[Avcheck] Gibe & DrWeb [was: Test]
Michael Tokarev
mjt@tls.msk.ru
Fri, 15 Mar 2002 02:41:50 +0300
Oh well... Content filters are ON at many sites... ;)
Snipped irrelevant parts and changed the text somewhat so this
email will reach those who use body_checks... ;)
(name changed to XaXe and filename to XiXeXaXe)
Richard Harvey Chapman wrote:
>
> Anyway, I have to run right now, but I'll post a weird avcheck problem
> later. In a nutshell, received the Win32.Gibe virus twice with no
> errors. I've been testing with that virus all day yesterday and it
> caught every one. Then, I forwarded the message that got through back to
> myself and it got caught. Weird.
Check if those uncaught emails contain leading spaces in the first
line of the attached .exe. Like this:
---(begin part of gibe virus)---
...
If in doubt, please ask for assistance. ATSI, Inc. scans all email with the lat
est "NAI" software for KNOWN viruses.
--NextPart_000235
Content-Type: application/x-msdownload;
XaXe="q216309.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
XiXeXaXe="q216309.exe"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAuAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
...
---(end of gibe sample)--
(note 3 spaces before TVqQ... in pre-last line). If this is the case (I suspect
it is), the answer is simple: DrWeb won't detect this. I don't know why. (I
already sent this variant to support@drweb.ru on Mar 12, but have received
nothing so far.)
Regards,
Michael.
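
Added example, not part of the original message or of avcheck: a pre-scan check that flags base64 attachments whose encoded lines carry leading spaces or other non-alphabet characters, and decodes them leniently so the canonical bytes can be handed to the scanner. The function names, the sample message and its filename are constructed for illustration.

```python
import base64
import binascii
import email
import re

CANONICAL = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def audit_base64_parts(raw_message):
    """Flag base64 parts containing lines that are not canonical base64."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        body = part.get_payload()  # raw text, still encoded
        odd = [n for n, line in enumerate(body.splitlines(), 1)
               if not CANONICAL.fullmatch(line)]
        if not odd:
            continue
        # Decode as a lenient mail client would: ignore every character
        # outside the alphabet, then restore padding.
        cleaned = re.sub(r"[^A-Za-z0-9+/]", "", body)
        cleaned += "=" * (-len(cleaned) % 4)
        try:
            decoded = base64.b64decode(cleaned)
        except binascii.Error:
            decoded = None  # not recoverable; hold the message for review
        findings.append({"filename": part.get_filename(),
                         "lines": odd, "decoded": decoded})
    return findings

def build_sample(indent="   "):
    """Constructed message: harmless bytes starting with 'MZ', not malware."""
    payload = b"MZ" + bytes(range(100))
    b64 = base64.encodebytes(payload).decode().splitlines()
    b64[0] = indent + b64[0]  # the leading spaces described in the message
    return "\n".join([
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="NextPart_000235"',
        "",
        "--NextPart_000235",
        "Content-Type: application/x-msdownload",
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="sample.exe"',
        "",
        *b64,
        "--NextPart_000235--",
        ""])
```

A part that appears in the findings can be rejected outright or re-encoded from the decoded bytes before it is passed to the virus scanner.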