F-Prot and disinfecting e-mail


James O'Riley

After updating F-Prot I discovered one in a folder with 200 e-mails from
2001 (please don't ask). But I don't know how to disinfect it. I've
discussed this problem with their support personnel for the last month
with no resolution.

They keep insisting F-Prot can't disinfect *compressed* e-mail. So, I
pulled a copy of the subject folder from the compressed file and tried
again. F-prot still identifies the virus as "JS/Kak.T (exact)". I've split
this 4 Meg file down to about 1 Meg in an attempt to find which portion of
the entire file contains that virus.

Their support personnel persist in the same argument. I thought everyone
knew e-mail was simple Text. Could someone please explain how to disinfect
this e-mail and/or why F-Prot can't?

Thanks,
James
 

Art

After updating F-Prot I discovered one in a folder with 200 e-mails from
2001 (please don't ask). But I don't know how to disinfect it. I've
discussed this problem with their support personnel for the last month
with no resolution.

They keep insisting F-Prot can't disinfect *compressed* e-mail. So, I
pulled a copy of the subject folder from the compressed file and tried
again. F-prot still identifies the virus as "JS/Kak.T (exact)". I've split
this 4 Meg file down to about 1 Meg in an attempt to find which portion of
the entire file contains that virus.

Their support personnel persist in the same argument. I thought everyone
knew e-mail was simple Text. Could someone please explain how to disinfect
this e-mail and/or why F-Prot can't?

Email isn't transmitted as plain text. It's in encoded form. The old
KAK worm you received in a message is designed to run and infect
based on an ancient vulnerability in Outlook Express where just reading
the message would be disastrous. You can easily Google up
descriptions.

Simply delete the message. No antivirus product does anything
except alert the user to the existence of dangerous email so
they can then delete from within their email application.

Art
http://home.epix.net/~artnpeg
 

James O'Riley

Art said:
Email isn't transmitted as plain text. It's in encoded form. The old
KAK worm you received in a message is designed to run and infect
based on an ancient vulnerability in Outlook Express where just reading
the message would be disastrous. You can easily Google up
descriptions.

Simply delete the message. No antivirus product does anything
except alert the user to the existence of dangerous email so
they can then delete from within their email application.

Art
http://home.epix.net/~artnpeg

Thanks Art, but how do I find out which message of the 100 remaining in
the last split? Unless I know the signature I don't stand a chance.

The technique you offer is a good one, but what do I do if there's good
critical information contained within the message. Doesn't this address
the question of *how to* disinfect if I want to save the message once I
receive it?

F-Prot support has told me the same thing, and I've asked the same *how
to* question without any success.

I guess I could wait for Mail Washer to add virus scanning to their
program, but meanwhile I still have the same question concerning the files
I already have archived.

James
 

Jake Dodd

Search for the string

"String(idd);idn=3Dids.slice(31);fic=3Didn.substring(1,9);kfr=3Dwd+'MENU"

or maybe

"Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\kak.hta\";agt=3Dnavigator.user"

without the quotes and see if you can determine the actual email it is in
by reading the surrounding data.

The above strings are in the first kakworm and I'm not quite sure
what F-prot means by the "T" variant so this might not work.

What argument?

Attempts to disinfect within an archive or indexed database file may result
in corruption. Just like a doctor, f-prot's first rule is "do no harm".

Email isn't transmitted as plain text.

Yes it is.

It's in encoded form.

It is binary encoded as ASCII text (a subset of binary) so that email
can remain a text only transmission.

....of course data representation depends on interpretation - the EICAR
string is alphanumeric code in a comfile but just text in a textfile.

The old
KAK worm you received in a message is designed to run and infect
based on an ancient vulnerability in Outlook Express where just reading
the message would be disastrous. You can easily Google up
descriptions.

Simply delete the message. No antivirus product does anything
except alert the user to the existence of dangerous email so
they can then delete from within their email application.

He needs to 'find' the afflicted message in order to delete it - that's
his dilemma.
 

Art

Thanks Art, but how do I find out which message of the 100 remaining in
the last split? Unless I know the signature I don't stand a chance.
The technique you offer is a good one, but what do I do if there's good
critical information contained within the message.

Ok, I looked at your header info and it looks like you're using either
Moz email or Thunderbird. They store user "folders" as text files. The
files can be quite large. When examined using a text editor capable
of handling large files, you'll see all the messages including their
header info all strung out contiguously. Apparently, you decided that
somehow splitting the file into smaller pieces would cut down on your
search problem. I don't see how, though. You might just split the
message as well :)

Apparently, F-Prot's report didn't give you a clue by including a
portion of the text in the header or message which you can use as a
search string. Not even a date? Didn't you mention you know the
date? Maybe even the time? Can't you use those to search and narrow
it down to just a few possible messages?

Art

http://home.epix.net/~artnpeg
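An added example, in Python, that is not code from the thread or from F-Prot: it covers both Jake's suggestion of searching the folder for a known string and Art's point that a Mozilla/Thunderbird folder is one contiguous text file. It walks a constructed mbox folder, reports the From/Date/Subject of any message containing a given marker, matching the raw on-disk quoted-printable form (where '=' is stored as "=3D", as in the strings Jake quoted) as well as the decoded body, and then writes a copy of the folder with the offending message dropped. The folder contents, MARKER_STRING_PLACEHOLDER and the function names are all constructed for the example.

```python
import mailbox
import tempfile

# Constructed Mozilla/Thunderbird folder in mbox layout (messages back to back,
# each introduced by a "From - <date>" line). The second message carries a
# made-up MARKER in a quoted-printable HTML body, where '=' is stored as "=3D".
SAMPLE_MBOX = b"""From - Thu Mar 01 09:00:00 2001
From: alice@example.invalid
Date: Thu, 01 Mar 2001 09:00:00 -0500
Subject: family tree question

Plain text body, nothing of interest here.

From - Fri Mar 02 10:15:00 2001
From: bob@example.invalid
Date: Fri, 02 Mar 2001 10:15:00 -0500
Subject: Hey
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body>hello<script>x=3D"MARKER_STRING_PLACEHOLDER";</script></body></=
html>
"""

def write_sample() -> str:
    """Write the constructed folder to a temp file and return its path."""
    f = tempfile.NamedTemporaryFile(suffix=".mbox", delete=False)
    f.write(SAMPLE_MBOX)
    f.close()
    return f.name

def _decoded_body(msg) -> str:
    """All non-multipart parts with their transfer encoding (QP/base64) undone."""
    return "\n".join((p.get_payload(decode=True) or b"").decode("latin-1", "replace")
                     for p in msg.walk() if not p.is_multipart())

def find_infected(mbox_path: str, marker: str) -> list:
    """(index, From, Date, Subject) of every message containing marker, matched
    against both the raw on-disk text and the decoded body."""
    box = mailbox.mbox(mbox_path)
    hits = [(i, m["From"], m["Date"], m["Subject"]) for i, m in enumerate(box)
            if marker in m.as_string() or marker in _decoded_body(m)]
    box.close()
    return hits

def write_without(mbox_path: str, out_path: str, drop: set) -> int:
    """Copy the folder minus the listed message indexes; return the count kept.
    Dropping the whole message is the only safe cleanup for body-resident code."""
    src, dst = mailbox.mbox(mbox_path), mailbox.mbox(out_path)
    kept = [m for i, m in enumerate(src) if i not in drop]
    for m in kept:
        dst.add(m)
    dst.close()
    src.close()
    return len(kept)
```

Searching only the raw file for the decoded form of a string (or vice versa) is the usual reason a manual search comes up empty, which is why both forms are checked.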
 

James O'Riley

Art said:
Ok, I looked at your header info and it looks like you're using either
Moz email or Thunderbird. They store user "folders" as text files. The
files can be quite large. When examined using a text editor capable
of handling large files, you'll see all the messages including their
header info all strung out contiguously. Apparently, you decided that
somehow splitting the file into smaller pieces would cut down on your
search problem. I don't see how, though. You might just split the
message as well :)

Apparently, F-Prot's report didn't give you a clue by including a
portion of the text in the header or message which you can use as a
search string. Not even a date? Didn't you mention you know the
date? Maybe even the time? Can't you use those to search and narrow
it down to just a few possible messages?

Art

http://home.epix.net/~artnpeg

F-Prot's report.txt file reported:
C:\Mail.zip\2001\MICR3.ZIP->Trash Infection: JS/Kak.T (exact)

I must have misled you also, the initial file was in a ZIP file so I
extracted just the *Trash* file. It is a collection of e-mail files
from 2001 and the ISP was Micron.net; month was March.

That Trash file was 600K in size and contained about 400 messages for the
Month of March 2001. That's the one I've split, using Vernon Buerg's
List.com, into 3 separate pieces. The final split resulted in a file of
1.2 Megs with probably 100 separate e-mail messages.

With that I put the project on hold and entered the message on this NG.

This explanation was probably too unique for F-Prot to even fathom. I see
you write DOS applications so I don't believe it will be for you.

Thanks for your help Art,
James
 

kurt wismer

James said:
After updating F-Prot I discovered one in a folder with 200 e-mails from
2001 (please don't ask). But I don't know how to disinfect it. I've
discussed this problem with their support personnel for the last month
with no resolution.

They keep insisting F-Prot can't disinfect *compressed* e-mail. So, I
pulled a copy of the subject folder from the compressed file and tried
again. F-prot still identifies the virus as "JS/Kak.T (exact)". I've
split this 4 Meg file down to about 1 Meg in an attempt to find which
portion of the entire file contains that virus.

Their support personnel persist in the same argument. I thought everyone
knew e-mail was simple Text. Could someone please explain how to
disinfect this e-mail and/or why F-Prot can't?

you can't necessarily *disinfect* emails... the smart thing to do is to
delete the offending email... if f-prot can't tell you which email it
is, ask their support why not (not being able to give identifying
information about the suspect email is a failing in many products and
it's not going to get fixed until there's a demand for the feature)...

normally what disinfection of email is going to be is the neutering of
attachments, however since js/kak puts itself in the body of the email
instead of an attachment that kind of disinfection won't work...
 

Art

F-Prot's report.txt file reported:
C:\Mail.zip\2001\MICR3.ZIP->Trash Infection: JS/Kak.T (exact)
I must have misled you also, the initial file was in a ZIP file so I
extracted just the *Trash* file. It is a collection of e-mail files
from 2001 and the ISP was Micron.net; month was March.
That Trash file was 600K in size and contained about 400 messages for the
Month of March 2001. That's the one I've split, using Vernon Buerg's
List.com, into 3 separate pieces. The final split resulted in a file of
1.2 Megs with probably 100 separate e-mail messages.

Sorry, but your explanation here isn't clear to me. When you say
"initial file", am I to understand that MICR3.ZIP arrived as a email
attachment? Is that what you mean? What is the C:\Mail.zip
folder? Something you created along with the \2001 subdirectory
with the Trash "folder" (file) copied to it? And then F-Prot finds
KAK in that copied Trash file while naming the enclosed ZIP?

How can you take a 600K file and split it and wind up with 1.2
meg pieces?

I also don't understand your insistence on saying the email is text
since zip files are binaries, as is the contained malware.
With that I put the project on hold and entered the message on this NG.

This explanation was probably too unique for F-Prot to even fathom. I see
you write DOS applications so I don't believe it will be for you.

Don't blame them. You're confusing me too :) The simplest way to get
rid of the offending email attackment is to simply delete it within
your email app. There's nothing there of any interest to you. In fact,
just delete all unsolicited email attackments. That's "safe hex".
Thanks for your help Art,

Let me tell you what I've learned the hard way about Moz and T-bird
and tons of folders and tons of email. Don't trust them. We've lost
everything by trusting them. The whole folder structure and all that's
in them can be lost for some unknown reason.

I've set up mirror folders on my hard drive. Anything I want to keep,
I use "Save As" and copy the message as a file to an appropriate mirror
folder. That way all messages are individual files. These mirrored
files and folders are backed up daily to a separate backup drive.
This approach also avoids the kind of problem you're having now ...
which is related to having tons of messages (and attackments) in
one long contiguous file. Solicited attachments such as a picture
image file of a relative or friend are Saved to data folders on the
drive and deleted from the email app. So no attachments are
ever "lost" in some email "folder" somewhere.

Now, that's the real solution to your problem :) Start from scratch.
It's work at first but it really pays off in the long run.

Art
http://home.epix.net/~artnpeg
 

James O'Riley

Art said:
Sorry, but your explanation here isn't clear to me. When you say
"initial file", am I to understand that MICR3.ZIP arrived as a email
attachment? Is that what you mean? What is the C:\Mail.zip
folder? Something you created along with the \2001 subdirectory
with the Trash "folder" (file) copied to it? And then F-Prot finds
KAK in that copied Trash file while naming the enclosed ZIP?

How can you take a 600K file and split it and wind up with 1.2
meg pieces?

I also don't understand your insistence on saying the email is text
since zip files are binaries, as is the contained malware.


Don't blame them. You're confusing me too :) The simplest way to get
rid of the offending email attackment is to simply delete it within
your email app. There's nothing there of any interest to you. In fact,
just delete all unsolicited email attackments. That's "safe hex".


Let me tell you what I've learned the hard way about Moz and T-bird
and tons of folders and tons of email. Don't trust them. We've lost
everything by trusting them. The whole folder structure and all that's
in them can be lost for some unknown reason.

I've set up mirror folders on my hard drive. Anything I want to keep,
I use "Save As" and copy the message as a file to an appropriate mirror
folder. That way all messages are individual files. These mirrored
files and folders are backed up daily to a separate backup drive.
This approach also avoids the kind of problem you're having now ...
which is related to having tons of messages (and attackments) in
one long contiguous file. Solicited attachments such as a picture
image file of a relative or friend are Saved to data folders on the
drive and deleted from the email app. So no attachments are
ever "lost" in some email "folder" somewhere.

Now, that's the real solution to your problem :) Start from scratch.
It's work at first but it really pays off in the long run.

Art
http://home.epix.net/~artnpeg

Hi Art,

I've used Netscape since I first got on the Internet in 1996 and simply
stuck with it since then. I kinda felt it was like the difference between
DOS and Windows, simple and easy to work with. TB and FF are much more
complex. For security reasons they have Profiles for your working
elements, Bookmarks, address books, etc. FWIK the e-mail structure is
different than OE but easier to access the raw messages, headers/body/etc.
I often edit messages to remove all the AOL HTML crap, to change
Subject lines, etc. for my genealogy work; many people write with a
Subject of "Hey" which really doesn't reflect the message contents.

I also like TB's ability to display ;-) as graphics emoticons to
reflect the writer's intent; or * to *bold* to emphasize a word or phrase.
Also, I need an active speller for e-mail! TB V1.5 now has that. I like
the idea of Extensions, add-ons to the basic nature of FF.

On the other hand I have to admit its tendency to screw up things like
the e-mail index files that can cause you to lose messages as you
indicated. All you have to do is to delete the associated MSF file to
cure that, but who knows that? :-( Same is true of other features of TB
and FF with the Profile. When that folder screws up or "becomes
contaminated" almost everything goes to pot. I'm not ignorant but I still
can't understand how to recover a Profile from the Help files.

I'll quit this Off Topic message and reply to the rest of your message in
another reply.

I hope the *excuses* I've offered will help a bit.

James
 

James O'Riley

Art said:
Sorry, but your explanation here isn't clear to me. When you say
"initial file", am I to understand that MICR3.ZIP arrived as a email
attachment? Is that what you mean? What is the C:\Mail.zip
folder? Something you created along with the \2001 subdirectory
with the Trash "folder" (file) copied to it? And then F-Prot finds
KAK in that copied Trash file while naming the enclosed ZIP?

How can you take a 600K file and split it and wind up with 1.2
meg pieces?

I also don't understand your insistence on saying the email is text
since zip files are binaries, as is the contained malware.


Don't blame them. You're confusing me too :) The simplest way to get
rid of the offending email attackment is to simply delete it within
your email app. There's nothing there of any interest to you. In fact,
just delete all unsolicited email attackments. That's "safe hex".

Hi again Art,

I tried to make it as simple as I knew how, but I do things differently
than most people, according to many, and that probably makes it confusing.

I edit incoming raw messages to eliminate all the HTML junk that comes
from people using HTML coding in messages. I then archive each month's
messages by compressing them with either PKZIP (1997-2004) or RAR (2005+).
All that seems to be what people don't understand.

They also don't understand how I can get 300 messages a month asking for
help with genealogy questions, they don't know that I also have had over
50,000 hits on my NICKELL Web Page in 6 years, or have over 35,000 people
in one NICKELL database (there are two lines in America). (James O'Riley
is munged.)

The virus is contained in one month's ZIP file of 2001. I don't know about
OE, but TB has Text e-mail messages and *not* compressed messages. I've
heard that's different than OE's format.

All that yadda yadda above was to explain the confusion concerning this
problem.

I hope that helps in understanding.

Sincerely,
Don Nickell
http://nickell.tierranet.com

<snip portion of message replied to a few minutes ago>
 

Art

I'll quit this Off Topic message and reply to the rest of your message in
another reply.

I just want to mention that KAVDOS32 is useful for locating malware
in Moz/T-bird folders via date/time info. Here's a snippet of its
report on the inbox of a machine that I use which has such low
email volume that I haven't bothered to even delete attackments.
In fact, I was planning to Save the attackment as a malware sample
when I get around to it. Two personal addys are munged:
********************************************************
c:\download\INBOX/[From Virus Bulletin <[email protected]>][Date
Mon, 23 Jan 2006 15:12:41 +0000]/text/[From Art
<[email protected]>][Date Tue, 07 Feb 2006 15:32:45 -0500]/text/[From
"name deleted" <[email protected]>][Date Wed, 8 Feb 2006
09:26:00 -0500]/UNNAMED/[From Art <[email protected]>][Date Wed, 08 Feb
2006 18:13:22 -0500]/text/[From (e-mail address removed) (Mail
Delivery System) ... /doc.htm .pif
infected: Net-Worm.Win32.Mytob.cg
********************************************************
Note all the info KAVDOS32 provides making it easy to locate via date,
time zone and times in the email app itself. Just have messages sorted
by date.

Art
http://home.epix.net/~artnpeg
 
