[Mimedefang] new K-lez.E & K-lez.H variants ?
Stephane Lentz
Stephane.Lentz at ansf.alcatel.fr
Wed Aug 28 08:45:01 EDT 2002
Hi,
I just noticed a message that passed through Mimedefang and
which was caught as WORM_KLEZ.E by another machine running
some antivirus (Trend Interscan through Amavis):
The interesting MIME part was:
--Mes4xJ4183HVS3TKny03g2Zkj8G5
Content-Type: audio/x-wav;
name=accueil_popup;sz=1x1;ord=1008757901370[1].exe
Content-Transfer-Encoding: base64
Content-ID: <X6A08GxIRzH3C77d2>
...
mimedefang.pl -structure < /tmp/virus-20020828-100811-10704
non-leaf: type=multipart/alternative; fname=; disp=inline
leaf: type=text/html; fname=; disp=inline
leaf: type=audio/x-wav; fname=accueil_popup; disp=inline
leaf: type=text/plain; fname=; disp=inline
I don't know if some MUA would interpret
accueil_popup;sz=1x1;ord=1008757901370[1].exe as an EXE file.
One solution to deal with that would be to drop all audio/x-wav attachments
or audio/x-wav attachments with no "." in the name.
In the past I found similar names blocked with another Milter solution:
name=connexion;kw=X;sz=468x60;ord=1012051620040[1].exe
name=Faience;cat=;cat=;cat=;adspot=2;sz=250x20;page=item;ord=1017412680940[1].bat
Maybe the suggested minimum filter should be updated ?
I also noticed some KLEZ.H passing through which had the following structure :
Return-Path: <xml-decid-bounce at xmlfr.org>
Received: ....
Received: ....
Delivered-To: xml-decid at gwparis.dyomedea.com
Received: ...
Received: ...
From: patt <patt at tireme.fr>
To: xml-decid at xmlfr.org
Subject: [xml-decid] 404 Not Found
MIME-Version: 1.0
Content-type: text/plain
Precedence: list
Reply-To: xml-decid at xmlfr.org
X-list: xml-decid
X-Scanned-By: MIMEDefang 2.19 (www.roaringpenguin.com/mimedefang)
--Fbw859V4X304SF
Content-Type: text/html; Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Qnm6cg517B9LL90V height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--Fbw859V4X304SF
Content-Type: audio/x-wav; name=on this.pif
Content-Transfer-Encoding: base64
Content-ID: <Qnm6cg517B9LL90V>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
binary data continued ....
AAAAAAAAAAAAAAAAAAAAAD==
--Fbw859V4X304SF--
--
Become an <XML>fr editor and contribute to the development
of French-speaking XML (http://xmlfr.org/infos/redacteurs)!
Mailing list "xml-decid at xmlfr.org" (http://xmlfr.org).
....
mimedefang.pl -structure < /tmp/virus-20020827-201208-00512
leaf: type=text/plain; fname=; disp=inline
So a message declared as text/plain, with several parts separated by a
MIME boundary (Fbw859V4X304SF) that was never advertised.
I'm not sure such worms would work with Outlook Express (is it so
brilliant?) or if Interscan is too picky... Maybe it was just some
broken mailing-list software altering a message...
Anybody else noticed that?
SL/
---
Stephane Lentz / Alcanet International - Internet Services
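The two evasions in the post, a `name=` parameter whose unquoted `;` hides the `.exe` from a strict parser, and a single `text/plain` message carrying undeclared MIME parts, can both be checked outside the milter. The following Python is an added example, not the post's data nor MIMEDefang's own `filter_bad_filename()`; the function names, the extension list and the sample message (modelled on the headers quoted above, with the binary payload cut to one line) are all constructed here.

```python
import re

# Constructed subset of the executable extensions a stock mail filter blocks.
BAD_EXTS = ("exe", "pif", "bat", "scr", "com", "vbs", "lnk", "js", "cmd")
BAD_EXT_RE = re.compile(r"\.(?:" + "|".join(BAD_EXTS) + r")\.*$", re.I)


def split_params(value):
    """Split a header value on ';' outside double quotes (RFC 2045 style)."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_content_type(value):
    """(type, params) as a strict parser sees it: the unquoted ';' in
    name=accueil_popup;sz=1x1;ord=...[1].exe ends the name at 'accueil_popup'
    and turns the rest into stray parameters, which is what -structure showed."""
    ctype, *rest = split_params(value)
    params = {}
    for p in rest:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip().strip('"')
    return ctype.strip().lower(), params


def lenient_name(value):
    """Everything after 'name=' up to end of header, as a careless MUA might
    read it. None when there is no name parameter at all."""
    m = re.search(r'(?i)\bname=\s*"?(.*?)"?\s*$', value)
    return m.group(1) if m else None


def check_attachment(content_type_value):
    """Flag a part the way the post suggests: a name with no '.' at all, or an
    executable extension anywhere in the raw header (any parameter value or
    the lenient reading of the name)."""
    ctype, params = parse_content_type(content_type_value)
    strict, loose = params.get("name"), lenient_name(content_type_value)
    reasons = []
    if strict is not None and "." not in strict:
        reasons.append("name-without-extension")
    if any(c and BAD_EXT_RE.search(c) for c in [loose] + list(params.values())):
        reasons.append("executable-extension")
    return {"type": ctype, "strict_name": strict, "lenient_name": loose,
            "reasons": reasons}


BOUNDARY_LINE = re.compile(r"^--([A-Za-z0-9'()+_,./:=?-]{1,70}?)(--)?\s*$")


def undeclared_multipart(headers, body):
    """Return the boundary token when a message whose own Content-Type is not
    multipart/* still carries part separators, part headers and a closing
    separator in its body (the KLEZ.H sample seen as one text/plain leaf)."""
    declared = parse_content_type(headers.get("content-type", "text/plain"))[0]
    if declared.startswith("multipart/"):
        return None
    lines = body.splitlines()
    for i, line in enumerate(lines):
        m = BOUNDARY_LINE.match(line)
        if not m or m.group(2):
            continue
        token = m.group(1)
        following = "\n".join(lines[i + 1:i + 4]).lower()
        closes = any(l.rstrip() == f"--{token}--" for l in lines[i + 1:])
        if "content-type:" in following and closes:
            return token
    return None


def scan_hidden_parts(headers, body):
    """Split the body on the undeclared boundary and run check_attachment()
    over each hidden part's Content-Type header."""
    token = undeclared_multipart(headers, body)
    if token is None:
        return []
    findings = []
    for chunk in body.split(f"--{token}")[1:]:
        head = chunk.split("\n\n", 1)[0]
        for line in head.splitlines():
            if line.lower().startswith("content-type:"):
                findings.append(check_attachment(line.split(":", 1)[1].strip()))
    return findings


# Constructed samples modelled on the post; addresses are placeholders.
AD_STYLE_HEADER = "audio/x-wav; name=accueil_popup;sz=1x1;ord=1008757901370[1].exe"
KLEZ_LIKE_HEADERS = {"from": "patt <patt@example.invalid>", "content-type": "text/plain"}
KLEZ_LIKE_BODY = """\
--Fbw859V4X304SF
Content-Type: text/html; Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Qnm6cg517B9LL90V height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--Fbw859V4X304SF
Content-Type: audio/x-wav; name=on this.pif
Content-Transfer-Encoding: base64
Content-ID: <Qnm6cg517B9LL90V>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--Fbw859V4X304SF--
"""

if __name__ == "__main__":
    print(check_attachment(AD_STYLE_HEADER))
    print(undeclared_multipart(KLEZ_LIKE_HEADERS, KLEZ_LIKE_BODY))
    for f in scan_hidden_parts(KLEZ_LIKE_HEADERS, KLEZ_LIKE_BODY):
        print(f)
```

The strict parse is what a correct filter sees; the lenient reading is what a permissive mail client may act on, so a filter has to test both and, as the post proposes, treat an attachment with no `.` in its strict name as suspect. Scanning the body for undeclared boundaries is a cheap check against the second sample; whether a given MUA would actually render such a message as multipart is the open question the post raises.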