message.zip notification of email address expiry

  • Thread starter Thread starter James Egan
  • Start date Start date
J

James Egan

I got two copies of an email this morning telling me my email address
was about to expire, read attachment for details.

The attachment (message.zip) contains message.html which when opened
by a hex editor looks like it contains a function called malware() and
drops an executable called foo.exe

It isn't detected by the latest f-prot definitions from www.f-prot.com

Has anyone else had this?


Jim.
 
from the said:
I got two copies of an email this morning telling me my email address
was about to expire, read attachment for details.

The attachment (message.zip) contains message.html which when opened
by a hex editor looks like it contains a function called malware() and
drops an executable called foo.exe

It isn't detected by the latest f-prot definitions from www.f-prot.com
Click to expand...

Yes, it's a know trojan/keylogger/whatever, and it has been discussed
here within the last week. Don't open it (you'll notice it appear to
come from your own domain, if you have a 'domain type' email address
setup).
 
James Egan said:
I got two copies of an email this morning telling me my email address
was about to expire, read attachment for details.

The attachment (message.zip) contains message.html which when opened
by a hex editor looks like it contains a function called malware() and
drops an executable called foo.exe
Click to expand...

Old news -- started sometime on Friday (depending on your timezone...).
It isn't detected by the latest f-prot definitions from www.f-prot.com
Click to expand...

What precisely is not detected by F-PROT?

Scanning the ZIP file? Won't be detected.

Scanning the HTML inside the ZIP? Won't be detected.

Scanning the EXE after extracting it from the HTML? Should be detected.

There is an issue with the F-PROT engine's handling of the HTML which means
that the embedded EXE is not seen, so not scanned. Of course, to get bit by
this the EXE has to be extracted and executed, so most "typical users" of
F-PROT are actually "protected" so long as they have the latest SIGN*.DEFs.

I expect you'll see an engine rev in a few days once some QA is completed
(I think the Linux (beta?) scanner has already been updated to handle this
HTML issue).
Has anyone else had this?
Click to expand...

MessageLabs has seen ~51,000 over the weekend:

http://www.messagelabs.com/viruseye/threats/list/default.asp

which is approximately a third more instances than it has seen of the
long-staying Klez.H in the same time...
 
What precisely is not detected by F-PROT?

Scanning the ZIP file? Won't be detected.

Scanning the HTML inside the ZIP? Won't be detected.

Scanning the EXE after extracting it from the HTML? Should be detected.

There is an issue with the F-PROT engine's handling of the HTML which means
that the embedded EXE is not seen, so not scanned. Of course, to get bit by
this the EXE has to be extracted and executed, so most "typical users" of
F-PROT are actually "protected" so long as they have the latest SIGN*.DEFs.
Click to expand...

But F-Prot Dos or FWin on-demand will miss it, I presume. Since bugs
like this, temporary or quite permanent, are not all that uncommon,
this situation is a good example of one of the many reasons why it's
unwise to use just a single scanner. Not that the use of several
scanners on demand isn't frought with difficulties, since it's not
always clear whether or not sfx files (for example) are actually being
decompressed and the archived files "within" scanned. KAVDOS is
particularly good at displaying "running results" so the user can see
the decompressed files actually being scanned.

Art
http://www.epix.net/~artnpeg
 
Back
Top