Re: f-prot not catching mimail ?

[psz () maths usyd edu au (Paul Szabo)]

Mike Tancsa <mike () sentex net> wrote:

> I have a few copies of the mimail virus from yesterday that f-prot even 
> with its latest updates do not catch.  Both the Windows and FreeBSD version 
> fail to identify the two main variants I have got sent my way.

I found the same lack of detection, on Linux.

Normally I save the suspect email message as a "UNIX mbox" file and feed
that to f-prot; it then finds the attached ZIP within, and the files
contained within the ZIP. However with Mimail, it does not detect the ZIP
within the message. If I unpack the ZIP from the message, then the HTM from
the ZIP, and finally the EXE from the HTM, then f-prot seems to skip all
those except for the EXE, which it detects correctly.

I cannot see anything "special" in the MIME structure of Mimail that would
cause f-prot to miss the ZIP attachment (or maybe it is the structure of
the ZIP that f-prot cannot unpack?).

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report  -  4 August 2003 @ 7:26

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html