[Avcheck] Eicar detection by different antivirus software

Michael Tokarev mjt@tls.msk.ru
Sun, 13 Jan 2002 23:43:08 +0300


This is quite interesting, to me at least.

avp detects eicar only if the content-type is NOT text/plain.
It detects eicar with e.g. the text/html mime type, or text/mjt,
or any other application/*, audio/* etc.  Regardless of filename --
be it .com, .txt or w/o filename at all.  But ONLY if eicar
is within a standard MIME structure.  Well, we all know about
the recent outlook/msie viruses that work around M$ "protection",
where access rights are determined by MIME type but the action to
take with the content is determined by the file extension.  Almost all
recent viruses were done this way -- e.g. encoding an executable
(with .exe suffix) as the audio/wav MIME type.  I don't know if
an exploit for the text/plain MIME type already exists
or not (when a .exe file goes with the text/plain type), but I will
not be surprised if such an exploit is discovered in the near
future -- this is M$, after all.

But this is not all.  I just checked the "I-Worm.MTX" (avp) aka
"Win95.Matrix.9216" (drweb) virus.  Avp happily detects this
virus if encoded with *any* content type, including text/plain.
So I can't say that avp skips any text/plain attachments for
whatever reason (e.g. to speed up the process).  So, granted,
any virus that targets a text/plain + .exe exploit will be
detected by avp (having recent virus bases).

For drweb, the case is different.  It will detect eicar regardless
of MIME type, including text/plain.  It correctly will not detect
it if I place some additional characters before the eicar body,
leaving all the other MIME structure intact, e.g.

--boundary
Content-type...

some random text
eicar body
--boundary

Obviously, this is not EICAR.

Drweb *will* detect this "virus" if I exchange the above two lines,
making the virus body first and the random line second.  The resulting file,
if saved to disk, will be a valid .com file that will do what the original
eicar does. (The same goes for avp -- both work correctly here.)

But in addition to this, drweb will detect this file in a nested "structure",
like the one posted by "RaBL" that was rejected by our mailserver.  That was
a text/plain message containing another message inside that plaintext,
which actually was a message with eicar.  If you quote another message
inside a plaintext email, that internal message shouldn't be interpreted
as a separate email, yes?  Anyone can see this drweb false positive --
this was Message-ID: <3C41D853.4000108@underworld.blansko.cz>,
From: RaBL <blaha@underworld.blansko.cz>, where he posted two log
excerpts and the original "infected by eicar" message, replacing the eicar
body with something else (this last step allowed that message to actually
come through).

Sergey, Vladislav, can you look into this?  I placed a complete copy
of the rejected message at

 ftp://ftp.corpit.ru/home/mjt/drweb-false-alarm

That was the original message from RaBL that was rejected by drweb.  This is
certainly a bug in drweb, but I was unable to reproduce it with another
structure -- there must be something specific.  E.g. if I prepend standard
email headers to the eicar.msg file as distributed with avcheck, drweb will
not detect eicar in it, and this is correct.

Regards,
 Michael.
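As an added example (not code from the post above, nor from avcheck, avp or drweb), here is a small Python scanner that walks a MIME message with the standard library, decodes each leaf part and applies EICAR's own published rule to the resulting bytes, so the verdict cannot depend on the declared Content-Type or the filename. It runs the cases discussed in the post on messages constructed inline: eicar attached under text/plain, text/html and audio/wav; "random line then body" versus "body then random line"; and a text/plain message that merely pastes a message that carried eicar. EICAR's rule permits only whitespace after the 68-byte string and a total of at most 128 bytes, so "body then random line" is not the EICAR test file under that rule; the `strict=False` switch is a looser prefix match that reproduces the verdict the post reports for avp and drweb on that file, and is not a description of how either product works. The `example.test` addresses, the `boundary` string and the case labels are made up for the example.

```python
"""Apply EICAR's test-file rule to the decoded bytes of every leaf MIME part.

Added example: not code from the original post, nor from avcheck, avp or drweb.
All sample messages are constructed below; none is captured mail.
"""
from __future__ import annotations

import email
import email.policy

# The 68-byte EICAR string, built from two adjacent literals so that this
# source file itself never contains the contiguous pattern.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR) == 68

EICAR_MAX_LEN = 128               # EICAR's limit on the whole file
EICAR_TRAILING = b" \t\r\n\x1a"   # the only bytes EICAR allows after the string


def is_eicar(data: bytes, strict: bool = True) -> bool:
    """strict=True is EICAR's published rule: the 68 bytes come first, only
    whitespace may follow, total length at most 128.  strict=False is the
    looser prefix match the post reports for avp and drweb on "eicar body
    first, random line second".  Text *before* the string fails both."""
    if not data.startswith(EICAR):
        return False
    if not strict:
        return True
    if len(data) > EICAR_MAX_LEN:
        return False
    return all(b in EICAR_TRAILING for b in data[len(EICAR):])


def scan_message(raw: bytes, strict: bool = True) -> list[tuple[str, bool]]:
    """Return (content-type, verdict) per leaf part, judged on decoded bytes
    only.  A text/plain body that pastes another message stays one part."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    verdicts = []
    for part in msg.walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b""
            verdicts.append((part.get_content_type(), is_eicar(payload, strict)))
    return verdicts


def build_message(ctype: str, body: bytes, filename: str | None = None) -> bytes:
    """Constructed two-part message: a short text part, then `body` under
    `ctype`, optionally with an attachment filename (made-up sender)."""
    headers = b"Content-Type: " + ctype.encode("ascii") + b"\r\n"
    if filename is not None:
        headers += (b'Content-Disposition: attachment; filename="'
                    + filename.encode("ascii") + b'"\r\n')
    return (b"From: sender@example.test\r\n"
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="boundary"\r\n'
            b"\r\n--boundary\r\n"
            b"Content-Type: text/plain\r\n"
            b"\r\nsee attachment\r\n"
            b"--boundary\r\n"
            + headers + b"\r\n" + body + b"\r\n--boundary--\r\n")


def build_pasted_message() -> bytes:
    """Constructed text/plain message whose body pastes, verbatim, a message
    that carried EICAR: the shape of the false positive described above."""
    inner = build_message("application/octet-stream", EICAR, "eicar.com")
    return (b"From: reporter@example.test\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/plain\r\n"
            b"\r\nThis message was rejected by the scanner:\r\n\r\n" + inner)


def run_cases() -> dict[str, bool]:
    """The cases from the post, as a MIME-aware scan decides them."""
    def verdict(ctype, body, fname=None, strict=True):
        # verdict on the second (attachment) part of the built message
        return scan_message(build_message(ctype, body, fname), strict)[-1][1]

    line = b"some random text"
    pasted = build_pasted_message()
    return {
        "text/plain, no filename": verdict("text/plain", EICAR),
        "text/html, eicar.txt": verdict("text/html", EICAR, "eicar.txt"),
        "audio/wav, eicar.com": verdict("audio/wav", EICAR, "eicar.com"),
        "text then body, strict": verdict("text/plain", line + b"\r\n" + EICAR),
        "text then body, prefix": verdict("text/plain", line + b"\r\n" + EICAR, strict=False),
        "body then text, strict": verdict("text/plain", EICAR + b"\r\n" + line),
        "body then text, prefix": verdict("text/plain", EICAR + b"\r\n" + line, strict=False),
        "pasted message, mime-aware": any(hit for _, hit in scan_message(pasted)),
        "pasted message, raw substring": EICAR in pasted,   # the naive check
    }


if __name__ == "__main__":
    for label, hit in run_cases().items():
        print(f"{'EICAR' if hit else 'clean'}  {label}")
```

The two "pasted message" cases are the point of the false positive: a scanner that decodes parts according to the MIME tree sees one text/plain leaf whose bytes begin with the reporter's own sentence and so reports nothing, while a plain substring search over the raw message fires on the pasted copy. The strict/prefix split shows why "body then random line" is a judgement call rather than a bug either way: it is not the EICAR test file by EICAR's definition, but it does start with the 68 bytes.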