[Mimedefang] MD 2.43 - Missing Viruses

Albert Whale aewhale at ABS-CompTech.com
Sun May 30 23:44:00 EDT 2004


I've noticed that several viruses are getting through my mimedefang 
filter.  One sample is a copy of a bounce message including the headers, 
and multi-part MIME attachments containing the .  The virus is 
detectable with Clamscan, but not with antivir.  I am not certain if 
this is an issue with the message structure, or MD 2.43.  Since May 
10th, I have received six viruses which were not detected with MD 2.43 
(previously I had no issues with MD virus detection).

Has anyone else received a virus coming through their installation 
lately?  I realize that the message is actually a resend of an 'original' 
(or better yet, spoofed) message.  But the attachment type (message.scr) 
is still not permitted.  Is it because of the obfuscation of the 
message, or is there more filtering that was required in order to 
capture this email?

While I can repeat this one message getting through the MD scanner 
(although it is correctly detected as spam) and receive a warning from 
my PC scanner, I don't want to rely on my laptop's antivirus scanner.  I 
am wondering if the assortment of MIME types is the latest formula from 
our friends the hackers.  Here is part of the original message for the 
formatting information:

 From - Sat May 29 01:26:26 2004
X-UIDL: 40b81caf0000001a
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <MAILER-DAEMON at ns.ABS-CompTech.com>
Received: from server43.totalchoicehosting.com (server43.totalchoicehosting.com [209.51.157.42])
        by ns.ABS-CompTech.com (8.12.10/8.12.10) with ESMTP id i4T5Kvvp010138
        for <blocklisted at abs-comptech.com>; Sat, 29 May 2004 01:20:58 -0400
Received: from mailnull by server43.totalchoicehosting.com with local (Exim 4.34)
        id 1BTpey-00073b-Pf
        for blocklisted at abs-comptech.com; Fri, 28 May 2004 18:17:04 -0400
X-Failed-Recipients: webmaster at timebrush.com
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon at server43.totalchoicehosting.com>
To: blocklisted at abs-comptech.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1BTpey-00073b-Pf at server43.totalchoicehosting.com>
Date: Fri, 28 May 2004 18:17:04 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server43.totalchoicehosting.com
X-AntiAbuse: Original Domain - abs-comptech.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
X-SPAM-Checked-by: www.No-JunkMail.com
X-SPAM-Checked-by: The SPAM Zapper tm
Status:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  webmaster at timebrush.com
    This message has been rejected because it has
    a potentially executable attachment "message.scr"
    This form of attachment has been used by
    recent viruses or other malware.
    If you meant to send this file then please
    package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path: <blocklisted at abs-comptech.com>
Received: from [66.153.141.82] (helo=timebrush.com)
        by server43.totalchoicehosting.com with esmtp (Exim 4.34)
        id 1BTpev-0006u4-0R
        for webmaster at timebrush.com; Fri, 28 May 2004 18:17:04 -0400
From: blocklisted at abs-comptech.com
To: webmaster at timebrush.com
Subject: Mail Delivery (failure webmaster at timebrush.com)
Date: Fri, 28 May 2004 18:17:03 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re height=3D0 width=3D0>www.timebrush.com/inbox/webmaster/read.php?sessionid-27050</a>
<iframe src=3Dcid:031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re height=3D0 width=3D0></iframe>
<DIV> </DIV></BODY></HTML>

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav;
        name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<031401Mfdab4$3f3dL780$73387018 at 57W81fa70Re>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<snip>
Vp96R29mUudzUXVyY582Tzqpaw1iYWQWEElpbrZueko9dE2+ZClsXbMiRvFweUlSm+R0RkTA
JFfBa293c0TfPuRj+ep5pTmgLRROYW1MhlBy8PJk45xMc2p2H0xpYjtTLz5UUJNDz+5uNA0Y
TGG8RXLcXOvFjE11CHjMTgMAAAAAAAAAAAAAAAAA

------=_NextPart_000_001B_01C0CA80.6B015D10--

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
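An added example, not code from the original post and not MIMEDefang's own filter (which is written in Perl): a stand-alone Python check that walks a message of the shape quoted above and flags a leaf part whose filename extension, declared Content-Type and decoded bytes disagree, and then notes when an HTML part pulls that same part in through a cid: reference. The sample messages, the extension list, the Content-ID and the addresses are constructed for this example.

```python
# Added example (not MIMEDefang code): walk a MIME message, decode each leaf
# part and flag attachments whose filename extension, declared Content-Type
# and actual bytes disagree, plus HTML parts that embed such a part via cid:.
import base64
import os
import re
from email import message_from_bytes, policy

# Extensions Windows executes on open; the list is an assumption for this
# example, extend it to match site policy.
EXEC_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".cpl"}

# Media types under which an executable has no business appearing.
PASSIVE_TYPES = ("audio/", "image/", "video/", "text/")

CID_RE = re.compile(r"""cid:([^\s"'>]+)""", re.IGNORECASE)


def part_reasons(part):
    """Return the reasons a leaf part looks like a disguised executable ([] if none)."""
    reasons = []
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()
    ctype = part.get_content_type()
    body = part.get_payload(decode=True) or b""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext} on attachment {name!r}")
    if body[:2] == b"MZ":
        reasons.append(f"decoded body starts with MZ (DOS/PE header), declared {ctype}")
    if ext in EXEC_EXTENSIONS and ctype.startswith(PASSIVE_TYPES):
        reasons.append(f"Content-Type {ctype} does not match extension {ext}")
    return reasons


def scan_message(raw):
    """Parse raw message bytes and return one finding dict per suspicious leaf part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}  # Content-ID (or a positional key) -> finding
    html_bodies = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())
        reasons = part_reasons(part)
        if reasons:
            cid = str(part.get("Content-ID") or "").strip().strip("<>")
            findings[cid or f"part{idx}"] = {
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "reasons": reasons,
            }
    # Second pass: an HTML body that loads a flagged part by cid: (here in a
    # zero-size iframe) is trying to get the mail client to render/run it.
    for html in html_bodies:
        for cid in CID_RE.findall(html):
            if cid in findings:
                findings[cid]["reasons"].append(f"HTML body references it via cid:{cid}")
    return list(findings.values())


def build_sample(name, ctype, body):
    """Constructed message in the shape of the quoted bounce: multipart/related
    wrapping multipart/alternative, with the HTML part embedding the attachment."""
    b64 = base64.b64encode(body).decode("ascii")
    text = (
        "From: sender@example.com\n"
        "To: webmaster@example.net\n"
        "Subject: Mail Delivery (failure webmaster@example.net)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; type="multipart/alternative"; boundary="outer"\n'
        "\n"
        "--outer\n"
        'Content-Type: multipart/alternative; boundary="inner"\n'
        "\n"
        "--inner\n"
        'Content-Type: text/plain; charset="iso-8859-1"\n'
        "\n"
        "--inner\n"
        'Content-Type: text/html; charset="iso-8859-1"\n'
        "\n"
        "<html><body>Received message is available at:<br>\n"
        "<iframe src=cid:att1@example.com height=0 width=0></iframe>\n"
        "</body></html>\n"
        "--inner--\n"
        "\n"
        "--outer\n"
        f'Content-Type: {ctype}; name="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <att1@example.com>\n"
        "\n"
        f"{b64}\n"
        "--outer--\n"
    )
    return text.encode("ascii")


# Constructed inputs: a PE stub named like the quoted attachment, and a
# genuine RIFF/WAVE header under the same Content-Type for comparison.
MALICIOUS = build_sample("message.scr", "audio/x-wav", b"MZ\x90\x00\x03\x00" + b"\x00" * 58)
CLEAN = build_sample("message.wav", "audio/x-wav", b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 16)

if __name__ == "__main__":
    for finding in scan_message(MALICIOUS):
        print(finding["filename"], finding["content_type"])
        for reason in finding["reasons"]:
            print("  -", reason)
    print("clean sample findings:", scan_message(CLEAN))
```

The constructed copy of the quoted part trips every check: the name ends in .scr, the declared type is audio/x-wav, the base64 decodes to bytes beginning with MZ (the DOS/PE executable header, which is what the quoted "TVqQAAMAAAAEAAAA" line decodes to), and the hidden iframe references it by Content-ID. Looking at the decoded bytes is the check that survives a renamed attachment or a misleading Content-Type, which a rule keyed on the declared type alone does not.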