[Mimedefang] Problem: virus Mabutu.a at MM not being detected

Jan Pieter Cornet johnpc at xs4all.nl
Mon Oct 25 05:25:24 EDT 2004


On Mon, Oct 25, 2004 at 10:13:09AM +0200, Administrador DyR wrote:
> I've just received an email with a suspicious .zip attachment. After
> inspecting it, these are its contents, as they are shown by :
> 
> "INTRODUCCIón AL SOFTWARE LIBRE.TXT\n\n                 .SCR"
> 
> The two '\n' are, currently, two new-line characters.
> 
> I've run "uvscan -u --mime suspicious-file.zip" and McAfee has found the
> W32/Mabutu.a at MM virus.
> 
> However, it seems Mimedefang is not detecting it. 
> 
> I've tested Mimedefang sending me a message with EICAR test attached,
> and it was correctly blocked, so I think my setup is OK (watching the
> logs, the mail server keeps on blocking messages with virus).
> 
> I've got Mimedefang 2.44, with SpamAssassin 3.0 and
> MIME-tools-5.411a-RP-Patched-02.
> 
> Perhaps a bug in MIME-tools or Mimedefang?

Hmm... curiously enough, I was made aware of another mabutu-A .zip
file that flew past the virus filters... however, the zipfile was
so heavily damaged that I needed "zip -FF" to extract anything (and
even then, the last 30k was missing, according to the info in the
zipfile). I didn't see any mention of the virus generating malformed
zip files, in the description of mabutu.

Do you still have access to that email? Have you tried extracting
the attachment, and then unpacking it? Have you looked at the logfile
in detail to check whether the virus scanners have reported an error?
In my case, the virus scanners reported "this is a multipart zip archive".

I have yet to try to unpack and run this thing on evil empire
technology, though, so I have no idea if this was a real damaged virus
that could do no harm, or if it is a deliberate ploy by the virus to
bypass filtering (which would be the second way to bypass virus filters
using modified zipfiles that I've come across in a short while).

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
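A filter-side check for the two things this thread turns on: a member name that shows ".TXT" on its first line but really ends in ".SCR" behind newlines and padding, and a zip that is truncated or multipart, which a scanner may reject with an error instead of inspecting. This is an added Python example, not code from MIMEDefang or from either poster; the sample name and archive bytes are constructed, and the list of executable extensions is an assumption.

```python
import io
import re
import struct
import zipfile
# Constructed member name modelled on the one quoted above: a .TXT name, two
# newlines, a run of spaces, then the real .SCR extension on the last line.
DISGUISED_NAME = "INTRODUCCIón AL SOFTWARE LIBRE.TXT\n\n                 .SCR"
EXEC_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs"}  # assumed list

def filename_findings(name):
    """Flag a name whose first line shows one extension but really ends in another."""
    findings = []
    if re.search(r"[\x00-\x1f\x7f]", name):
        findings.append("control characters in filename")
    real_ext = name.rsplit(".", 1)[-1].strip().lower() if "." in name else ""
    shown = name.splitlines()[0] if name else ""
    shown_ext = shown.rsplit(".", 1)[-1].strip().lower() if "." in shown else ""
    if real_ext in EXEC_EXTS and shown_ext != real_ext:
        findings.append(f"executable extension .{real_ext} hidden behind .{shown_ext}")
    return findings

def archive_findings(data):
    """Flag zip payloads a scanner may reject or skip instead of inspecting."""
    if not data.startswith(b"PK"):
        return ["not a zip archive"]
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        return ["end-of-central-directory missing (truncated or damaged)"]
    findings = []
    disk, cd_disk, here, total = struct.unpack("<HHHH", data[eocd + 4:eocd + 12])
    if disk != 0 or cd_disk != 0 or here != total:
        findings.append("multipart (spanned) archive")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # first member failing its CRC, if any
            if bad is not None:
                findings.append(f"CRC error in member {bad!r}")
            for info in zf.infolist():  # inner names get the same checks
                findings.extend(filename_findings(info.filename))
    except zipfile.BadZipFile as exc:
        findings.append(f"unreadable archive: {exc}")
    return findings

def build_sample_zip(member_name):  # constructed sample, harmless stored bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"constructed placeholder, not a real binary")
    return buf.getvalue()

INTACT = build_sample_zip(DISGUISED_NAME)
TRUNCATED = INTACT[:-30]  # mimic the damaged archive that needed "zip -FF"
```

Either kind of finding is a reason to quarantine the message rather than trust a scanner that reported an error, since an archive the scanner could not read is exactly the one it could not clear.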
