anomy-list

Virus mails without the payload

From: Bjarni R. Einarsson (120161@xyz.molar.is)
Date: Tue 23 Mar 2004 - 22:43:44 GMT

  • Next message: Bjarni R. Einarsson: "Re: RE: Announcing sanitizer.pl revision 1.67"

    On 2004-03-23, 17:20:21 (-0500), 120195@xyz.molar.is wrote:
    > AFAIK, this virus should have a .zip attachment (most of the time), which I
    > would (through my configuration), scan, and quarantine (and that would
    > print the msg_file_save in the email), but no message is being displayed,
    > and no files are getting quarantined, when the email is delivered without
    > an attachment.

    I'm not sure exactly how these things happen, but I've gotten lots
    of virus mails without the payloads attached. Sobigs, Mydooms, all
    sorts of things. I get a lot of crap mail. :-)

    One theory is that the viruses are buggy.

    Another is that the payloads are getting stripped by stupid mail
    filters, without any notices or warnings getting attached. This
    could easily happen in a company which automatically enforces a "no
    outgoing attachments at all" policy.

    This could also be caused in obscure cases where a machine has
    partial A/V protection - not enough to keep the infection from taking
    place in the first place, but enough to keep the "build a new
    infected mail" process from succeeding.

    > Could that be causing the sanitizer to get confused, and think that the
    > attachment is just junk data, which gets lost???

    That's remotely possible of course, there are always new bugs to find and
    squash. :-) But I've seen so many of these which haven't been touched by
    Anomy that I don't think it's the most likely explanation.

    -- 
    Bjarni Rúnar Einarsson
     120161@xyz.molar.is
     http://bre.klaki.net/
    

    PGP: 02764305, B7A3AB89
