[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5.2.0.9.0.20030805135119.04ea3440@209.112.4.2>
From: mike at sentex.net (Mike Tancsa)
Subject: f-prot not catching mimail ? (now fixed)
This is now fixed with an updated engine. I verified both with my Windows
Desktop version as well with my FreeBSD version. This gets both versions of
the virus I have found.
avscan1# f-prot *.zip
Virus scanning report - 5 August 2003 @ 13:50
F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.4
VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003
Search: message1.zip message4.zip new.zip
Action: Report only
Files: Attempt to identify files
Switches: <none>
/tmp/tmp2/message1.zip->message.html Infection: W32/Mimail.A@mm
/tmp/tmp2/message4.zip->message.html Infection: W32/Mimail.A@mm
/tmp/tmp2/new.zip->message1.zip Not scanned (encrypted)
/tmp/tmp2/new.zip->message4.zip Not scanned (encrypted)
Results of virus scanning:
Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 4
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00
At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:
> >>I cannot see anything "special" in the MIME structure of Mimail that would
> >>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
> >>the ZIP that f-prot cannot unpack?).
> >
> > I was told its the encoding scheme in the .html file thats the problem.
> > Currently the scanner does not support that type of encoding.
>
>It seems to me that the HTML contains the binary EXE without any encoding:
>
>$ cat -v message.html | fold | head -5
>MIME-Version: 1.0
>Content-Location:File://foo.exe
>Content-Transfer-Encoding: binary
>
>MZM-^P^@^C^@^@^@^D^@^@^@...?M-^?^@^@...^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@
>
>Regardless, f-prot should list the ZIP attachment, and the files contained
>within the ZIP ...
>
>Cheers,
>
>Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
>School of Mathematics and Statistics University of Sydney 2006 Australia
Powered by blists - more mailing lists