COMMAND InterScan VirusWall SYSTEMS AFFECTED Trend Micro's InterScan VirusWall version 3.0.1 for Solaris. PROBLEM Following is based on Alcatel Security Advisory. The NewApt Worm is currently exploiting this bug to avoid detection. By sending an SMTP message with a malformed attachment, it is possible for malicious code to avoid detection by Trend Micro's InterScan SMTP scanner version 3.0.1 for Solaris. Other versions may be affected as well, but were not tested. RFC2045 describes the number of padding characters needed at the end of a base64 encoded MIME attachment. InterScan VirusWall does not properly handle incorrectly padded attachments. Upon receiving such an attachment, InterScan fails to scan the attachment properly and the message is allowed to pass through; however, InterScan does log the following message to its system logs: base64: Unexpected EOF seen Note: This modification of the padding does not appear to affect mail clients such as Netscape Communicator. Alcatel noticed this bug while testing the product with live viruses. The NewApt Worm replicates by replying to emails in the victim's mailbox. The above error message was a clear indication that this particular attachment was problematic. It was determined that an extra "=" character at the end of the base64 encoding was the cause of the problem. Further investigation revealed that if the correct number of "=" characters (as per RFC2045) were not present, InterScan failed to catch the virus. This was tested with several other viruses such as Melissa and Shankar. To exploit this vulnerability, create a new message with the virus of your choice attached. Save this message to your local disk. Edit the message and add any number of "=" characters to the end of the base64 encoded attachment. This message will now pass through the InterScan VirusWall, and the virus will remain undetected and intact. John Lampe added following. Along a similar vein numbers 1 through 3 below will also allow virus-infected attachements to pass right by Interscan Viruswall. 1) adding a "-" to the end of base64 message 2)changing content-type application type in the header Example, Content-type: Application/FOO; name="whatever.doc" 3) Adding an extra "-" at end of base64 boundary 3 methods above were tested and verified on NT running the latest engine from Trend Micro, along with the latest patch. At least one of the methods above (Number 1) was tested and verified on a Solaris box by Kris Herrin (the original poster). 3 methods above were chosen *at random* from RFC 2045. Vendor was notified. SOLUTION Trend Micro has posted a fix for this bug. The patch is can be downloaded from the following URL: http://www.antivirus.com/download/patches.htm The patch is titled isvwsol301a_u2.tar.