Hidden viruses can circumvent server-based protection

E-mail viruses can circumvent server-based antivirus protection and attack users of certain Microsoft e-mail clients when part of the malicious code is hidden in the header of an e-mail message, a Dutch expert said last week.

"The affected e-mail clients are flawed in the way they handle the headers, allowing the attacker to hide and deliver a virus," said Valentijn Sessink, a consultant at Linux company Open Office VOF in Amsterdam.

The problem has been proven on Outlook Express 5.5 and 6.0, Sessink said. Other versions of Outlook and Outlook Express are likely affected, he said. The most recent version of Outlook Express is 6.0, which comes with Internet Explorer 6.0. Outlook Express for the Macintosh appears not to be affected.

Affected Outlook clients will interpret the manipulated code as a command to display an attachment, while clients that don't have the bug will only display a couple of squares in the subject field and indecipherable code in the body of the message. Server-based virus scanners that only scan attachments won't catch the virus because it, technically speaking, is not an attachment, but a malformed header, Sessink said.

Users relying on server-based protection, for example in a company or at home where certain Internet service providers offer e-mail scanning, are at risk. Desktop antivirus protection will still catch the virus when the attachment is opened, Sessink said.

Alex Shipp, senior antivirus technologist at MessageLabs Ltd., which operates an e-mail virus scanning service, said that although his service would catch a virus hidden in the way described by Sessink, it is possible that other services wouldn't.

"Most of the antivirus vendors follow the Internet standards for e-mail when they develop their e-mail parsers. But Microsoft doesn't follow the standards. That means it is possible to create an especially crafted e-mail that will not be detected by all antivirus scanners, but it will be displayed by Outlook," he said.

Marius van Oers, virus research engineer with antivirus software vendor Network Associates Inc., agreed. Whether the hidden virus is caught depends on the configuration of the e-mail gateway scanner. If the system is set to scan every byte of the message, then even a hidden virus should be stopped, he said.

Sessink disclosed the bug on his Web site and in a publication on the Bugtraq mailing list, because Microsoft wouldn't acknowledge him, he said. Sessink details his findings on

"I would have much preferred it if Microsoft had picked this up and solved the problem. Now I have to explain what is wrong with the software," he said, adding that he sent Microsoft several e-mail messages and also called once. Microsoft was first informed on Jan. 31, he said.

Microsoft is investigating the report made by Sessink, a spokesman said last Friday.