Well, an attachment, a 0 day virus.

How do we block an exe inside a .doc?

Maybe hackers/spammers have found a way around Anti-Virus software, or
at least, attachment blocking.

Spam came in, with a 'proforma invoice' attached.
(if you want to see it, http://www.secnap.com/downloads/proforma.eml)


Click on the proforma invoice.doc, ALMOST open it. (or run strings on it)

See a self executable zip file (.exe)

Proforma_Invoice.exe
C:\PROFOR~1.EXE
C:\PROFOR~1.EXE


'file Proforma_Invoice.doc' shows:

Proforma_Invoice.doc: Microsoft Office Document

file -i Proforma_Invoice.doc shows:
application/msword

Clamav and CA didn't see it as a virus.
(Two hours later, after submitting to [EMAIL PROTECTED] and clamav, clam finds it:
 clamdscan Proforma_Invoice.doc
/tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.201 sec (0 m 0 s)

So, I assume clamav can find its way in.

CA says it is:

"This is to notify you of the results of your submission, issue number
1012270. Please keep this issue number for future reference. 

With regards to the file "proforma_invoice.exe" submitted by you on 16
Jun 00:18:00 (Australian Eastern Standard Time), we have added cure
instructions for Win32/Banbot.L to the signature files. 

The Windows PE (I386,EXE) file "proforma_invoice.exe" has been
determined to be malicious. Our researchers have analyzed the file and
confirmed the result. 

Aliases reported by other AV products are listed here: 
(Generic Dropper.p)"

We don't block .doc, but we do block exe's.

We do (I think) block exe's inside zip, but how do we block a .exe inside a .doc?

Might be my fault, still using the old reg_ne stuff for attachments.

Keep meaning to do the SQL based stuff and haven't.

Relevant configs:

amavisd.conf:

 $banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
   qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
  qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename

  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
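A content check a mail gateway could run on such an attachment, as an added example that is not part of the original post or of amavisd: it walks the attachment bytes for an embedded PE image (an 'MZ' DOS stub whose e_lfanew field points at the 'PE\0\0' signature), which is how an exe dropped into an OLE .doc container shows up regardless of the outer filename or MIME type. The sample document is constructed here; the function and constant names are my own.

```python
import struct

PE_SIGNATURE = b"PE\0\0"


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of every well-formed PE image embedded in `data`.

    A hit requires an 'MZ' stub whose e_lfanew (little-endian u32 at +0x3C)
    points at 'PE\\0\\0'. Validating e_lfanew avoids false hits on the two
    bytes 'MZ' occurring by chance in text or compressed streams.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_document(data: bytes) -> dict:
    """Verdict for one attachment: block if any embedded PE image is found."""
    offsets = find_embedded_pe(data)
    return {"pe_offsets": offsets, "verdict": "block" if offsets else "allow"}


def build_fake_pe() -> bytes:
    # Constructed, non-executable stand-in: 'MZ', e_lfanew = 0x80, then 'PE\0\0'.
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub) + PE_SIGNATURE + b"\0" * 32


# Constructed .doc-like blob: OLE2 compound-file magic, padding, a decoy 'MZ'
# inside ordinary text, then the embedded image at offset 558.
CONSTRUCTED_DOC = (
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    + b"\0" * 504
    + b"Proforma_Invoice.exe\0 MZ is not a header here "
    + build_fake_pe()
    + b"\0" * 64
)

if __name__ == "__main__":
    print(scan_document(CONSTRUCTED_DOC))  # {'pe_offsets': [558], 'verdict': 'block'}
```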
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
