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

'Stealing Music?' tut tut ;)
-- 
Scott Ryan
Telkom Internet
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Maxim Britov
BTW, all the false positives I've seen so far are also reported as
broken by the showriff utility, which was written specifically to check
these files.
For example:
$ showriff virus-2005-02-08-n0009134
Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):

   All the problem files I've had are Powerpoint and Word files. For the
   Powerpoint files it was a common background image.

  P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
  p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
  p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

 'Stealing Music?' tut tut ;)

I don't know, but size is ~50-100KB.


-- 
Maxim Britov

GnuPG KeyID 0x4580A6D66F3DB1FB Keyserver hkp://keyserver.kjsl.com
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team;   xmpp:[EMAIL PROTECTED]   ICQ 198171258
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Chris Conn

P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

Hello,
I don't suppose these files were submitted for analysis by the clamav 
developers?

Chris
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread jef moskot
On Wed, 9 Feb 2005, Maxim Britov wrote:
   P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
 I don't know, but size is ~50-100KB.

If they're tiny files, are you sure they're actually wavs?

Maybe someone downloaded these things and instead of funky beats, they're
full of Greek soldiers?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Chris Meadors
On Wed, 2005-02-09 at 11:51 -0500, jef moskot wrote:
 On Wed, 9 Feb 2005, Maxim Britov wrote:
P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
  I don't know, but size is ~50-100KB.
 
 If they're tiny files, are you sure they're actually wavs?
 
 Maybe someone downloaded these things and instead of funky beats, they're
 full of Greek soldiers?

WAV files don't just have to be PCM audio.  I've seen (from the I Love
Bees site) MPEG Audio Layer-III data inside a WAV RIFF wrapper.  Since
these files were triggering the malformed RIFF scanner, this could very
well be the case.

-- 
Chris

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Peter Bonivart
jef moskot wrote:
On Wed, 9 Feb 2005, Maxim Britov wrote:
P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
I don't know, but size is ~50-100KB.
If they're tiny files, are you sure they're actually wavs?
My guess is they are ring signals for the Sony Ericsson P900 mobile phone.

-- 
/Peter Bonivart
--Unix lovers do it in the Sun
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Randal, Phil
Francis Stevens wrote:

 I'm seeing several false positives for Exploit.W32.MS05-002 
 since I upgraded to 0.82 yesterday.  I've posted samples to 
 the submission website but would like to do something about 
 this.  Using sigtool -l 
 doesn't list Exploit.W32.MS05-002 as a signature in the 
 database, is there any way I can disable this check?  I tried 
 reverting to 0.81 but that didn't help.
 
 FAS

Seen it here too.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Francis Stevens
Francis Stevens wrote:
I'm seeing several false positives for Exploit.W32.MS05-002 since I 
upgraded to 0.82 yesterday.  I've posted samples to the submission 
website but would like to do something about this.  Using sigtool -l 
doesn't list Exploit.W32.MS05-002 as a signature in the database, is 
there any way I can disable this check?  I tried reverting to 0.81 but 
that didn't help.

Finally worked out how to (correctly) revert to 0.81, had to remove the 
libraries in /usr/local/lib before doing the make install for 0.81. 
I'm no longer getting the false positives, just the WARNING message from 
freshclam - which I'm happy to ignore until the other issue is dealt with.

Am I right that the MS05-002 check is built into the clamscan executable 
(libclamav) and is not a true signature?

FAS
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Ralf Hildebrandt
* Francis Stevens [EMAIL PROTECTED]:

 Finally worked out how to (correctly) revert to 0.81, had to remove the 
 libraries in /usr/local/lib before doing the make install for 0.81. 
 I'm no longer getting the false positives, just the WARNING message from 
 freshclam - which I'm happy to ignore until the other issue is dealt with.
 
 Am I right that the MS05-002 check is built into the clamscan executable 
 (libclamav) and is not a true signature?

Same here, what is the fix?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin BerlinTel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-BerlinFax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Francis Stevens
Ralf Hildebrandt wrote:
* Francis Stevens [EMAIL PROTECTED]:

Finally worked out how to (correctly) revert to 0.81, had to remove the 
libraries in /usr/local/lib before doing the make install for 0.81. 
I'm no longer getting the false positives, just the WARNING message from 
freshclam - which I'm happy to ignore until the other issue is dealt with.

Am I right that the MS05-002 check is built into the clamscan executable 
(libclamav) and is not a true signature?

Same here, what is the fix?
My fix was to go back to 0.81.  Hopefully the ClamAV team will be able 
to suggest a better one.

FAS
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Ralf Hildebrandt
* Francis Stevens [EMAIL PROTECTED]:

 My fix was to go back to 0.81.  Hopefully the ClamAV team will be able 
 to suggest a better one.

My point exactly.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin BerlinTel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-BerlinFax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Trog
On Tue, 2005-02-08 at 15:31 +, Francis Stevens wrote:

  
  Same here, what is the fix?
  
 
 My fix was to go back to 0.81.  Hopefully the ClamAV team will be able 
 to suggest a better one
 

You can apply the enclosed patch if you want less stringent checking.

-trog

--- libclamav/special.c	5 Feb 2005 15:50:18 -	1.8
+++ libclamav/special.c	8 Feb 2005 14:47:06 -	1.9
@@ -224,6 +224,12 @@
 		return 0;
 	}
 
+	if (memcmp(form_type, ACON, 4) != 0) {
+		/* Only scan MS animated icon files */
+		/* There is a *lot* of broken software out there that produces bad RIFF files */
+		return 0;
+	}
+
 	chunk_size = riff_endian_convert_32(chunk_size, big_endian);
 
 	do {
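Review bot: the string literal in the new check is shown as `memcmp(form_type, ACON, 4)` with no quotes around ACON; as printed it would not compile, so the applied change should read `memcmp(form_type, "ACON", 4)` (the quotes were most likely lost in the archive rendering). The comment that follows says what is skipped but not why ACON is the one form type kept: a line noting that MS05-002 concerns the animated cursor/icon handler, so only ACON files need the strict chunk-size check, would stop a later reader from widening the test again. Returning 0 here also means a malformed WAV or CDR file now comes back from this routine as clean rather than as not applicable; if callers ever need to tell those apart, a separate return value would be cleaner.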
@@ -234,6 +240,6 @@
 
 	if (offset  chunk_size) {
 		retval = 2;
-	};
+	}
 	return retval;
 }
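Review bot: the unchanged context line `if (offset  chunk_size) {` is missing its comparison operator in this rendering, most likely an angle bracket swallowed by the archive; anyone applying the patch by hand should check that line against the 1.9 revision in CVS before building. The change itself, replacing `};` with `}`, only removes a stray empty statement after the if block and is correct.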


___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Ralf Hildebrandt
* Trog [EMAIL PROTECTED]:

 You can apply the enclosed patch if you want less stringent checking.

Is that in the CVS as well?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin BerlinTel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-BerlinFax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Francis Stevens
Trog wrote:

You can apply the enclosed patch if you want less stringent checking.
Tried the patch and it fixes the problem for all the false positives 
I've seen so far, so it looks good to me. Will this make it into 0.83?

Thanks for the rapid response.
FAS
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Trog
On Tue, 2005-02-08 at 16:11 +, Francis Stevens wrote:

 
 Tried the patch and it fixes the problem for all the false positives 
 I've seen so far, so it looks good to me. Will this make it into 0.83?
 
 Thanks for the rapid response.
 

Yes, I would expect so.

BTW, all the false positives I've seen so far are also reported as
broken by the showriff utility, which was written specifically to check
these files.

For example:

$ showriff virus-2005-02-08-n0009134
Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):

(0x)   ID:RIFF   Size: 0x49e6
   Form Type = CDR8
(0x000c)   ID:vrsn   Size: 0x0002
(0x0016)   ID:DISP   Size: 0x282c
(0x284a)   ID:LIST   Size: 0x0114
   List Type = INFO
(0x2856)   ID:IKEY   Size: 0x0080
(0x28de)   ID:ICMT   Size: 0x0080
(0x2966)   ID:LIST   Size: 0x046c
   List Type = cmpr
(0x2972)   ID:   Size: 0x0f6c
(0x2dda)   ID:LIST   Size: 0x1bd7
   List Type = cmpr
(0x2de6)   ID:t   Size: 0x53dc
  *  Error: Chunk exceeds file


-trog



___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
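To make concrete what the showriff output above is reporting, and what Trog's patch earlier in the thread changes, here is a small RIFF chunk walker written for this thread. It is an added example, not code from libclamav, showriff or any other ClamAV tool. The function names (riff_walk, walk_chunks, ms05002_check, riff_status), the result codes and the four sample buffers are all constructed for the example; the samples are hand-built 24- and 36-byte RIFF files, not real ringtones or CDR files. It handles little-endian RIFF only (RIFX is not covered). The walker descends into LIST chunks the way showriff does and reports a chunk whose declared size runs past its container, which is the "Chunk exceeds file" condition; ms05002_check then applies the patch's narrowing, so a truncated WAVE or CDR8 file is ignored and only a truncated ACON file is flagged.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes (names chosen for this example, not libclamav's). */
enum { RIFF_NOT_RIFF = 0, RIFF_OK = 1, RIFF_TRUNCATED = 2 };

/* RIFF sizes are little-endian; big-endian RIFX is not handled here. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk chunks from offset up to end (exclusive), descending into LIST
 * chunks. A chunk whose declared size runs past end is what showriff
 * prints as "Chunk exceeds file". */
static int walk_chunks(const unsigned char *buf, uint64_t offset, uint64_t end)
{
    while (offset + 8 <= end) {
        uint32_t chunk_size = le32(buf + offset + 4);
        /* header (id + size) plus data, padded to an even length */
        uint64_t next = offset + 8 + chunk_size + (chunk_size & 1);
        if (next > end)
            return RIFF_TRUNCATED;
        if (memcmp(buf + offset, "LIST", 4) == 0 && chunk_size >= 4) {
            /* a LIST carries a 4-byte list type, then child chunks */
            int r = walk_chunks(buf, offset + 12, offset + 8 + chunk_size);
            if (r != RIFF_OK)
                return r;
        }
        offset = next;
    }
    return RIFF_OK;
}

/* Validate an in-memory RIFF file; form_type receives "WAVE", "ACON", ... */
int riff_walk(const unsigned char *buf, size_t len, char form_type[5])
{
    uint64_t total;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0)
        return RIFF_NOT_RIFF;
    memcpy(form_type, buf + 8, 4);
    form_type[4] = '\0';
    total = (uint64_t)le32(buf + 4) + 8;   /* size field counts what follows it */
    if (total > len)
        return RIFF_TRUNCATED;             /* header alone claims too much */
    return walk_chunks(buf, 12, total);
}

/* The narrowing the patch makes: only ACON (animated cursor/icon) files are
 * subject to the malformed-RIFF check; any other form type is left alone.
 * Returns 2 for a truncated ACON file, 0 otherwise. */
int ms05002_check(const unsigned char *buf, size_t len)
{
    char form[5];
    int r = riff_walk(buf, len, form);
    if (r == RIFF_NOT_RIFF || memcmp(form, "ACON", 4) != 0)
        return 0;
    return r == RIFF_TRUNCATED ? 2 : 0;
}

/* Convenience wrapper that drops the form type. */
int riff_status(const unsigned char *buf, size_t len)
{
    char form[5];
    return riff_walk(buf, len, form);
}

/* Constructed samples (not real files), each a RIFF with one data chunk. */
const unsigned char SAMPLE_WAVE_OK[24] = {
    'R','I','F','F', 16,0,0,0, 'W','A','V','E',
    'd','a','t','a', 4,0,0,0, 1,2,3,4 };
const unsigned char SAMPLE_WAVE_BAD[24] = {          /* claims 4096 bytes, has 4 */
    'R','I','F','F', 16,0,0,0, 'W','A','V','E',
    'd','a','t','a', 0x00,0x10,0,0, 1,2,3,4 };
const unsigned char SAMPLE_ACON_BAD[24] = {          /* same defect, ACON form */
    'R','I','F','F', 16,0,0,0, 'A','C','O','N',
    'a','n','i','h', 0x00,0x10,0,0, 1,2,3,4 };
const unsigned char SAMPLE_CDR_NESTED_BAD[36] = {    /* bad chunk inside a LIST */
    'R','I','F','F', 28,0,0,0, 'C','D','R','8',
    'L','I','S','T', 16,0,0,0, 'c','m','p','r',
    't',' ',' ',' ', 0x00,0x10,0,0, 1,2,3,4 };

int main(void)
{
    char form[5];
    const unsigned char *s[4] = { SAMPLE_WAVE_OK, SAMPLE_WAVE_BAD,
                                  SAMPLE_ACON_BAD, SAMPLE_CDR_NESTED_BAD };
    size_t n[4] = { 24, 24, 24, 36 };
    int i;
    for (i = 0; i < 4; i++) {
        int r = riff_walk(s[i], n[i], form);
        printf("%s: walk=%d ms05002=%d\n", form, r, ms05002_check(s[i], n[i]));
    }
    return 0;
}
```

Run as is, the walker reports all three defective samples as truncated, while ms05002_check flags only the ACON one; that is the trade the patch makes: fewer false positives on the sloppy WAV and CDR writers Trog mentions, at the cost of no longer noticing bad chunk sizes in formats the MS05-002 check was never meant for.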


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Francis Stevens
Trog wrote:
BTW, all the false positives I've seen so far are also reported as
broken by the showriff utility, which was written specifically to check
these files.
For example:
$ showriff virus-2005-02-08-n0009134
Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
All the problem files I've had are Powerpoint and Word files. For the 
Powerpoint files it was a common background image.

FAS
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Sean Doherty
On Tue, 2005-02-08 at 16:32 +, Francis Stevens wrote:
 All the problem files I've had are Powerpoint and Word files. For the 
 Powerpoint files it was a common background image.

Is it wise to update to clamav 0.82 given the large number 
of false positives being reported? 

Regards,
- Sean

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Ralf Hildebrandt
* Francis Stevens [EMAIL PROTECTED]:

 All the problem files I've had are Powerpoint and Word files. For the 
 Powerpoint files it was a common background image.

Same here!

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin BerlinTel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-BerlinFax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users