Open Source and information security mailing list archives
From: mike at sentex.net (Mike Tancsa)
Subject: f-prot not catching mimail ? (now fixed)

This is now fixed with an updated engine. I verified both with my Windows
Desktop version as well as with my FreeBSD version. This gets both versions of
the virus I have found.

avscan1# f-prot *.zip
Virus scanning report  -  5 August 2003 @ 13:50

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003

Search: message1.zip message4.zip new.zip
Action: Report only
Files: Attempt to identify files
Switches: <none>

/tmp/tmp2/message1.zip->message.html  Infection: W32/Mimail.A@mm
/tmp/tmp2/message4.zip->message.html  Infection: W32/Mimail.A@mm
/tmp/tmp2/new.zip->message1.zip  Not scanned (encrypted)
/tmp/tmp2/new.zip->message4.zip  Not scanned (encrypted)

Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 4
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:
> >>I cannot see anything "special" in the MIME structure of Mimail that would
> >>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
> >>the ZIP that f-prot cannot unpack?).
> >
> > I was told it's the encoding scheme in the .html file that's the problem.
> > Currently the scanner does not support that type of encoding.
>
>It seems to me that the HTML contains the binary EXE without any encoding:
>
>$ cat -v message.html | fold | head -5
>MIME-Version: 1.0
>Content-Location:File://foo.exe
>Content-Transfer-Encoding: binary
>
>MZM-^P^@^C^@^@^@^D^@^@^@...?M-^?^@^@...^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@
>
>Regardless, f-prot should list the ZIP attachment, and the files contained
>within the ZIP ...
>
>Cheers,
>
>Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
>School of Mathematics and Statistics University of Sydney 2006 Australia
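Added example, not code from this thread or from F-PROT: a Python check for the two gaps the report and Paul's message show, a MIME part carrying a raw PE image under Content-Transfer-Encoding: binary, and ZIP members (nested or encrypted) that a scanner cannot open. The sample message and archives are constructed; new.zip, message1.zip and message.html are reused only as names.

```python
import email
import io
import zipfile

# Constructed sample: a part labelled as HTML whose body is a raw PE image, no base64.
RAW_EXE_HTML = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Location:File://foo.exe\r\n"
    b"Content-Transfer-Encoding: binary\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
)


def find_raw_executables(data):
    """Return the Content-Location of every MIME part whose body starts with 'MZ'."""
    msg = email.message_from_bytes(data)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # 'binary' stores bytes as-is; decode=True returns them unchanged, so the PE
        # signature is visible without any decoding step.
        body = part.get_payload(decode=True) or b""
        if body.startswith(b"MZ"):
            hits.append(part.get("Content-Location", "(no Content-Location)"))
    return hits


def scan_zip(data, depth=0, max_depth=3):
    """Report every ZIP member, descending into nested archives like new.zip above."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                report.append((info.filename, "not scanned (encrypted)"))
                continue
            member = zf.read(info)
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(member)):
                nested = scan_zip(member, depth + 1, max_depth)
                report.extend((info.filename + "->" + n, v) for n, v in nested)
            elif find_raw_executables(member):
                report.append((info.filename, "raw PE in MIME part"))
            else:
                report.append((info.filename, "clean"))
    return report


def build_nested_sample():
    # Constructed new.zip -> message1.zip -> message.html, as in the scan report.
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("message.html", RAW_EXE_HTML)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("message1.zip", inner.getvalue())
    return outer.getvalue()
```

Encrypted members are reported rather than opened, which is the same "Not scanned (encrypted)" outcome the report shows; a scanner that stops there still needs the outer ZIP listed so the gap is visible.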