[Mimedefang] new K-lez.E & K-lez.H variants ?
Stephane Lentz
Stephane.Lentz at ansf.alcatel.fr
Wed Aug 28 16:48:00 EDT 2002
Hi David,
On Wed, Aug 28, 2002 at 10:16:47AM -0400, David F. Skoll wrote:
> On Wed, 28 Aug 2002, David F. Skoll wrote:
>
> > MIMEDefang would have caught it if you scanned all the parts with a
> > commercial virus scanner,
>
> And in fact, I got a few MIMEDefang notifications from people who were
> using MIMEDefang in conjunction with a commercial scanner. :-)
> Please don't post real viruses to this list. :-)
=> I apologize. I guess you now know who uses Mimedefang with some
antivirus, and you also noticed some Postfix users with some basic
body_checks :-)
I just found another KLEZ.E variant with the following Mime description
(= replaced with EQUAL to prevent antiviruses firing up).
Content-Type: application/octet-stream;
name EQUAL accueil;cat EQUAL accueil;sz EQUAL 468x60;ord=1022359294[1].pif
This time the Mime type is application/octet-stream.
Mimedefang lets it through because of the ";" and sets the name to accueil.
Looks like I will have to block any attachment name without "." in it or
add some antivirus.
> One thing I might look at is building code into MIMEDefang to detect
> Windoze executables based on their signature (the first few bytes),
> regardless of filename. It's a cheap way to stop a lot of viruses.
>
=> Using/Looking at some File::Scan code and signature would help I guess.
It is a perl module so it is perfect.
The latest version of File::Scan detected the virus in the "accueil"
attachment correctly:
/usr/bin/virusscan accueil
accueil Infection: W32/Klez.gen at MM
Results of virus scanning:
--------------------------
Objects scanned: 1
Skipped: 0
Suspicious: 0
Infected: 1
Scan Time: 0 wallclock secs ( 0.03 usr + 0.00 sys = 0.03 CPU)
Regards,
SL/
---
Stephane Lentz / Alcanet International - Internet Services
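The two points raised in this thread, a Content-Type whose name parameter is cut short at the first ";" so that filename-based filters see "accueil" while the field actually ends in ".pif", and the idea of recognising Windows executables by their first bytes regardless of filename, can be shown side by side. The following is an added example in Python, written for this page; it is not MIMEDefang code and does not use the MIMEDefang API. The header value is reconstructed from the post with the "EQUAL" placeholders turned back into "=", the executable bytes are a constructed MZ/PE header stub (no real program), and the "no dot in the name" and extension heuristics are illustrative assumptions.

```python
import re

# Constructed sample: the Content-Type from the post, with "EQUAL" restored to "=".
SAMPLE_CONTENT_TYPE = (
    'application/octet-stream; '
    'name=accueil;cat=accueil;sz=468x60;ord=1022359294[1].pif'
)

# Extensions treated as executable for the name heuristic (assumption, not an exhaustive list).
EXECUTABLE_EXTENSIONS = ('.pif', '.exe', '.scr', '.com', '.bat', '.vbs')


def parse_params(header_value):
    """Split a Content-Type value the way a simple RFC 2045 parser does:
    media type first, then one parameter per ';'."""
    parts = [p.strip() for p in header_value.split(';')]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if '=' in part:
            key, value = part.split('=', 1)
            params[key.strip().lower()] = value.strip().strip('"')
    return media_type, params


def declared_name(header_value):
    """The name a parameter-splitting filter sees: 'accueil' for the sample."""
    return parse_params(header_value)[1].get('name')


def raw_name_field(header_value):
    """Everything after 'name=' as a client that does not split on ';' might show it."""
    match = re.search(r'name=(.*)$', header_value)
    return match.group(1) if match else None


def name_looks_suspicious(name):
    """Name-based heuristic from the post: no '.' at all, or an executable extension."""
    if name is None:
        return False
    if '.' not in name:
        return True
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def executable_kind(data):
    """Classify by content, not by name: 'MZ' for a DOS/Windows executable header,
    'PE' when the e_lfanew pointer at offset 0x3C leads to a 'PE\\0\\0' signature."""
    if len(data) < 2 or data[:2] != b'MZ':
        return None
    if len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00':
            return 'PE'
    return 'MZ'


def should_block(header_value, data):
    """Content signature first (cannot be dodged by renaming), then the name heuristic."""
    kind = executable_kind(data)
    if kind:
        return True, 'content signature: %s executable' % kind
    name = declared_name(header_value)
    if name_looks_suspicious(name):
        return True, 'attachment name: %r' % name
    return False, 'ok'


def constructed_pe_stub():
    """Constructed 0x44-byte header: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\\0\\0'.
    It is not a runnable program, only enough structure for the signature check."""
    header = bytearray(b'MZ' + b'\x00' * 0x3A)   # bytes 0x00..0x3B
    header += (0x40).to_bytes(4, 'little')       # e_lfanew at 0x3C
    header += b'PE\x00\x00'                      # PE signature at 0x40
    return bytes(header)


if __name__ == '__main__':
    print('parsed name  :', declared_name(SAMPLE_CONTENT_TYPE))
    print('raw name     :', raw_name_field(SAMPLE_CONTENT_TYPE))
    print('by name only :', should_block(SAMPLE_CONTENT_TYPE, b'plain text body'))
    print('by signature :', should_block(SAMPLE_CONTENT_TYPE, constructed_pe_stub()))
```

The parser returns name "accueil" for the sample, while the raw field still ends in "[1].pif"; the content check flags the constructed stub as a PE executable whatever the header says, which is why a signature test belongs in front of any filename rule.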