Message-ID: <41103C34.27787.7E2BAA96@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: broken virus / worm email has attachment not found by grisoft proxy scanner
Denis McMahon wrote:
> I've had a couple of suspicious emails this week with headers, blank
> line, a line of text, mime headers.
And that is _all_ ???
If so, what are you worrying about?
If not, why didn't you describe all the sections in the message
structure?
> Thunderbird doesn't see the mime attachment due to the broken headers,
_Which_ headers are broken?
Do you mean there is something "bad" (cf. the relevant RFCs) in the
Email headers, or in the MIME headers???
> which is good, but nor does the grisoft email proxy scanner, which is
> bad, especially as I guess that certain broken applications (no I don't
> have outlook [express] on my system) might try and be smart and find the
> attachment.
But your description of the structure of these messages above says
nothing about any "attachments"...
> This might be broken malware sending unusable stuff out, but my worry is
> that someone may have found a technique that will sneak an attachment
> past some a-v scanners in a "broken" format that certain popular email
> apps will try and fix, possibly putting active malware on the hard disk.
Are these "attachments" in the ~1.5KB - 2KB size range?
If so, I'd say there is a reasonable chance they are the "IPs I've
already hit" log-only (aka "corrupted") Mydoom.O messages. These
_should_ appear in any of the forms of message Mydoom.O can produce
which includes attachment-only (blank message part) through various
"clever" SE message forms to "binary gibberish" messages. Further, the
base64 encoded attachment can also be "normal" or "corrupted" (spaces,
odd line-breaks inserted where they are not allowed by the spec --
Outlook and OE (and several other MUAs) happily ignore these "encoding
errors" and "correctly" decode the intended attachment.
> I tried to talk to grisoft about this, but all I get back is "you have
> to pay to talk to us cheapskate" ... whilst I can agree that they might
> not want to provide tech support to users of their free scanner, does
> anyone have an email address at grisoft for submitting suspicious items
> that have got past their proxy scanner?
Yes but you'll have to contact me off-list as I won't publish the
details here.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
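An added example (not from the thread), in Python, of the decoding mismatch Nick describes above: a proxy scanner that decodes base64 strictly never sees the bytes of a "corrupted" attachment, while a tolerant MUA strips the stray spaces and line breaks and reconstructs it, so a scanner should decode as leniently as the client will. The payload, the damage pattern and the signature string are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample attachment bytes (not malware) and their clean base64 form.
CLEAN_PAYLOAD = b"constructed sample attachment bytes for the decoder test"
CLEAN_B64 = base64.b64encode(CLEAN_PAYLOAD).decode("ascii")

# Constructed stand-in for a scanner's detection pattern.
SIGNATURE = b"constructed sample"


def corrupt_b64(s: str) -> str:
    """Damage a base64 body the way the thread describes: spaces and
    line breaks inserted at positions the encoding does not allow."""
    out = []
    for i, ch in enumerate(s):
        out.append(ch)
        if i % 7 == 3:
            out.append(" ")
        if i % 11 == 5:
            out.append("\r\n")
    return "".join(out)


def strict_decode(s: str):
    """Scanner-style decoding: any character outside the base64 alphabet
    aborts the decode, so the attachment is never inspected."""
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def lenient_decode(s: str) -> bytes:
    """MUA-style decoding: drop everything that is not a base64 character,
    then decode.  A scanner should see the same bytes the client will."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", s)
    return base64.b64decode(cleaned)


def scan(mime_body: str, decoder) -> bool:
    """Return True if the decoder yields bytes matching the signature."""
    data = decoder(mime_body)
    return data is not None and SIGNATURE in data


if __name__ == "__main__":
    damaged = corrupt_b64(CLEAN_B64)
    print("strict scanner detects:", scan(damaged, strict_decode))    # False
    print("lenient scanner detects:", scan(damaged, lenient_decode))  # True
```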