[Mimedefang] sobig virus slipping by mcafee.

Jon R. Kibler Jon.Kibler at aset.com
Fri Sep 5 17:38:01 EDT 2003


Greetings:

Here is some feedback from NAI regarding SoBig. My original statement to them was "... a large number of SoBig.F files will slip by uvscan if the --mime option is not specified" and their reply was:

> This is actually something we have run across on different point products other than UNIX flavors as well.  Sobig will actually come in different forms, from an attachment to a compressed attachment or a MIME-encoded message.  What you are seeing is actually what will need to be done to catch all variants of Sobig, as this is the way the many different variants of this worm are compiled by the writers.

Thought you may be interested in their comments (which are kinda obvious).

David, about your comment about some MTAs just blindly appending message text...
   1) If that is why some SoBigs slip by uvscan, then:
      a) Why are we not seeing it with other viruses?
      b) Why are other products catching the ones uvscan misses?
   2) I suspect the 'blind append' is some lame procmail script(s) rather than qmail itself. I also suspect that anyone using procmail improperly (which is too many users!) would have problems regardless of the MTA.

Thanks!
Jon Kibler
A.S.E.T., Inc.
Charleston, SC  USA


"David F. Skoll" wrote:
> 
> On Fri, 5 Sep 2003, Stefano McGhee wrote:
> 
> > The message seems to
> > simply have the mime encoded text of the pif file in the body.
> 
> Some MTAs (qmail for one, I believe) blindly append the message text
> to the bounce notification without attempting to create a proper MIME
> message.  MIMEDefang won't see the virus, because it's just random
> stuff inside a text/plain part.  If any Windows MUA is stooopid enough
> to try to decode such a thing, then its authors deserve to be soundly
> whipped. :-)
> 
> Regards,
> 
> David.
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
> 
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
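The case David describes, an encoded attachment appended verbatim into a text/plain bounce so that a MIME-aware scanner never sees it as an attachment, can be caught by looking for base64 runs inside text parts and decoding them. The following is an added example, not code from this thread or from MIMEDefang; the bounce wording, the "details.pif" name and the "MZ" stub payload are constructed for the demonstration.

```python
import base64
import re
from email import message_from_string

# A run of base64-looking wrapped lines (two or more long lines, then an
# optional partial last line), which is what a blindly appended encoded
# attachment looks like inside a plain-text body.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{60,}\r?\n){2,}[A-Za-z0-9+/=]*")


def build_bounce(payload: bytes) -> str:
    """Construct a text/plain bounce whose body carries the base64 text of
    an attachment verbatim (constructed sample modelled on the thread)."""
    encoded = base64.encodebytes(payload).decode("ascii")
    return (
        "From: MAILER-DAEMON@example.invalid\n"
        "To: sender@example.invalid\n"
        "Subject: failure notice\n"
        "Content-Type: text/plain\n"
        "\n"
        "Your message could not be delivered.\n"
        "\n"
        "--- Below this line is a copy of the message.\n"
        "\n"
        'Content-Type: application/octet-stream; name="details.pif"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n" + encoded
    )


def find_hidden_executables(raw: str) -> list:
    """Return (offset, decoded_size) for every base64 run inside a text/plain
    part that decodes to a DOS/PE executable (starts with the 'MZ' magic)."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        for m in B64_RUN.finditer(body):
            try:
                blob = base64.b64decode(m.group(0))
            except ValueError:
                continue  # looked like base64 but does not decode
            if blob[:2] == b"MZ":
                hits.append((m.start(), len(blob)))
    return hits


# Constructed stand-in for a PE attachment: the 'MZ' magic plus padding.
FAKE_EXE = b"MZ" + b"\x90" * 200
SAMPLE_BOUNCE = build_bounce(FAKE_EXE)

if __name__ == "__main__":
    for offset, size in find_hidden_executables(SAMPLE_BOUNCE):
        print(f"executable in text/plain body at offset {offset}, {size} bytes")
```

A filter that runs this over bounces would flag the message for quarantine or rescanning rather than trusting the scanner's attachment-only view.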