[Mimedefang] Problem: virus Mabutu.a at MM not being detected
Administrador DyR
systemlogs at dyr.es
Mon Oct 25 05:57:33 EDT 2004
On Mon, 25-10-2004 at 11:25 +0200, Jan Pieter Cornet wrote:
> Hmm... curiously enough, I was made aware of another mabutu-A .zip
> file that flew past the virus filters... however, the zipfile was
> so heavily damaged that I needed "zip -FF" to extract anything (and
> even then, the last 30k was missing, according to the info in the
> zipfile). I didn't see any mention of the virus generating malformed
> zip files, in the description of mabutu.
>
> Do you still have access to that email? Have you tried extracting
> the attachment, and then unpacking it?
Yes. From Linux, using unzip, I can extract and unpack it with no errors
at all.
After doing so, I've run 'file *.scr' and it seems to be a correct
Windows executable file.
> Have you looked at the logfile
> in detail to check whether the virus scanners have reported an error?
> In my case, the virus scanners reported "this is a multipart zip archive".
>
No, it hasn't shown any error message...
> I have yet to try to unpack and run this thing on evil empire
> technology, though, so I have no idea if this was a real damaged virus
> that could do no harm, or if it is a deliberate ploy by the virus to
> bypass filtering (which would be the second way to bypass virusfilters
> using modified zipfiles that I've come across in a short while).
>
I don't know why, but I've just tried to send myself a copy of the infected
message, and MIMEDefang has blocked it properly now... McAfee hasn't
updated its signature file for some days... I haven't touched any
configuration file...
Strange behaviour... Perhaps a MIMEDefang restart fixed it? I don't
know... :-?
At least, I can't reproduce the problem now...
Greetings.
--
David Marín Carreño <systemlogs at dyr.es>
Desarrollo y Recursos, S.L.
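
An added example, not part of the original post and not MIMEDefang code: a Python check for the two archive conditions mentioned in the quoted message (a ZIP that scanners report as multipart, and one whose tail is missing), so a filter can flag the attachment instead of relying on the scanner alone. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory (EOCD) signature
EOCD_FMT = "<4sHHHHIIH"    # fixed 22-byte part of the EOCD record


def zip_anomalies(data: bytes) -> list[str]:
    """Return structural reasons to distrust a ZIP attachment ([] = none found)."""
    if not data.startswith(b"PK\x03\x04"):
        return ["no local file header at offset 0"]
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        return ["end-of-central-directory record missing (truncated archive)"]
    _, disk, cd_disk, n_here, n_total, cd_size, cd_off, _ = struct.unpack_from(
        EOCD_FMT, data, pos)
    found = []
    # A single-file archive has disk numbers 0 and equal entry counts.
    if disk or cd_disk or n_here != n_total:
        found.append("EOCD claims a multi-disk (multipart) archive")
    # The central directory must end at or before the EOCD record.
    if cd_off + cd_size > pos:
        found.append("central directory extends past the data present")
    elif n_total and data[cd_off:cd_off + 4] != b"PK\x01\x02":
        found.append("central directory offset does not point at an entry")
    return found


def sample_zip() -> bytes:
    """Constructed, harmless archive used as test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", b"constructed harmless payload " * 20)
    return buf.getvalue()


if __name__ == "__main__":
    good = sample_zip()
    eocd = good.rfind(EOCD_SIG)
    cases = {
        "intact": good,
        "tail missing": good[:-30],
        "disk number set to 1": good[:eocd + 4] + b"\x01\x00" + good[eocd + 6:],
        "bytes lost mid-file": good[:100] + good[300:],
    }
    for name, blob in cases.items():
        print(f"{name}: {zip_anomalies(blob) or 'no anomalies'}")
```

A non-empty result only says the container is inconsistent; what to do with such a message (quarantine, reject, pass with a tag) is a local policy decision.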