On Wed, 28 Jan 2004 12:34:31 -0800,
They are sent by a good friend of mine and they are
harmless as far as I can determine. At least a McAfee
virus scan is negative.
Two aspects to this.
Firstly, malware is *usually* from "someone you know" (specifically; a
PC that has your email address on it). So make sure your friend types
message text that makes non-generic reference to all attached files -
else he fails the Turing Test and gets deleted unread.
Secondly, an av may not be able to "see" content hidden within
container files, for various reasons:
- not set to scan all files, only "program" files etc.
- offsets differ when content is contained
- scan is skipped because file appears to be wrong type
- content is scrambled or encrypted by the container
The middle two require some explanation.
For example, let's say Virus A always adds the bytes "I am a VIRUS!!"
at offset 13 in the .exe files it infects.
A scanner may look for a signature string that is known to occur at a
certain offset within the file, and miss it when that offset changes.
When this file is in the fifth attachment in your .eml or .email file,
that signature string is no longer at offset 13, it's more like 56521.
If the scanner only looks for that string from offset 13, it will miss
A scanner may perform certain signature checks for certain file types.
If Virus A is known to infect only .EXE files, or Win32PE files (that
start with MZ at a specific offset at the start of the file) then the
container file is not checked for Virus A, either because it isn't an
.exe file, or because it doesn't have an MZ marker as expected.
Both of the above may apply even if av is set to "scan all files".
Bottom line: Mailboxes and encapsulated messages are HIGH-RISK files!
.eml have already been used as primary attack files for this reason.
--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
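
The two "middle" cases from the post, as an added example that is not part of the original message: a type-gated, offset-anchored check hits the bare file but misses the same bytes behind a prefix or inside an .eml, and only finds them once the MIME parts are decoded. The sample file, addresses and function names are constructed for illustration; the marker string and offset 13 are the post's own Virus A example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SIG = b"I am a VIRUS!!"  # marker string from the post's Virus A example
SIG_OFFSET = 13          # offset from the same example

# Constructed sample: "MZ" header, padding, marker at offset 13. Not a real program.
EXE = b"MZ" + b"\x00" * 11 + SIG + b"\x00" * 64

def naive_scan(data: bytes) -> bool:
    """Type-gated, offset-anchored check: MZ files only, marker at offset 13 only."""
    if not data.startswith(b"MZ"):
        return False  # skipped: "file appears to be wrong type"
    return data[SIG_OFFSET:SIG_OFFSET + len(SIG)] == SIG

def anywhere_scan(data: bytes) -> bool:
    """Offset-free search of the raw bytes, with no unpacking."""
    return SIG in data

def build_sample_eml(attachment: bytes) -> bytes:
    """Constructed message carrying the attachment (base64 by default)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="sample.exe")
    return msg.as_bytes()

def unpacking_scan(data: bytes) -> bool:
    """Scan the file itself, then every decoded MIME leaf part inside it."""
    if naive_scan(data):
        return True
    msg = message_from_bytes(data, policy=policy.default)
    return any(naive_scan(part.get_payload(decode=True) or b"")
               for part in msg.walk() if not part.is_multipart())

EML = build_sample_eml(EXE)
SHIFTED = b"X" * 100 + EXE  # same bytes behind a 100-byte prefix

if __name__ == "__main__":
    for name, blob in (("exe", EXE), ("shifted", SHIFTED), ("eml", EML)):
        print(name, "naive:", naive_scan(blob), "anywhere:", anywhere_scan(blob))
    print("eml after unpacking:", unpacking_scan(EML))
```

Note that even the offset-free search misses the .eml, because the attachment is base64-encoded inside it; that is the "scrambled by the container" case from the list.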