New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online.
image
Prime Choice
· Head Lines
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!
· Ian T's (AR 18)
· Marcia's (QA2)
· Bill G's (CO4)
· Paul's (AR 5)
· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· Recommend Us
· RegChat
· Reviews
· Search (Topics)
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
Which Anti-Virus product do you use?
Computer Associates
Eset (NOD32)
F-Secure
Frisk (F-Prot)
Grisoft (AVG)
Kaspersky
Network Associates (McAfee)
Panda
Sophos
Symantec (NAV)
Trend Micro
Other



Results
Polls

Votes: 18313
Comments: 152
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin 

mimail virus in a zip file attachment

 
Post new topic   Reply to topic       Computer Cops Forum Index -> Benign - Troubleshooting
View previous topic :: View next topic  
Author Message
hamster

Firetrust Host
Firetrust Host



Joined: Mar 27, 2003
Posts: 74
Location: New_Zealand
PostPosted: Mon Nov 17, 2003 7:50 pm    Post subject: mimail virus in a zip file attachment
Reply with quote
Hi all B9'ers
I have had a few inquires about Benign and the Mimail virus which poses as a PayPal e-mail
There are variants of this virus that use zip file attachments to fool some folk http://www.f-secure.com/v-descs/mimail.shtml
This article says the email is using a zip file attachment.
(Latest variants also use file extensions scr and Benign does include scr file extensions by default. In Benign click Tools>>Options>>Security Profiles to view the file extensions.

By default Benign does not block or rename compression files. We are going to include compression file type attachments I.e. zip tar sit, in future versions of Benign.
You can add these file extensions manually if you wish and this is the reason for my announcement. Have a look at my tutorial on how to add to Benign
http://www.computercops.biz/postt7307.html

Any feedback on this is, as always, welcome.

Many regards
Hamish
Firetrust
Back to top
View users profile Send private message Send email Visit posters website
Perry

Lieutenant
Lieutenant



Joined: Oct 19, 2003
Posts: 291
Location: USA
PostPosted: Tue Nov 18, 2003 12:14 am    Post subject: Re: mimail virus in a zip file attachment
Reply with quote
hamster wrote:
By default Benign does not block or rename compression files. We are going to include compression file type attachments I.e. zip tar sit, in future versions of Benign.
You can add these file extensions manually if you wish and this is the reason for my announcement. Have a look at my tutorial on how to add to Benign
http://www.computercops.biz/postt7307.html

Any feedback on this is, as always, welcome.

Many regards
Hamish
Firetrust


Another file to include may be *.cpl.

Perry.
Back to top
View users profile Send private message Visit posters website
TimeGhost

Captain
Captain



Joined: Apr 11, 2003
Posts: 648
Location: USA
PostPosted: Tue Nov 18, 2003 12:07 pm    Post subject:
Reply with quote
...and midi files.

I had suggested that B9 "look inside" compressed files and take action on the attachment based on what it contains.

Thanks, Hamster, for the warning!
Back to top
View users profile Send private message
Perry

Lieutenant
Lieutenant



Joined: Oct 19, 2003
Posts: 291
Location: USA
PostPosted: Tue Nov 18, 2003 4:01 pm    Post subject:
Reply with quote
TimeGhost wrote:
...and midi files.

I had suggested that B9 "look inside" compressed files and take action on the attachment based on what it contains.

Thanks, Hamster, for the warning!


Haven't tried this yet with my copy of B9 since I am not currently using it, but wonder what occurs if it encounters something like:

virusfile.zip.vbs

Perry
Back to top
View users profile Send private message Visit posters website
Ikeb

General
General
Premium Member
Premium Member


Joined: Apr 20, 2003
Posts: 3062
Location: Ottawa, Ontario, Canada
PostPosted: Tue Nov 18, 2003 10:06 pm    Post subject:
Reply with quote
Perry wrote:
Haven't tried this yet with my copy of B9 since I am not currently using it,

Tisk, tisk .... Razz

Got too many proxies going there Perry? Confused
Perry wrote:
but wonder what occurs if it encounters something like:

virusfile.zip.vbs

I expect that this would act however B9 is configured to behave for .vbs extensions -- by default; block them.
_________________
Ikester

I like SPAM .... on my sandwich!
Back to top
View users profile Send private message Send email
Guest
PostPosted: Tue Nov 18, 2003 10:37 pm    Post subject:
Reply with quote
Ikeb wrote:
Perry wrote:
Haven't tried this yet with my copy of B9 since I am not currently using it,

Tisk, tisk .... Razz

Got too many proxies going there Perry? Confused
Perry wrote:
but wonder what occurs if it encounters something like:

virusfile.zip.vbs

I expect that this would act however B9 is configured to behave for .vbs extensions -- by default; block them.


Actually only have one proxy currently on each machine, but could string them together. I am not using it because my other spam proxy has this (HTML stripping) ability built in.

The above example is a common virus attachment method. On older versions of Outlook for example it would only display the .zip part part of the above attachment and the user may be tempted to launch it not realizing that they had a vbs. It was common to put a jpeg extension first to take advantage of the display.

I'll have to try this to make sure it parses correctly.

Perry
Back to top
mcullet

Corporal
Corporal



Joined: Oct 29, 2003
Posts: 64
Location: Australia
PostPosted: Wed Feb 11, 2004 5:23 pm    Post subject:
Reply with quote
Ikeb wrote:
Perry wrote:
Haven't tried this yet with my copy of B9 since I am not currently using it,

Tisk, tisk .... Razz

Got too many proxies going there Perry? Confused
Perry wrote:
but wonder what occurs if it encounters something like:

virusfile.zip.vbs

I expect that this would act however B9 is configured to behave for .vbs extensions -- by default; block them.

Hi Ikeb!

I hope you are well.

Your question (tongue in cheek maybe) about having too many proxies got my attention. I'm not at all skilled / educated on proxy stuff ... I have seen heaps of attachments that look just life the one you described (usual variations (greatpicture.gif.vbs or MyResume.DOC.vbs) all infected stuff of course. But if I understand what you are saying, proxies can do this sort of thing - change file extensions? Where could you suggest I go to look at a good but to the point tutorial on proxies so I have a better understanding about them?

I don't know if B9 does rename these though ... I will try to send a 'safe' file like this to myself just to see. ZAPRO does pick it up straight away and renames it safely.

Which brings me to another question - when we have two products that have similar features / functions (like renaming an dangerous extension) whcih has priority and does it matter anyway? With ZAPRO I think it renames the file to be something like this - myvirus.DOC.ZLP . And then when I want to I can scan it with an antivirus program (assuming the attachment was not scanned during download ... then I can open it and somehow ZAPRO seems able to know exacly the right program to call even though the extensions are all the same (ZLP or whatever).

So much to learn ... either learn fast, or learn how to repair a stuffed up system fast. But learn fast either way.

Keep well,

Mike
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       Computer Cops Forum Index -> Benign - Troubleshooting All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops
Home · Topics · Submit News · Top 10
This entire site, Cops Themes, and Computer Cops are © 2002 - 2004 Computer Cops, LLC. All rights reserved.
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Acceptable Use Policy. Use signifies your agreement.
Engine Copyright © 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member.
Paul Laudanski, Member of Computer Cops, LLC
Server Load: 785 pages served in previous 5 minutes. Page Generation: 0.662 seconds.