Scan for virus without opening document

andy smart

I've started to get spam coming through my wife's home account, which I'm
pretty sure is virus infected. We use OE (with the preview pane turned
off) and using properties I can see that the address is spoofed and that
one of them is carrying an attachment called document.zip. If I go to
the webmail interface and open the mail, then save the attachment it
saves as an html file, which when opened in a text editor shows, among
the garbage references to pif file and dll - OK so there's little doubt
it's a virus/trojan of some kind.

However I'd like to know which one, I have my suspicions as to which of
her pals might be the sending victim here, but I really don't want to
open it! Sophos scans the inbox file and finds it clean, and it's
normally pretty good at finding stuff. Is there any way I can scan this
attachment without risking payload activation?
 
andy smart

andy said:
I've started to get spam coming through my wife's home account, which I'm
pretty sure is virus infected. We use OE (with the preview pane turned
off) and using properties I can see that the address is spoofed and that
one of them is carrying an attachment called document.zip. If I go to
the webmail interface and open the mail, then save the attachment it
saves as an html file, which when opened in a text editor shows, among
the garbage references to pif file and dll - OK so there's little doubt
it's a virus/trojan of some kind.

However I'd like to know which one, I have my suspicions as to which of
her pals might be the sending victim here, but I really don't want to
open it! Sophos scans the inbox file and finds it clean, and it's
normally pretty good at finding stuff. Is there any way I can scan this
attachment without risking payload activation?

After some research it looks like one of the variants of the MyDoom
virus, both in terms of what we got and the way it might have
'persuaded' the person I think it is to have opened it LOL But my
question about how to scan in these circumstances stands if anybody has
ideas?
 
Roger Wilco

andy smart said:
I've started to get spam coming through my wife's home account, which I'm
pretty sure is virus infected. We use OE (with the preview pane turned
off) and using properties I can see that the address is spoofed and that
one of them is carrying an attachment called document.zip. If I go to
the webmail interface and open the mail, then save the attachment it
saves as an html file, which when opened in a text editor shows, among
the garbage references to pif file and dll - OK so there's little doubt
it's a virus/trojan of some kind.

However I'd like to know which one, I have my suspicions as to which of
her pals might be the sending victim here, but I really don't want to
open it! Sophos scans the inbox file and finds it clean, and it's
normally pretty good at finding stuff. Is there any way I can scan this
attachment without risking payload activation?

Have you tried the File - Save-as - whatever.eml on the desktop and
scanning the entire e-mail? Your scanner should be able to do the rest
(detaching, decoding, etc...). This is the way to extract the e-mail
from the inbox (or whateverbox). If you are unsure about the safety of
the .eml file save it as .txt.
 
Sir Nigel Puke-Fuui

Document.zip is a frequent visitor to my computer via e-mail. My
immediate response is to kick it out un-opened.
 
andy smart

Roger said:
Have you tried the File - Save-as - whatever.eml on the desktop and
scanning the entire e-mail? Your scanner should be able to do the rest
(detaching, decoding, etc...). This is the way to extract the e-mail
from the inbox (or whateverbox). If you are unsure about the safety of
the .eml file save it as .txt.
I'll give it a go!
We've been very free from this kind of stuff at home till now, HoHum!
 
What's in a Name?

andy said:
I've started to get spam coming through my wife's home account, which I'm
pretty sure is virus infected. We use OE (with the preview pane turned
off) and using properties I can see that the address is spoofed and that
one of them is carrying an attachment called document.zip. If I go to
the webmail interface and open the mail, then save the attachment it
saves as an html file, which when opened in a text editor shows, among
the garbage references to pif file and dll - OK so there's little doubt
it's a virus/trojan of some kind.

However I'd like to know which one, I have my suspicions as to which of
her pals might be the sending victim here, but I really don't want to
open it! Sophos scans the inbox file and finds it clean, and it's
normally pretty good at finding stuff. Is there any way I can scan this
attachment without risking payload activation?

A couple of suggestions:
1. Use Thunderbird as your e-mail client.
2. ClamWin has a plug-in for Outlook + OE.
3. Sysclean from Trend would be good to use for a backup scanner.
4. You could use a number of online scanners.
5. A^2 free is another stand-alone scanner.
I have links to all on my site
-max
 
Roger Wilco

andy smart said:
I'll give it a go!
We've been very free from this kind of stuff at home till now, HoHum!

Use "save as" and leave 'save as type' as .eml and use a name with the
.txt extension - otherwise Windows will be its usual helpful self and
save only the e-mail's body. If you then open it with notepad and change
the "filename =" to a safer named extension you can use OE to decode and
detach by renaming the e-mail back to .eml and opening the e-mail. Be
careful though with this last suggestion because I don't know how an OE
autoexecution exploit (audio/x-wav and filename.exe) would treat this
because I don't have any of those available to test with.
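
The replies above suggest saving the whole message as .eml and letting a scanner detach and decode it. As an added example (not part of the original thread), this Python sketch does that detach-and-decode step statically: it lists each attachment's declared type, its real leading bytes and a SHA-256 that can be checked against a scanner's database, without opening or executing anything. The extension list, magic-byte table and sample message are constructed assumptions.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RISKY_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".dll"}  # assumed list
MAGIC = {b"MZ": "windows-executable", b"PK\x03\x04": "zip-archive"}

def sniff(data):
    """Identify content from its leading bytes, ignoring name and MIME type."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def inspect_eml(raw):
    """Statically list attachments in a raw .eml; nothing is opened or executed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue  # skip containers and the plain body
        data = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(data)
        flags = []
        if ext in RISKY_EXT:
            flags.append("risky-extension")
        if kind == "windows-executable" and ext not in RISKY_EXT:
            flags.append("executable-behind-harmless-name")
        if part.get_content_type().startswith(("audio/", "image/")) and kind != "unknown":
            flags.append("mime-type-mismatch")  # e.g. audio/x-wav wrapping filename.exe
        report.append({"name": name, "declared": part.get_content_type(),
                       "sniffed": kind, "sha256": hashlib.sha256(data).hexdigest(),
                       "flags": flags})
    return report

def constructed_sample():
    """Constructed test message: inert bytes with an MZ prefix, labelled audio/x-wav."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "hi"
    m.set_content("see attached")
    m.add_attachment(b"MZ" + b"\x00" * 32, maintype="audio", subtype="x-wav",
                     filename="document.exe")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 32, maintype="application",
                     subtype="zip", filename="document.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(*inspect_eml(constructed_sample()), sep="\n")
```

For a saved message, pass the file's bytes to `inspect_eml`, for example `inspect_eml(open("whatever.eml", "rb").read())`.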
 
