
SANS Internet Storm Center (ISC) Diary

Symantec decomposer rar bypass allowed malicious content.

ScottT of Blue Cross Blue Shield submitted the following information and a
rar file that bypassed his Symantec decomposer on his SMTP gateway.

“We received over 30 of these emails containing infected rar files.
Symantec detected them, but somehow these emails evaded our email
gateway and spam filter. The body text contained blocked words so it should
have been dumped by the spam filter. Our email gateway strips rar and scr
attachments, so the attachments should have been stripped.

We sent test emails with the offensive body text and the spam filter dumped
them. We also sent test emails with rar files attached, and the emails
arrived with the attachment stripped.

This has us stumped. It seems our systems are functioning properly, but
these emails are beating them.”

This was in the message headers of the email he forwarded to us.
“This message has been processed by Symantec AntiVirus.
screen.scr is still infected with the malicious virus Downloader because the
Symantec decomposer cannot modify its container.”

The text of the message implies you will see Paris Hilton undress if you open the attachment.

VirusTotal recognized screen.rar as a trojan downloader.

Sending screen.scr to produced a good analysis.
The short version: it is a variant of SDBOT.
Nitty-Gritty details available here:

Symantec has suggested some changes to Scott's SMTP gateway configuration that may prevent further bypasses. The version of zip I have under Cygwin also reported this rar as "damaged or invalid".
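The header quoted above says the decomposer recognised the infection but could not alter the RAR container, and the message was delivered anyway; the archive is also "damaged or invalid" to an ordinary unpacker. The safe behaviour for a gateway is to fail closed: a container the decomposer cannot fully parse is never handed to the recipient as-is. The Python below is an added illustration written for this diary, not Symantec's code and not Scott's gateway configuration. It walks the RAR 4.x block structure (marker, main, file and end blocks) checking every header's size and CRC, and feeds a hypothetical policy that strips blocked extensions, quarantines anything it cannot parse, and delivers only what it fully understood. The archive bytes are constructed inline and inert; the verdict strings, `BLOCKED_EXTENSIONS` and the function names are assumptions made for the example.

```python
import struct
import zlib

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"            # fixed 7-byte marker block
MAIN_HEAD, FILE_HEAD, ENDARC_HEAD = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000   # HEAD_FLAGS bit: 4-byte ADD_SIZE (PACK_SIZE for files) follows HEAD_SIZE
LHD_LARGE = 0x0100    # file header carries HIGH_PACK_SIZE/HIGH_UNP_SIZE before FILE_NAME
BLOCKED_EXTENSIONS = (".rar", ".scr")           # assumed policy, after the diary's "strips rar and scr"


class MalformedArchive(Exception):
    """Raised whenever the container cannot be parsed with confidence."""


def _head_crc(header_after_crc: bytes) -> int:
    # HEAD_CRC is the low 16 bits of CRC32 over the header bytes that follow the CRC field.
    return zlib.crc32(header_after_crc) & 0xFFFF


def walk_rar4(blob: bytes):
    """Yield (head_type, head_flags, file_name) per block (file_name is None for non-file
    blocks). Any inconsistent size or CRC raises instead of being skipped over."""
    if not blob.startswith(RAR4_SIGNATURE):
        raise MalformedArchive("missing RAR 4.x marker block")
    pos = len(RAR4_SIGNATURE)
    while pos < len(blob):
        if pos + 7 > len(blob):
            raise MalformedArchive("truncated block header at offset %d" % pos)
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", blob, pos)
        if head_size < 7 or pos + head_size > len(blob):
            raise MalformedArchive("HEAD_SIZE out of range at offset %d" % pos)
        if _head_crc(blob[pos + 2:pos + head_size]) != head_crc:
            raise MalformedArchive("HEAD_CRC mismatch at offset %d" % pos)
        add_size = 0
        if head_flags & LONG_BLOCK:
            if head_size < 11:
                raise MalformedArchive("LONG_BLOCK set but no room for ADD_SIZE")
            add_size = struct.unpack_from("<I", blob, pos + 7)[0]
        name = None
        if head_type == FILE_HEAD:
            # After HEAD_SIZE: PACK_SIZE(4) UNP_SIZE(4) HOST_OS(1) FILE_CRC(4) FTIME(4)
            # UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4) [HIGH sizes(8)] FILE_NAME
            if head_size < 32:
                raise MalformedArchive("file header too short at offset %d" % pos)
            name_size = struct.unpack_from("<H", blob, pos + 26)[0]
            name_off = pos + 32 + (8 if head_flags & LHD_LARGE else 0)
            if name_off + name_size > pos + head_size:
                raise MalformedArchive("FILE_NAME runs past its header")
            name = blob[name_off:name_off + name_size]
        yield head_type, head_flags, name
        pos += head_size + add_size
        if pos > len(blob):
            raise MalformedArchive("packed data truncated")
        if head_type == ENDARC_HEAD:
            break


def _blocked(name: str) -> bool:
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def gateway_verdict(attachment_name: str, blob: bytes) -> str:
    """Return 'strip', 'quarantine' or 'deliver'. Unparseable is never treated as clean."""
    if _blocked(attachment_name):
        return "strip"
    if not blob.startswith(RAR4_SIGNATURE):
        return "deliver"                 # not a RAR container; other checks would apply (assumed)
    try:
        inner = [n for t, _, n in walk_rar4(blob) if t == FILE_HEAD]
    except MalformedArchive:
        return "quarantine"              # fail closed, unlike the gateway in the diary
    if any(_blocked(n.decode("latin-1")) for n in inner):
        return "strip"                   # renamed container still carries a blocked type
    return "deliver"


def build_block(head_type: int, head_flags: int, extra: bytes = b"", data: bytes = b"") -> bytes:
    """Test-data helper: one RAR 4.x block with a correct HEAD_CRC."""
    head_size = 7 + (4 if head_flags & LONG_BLOCK else 0) + len(extra)
    body = struct.pack("<BHH", head_type, head_flags, head_size)
    if head_flags & LONG_BLOCK:
        body += struct.pack("<I", len(data))      # ADD_SIZE == PACK_SIZE for a stored file
    body += extra
    return struct.pack("<H", _head_crc(body)) + body + data


def make_sample_rar(inner_name: bytes, content: bytes) -> bytes:
    """Constructed archive (not the one from the diary): one stored, unencrypted file."""
    main = build_block(MAIN_HEAD, 0x0000, extra=b"\x00" * 6)            # HighPosAV, PosAV
    fields = struct.pack("<IBIIBBHI", len(content), 2, zlib.crc32(content) & 0xFFFFFFFF,
                         0, 29, 0x30, len(inner_name), 0x20)            # UNP_SIZE .. ATTR, METHOD=stored
    file_blk = build_block(FILE_HEAD, LONG_BLOCK, extra=fields + inner_name, data=content)
    return RAR4_SIGNATURE + main + file_blk + build_block(ENDARC_HEAD, 0x0000)


def demo() -> dict:
    """Verdicts for the cases the diary raises: blocked name, renamed container, damaged container."""
    good = make_sample_rar(b"screen.scr", b"MZ" + b"\x00" * 30)        # constructed, inert bytes
    damaged = bytearray(good)
    damaged[45] ^= 0xFF                  # METHOD byte of the file header (offset 7+13+25): CRC now wrong
    return {
        "by_name": gateway_verdict("screen.rar", good),
        "renamed": gateway_verdict("holiday.dat", good),
        "damaged": gateway_verdict("holiday.dat", bytes(damaged)),
        "truncated": gateway_verdict("holiday.dat", good[:-12]),
        "benign": gateway_verdict("photos.dat", make_sample_rar(b"photo.jpg", b"\xff\xd8")),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-9s -> %s" % (case, verdict))
```

The walker deliberately refuses to resynchronise after a bad header: a scanner that skips a block it cannot understand, or a gateway that treats "could not inspect" as "nothing found", is exactly what lets a malformed container through while the attachment inside it is still intact. Real gateways also have to cope with multi-volume sets, encrypted headers and the unicode name encoding, none of which this example handles.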


Apr 22nd 2008
