Mailing List Archive

[clamav-users] Email payload in .img container
This was a new one that I have not seen before.

I uploaded the payload inside to VirusTotal, and it's not caught there
either:

https://www.virustotal.com/gui/file/368906d50bd279e9576aaa3d6dea269515410a5f74cd93112767eb4bac310d1d/detection

My question is, since this was in a disk image container, would it have even
been caught anyway, even if it was detected?

Sincerely,

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300
Re: [clamav-users] Email payload in .img container
How big is the img file? ClamAV has a 4 GB (2**32-1) size limit (alas),
maybe others do too.


On Mon, 17 Feb 2020 13:56:32 -0500
"Eric Tykwinski" <eric-list@truenet.com> wrote:

> This was a new one that I have not seen before.
>
> I uploaded the payload inside to VirusTotal, and it's not caught there
> either:
>
> https://www.virustotal.com/gui/file/368906d50bd279e9576aaa3d6dea269515410a5f74cd93112767eb4bac310d1d/detection
>
> My question is since this was in a disk image container would it have
> even been caught anyways, even if it was detected?
>
> Sincerely,
>
> Eric Tykwinski
>
> TrueNet, Inc.
>
> P: 610-429-8300

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Email payload in .img container
On 2020-02-18 02:02, Paul Kosinski via clamav-users wrote:
> How big is the img file? ClamAV has a 4 GB (2**32-1) size limit (alas),
> maybe others do too.
>
Here are 3 samples from a few days ago; they vary in size, but none is near
4 GB...



7z l *.img

Path = DOC_9862833__.img
Type = Iso
Physical Size = 122880
Created = 2020-02-14 10:41:32
Modified = 2020-02-14 10:41:32

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-02-14 08:25:01 .....        61440        61440  DOC_9862833 .exe
------------------- ----- ------------ ------------  ------------------------
2020-02-14 08:25:01              61440        61440  1 files

Listing archive: INVOICE88889.IMG

--
Path = INVOICE88889.IMG
Type = Udf
Physical Size = 1245184
Comment = INVOICE88889
Cluster Size = 2048
Created = 2020-02-14 06:52:20

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-02-14 06:43:22 .....       114688       114688  INVOICE88889.exe
------------------- ----- ------------ ------------  ------------------------
2020-02-14 06:43:22             114688       114688  1 files

Listing archive: Purchase_Order_LPO141223.img

--
Path = Purchase_Order_LPO141223.img
Type = Iso
Physical Size = 118784
Created = 2020-02-14 07:15:20
Modified = 2020-02-14 07:15:20

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-02-14 07:10:15 .....        57344        57344  Purchase Order LPO141223.exe
------------------- ----- ------------ ------------  ------------------------
2020-02-14 07:10:15              57344        57344  1 files

------------------- ----- ------------ ------------  ------------------------
2020-02-14 08:25:01             233472       233472  3 files

Archives: 3
Volumes: 3
Total archives size: 1486848



clamscan --database=foxhole_filename.cdb *.img

DOC_9862833__.img: Sanesecurity.Foxhole.Iso_fs1729.UNOFFICIAL FOUND
INVOICE88889.img: Sanesecurity.Foxhole.Iso_fs1493.UNOFFICIAL FOUND
Purchase_Order_LPO141223.img: Sanesecurity.Foxhole.Iso_fs1146.UNOFFICIAL FOUND

clamscan --database=foxhole_all.cdb *.img

DOC_9862833__.img: Sanesecurity.Foxhole.Iso_exe.UNOFFICIAL FOUND
INVOICE88889.img: Sanesecurity.Foxhole.Iso_exe.UNOFFICIAL FOUND
Purchase_Order_LPO141223.img: Sanesecurity.Foxhole.Iso_exe.UNOFFICIAL FOUND

--
Cheers,

Steve
Sanesecurity

Re: [clamav-users] Email payload in .img container
> On Feb 18, 2020, at 6:10 AM, Steve Basford <steveb_clamav@sanesecurity.com> wrote:
>
> On 2020-02-18 02:02, Paul Kosinski via clamav-users wrote:
>> How big is the img file? ClamAV has a 4 GB (2**32-1) size limit (alas),
>> maybe others do too.
> Here's 3 samples from a few days ago, so vary in size but not near 4 GB…
>

Pretty much on par with size, a little bit bigger: 1.19 MB
I’ve decided to just block them by extension for now, as I don’t think many of my customers will be emailing out ISOs or disk images directly at least.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

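Added example, not code from this thread, from Sanesecurity or from ClamAV: a small Python triage script that does by content what Steve's 7z listing and the Foxhole.Iso_exe signature do, and what Eric's extension block does not. It recognises an attachment as an ISO 9660 or UDF image from its volume descriptors (so a renamed .img is still caught) and walks the ISO 9660 root directory to see whether it carries an executable. The two sample images are constructed inline (a minimal ISO with one INVOICE.EXE;1 at the root, and a bare UDF volume recognition sequence); the function names, the EXEC_SUFFIXES policy list and the verdict labels are my own choices, and the UDF directory tree is deliberately not parsed.

```python
"""Content-based triage of disk-image mail attachments (ISO 9660 / UDF).
Container type comes from the volume descriptors, not the file extension;
the ISO 9660 root directory is listed so an executable inside can be flagged."""
import struct

SECTOR = 2048
DESCRIPTOR_SECTOR = 16      # both ISO 9660 and UDF place their first descriptor here
# Assumed policy list of extensions worth blocking inside an image (not from the thread).
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi")


def identify_disk_image(data: bytes) -> set:
    """Formats recognised from descriptor sectors 16..47.  ISO 9660 descriptors
    carry "CD001" at byte 1; the UDF volume recognition sequence carries
    "BEA01"/"NSR02"/"NSR03"/"TEA01" in the same position."""
    found = set()
    for sector in range(DESCRIPTOR_SECTOR, DESCRIPTOR_SECTOR + 32):
        off = sector * SECTOR
        if off + 6 > len(data):
            break
        ident = data[off + 1:off + 6]
        if ident == b"CD001":
            found.add("iso9660")
        elif ident in (b"NSR02", b"NSR03"):
            found.add("udf")
        elif ident == b"TEA01":             # end of the UDF recognition sequence
            break
    return found


def _le32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def _directory_entries(data: bytes, extent: int, length: int):
    """Yield (name, flags) for each ISO 9660 directory record in one directory."""
    pos, end = extent * SECTOR, min(extent * SECTOR + length, len(data))
    while pos < end:
        rec_len = data[pos]
        if rec_len == 0:                    # zero byte: padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        if rec_len < 33 or pos + rec_len > end:
            break                           # malformed record: stop rather than misparse
        rec = data[pos:pos + rec_len]
        yield rec[33:33 + rec[32]].decode("ascii", "replace"), rec[25]
        pos += rec_len


def list_iso_root(data: bytes) -> list:
    """Names in the root directory of an ISO 9660 image; [] if there is no PVD."""
    pvd = data[DESCRIPTOR_SECTOR * SECTOR:(DESCRIPTOR_SECTOR + 1) * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return []
    root = pvd[156:190]                     # 34-byte root directory record inside the PVD
    return [name for name, _flags in _directory_entries(data, _le32(root, 2), _le32(root, 10))
            if name not in ("\x00", "\x01")]    # skip the self/parent entries


def assess_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment.  Only the ISO 9660 root is walked; a UDF image
    is returned for review because its directory structure is not parsed here."""
    formats = identify_disk_image(data)
    names = list_iso_root(data) if "iso9660" in formats else []
    # ISO 9660 names carry a ";1" version suffix; drop it before checking the extension.
    execs = [n for n in names if n.split(";")[0].lower().endswith(EXEC_SUFFIXES)]
    verdict = "block" if execs else ("review" if formats else "allow")
    return {"filename": filename, "formats": sorted(formats),
            "root_entries": names, "executables": execs, "verdict": verdict}


def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build one ISO 9660 directory record (both-endian fields, even total length)."""
    rec = bytearray(33 + len(name))
    rec[0] = len(rec) + len(rec) % 2
    struct.pack_into("<I", rec, 2, extent)
    struct.pack_into(">I", rec, 6, extent)
    struct.pack_into("<I", rec, 10, size)
    struct.pack_into(">I", rec, 14, size)
    rec[25], rec[32], rec[33:] = flags, len(name), name
    return bytes(rec).ljust(rec[0], b"\x00")


def build_sample_iso() -> bytes:
    """Constructed image: PVD at sector 16, terminator at 17, root dir at 18, data at 19."""
    image, pvd, term = bytearray(SECTOR * 20), bytearray(SECTOR), bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, 2)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    image[16 * SECTOR:17 * SECTOR], image[17 * SECTOR:18 * SECTOR] = pvd, term
    root = (_dir_record(b"\x00", 18, SECTOR, 2) + _dir_record(b"\x01", 18, SECTOR, 2)
            + _dir_record(b"INVOICE.EXE;1", 19, 1024, 0))
    image[18 * SECTOR:18 * SECTOR + len(root)] = root
    image[19 * SECTOR:19 * SECTOR + 2] = b"MZ"      # constructed stub, not a real program
    return bytes(image)


def build_sample_udf() -> bytes:
    """Constructed image carrying only a UDF volume recognition sequence."""
    image = bytearray(SECTOR * 20)
    for i, ident in enumerate((b"BEA01", b"NSR02", b"TEA01")):
        off = (16 + i) * SECTOR
        image[off + 1:off + 6], image[off + 6] = ident, 1
    return bytes(image)


if __name__ == "__main__":
    # The same bytes under a harmless-looking name still come back as an ISO carrying an .exe.
    for fname, blob in (("Invoice.pdf", build_sample_iso()), ("order.img", build_sample_udf())):
        print(assess_attachment(fname, blob))
```

The point of checking descriptor sectors instead of the filename is that an extension rule on a gateway stops only the senders who keep the .img/.iso suffix; the image itself is still a valid ISO 9660 or UDF volume under any name, and that is what a content rule or a signature such as Foxhole.Iso_exe keys on. A gateway would still hand the image to a scanner that unpacks it; this script is only the "is there an executable inside a disk image" triage step.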