[Mimedefang] Virus File getting through...

renaud pascal renaud.pascal at atosorigin.com
Fri Feb 29 12:21:23 EST 2008


On Friday 29 February 2008, Kevin A. McGrail wrote:
> I've seen a new attack vector where a PDF file (from outward appearances) 
> contains a trojan called downloader BUT the pdf is embedded in a Word 
> Document.
> 
> This vector bypasses McAfee and Symantec for the word document but seemingly 
> catches the PDF file directly.
> 
> I've placed this file on a website:
> 
> ***WARNING: THIS IS A MALICIOUS FILE****
> 
> http://www.peregrinehw.com/html/downloads/junk/word_document_with_virus-trojan-downloader.doc
> 
> ***WARNING: THIS IS A MALICIOUS FILE

 Hey, that's three times you say it's a .doc!

> **** 
> 
> Anyone have any thoughts about how to block this?

 Yes, but not so practical in a PHB environment, add it to the $bad_exts

> I think ClamAV catches it  
> and I'm testing that but I'm looking for something more elegant if this 
> explodes as a new delivery method.

 That may well be the time we all were waiting, panting, the time we
could explain to the users and they would understand, why the hell
sending a .doc (and akin) is just not evil but simply plain stupid ;-)

 That may even be the time to eradicate a few related irritating stuff,
just a couple of ideas;
$ awk 'NR>3{exit} /Msft/{print "FOOT AIM SHOOT"}'
$ awk 'NR>3{exit} /contains an embedded object/{print "KILLME"}'

 Ah! I'll have to HUP this mail now as I see my PHB's coming fast
on here, looks weird, as a BBerry in one hand and doing strange
moves with the others ;->
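
Adding .doc to $bad_exts, as the reply suggests, trusts the attachment's file name; a content check does not. The following is an added example (not part of the original post and not MIMEDefang code) that flags OLE2 compound files and the ObjectPool storage that binary Word documents use for embedded objects; the function names and the sample files are hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example: classify an attachment by content, not by file name.
# Assumption: a binary Word file is an OLE2 compound file, and Word keeps
# embedded objects under a storage named "ObjectPool" (name is UTF-16LE).
# This is a heuristic byte scan, not a compound-file parser.

OLE2_MAGIC="d0cf11e0a1b11ae1"

# Print the first 8 bytes of a file as lowercase hex.
magic_of() {
    head -c 8 "$1" | od -An -tx1 | tr -d ' \n'
}

# Prints one of: unreadable, not-ole2, ole2, ole2-embedded
classify_attachment() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    if [ "$(magic_of "$1")" != "$OLE2_MAGIC" ]; then
        echo "not-ole2"
        return 0
    fi
    # Storage names are UTF-16LE; dropping NUL bytes makes them greppable.
    if tr -d '\000' < "$1" | LC_ALL=C grep -a -q 'ObjectPool'; then
        echo "ole2-embedded"
    else
        echo "ole2"
    fi
}

# Constructed sample files (not real documents): magic bytes plus filler.
make_samples() {
    # OLE2 content hiding behind a .pdf name, no embedded-object marker.
    printf '\320\317\021\340\241\261\032\341plain body' > "$1/invoice.pdf"
    # OLE2 content with "WordDocument" and "ObjectPool" names in UTF-16LE.
    printf '\320\317\021\340\241\261\032\341W\000o\000r\000d\000D\000o\000c\000u\000m\000e\000n\000t\000O\000b\000j\000e\000c\000t\000P\000o\000o\000l\000' > "$1/report.doc"
    # A file that really starts with a PDF header.
    printf '%%PDF-1.4 constructed' > "$1/real.pdf"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(classify_attachment "$f")"
done
rm -rf "$demo_dir"
```

A result of ole2-embedded only says that the marker is present; deciding whether to quarantine or reject such a message is a policy choice for the filter.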
