message.zip notification of email address expiry

[James Egan]

I got two copies of an email this morning telling me my email address
was about to expire, read attachment for details.

The attachment (message.zip) contains message.html which when opened
by a hex editor looks like it contains a function called malware() and
drops an executable called foo.exe

It isn't detected by the latest f-prot definitions from www.f-prot.com

Has anyone else had this?


Jim.

 

[Ward Pyper]

Sounds like you've had W32/Mimail@MM sent to you.
Check out http://vil.nai.com/vil/content/v_100523.htm for more information

It's currently rated as medium risk by Network Associates and they have
realeased an extra.dat

Ward

 

[James Egan]

Isn't it this which has been discussed here?:

Yes, that's the one. I didn't pick up on the earlier thread.


Jim.

 

[David H. Lipman]

EXTRA.DAT and v4282 DAT files.

Dave

 

[GSV Three Minds in a Can]

I got two copies of an email this morning telling me my email address
was about to expire, read attachment for details.

The attachment (message.zip) contains message.html which when opened
by a hex editor looks like it contains a function called malware() and
drops an executable called foo.exe

It isn't detected by the latest f-prot definitions from www.f-prot.com

Yes, it's a know trojan/keylogger/whatever, and it has been discussed
here within the last week. Don't open it (you'll notice it appear to
come from your own domain, if you have a 'domain type' email address
setup).

 

[Nick FitzGerald]

I got two copies of an email this morning telling me my email address
was about to expire, read attachment for details.

The attachment (message.zip) contains message.html which when opened
by a hex editor looks like it contains a function called malware() and
drops an executable called foo.exe

Old news -- started sometime on Friday (depending on your timezone...).

It isn't detected by the latest f-prot definitions from www.f-prot.com

What precisely is not detected by F-PROT?

Scanning the ZIP file? Won't be detected.

Scanning the HTML inside the ZIP? Won't be detected.

Scanning the EXE after extracting it from the HTML? Should be detected.

There is an issue with the F-PROT engine's handling of the HTML which means
that the embedded EXE is not seen, so not scanned. Of course, to get bit by
this the EXE has to be extracted and executed, so most "typical users" of
F-PROT are actually "protected" so long as they have the latest SIGN*.DEFs.

I expect you'll see an engine rev in a few days once some QA is completed
(I think the Linux (beta?) scanner has already been updated to handle this
HTML issue).

Has anyone else had this?

MessageLabs has seen ~51,000 over the weekend:

http://www.messagelabs.com/viruseye/threats/list/default.asp

which is approximately a third more instances than it has seen of the
long-staying Klez.H in the same time...

 

[null]

What precisely is not detected by F-PROT?

Scanning the ZIP file? Won't be detected.

Scanning the HTML inside the ZIP? Won't be detected.

Scanning the EXE after extracting it from the HTML? Should be detected.

There is an issue with the F-PROT engine's handling of the HTML which means
that the embedded EXE is not seen, so not scanned. Of course, to get bit by
this the EXE has to be extracted and executed, so most "typical users" of
F-PROT are actually "protected" so long as they have the latest SIGN*.DEFs.

But F-Prot Dos or FWin on-demand will miss it, I presume. Since bugs
like this, temporary or quite permanent, are not all that uncommon,
this situation is a good example of one of the many reasons why it's
unwise to use just a single scanner. Not that the use of several
scanners on demand isn't frought with difficulties, since it's not
always clear whether or not sfx files (for example) are actually being
decompressed and the archived files "within" scanned. KAVDOS is
particularly good at displaying "running results" so the user can see
the decompressed files actually being scanned.

Art
http://www.epix.net/~artnpeg