
Network Security Focus-Virus

Re: blocking BHX files with MIME

Subject: Re: blocking BHX files with MIME
Date: Wed, 17 May 2006 14:26:03 +1200
lsi wrote:

> ..is done by filtering for the following string:
>
> YmVnaW4gNj
>
> This string appears as the first ten bytes of the first line of a BHX
> file encoded in MIME (eg. as it appears in an email).  So all BHX files
> can be filtered by searching for that string.

Well, actually, no...

You see, technically, .BHX files are (semi-conventionally) BinHex 4.0 
encoded files. .HQX is _the_ conventional extension for BinHex 4.0 
encoded files, but .BHX is used as well...

Now, by definition -- say :

   http://docs.info.apple.com/article.html?artnum=18499

(I imagine Apple should know a little about what BinHex files should 
look like) -- BinHex 4.0 files _must_ start with the line:

   (This file must be converted with BinHex 4.0)

(without the illustrative indentation used above), followed by a blank 
line, followed by a line beginning with a ":" (the BinHex'ed data 
stream within a BinHex file is surrounded with ":" characters).  In 
practice you do find BinHex files with leading blank lines and other 
stuff before the "required" starting comment, and occasionally without 
the blank line separating the comment from the encoded data stream, but 
we'll ignore those possibilities as technically a BinHex decoder would 
be correct to barf on such _reputed_ BinHex files...

So, if you really want to block all Base64 encoded (conformant) 
.BHX/.HQX/BinHex 4.0 file attachments you would block Base64 MIME 
components that start:

   KFRoaXMgZmlsZSBtdXN0IGJlIGNvbnZlcnRlZCB3aXRoIEJpbkhleCA0LjAp

(The BinHex 4.0 identifier string only, Base64 encoded.)

> I forward this info as I've seen some BHX files come in recently 
> attached to fake bounce messages, ...

Well, actually, no...

The Base64 snippet you presented above decodes to:

   begin 6

which means that the encoded files you've been seeing are almost surely 
UUencoded files.

Your rule will not filter all Base64'ed UUencoded files because, in the 
UUencoding format, that "6" is the first octal value in the Unix-ish 
file mode value that follows the UUencoding "begin " marker and 
precedes the filename.

> ... I presume it's a virus of some kind but
> I didn't bother to open one so I couldn't be sure ... 

I suspect that what you've been seeing is Blackmal.F (CME-24; aka 
Blackmal.E, Grew.A, Kapser.A, MyWife.D, Nyxem.D, Nyxem.E, Tearec.A, 
etc).  It (mis)uses the .BHX extension and others supported by WinZip 
(and probably other popular Windows archive-handling programs) and the 
encoding schemes it auto-detects.  Thus, it may UUencode its .EXE into 
a file with a .BHX, .HQX or other extension.  These will then be Base64 
encoded as an attachment to the Email the virus sends out.

> ... of course if
> you/your users have a use for BHX attachments, don't block them.

In this case, your filter rule would not have that effect, but will 
likely upset anyone deliberately using UUencoded files as MIME 
attachments...

> This technique is a variation of that used to block all EXEs, ZIPs and
> WMFs previously detailed in this forum and also on the web at various
> places, including here:
> http://www.spampalforums.org/phpBB2/viewtopic.php?t=6286

Sadly though, you got it wrong (but then, so have some of the previous 
such posts to this list, so I guess you really are following others' 
precedents...).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
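The point Nick makes above (that a filter on the Base64 text only sees the bytes that happen to fall at the start of the encoded stream, and that "YmVnaW4gNj" is "begin 6" plus half a byte, not a BinHex signature) can be checked mechanically. The following Python is an added example written for this archive page; it is not code from either poster, and the UUencoded file, the bounce-style message and the function names are constructed for illustration. It computes which Base64 characters a given plaintext prefix actually fixes, decodes a Base64 prefix the way Nick did, and runs both filter strings against the raw (still-encoded) body of a MIME attachment, which is where a mail filter of the kind discussed would apply them.

```python
import base64
import binascii
import email
from email import policy
from email.message import EmailMessage

# Filter strings from the thread: lsi's rule, and the Base64 form of the
# mandatory BinHex 4.0 header line quoted in the reply.  A mail filter like
# the one discussed compares these against the *encoded* text of a MIME
# part, not against the decoded attachment.
RULES = {
    "lsi_rule": "YmVnaW4gNj",
    "binhex_4_0": "KFRoaXMgZmlsZSBtdXN0IGJlIGNvbnZlcnRlZCB3aXRoIEJpbkhleCA0LjAp",
}


def stable_b64_prefix(plaintext: bytes) -> str:
    """Base64 characters fully determined by `plaintext` at the start of a
    stream: every 3 input bytes fix 4 output chars; 1 leftover byte fixes one
    more char (its high 6 bits); 2 leftover bytes fix two more.  Any later
    character also depends on bytes we have not seen, so a rule that
    includes it matches only some continuations."""
    full, rem = divmod(len(plaintext), 3)
    n = full * 4 + rem          # rem in {0, 1, 2} -> 0, 1, 2 extra chars
    return base64.b64encode(plaintext).decode("ascii")[:n]


def decode_prefix(rule: str) -> bytes:
    """Decode the whole bytes a Base64 prefix pins down, as Nick did to turn
    "YmVnaW4gNj" into "begin 6".  Characters that fix only part of a byte are
    dropped (Python's lenient decoder ignores the spare low bits)."""
    head, rem = divmod(len(rule), 4)
    usable = rule[:head * 4]
    if rem >= 2:                # 2 chars -> 1 full byte, 3 chars -> 2 bytes
        usable += rule[head * 4:] + "=" * (4 - rem)
    return base64.b64decode(usable)


def rule_matches_plaintext(rule: str, plaintext: bytes) -> bool:
    """Would a Base64 part whose decoded bytes start with `plaintext` begin
    with `rule`?  `plaintext` must be long enough to cover the rule."""
    return base64.b64encode(plaintext).decode("ascii").startswith(rule)


def uuencoded_file(name: str, mode: str, data: bytes) -> bytes:
    """Constructed UUencoded file (the format lsi's samples turned out to be).
    `mode` is the octal Unix file mode that follows the "begin " marker."""
    lines = b"".join(binascii.b2a_uu(data[i:i + 45])
                     for i in range(0, len(data), 45))
    return b"begin %s %s\n" % (mode.encode(), name.encode()) + lines + b"`\nend\n"


def build_mail(filename: str, payload: bytes) -> bytes:
    """Constructed bounce-style message carrying one Base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("Constructed bounce text.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan(raw_mail: bytes, rules: dict = RULES) -> list:
    """(filename, rule name) for each attachment whose raw Base64 text starts
    with a rule string, i.e. what a filter on the encoded body would catch."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        encoded = part.get_payload(decode=False).lstrip()   # still Base64
        for name, rule in rules.items():
            if encoded.startswith(rule):
                hits.append((part.get_filename(), name))
    return hits


if __name__ == "__main__":
    exe_like = b"MZ" + bytes(62)        # constructed stand-in for an .EXE
    for mode in ("644", "600", "755"):
        mail = build_mail("report.bhx", uuencoded_file("payload.exe", mode, exe_like))
        print(mode, scan(mail))
    print(decode_prefix(RULES["lsi_rule"]))
```

The 'j' in "YmVnaW4gNj" is the tenth character, and only nine are fixed by "begin 6": the 'j' also carries the high nibble of the byte after the '6', so the rule matches "begin 60" through "begin 69" (and "begin 6:" and the like) but not "begin 755" or any other mode. Both filter strings also assume the attachment's first byte is the first byte of the encoded stream; the non-conformant BinHex files Nick mentions, with blank lines before the header comment, shift the Base64 text and slip past a prefix match.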
