
[AMaViS-user] Someone missed a virus..


Michael Scheidell

Jun 15, 2007, 3:30:08 PM
Well, an attachment, a 0 day virus.

How do we block an exe inside a .doc?

Maybe hackers/spammers have found a way around Anti-Virus software, or
at least, attachment blocking.

Spam came in, with a 'proforma invoice' attached.
(if you want to see it, http://www.secnap.com/downloads/proforma.eml)


Click on the proforma invoice.doc, ALMOST open it. (or run strings on
it)

See a self executable zip file (.exe)

Proforma_Invoice.exe
C:\PROFOR~1.EXE
C:\PROFOR~1.EXE


'file Proforma_Invoice.doc' shows:

Proforma_Invoice.doc: Microsoft Office Document

file -i Proforma_Invoice.doc shows:
application/msword

Clamav and CA didn't see it as a virus.
(Two hours later, after submitting to vi...@ca.com and clamav, clam
finds it:
clamdscan Proforma_Invoice.doc
/tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.201 sec (0 m 0 s)

So, I assume clamav can find its way in.

CA says it is:

"This is to notify you of the results of your submission, issue number
1012270. Please keep this issue number for future reference.

With regards to the file "proforma_invoice.exe" submitted by you on 16
Jun 00:18:00 (Australian Eastern Standard Time), we have added cure
instructions for Win32/Banbot.L to the signature files.

The Windows PE (I386,EXE) file "proforma_invoice.exe" has been
determined to be malicious. Our researchers have analyzed the file and
confirmed the result.

Aliases reported by other AV products are listed here:
(Generic Dropper.p)"

We don't block .doc, but we do block exe's.

We do (I think) block exe's inside zip, but how do we block a .exe
inside a .doc?

Might be my fault, still using the old reg_ne stuff for attachments.

Keep meaning to do the SQL based stuff and haven't.

Relevant configs:

amavisd.conf:

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',  # banned file(1) types, rudimentary

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$' => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,  # banned extensions - rudimentary
# qr'^\.zip$',  # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
         inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
         ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
         wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
  qr'.\.(ani|cur|ico)$'i,  # banned cursors and icons filename

  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Noel Jones

Jun 15, 2007, 3:47:31 PM
At 02:27 PM 6/15/2007, Michael Scheidell wrote:
>Well, an attachment, a 0 day virus.
>
>How do we block an exe inside a .doc?

I believe if you have the 'ripole' tool and uncomment (or add) the
@decoders entry
# 'doc', \&do_ole, 'ripole'
Then the .exe file will be available to the regular banned_filename_* tools.
Haven't tested this lately, but it used to (mostly) work. Sometimes
the ripole tool gets confused, but it seems to work on this particular doc.

ripole can be found at http://www.pldaniels.com/ripole/

--
Noel Jones

Noel Jones

Jun 15, 2007, 3:52:15 PM
At 02:44 PM 6/15/2007, Noel Jones wrote:
>At 02:27 PM 6/15/2007, Michael Scheidell wrote:
> >Well, an attachment, a 0 day virus.
> >
> >How do we block an exe inside a .doc?
>
>I believe if you have the 'ripole' tool and uncomment (or add) the
>@decoders entry
># 'doc', \&do_ole, 'ripole'

Oops, that's not the whole line for @decoders, it should look like:
['doc', \&do_ole, 'ripole'],

--
Noel Jones

Bill Landry

Jun 15, 2007, 3:53:34 PM
Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
> Well, an attachment, a 0 day virus.
>
> How do we block an exe inside a .doc?
>
> Maybe hackers/spammers have found a way around Anti-Virus software, or
> at least, attachment blocking.
>
> Spam came in, with a 'proforma invoice' attached.
> (if you want to see it, http://www.secnap.com/downloads/proforma.eml)
>
>
> Click on the proforma invoice.doc, ALMOST open it. (or run strings on
> it)
>
> See a self executable zip file (.exe)
>
> Proforma_Invoice.exe
> C:\PROFOR~1.EXE
> C:\PROFOR~1.EXE
>
>
> 'file Proforma_Invoice.doc' shows:
>
> Proforma_Invoice.doc: Microsoft Office Document
>
> file -i Proforma_Invoice.doc shows:
> application/msword
>
> Clamav and CA didn't see it as a virus.
> (Two hours later, after submitting to vi...@ca.com and clamav, clam
> finds it:
> clamdscan Proforma_Invoice.doc
> /tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND
>
Thanks for reporting this one Michael, malware distributors are getting
more creative all the time. Just as an FYI, since I am using the recent
"$bypass_decode_parts = 1" feature that disables all decoding by
amavisd-new and instead passes the raw messages to the virus scanner(s)
and relies on the decoding supported by the virus scanner itself. In
this case I run both clamd and f-prot, and both were able to detect the
trojan inside the .doc file, without any decoding on the part of
amavisd-new:

F-Prot:
/var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe
is a security risk named W32/Dropper.ESR

ClamD:
/var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND

Thanks again, Mark, for adding the ability to bypass all decoding in
amavisd-new, it seems to be working fine for me thus far.

Bill

Michael Scheidell

Jun 15, 2007, 3:57:29 PM

Yes, but you only got that because I reported it to clamav at CA:

(I use clamav, and at the time, it wasn't in the file:

If you had checked that earlier (before daily/3430) you would have
missed it.


-------- Original Message --------
Subject: Your submission to ClamAV
Date: Fri, 15 Jun 2007 19:22:27 +0000 (GMT)
From: ClamAV <mailer...@clamav.net>
To: sche...@secnap.net


Dear ClamAV user,

The following submissions have been processed and published:
- 1213966 Trojan.Dropper-1046

See http://cvdpedia.clamav.net/daily/3430

--
Best regards,
The ClamAV team



Michael Scheidell

Jun 15, 2007, 3:59:02 PM

> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Noel Jones
> Sent: Friday, June 15, 2007 3:45 PM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> At 02:27 PM 6/15/2007, Michael Scheidell wrote:
> >Well, an attachment, a 0 day virus.
> >
> >How do we block an exe inside a .doc?
>
> I believe if you have the 'ripole' tool and uncomment (or
> add) the @decoders entry
> # 'doc', \&do_ole, 'ripole'
> Then the .exe file will be available to the regular
> banned_filename_* tools.
> Haven't tested this lately, but it used to (mostly) work.
> Sometimes the ripole tool gets confused, but it seems to work
> on this particular doc.
>
> ripole can be found at http://www.pldaniels.com/ripole/

I think there was some talk about problems with ripole, Mark???

I think that is why it's disabled by default:

grep ripole /usr/local/etc/amavisd.conf
# ['doc', \&do_ole, 'ripole'],

Bill Landry

Jun 15, 2007, 4:05:08 PM
Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:
>> -----Original Message-----
>> From: amavis-us...@lists.sourceforge.net
>> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
>> Of Bill Landry
>> Sent: Friday, June 15, 2007 3:51 PM
>> To: amavi...@lists.sourceforge.net
>> Subject: Re: [AMaViS-user] Someone missed a virus..
>>
>> Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
>> Thanks for reporting this one Michael, malware distributors
>> are getting more creative all the time. Just as an FYI,
>> since I am using the recent "$bypass_decode_parts = 1"
>> feature that disables all decoding by amavisd-new and instead
>> passes the raw messages to the virus scanner(s) and relies on
>> the decoding supported by the virus scanner itself. In this
>> case I run both clamd and f-prot, and both were able to
>> detect the trojan inside the .doc file, without any decoding
>> on the part of
>> amavisd-new:
>>
>> F-Prot:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc
>>
> ->Proforma_Invoice.exe
>
>> is a security risk named W32/Dropper.ESR
>>
>> ClamD:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND
>>
>> Thanks again, Mark, for adding the ability to bypass all
>> decoding in amavisd-new, it seems to be working fine for me thus far.
>>
>
> Yes, but you only got that because I reported it to clamav at CA:
>
> (I use clamav, and at the time, it wasn't in the file:
>
> If you had checked that earlier (before daily/3430) you would have
> missed it.
>
I don't disagree. My comment was more toward the fact that many virus
scanners now support mime decoding and file unpacking themselves and
thus the decoding feature of amavisd-new can be disabled (meaning no
need to install and use unpackers within amavisd.conf, like ripole),
which also possibly removes the requirement to try and work around files
embedded in other files or mis-labeled file formats within amavisd.conf.

Anyway, it was simply an observation on my part.

Bill

Michael Scheidell

Jun 15, 2007, 4:11:30 PM
Bill Landry wrote:
> Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:

> I don't disagree. My comment was more toward the fact that many virus
> scanners now support mime decoding and file unpacking themselves and
> thus the decoding feature of amavisd-new can be disabled (meaning no
> need to install and use unpackers within amavisd.conf, like ripole),
> which also possibly removes the requirement to try and work around
> files embedded in other files or mis-labeled file formats within
> amavisd.conf.
>
> Anyway, it was simply an observation on my part.
>
> Bill
>

I was hoping to block (use amavisd-new banned quarantine) on any .doc
with an embedded .exe in it.



Noel Jones

Jun 15, 2007, 4:13:53 PM
At 03:02 PM 6/15/2007, Bill Landry wrote:
> >
>I don't disagree. My comment was more toward the fact that many virus
>scanners now support mime decoding and file unpacking themselves and
>thus the decoding feature of amavisd-new can be disabled (meaning no
>need to install and use unpackers within amavisd.conf, like ripole),

Amavisd-new cannot detect doc files with embedded executables without
performing the decoding and running ripole. Skipping the
decoding/unpacking greatly reduces the effectiveness of the
banned_filenames feature of amavisd-new.
Clamav can scan for malware in document files, but it must already
have a signature.

--
Noel Jones

Noel Jones

Jun 15, 2007, 4:18:56 PM
At 02:56 PM 6/15/2007, Michael Scheidell wrote:
>I think there was some talk about problems with ripole, Mark???
>
>I think that is why it's disabled by default:
>
> grep ripole /usr/local/etc/amavisd.conf
># ['doc', \&do_ole, 'ripole'],

Sometimes ripole gets confused and reports an error (used to coredump
sometimes, but haven't seen that lately). This doesn't seem to
affect amavisd-new operation.

So while ripole may not be 100% stable and reliable, it has never
been known to pose a security risk or to break amavisd-new.

I've been using ripole with amavisd-new for quite some time with no
apparent problems. I would recommend using the -devel version of
ripole (apparently last updated 2005-12-31) if you're interested.

Michael Scheidell

Jun 15, 2007, 4:51:04 PM

> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Noel Jones
> Sent: Friday, June 15, 2007 4:16 PM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>

> At 02:56 PM 6/15/2007, Michael Scheidell wrote:
> >I think there was some talk about problems with ripole, Mark???
> >
> >I think that is why it's disabled by default:
> >
> > grep ripole /usr/local/etc/amavisd.conf
> ># ['doc', \&do_ole, 'ripole'],
>
> Sometimes ripole gets confused and reports an error (used to
> coredump sometimes, but haven't seen that lately). This
> doesn't seem to affect amavisd-new operation.


Yep, it saw it:

ripole -v -i Proforma_Invoice.doc -d /tmp
Decoding filename=Proforma_Invoice.exe

Mark: I googled looking for why ripole is commented out.

Any comments?



Mark Martinec

Jun 15, 2007, 5:11:39 PM
Michael,

> Mark: I googled looking for why ripole is commented out.

I forgot the details. Mostly because it crashes from time to time
(which is a signal for security-conscious mind), and is unable
to decode many OLE documents.

Mark

Michael Scheidell

Jun 15, 2007, 5:42:31 PM
> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Mark Martinec
> Sent: Friday, June 15, 2007 5:09 PM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> Michael,
>
> > Mark: I googled looking for why ripole is commented out.
>
> I forgot the details. Mostly because it crashes from time to
> time (which is a signal for security-conscious mind), and is
> unable to decode many OLE documents.

So I guess a patch to enable it and require ripole for the FreeBSD ports
is a bad idea!



Michael Scheidell

Jun 15, 2007, 6:21:55 PM

> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Noel Jones
> Sent: Friday, June 15, 2007 4:11 PM
> To: Amavis-User Mail List
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> At 03:02 PM 6/15/2007, Bill Landry wrote:
> > >
> >I don't disagree. My comment was more toward the fact that
> many virus
> >scanners now support mime decoding and file unpacking themselves and
> >thus the decoding feature of amavisd-new can be disabled (meaning no
> >need to install and use unpackers within amavisd.conf, like ripole),
>

I am not sure it works as expected:

Jun 15 18:01:02 smtp1 amavis[35096]: (35096-07) Passed CLEAN,
[204.89.241.173] <sche...@secnap.net> -> <jla...@454.com>,
Message-ID: <B3BCAF4246A8A84983A...@secnap2.secnap.com>,
mail_id: fnMl3GaRqFpe, Hits: -, size: 625100, queued_as: 90DAB50242F,
1371 ms

I am whitelisted at that location, but should not affect banned
attachments.

In amavisd.conf:


['doc', \&do_ole, 'ripole'],

grep ripole /var/log/maillog:

Jun 15 17:44:23 smtp1 amavis[33994]: Found decoder for .doc at
/usr/local/bin/ripole

Send an email with an embedded 'package' (exe) in it:

ripole -v -i this\ is\ a\ openvpn\ gui.doc -d /tmp
Decoding filename=openvpn_2.0.1ms1.exe

Email at http://www.secnap.com/downloads/withdoc.eml

Noel Jones

Jun 15, 2007, 7:18:02 PM
At 05:18 PM 6/15/2007, Michael Scheidell wrote:

>I am not sure it works as expected:
>
>Jun 15 18:01:02 smtp1 amavis[35096]: (35096-07) Passed CLEAN,
>[204.89.241.173] <sche...@secnap.net> -> <jla...@454.com>,
>Message-ID: <B3BCAF4246A8A84983A...@secnap2.secnap.com>,
>mail_id: fnMl3GaRqFpe, Hits: -, size: 625100, queued_as: 90DAB50242F,
>1371 ms
>
>I am whitelisted at that location, but should not affect banned
>attachments.

Hmm, just tested it here, didn't catch it for me either. I could
have sworn this worked before...

Ah, here's the problem...
# file test_document_with_EXE.doc
test_document_with_EXE.doc: Microsoft Installer

Eh??? Sure enough, file(1) reports all .doc files I tested (even
without embedded stuff) as "Microsoft Installer".

(file-4.21 from FreeBSD ports)

Quick edit to /usr/local/sbin/amavisd...
--- amavisd.2.5.1 Fri Jun 15 18:02:10 2007
+++ amavisd Fri Jun 15 18:07:31 2007
@@ -983,4 +983,5 @@
[qr/^Rich Text Format data\b/ => 'rtf'],
[qr/^Microsoft Office Document\b/i => 'doc'], # OLE2: doc,
ppt, xls, ...
+ [qr/^Microsoft Installer\b/i => 'doc'], # OLE2: doc, ppt, xls, ...
[qr/^ms-windows meta(file|font)\b/i => 'wmf'],
[qr/^LaTeX\b.*\bdocument text\b/ => 'lat'],
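Review bot: the new entry's comment `# OLE2: doc, ppt, xls, ...` is copied from the line above and hides why the string "Microsoft Installer" is being mapped to 'doc'; a later reader of sbin/amavisd would assume MSI packages are meant to be treated as Office documents. Suggest a comment that states the reason, e.g. `+ [qr/^Microsoft Installer\b/i => 'doc'], # workaround: file-4.21 reports OLE2 docs as MSI`, and note that genuine .msi packages (which are OLE2 compound files as well) will now also be handed to the 'doc' decoder, so the ripole stability concerns raised earlier in this thread apply to them too.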

And now it blocks it...
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type:
multipart/mixed
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1
Content-Type: text/plain, size: 14 B, name:
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2
Content-Type: application/msword, size: 216576 B, name:
test_document_with_EXE.doc
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1
njo...@mgate2.vbhcs.org: "P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc
| P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe",
matching_key="(?-xism:^\\.(exe-ms|dll)$)"


--
Noel Jones

Michael Scheidell

Jun 15, 2007, 7:32:14 PM
Noel Jones wrote:
>
> Hmm, just tested it here, didn't catch it for me either. I could have
> sworn this worked before...
>
> Ah, here's the problem...
> # file test_document_with_EXE.doc
> test_document_with_EXE.doc: Microsoft Installer
>
> Eh??? Sure enough, file(1) reports all .doc files I tested (even
> without embedded stuff) as "Microsoft Installer".
>
For me, I see all doc files as... well, doc files. (These are the two
test cases I linked to earlier.)
Noel: can you check these two files?
Is this REALLY a Word document? (The original WAS a real Word document),
with an embedded 'package'.

This is the original virus: http://www.secnap.com/downloads/virus.eml:

file -i Proforma_Invoice.doc
Proforma_Invoice.doc: application/msword

file Proforma_Invoice.doc
Proforma_Invoice.doc: Microsoft Office Document

This is the one I made in Word today (without a real virus, but has an
embedded .exe):
http://www.secnap.com/downloads/withdoc.eml

file -i this*
this is a openvpn gui.doc: application/msword

> (file-4.21 from FreeBSD ports)
>
> Quick edit to /usr/local/sbin/amavisd...
> --- amavisd.2.5.1 Fri Jun 15 18:02:10 2007
> +++ amavisd Fri Jun 15 18:07:31 2007
> @@ -983,4 +983,5 @@
> [qr/^Rich Text Format data\b/ => 'rtf'],
> [qr/^Microsoft Office Document\b/i => 'doc'], # OLE2: doc, ppt,
> xls, ...
> + [qr/^Microsoft Installer\b/i => 'doc'], # OLE2: doc, ppt, xls, ...
> [qr/^ms-windows meta(file|font)\b/i => 'wmf'],
> [qr/^LaTeX\b.*\bdocument text\b/ => 'lat'],
>
> And now it blocks it...
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type:
> multipart/mixed
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1
> Content-Type: text/plain, size: 14 B, name:
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2
> Content-Type: application/msword, size: 216576 B, name:
> test_document_with_EXE.doc
> Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1
> njo...@mgate2.vbhcs.org: "P=p003,L=1,M=multipart/mixed |
> P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc |
> P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe",
> matching_key="(?-xism:^\\.(exe-ms|dll)$)"
>
>


Noel Jones

Jun 15, 2007, 7:43:57 PM
At 06:29 PM 6/15/2007, Michael Scheidell wrote:

>Noel Jones wrote:
>>Eh??? Sure enough, file(1) reports all .doc files I tested (even
>>without embedded stuff) as "Microsoft Installer".
>for me, I see all doc files as... well, doc files. (these are the
>two test cases I linked to earlier)
>Noel: can you check these two files?
>is this REALLY a word document? (the original WAS a real word
>document), with an embedded 'package'.
>
>file -i Proforma_Invoice.doc
>Proforma_Invoice.doc: application/msword

IIRC, amavisd-new does not use the -i flag on file(1). I believe it
calls file with no flags and parses the returned text.

# file *doc
this is a openvpn gui.doc: Microsoft Installer

# file -i *doc
this is a openvpn gui.doc: application/msword

Apply my little patch to sbin/amavisd and try again... That was what
fixed it for me.

--
Noel Jones

Mark Martinec

Jun 15, 2007, 8:06:56 PM
Noel,

> IIRC, amavisd-new does not use the -i flag on file(1). I believe it
> calls file with no flags and parses the returned text.

True. Intentionally.
The mime type as returned by file(1) is usually less
selective than the default output.

> # file *doc
> this is a openvpn gui.doc: Microsoft Installer
>
> # file -i *doc
> this is a openvpn gui.doc: application/msword
>
> Apply my little patch to sbin/amavisd and try again... That was what
> fixed it for me.

Seems the -i works better for this particular file,
although generally it is the other way around in my experience.

Mark

Noel Jones

Jun 15, 2007, 8:56:25 PM
At 07:04 PM 6/15/2007, Mark Martinec wrote:

>Seems the -i works better for this particular file,
>although generally it is the other way around in my experience.

On my system file(1) (file-4.21 from FreeBSD ports) classifies *all*
MS Word and Excel documents as "Microsoft Installer", not just this
one example.

If everyone gets this same result, I would call it a bug in file(1).

--
Noel Jones

MrC

Jun 16, 2007, 12:20:59 AM
I think this is a bug as well.

A PowerPoint document shows up as Microsoft Installer. The reason for this
is that the magic data file has this magic string commented out because of
false positives with PowerPoint:

# False positive with PPT
#0  string  \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF  Microsoft Installer
...

But later in the file, it is alive and well:

0  string  \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF  Microsoft Installer

Immediately following it is:

0  string  \320\317\021\340\241\261\032\341  Microsoft Office Document

which when converted to hex :

0  string  \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1  Microsoft Office Document

is exactly the same initial 8 bytes as the previous entry.

All three test files (empty word .doc, empty powerpoint.ppt, and the
virus-laden Proforma_Invoice.doc file) match the Microsoft Installer entry.
I presume the second entry should have been commented out as well. I've
reported the findings to Christos Zoulas.

As an aside, only 5 of the scanners at virus.org noted detection.

Virus Found:

ArcaVir 1.0.4 Trojan.Dropper.Delf.Aem
ClamAV 0.90/3436 Trojan.Dropper-1047
F-PROT 4.6.7 W32/Dropper.ESR
F-Secure 1.02 Trojan-Dropper.Win32.Delf.aem [AVP]
Trend Micro 8.310-1002 TROJ_DROPPER.HKZ

No Virus Found:

avast! 3.0.0
AVG Anti Virus 7.5.47
BitDefender 7.1
CAT QuickHeal 9.00
Dr. Web 4.33.0
H+BEDV AntiVir 2.1.10-47
McAfee Virusscan 5.10.0
NOD32 2.51.1
Norman Virus Control 5.70.01
Panda 9.00.00
Sophos Sweep 4.17.0
VBA32 3.12.0.2
VirusBuster 1.3.3


MrC

> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Noel Jones
> Sent: Friday, June 15, 2007 5:54 PM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
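
As an added example (not code from this thread, from amavisd-new or from file(1)), the script below decodes the OLE2 header fields that file-4.21's 30-byte "Microsoft Installer" rule hard-codes, showing why it fires on any version-3 compound document with a null CLSID, and walks the compound-file directory to flag the `\x01Ole10Native` stream in which an embedded OLE Package (the .exe in the sample .doc) is stored, which is the condition Michael wanted to ban. The sample document is constructed in code, and the single-FAT-sector limit and the linear directory walk are simplifications of the full format.

```python
import struct

# Constructed example, not code from the thread or from amavisd-new/file(1).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# What file-4.21's "Microsoft Installer" rule expects right after the magic:
# a null CLSID (16 bytes), minor version 0x3E, major version 3, byte order 0xFFFE.
# Every version-3 compound file with a null CLSID carries exactly these bytes.
INSTALLER_RULE = OLE2_MAGIC + b"\x00" * 16 + b"\x3E\x00\x03\x00\xFE\xFF"

FATSECT, ENDOFCHAIN, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
PACKAGE_STREAM = "\x01Ole10Native"  # stream holding an embedded OLE Package


def matches_installer_rule(data):
    """True when the 30-byte 'Microsoft Installer' magic fires on this file."""
    return data[:len(INSTALLER_RULE)] == INSTALLER_RULE


def parse_header(data):
    """Decode the header fields that the buggy magic rule hard-codes."""
    if data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound file")
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    fat_count, dir_start = struct.unpack_from("<II", data, 44)
    return {"clsid": data[8:24], "minor": minor, "major": major,
            "byte_order": byte_order, "sector_size": 1 << sector_shift,
            "fat_count": fat_count, "dir_start": dir_start,
            "difat0": struct.unpack_from("<I", data, 76)[0]}


def list_entries(data):
    """Return (name, type, size) for every used directory entry.

    Directory sectors are followed through the FAT; entries are read linearly
    rather than via the red-black tree, so streams nested inside storages
    (Word keeps packages under ObjectPool/_NNN/) are listed as well.
    Assumes one FAT sector, referenced from the first DIFAT slot.
    """
    hdr = parse_header(data)
    ss = hdr["sector_size"]
    sector = lambda n: data[(n + 1) * ss:(n + 2) * ss]  # sector 0 follows the header
    fat = struct.unpack("<%dI" % (ss // 4), sector(hdr["difat0"]))
    entries, sid, seen = [], hdr["dir_start"], set()
    while sid != ENDOFCHAIN and sid not in seen:
        seen.add(sid)
        chunk = sector(sid)
        for off in range(0, ss, 128):
            name_len, etype = struct.unpack_from("<HB", chunk, off + 64)
            if etype == 0 or name_len < 2:
                continue  # unused slot
            name = chunk[off:off + name_len - 2].decode("utf-16-le")
            size = struct.unpack_from("<I", chunk, off + 120)[0]
            entries.append((name, etype, size))
        sid = fat[sid]
    return entries


def has_embedded_package(data):
    """The condition the thread wanted to ban: a document with an OLE Package stream."""
    return any(n == PACKAGE_STREAM and t == TYPE_STREAM for n, t, _ in list_entries(data))


def build_sample_doc(embed_exe):
    """Construct a minimal 3-sector OLE2 file (header, FAT, directory).

    Constructed test data only; it is not a real Word document.
    """
    ss = 512
    header = bytearray(ss)
    header[:8] = OLE2_MAGIC                          # CLSID at 8..24 stays null
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, order, shifts
    struct.pack_into("<II", header, 44, 1, 1)        # 1 FAT sector, directory at sector 1
    struct.pack_into("<I", header, 60, ENDOFCHAIN)   # no mini FAT
    struct.pack_into("<I", header, 68, ENDOFCHAIN)   # no extra DIFAT sectors
    header[76:] = b"\xFF" * (ss - 76)                # DIFAT: all free ...
    struct.pack_into("<I", header, 76, 0)            # ... except slot 0: FAT is sector 0
    fat = bytearray(b"\xFF" * ss)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)  # sector 0 = FAT, sector 1 ends chain
    names = [("Root Entry", TYPE_ROOT), ("WordDocument", TYPE_STREAM)]
    if embed_exe:
        names.append((PACKAGE_STREAM, TYPE_STREAM))
    directory = bytearray(ss)
    for i, (name, etype) in enumerate(names):
        off = i * 128
        enc = name.encode("utf-16-le") + b"\x00\x00"
        directory[off:off + len(enc)] = enc
        struct.pack_into("<HB", directory, off + 64, len(enc), etype)
        # left sibling, right sibling, child: root -> entry 1, entry 1 -> entry 2
        right = i + 1 if (i == 1 and embed_exe) else NOSTREAM
        struct.pack_into("<III", directory, off + 68, NOSTREAM, right, 1 if i == 0 else NOSTREAM)
    return bytes(header + fat + directory)


if __name__ == "__main__":
    doc = build_sample_doc(embed_exe=True)
    h = parse_header(doc)
    print("installer rule fires:", matches_installer_rule(doc))
    print("version %d.%d, byte order %#x" % (h["major"], h["minor"], h["byte_order"]))
    print("entries:", [n for n, _, _ in list_entries(doc)])
    print("embedded package:", has_embedded_package(doc))
```

Run against a real .doc, the same walk is what a gateway would use to ban on the package stream regardless of what file(1) calls the container.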

Michael Scheidell

Jun 16, 2007, 7:30:03 AM

> -----Original Message-----
> From: Noel Jones [mailto:njo...@megan.vbhcs.org]
> Sent: Friday, June 15, 2007 7:39 PM
> To: Michael Scheidell
> Cc: Amavis-User Mail List
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
>
> At 06:29 PM 6/15/2007, Michael Scheidell wrote:
> >Noel Jones wrote:
> >>Eh??? Sure enough, file(1) reports all .doc files I tested (even
> >>without embedded stuff) as "Microsoft Installer".
> >for me, I see all doc files as... well, doc files. (these are the
> >two test cases I linked to earlier)
> >Noel: can you check these two files?
> >is this REALLY a word document? (the original WAS a real word
> >document), with an embedded 'package'.
> >
> >file -i Proforma_Invoice.doc
> >Proforma_Invoice.doc: application/msword
>
> IIRC, amavisd-new does not use the -i flag on file(1). I believe it
> calls file with no flags and parses the returned text.
>
> # file *doc
> this is a openvpn gui.doc: Microsoft Installer

Then your copy of file is corrupted.
Mine (and everyone else's?)

Says this:

file *doc
this is a openvpn gui.doc: Microsoft Office Document


>
> Apply my little patch to sbin/amavisd and try again... That was what
> fixed it for me.

No, fix file.

My problem must be something else.


Michael Scheidell

Jun 16, 2007, 7:39:08 AM

> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf Of MrC
> Sent: Saturday, June 16, 2007 12:18 AM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
>
> I think this is a bug as well.

Yes, looks like it's whatever version of file you are running.

But, FreeBSD 'file' (/usr/bin/file) from distro was right, the ports
file was wrong.
/usr/bin/file *doc
this is a openvpn gui.doc: Microsoft Office Document

file --version
file-4.10
magic file from /usr/share/misc/magic
which file
/usr/bin/file

Guess we have a path problem:

ls -l /usr/local/bin/file
-r-xr-xr-x 1 root wheel 11232 Jun 1 07:36 /usr/local/bin/file
fl# ls -l /usr/bin/file
-r-xr-xr-x 1 root wheel 10300 Nov 8 2006 /usr/bin/file

But, amavisd-new will use /usr/local/bin/file first?
tail -200 /var/log/maillog | grep file
Jun 16 07:34:44 fl amavis[15952]: Found $file at
/usr/local/bin/file

/usr/local/bin/file *doc
this is a openvpn gui.doc: Microsoft Installer

So, we patch amavisd or file?

Mark Martinec

Jun 16, 2007, 9:19:43 AM
Michael,

> Guess we have a path problem:

> -r-xr-xr-x 1 root wheel 11232 Jun 1 07:36 /usr/local/bin/file

> -r-xr-xr-x 1 root wheel 10300 Nov 8 2006 /usr/bin/file
>
> But, amavisd-new will use /usr/local/bin/file first?

> Jun 16 07:34:44 fl amavis[15952]: Found $file at /usr/local/bin/file

Yes, intentionally. Often the one installed by user is fresher than
the one bundled with a system. But this is under user's control,
the default $path variable in amavisd is empty, it is always
explicitly assigned to in amavisd.conf, e.g.

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

> So, we patch amavisd or file?

If file(1) gives wrong result, it needs to be fixed or replaced.
I doubt there is anything in amavisd in this regard.

Mark

Michael Scheidell

Jun 16, 2007, 10:37:15 AM
> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Mark Martinec
> Sent: Saturday, June 16, 2007 9:17 AM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
>
> Michael,
>
> > Guess we have a path problem:
> > -r-xr-xr-x 1 root wheel 11232 Jun 1 07:36 /usr/local/bin/file
> > -r-xr-xr-x 1 root wheel 10300 Nov 8 2006 /usr/bin/file
> >
> > But, amavisd-new will use /usr/local/bin/file first?
> > Jun 16 07:34:44 fl amavis[15952]: Found $file at /usr/local/bin/file
>
> Yes, intentionally. Often the one installed by user is
> fresher than the one bundled with a system. But this is under
> user's control, the default $path variable in amavisd is
> empty, it is always explicitly assigned to in amavisd.conf, e.g.
>
> $path =
> '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
>
> > So, we patch amavisd or file?
>
> If file(1) gives wrong result, it needs to be fixed or
> replaced. I doubt there is anything in amavisd in this regard.

Noel 'hacked' amavisd and got it to work (well, workaround).

Not that I SUGGEST this, would this hurt anything?
Just adding a [qr/^Microsoft Installer\b/i => 'doc'], line under
office?

Quick edit to /usr/local/sbin/amavisd...
--- amavisd.2.5.1 Fri Jun 15 18:02:10 2007
+++ amavisd Fri Jun 15 18:07:31 2007
@@ -983,4 +983,5 @@
[qr/^Rich Text Format data\b/ => 'rtf'],
[qr/^Microsoft Office Document\b/i => 'doc'], # OLE2: doc, ppt,
xls, ...
+ [qr/^Microsoft Installer\b/i => 'doc'], # OLE2: doc, ppt, xls,

+ ...


[qr/^ms-windows meta(file|font)\b/i => 'wmf'],
[qr/^LaTeX\b.*\bdocument text\b/ => 'lat'],

And now it blocks it...
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type:
multipart/mixed
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1
Content-Type: text/plain, size: 14 B, name:
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2
Content-Type: application/msword, size: 216576 B, name:
test_document_with_EXE.doc
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1
njo...@mgate2.vbhcs.org: "P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc
| P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe",
matching_key="(?-xism:^\\.(exe-ms|dll)$)"


--
Noel Jones

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________


Noel Jones
Jun 16, 2007, 11:53:54 AM
At 09:34 AM 6/16/2007, Michael Scheidell wrote:
> >
> > > So, we patch amavisd or file?
> >
> > If file(1) gives wrong result, it needs to be fixed or
> > replaced. I doubt there is anything in amavisd in this regard.
>
>Noel 'hacked' amavisd and got it to work (well, workaround).
>
>Not that I SUGGEST this, would this hurt anything?
>Just adding a [qr/^Microsoft Installer\b/i => 'doc'], line under
>office?

I doubt that adding that line to amavisd will break anything; the
file type "Microsoft Installer" isn't used otherwise. Note that
amavisd must recognize the file(1) type to call the proper decoder -
the file name extension is intentionally ignored.

That said, it's certainly more appropriate to fix file(1) rather than
adding a workaround to amavisd.

To patch file(1), comment out the "Microsoft Installer" line in the
magic file, then run "file -m magic -C" in the same directory where
the magic file lives.
("file -v" shows the path to the magic file)

Or just wait for an updated version of file(1).

--
Noel Jones
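As an added example that is not code from amavisd-new, file(1) or anyone in this thread: the Python script below shows by content the two things the patch in Michael's message and Noel's explanation above are about. amavisd-new maps the file(1) description to a short type with a regex table (the script reproduces the four entries visible in the patch, including the workaround line) and only then calls a decoder, ignoring the file name extension; when no entry matches, nothing is decoded. The script additionally carves the raw bytes for a PE image (an "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature with a sane COFF machine value), so an embedded executable is found even if the container is mislabelled. The OLE2 sample blob is constructed inline (real signature, zero-filled body, a minimal fake PE dropped in) and is not the Proforma_Invoice.doc from the thread; the function names are this example's own.

```python
"""
Added example (not code from amavisd-new, file(1) or this thread).

1. short_type()       - file(1) description -> amavisd short type, via the
                        regex table from the patch (incl. the workaround line)
2. find_embedded_pe() - content-based carve for a PE image inside any blob,
                        independent of what file(1) called the container
The sample .doc built below is constructed test data, not a real document.
"""
import re
import struct
from typing import List, Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-document signature

# file(1) description -> amavisd short type, as in the table Noel patched.
FILE_TYPE_MAP = [
    (re.compile(r"^Rich Text Format data\b"), "rtf"),
    (re.compile(r"^Microsoft Office Document\b", re.I), "doc"),  # OLE2
    (re.compile(r"^Microsoft Installer\b", re.I), "doc"),        # workaround line
    (re.compile(r"^ms-windows meta(file|font)\b", re.I), "wmf"),
]

PE_MACHINES = {0x014C: "i386", 0x8664: "x86-64"}  # IMAGE_FILE_MACHINE_* values


def short_type(file_description: str) -> Optional[str]:
    """Map a file(1) description to amavisd's short type; None means no decoder."""
    for rx, short in FILE_TYPE_MAP:
        if rx.search(file_description):
            return short
    return None


def is_ole2(data: bytes) -> bool:
    """True if the blob starts with the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of every plausible PE image inside data, wherever it sits."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # e_lfanew must point past the DOS header, inside the blob, at a
            # "PE\0\0" signature followed by a 20-byte COFF header.
            if 0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data) \
                    and data[pe:pe + 4] == b"PE\0\0":
                (machine,) = struct.unpack_from("<H", data, pe + 4)
                if machine in PE_MACHINES:
                    hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def check_attachment(file_description: str, data: bytes) -> dict:
    """Both views side by side; 'banned' mirrors amavisd's exe-ms ban."""
    pe_offsets = find_embedded_pe(data)
    return {
        "file1_type": short_type(file_description),
        "ole2_by_magic": is_ole2(data),
        "embedded_pe": pe_offsets,
        "banned": bool(pe_offsets),
    }


# --- constructed test data -------------------------------------------------

def build_fake_pe() -> bytes:
    """Minimal DOS stub + PE signature + COFF header of an i386 executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64


def build_sample_doc(with_exe: bool = True) -> bytes:
    """OLE2-looking blob (real signature, zero-filled body), optionally with a PE."""
    header = OLE2_MAGIC + b"\0" * 504                # one 512-byte sector
    body = b"\0" * 1024
    return header + body + (build_fake_pe() if with_exe else b"") + b"\0" * 256


if __name__ == "__main__":
    for label, desc, blob in [
        ("clean doc", "Microsoft Office Document", build_sample_doc(False)),
        ("doc with exe, file(1) correct", "Microsoft Office Document", build_sample_doc()),
        ("doc with exe, file(1) wrong", "Microsoft Installer", build_sample_doc()),
    ]:
        print(label, check_attachment(desc, blob))
```

The carve is deliberately independent of the container mapping: in the third case the file(1) description would match nothing without the workaround line, yet the executable is still reported, which is the property a banned-names check needs when file(1) is wrong. A real OLE2 document stores streams in sectors, so an embedded file may be split across non-contiguous sectors; a plain byte scan like this catches the common contiguous case and is a supplement to, not a replacement for, a proper OLE2 decoder.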

MrC
Jun 16, 2007, 12:25:42 PM

> At 09:34 AM 6/16/2007, Michael Scheidell wrote:
> > >
> > > > So, we patch amavisd or file?
> > >
> > > If file(1) gives wrong result, it needs to be fixed or
> replaced. I
> > > doubt there is anything in amavisd in this regard.
> >
> >Noel 'hacked' amavisd and got it to work (well, workaround).
> >
> >Not that I SUGGEST this, would this hurt anything?
> >Just adding a [qr/^Microsoft Installer\b/i => 'doc'], line under
> >office?
>
> I doubt that adding that line to amavisd will break anything;
> the file type "Microsoft Installer" isn't used otherwise.
> Note that amavisd must recognize the file(1) type to call the
> proper decoder - the file name extension is intentionally ignored.
>
> That said, it's certainly more appropriate to fix file(1)
> rather than adding a workaround to amavisd.
>
> To patch file(1), comment out the "Microsoft Installer" line
> in the magic file, then run "file -m magic -C" in the same
> directory where the magic file lives.
> ("file -v" shows the path to the magic file)
>
> Or just wait for a updated version of file(1).
>
> --
> Noel Jones


Christos has applied the fix, so it should be available in the next release.

Noel: I get a curious bounce from your system:

Sender address rejected: spam support services
bogus_ns.pcre (in reply to DATA command)

I'm curious how your system is classifying a bogus nameserver? [offlist reply,
if you care to]

Mike

Michael Scheidell
Jun 16, 2007, 12:30:27 PM

> -----Original Message-----
> From: Mike Cappella [mailto:mi...@mikecappella.com] On Behalf Of MrC
> Sent: Saturday, June 16, 2007 12:23 PM
> To: amavi...@lists.sourceforge.net
> Cc: Michael Scheidell; 'Noel Jones'
> Subject: RE: [AMaViS-user] Someone missed a virus..
>
>
>
> > At 09:34 AM 6/16/2007, Michael Scheidell wrote:
>
> Christos has applied the fix, so it should be available in
> the next release.
>
> Noel: I get a curious bounce from your system:
>
> Sender address rejected: spam support services
> bogus_ns.pcre (in reply to DATA command)
>
> I'm curious how your system is classifying a bogus nameserver?
> [offlist reply,
> if you care to]
>

Mailserver looks fine here:

Received: from glacier.mikecappella.com (glacier.mikecappella.com
[204.11.230.89])

host mikecappella.com
mikecappella.com has address 204.11.230.89
mikecappella.com mail is handled by 10 glacier.mikecappella.com

host 204.11.230.89
89.230.11.204.in-addr.arpa domain name pointer glacier.mikecappella.com.

MX records look fine; reverse and forward DNS look fine.

You don't publish SPF, so that can't fail.

Your name servers look fine here:

dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

dns1.name-services.com has address 69.25.142.1
dns2.name-services.com has address 216.52.184.230
dns3.name-services.com has address 63.251.92.193
dns4.name-services.com has address 64.74.96.242
dns5.name-services.com has address 70.42.37.1



Michael Scheidell
Jun 16, 2007, 12:42:01 PM
> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf Of MrC
> Sent: Saturday, June 16, 2007 12:23 PM
> To: amavi...@lists.sourceforge.net
> Cc: Michael Scheidell; 'Noel Jones'
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
>
>
> > At 09:34 AM 6/16/2007, Michael Scheidell wrote:
>
> Christos has applied the fix, so it should be available in
> the next release.

Patches anyone? Without it, file fails on .doc files, and .doc files can
have exe's in them.
(We have seen them.)

I googled for the distro and tried to find the fixes and gave up.

Noel Jones
Jun 16, 2007, 1:12:05 PM
At 11:39 AM 6/16/2007, Michael Scheidell wrote:
> > Christos has applied the fix, so it should be available in
> > the next release.
>
>Patches anyone? Without it, file fails on .doc files, and .doc files can
>have exe's in them.
>(We have seen them.)
>
>I googled for the distro and tried to find the fixes and gave up.

Official home is here:
ftp://ftp.astron.com/pub/file
as listed in the file(1) man page, but it doesn't look as if the new
update has been published yet. Yes, googling for "file" is not too helpful...

I described earlier how to patch the 4.21 magic file.

--
Noel Jones

Mark Martinec
Jun 16, 2007, 2:21:58 PM
> >Noel 'hacked' amavisd and got it to work (well, workaround).
> >Not that I SUGGEST this, would this hurt anything?
> >Just adding a [qr/^Microsoft Installer\b/i => 'doc'], line under
> >office?
>
> I doubt that adding that line to amavisd will break anything; the
> file type "Microsoft Installer" isn't used otherwise. Note that
> amavisd must recognize the file(1) type to call the proper decoder -
> the file name extension is intentionally ignored.

It probably wouldn't hurt anyone to add mapping
of 'Microsoft Installer' to 'doc'.

Mark
