#124 Win32/Aliz Passes through

closed-fixed
nobody
None
5
2001-11-23
2001-11-21
Anonymous
No

System Details
Amavis 0.2.1
Sendmail 8.9.3 (Configured for relay)
Macfee uvscan 4.1.40 Dats 4171
Reformime 1.37

Today a mail from Russia containing Win32/Aliz virus
passed through the mail system. This was caused by
reformime not extracting any files See attached
section of log).

xxxxxxxxxxxxxxxxxxWed Nov 21 12:07:41 GMT
2001xxxxxxxxxxxxxxxxxxxxxxx
scanmails (0.2.1) called igor.izvarin<@teleca.ie.>
igor.izvarin@teleca.ie irina_chaika@priocom.com
FROM: irina_chaika@priocom.com
TO: igor.izvarin@teleca.ie
maxlevel: 0
Contents of /var/tmp/scanmails29646/unpacked
/var/tmp/scanmails29646/unpacked:
total 3
drwxr-xr-x 3 root root 1024 Nov 21
12:07 .
drwx------ 3 root root 1024 Nov 21
12:07 ..
drwxr-xr-x 2 root root 1024 Nov 21 12:07
SFX

/var/tmp/scanmails29646/unpacked/SFX:
total 2
drwxr-xr-x 2 root root 1024 Nov 21
12:07 .
drwxr-xr-x 3 root root 1024 Nov 21
12:07 ..
Scanning /var/tmp/scanmails29646/unpacked/*

Summary report on /var/tmp/scanmails29646/unpacked/*
0 files were on the disk.

H+BEDV AntiVir scanstatus0 is: 0
Mcafee scanstatus1 is: 0
Dr. Solomon (old) scanstatus2 is: 0
Dr. Solomon (new) scanstatus3 is: 0
Sophos Sweep scanstatus4 is: 0
NAI Virus Scan 4.x scanstatus5 is: 0
KasperskyLab AVP scanstatus6 is: 0
KasperskyLab AVPDaemonClient scantatus7 is: 0
F-Secure Antivirus scanstatus8 is: 0
Trend Micro FileScanner scanstatus9 is: 0
CyberSoft vfind scanstatus10 is: 0
CAI InoculateIT (inocucmd) scanstatus11 is: 0

No virus found - good

I have also attached raw email data.

I compiled a debug version of reformime and steped
through it. The problem arises from declaration of the
boundary in the header. reformime defines the boundary
as been "bound"X-Priority: 3X-MSMail... until it
reaches a new line. In the message part it is "--
bound" thus is unable to extract parts. When boundary
header definition is placed on a line of its own and
passed through it works.

The amavis scanner is in production mode for the last
18 months, and this is the first incursion.

Can some check if this e-mail would pass through the
perl version ??

One of the devlepors here is going to try and
disassembly the exe file to see if the header is been
delibertely malformed by the exe.
Regards Ger Donohue

Systems Administrator
Teleca Ireland
Mayfield House
Ennis
Co Clare
Ireland.

Discussion

  • Lars Hecking

    Lars Hecking - 2001-11-23
    • status: open --> closed-fixed
     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks