Good News! No virus found in any e-mails from FMLink!
September 08, 2002—The following three letters for FMLink subscribers may be of interest to anyone who received a bulk e-mail sent from FMLink late Thursday, September 5th; the Subject of the e-mail related to registering to win a free TiVo system.
The first letter is an apology from the Publisher, Peter S. Kimmel, for any inconvenience that was caused by problems associated with the mailing. It also describes in detail what had happened, and what action was taken by FMLink to stop the problem as soon as possible.
The second letter, also from the Publisher, describes the most recent developments, namely that comprehensive testing indicated that there was no virus found in any of the mailings sent by FMLink.
The third letter is from Trend Micro, the company whose software alerted users to a possible virus, certifying that there was no virus after all.
Dear FMLink Subscriber,
I sincerely wish to apologize for any problems caused as a result of a recent e-mailing that some of you received. Based on feedback from our subscribers, several received e-mails indicating that a virus had been detected in the mailing we had sent; also, some received the e-mail multiple times.
We have been studying the situation intensively since the mailing went out and we became aware of the problem. Although we have not yet completed our investigation, we now are confident that there was no virus associated with the mailing. As we hear more during the coming week (from inquiries we have made), we will update this letter. FMLink intends to share all information with its valued readership as soon as we receive it. We fully intend to be up-front and above-board with our readership so that we can maintain the excellent reputation we have established over the years.
What follows below is a detailed account of what happened and why we believe that there is nothing to be concerned about, in terms of a virus. Regardless, FMLink certainly understands the frustration that many people felt after receiving e-mails with such a scare. We also want you to continue to demonstrate the trust you have had in us since our inception in 1995. If at any point in time you wish to contact us about this, you may call me at 301-365-1600 (in Bethesda, Maryland, USA) or write to me at peterk@fmlink.com. I personally will respond to all inquiries.
What happened? On late Thursday, September 5th, FMLink sent out an e-mailing to registrants who had volunteered to be on our e-mail list. The mailing was sponsored by an FMLink advertiser. In the past, we always have sent such messages as plain text e-mail, the same as our newsletter. This time, the advertiser wanted to send it with a Flash piece inside (animated graphics), which we had not done before.
Because the technology is different, a contractor was referred to us in order to develop the Flash presentation and embed it into the e-mail. FMLink also had to make a few changes to the way we normally send out such mailings.
Two independent events then took place. First, e-mails sent to those who have some versions of Trend Micro’s InterScan virus-checking software (http://www.trendmicro.com) notified their users that a virus was detected. The software then sent a return e-mail back to us (the e-mail’s originator), notifying us of its findings. Some responses identified the problem as “Email_Flaw_MIME_Tag_Overflow virus”.
Second, when the e-mails arrived back at FMLink, we had not properly set a switch in our mail program (as a result of our tweaking the program to accommodate the Flash presentation). As a result, instead of the returned e-mails just coming back to us, they were redistributed to the mailing list once again. This established an endless feedback loop so that whenever a message came back, it would be resent. One of the unfortunate effects of this is that the e-mail virus notices were sent to some readers many times.
As soon as we discovered what was happening, we blocked all mail from coming back to that e-mail address, which is how we eventually stopped the loop. From what we could see, the only e-mails with a virus notice came from subscribers with InterScan software; other software products, including the several we use at FMLink, did not detect a virus. The contractor that created the Flash program stated that it is confident that there was no virus in their work.
Why do we believe that there is no virus? First, the only virus reports we received were from those with InterScan software (or those who received e-mails from those with InterScan software). Second, we have not heard reports of any damage caused. And third, two Web sites (one from Trend Micro, developer of InterScan, and one from the Computing Infrastructure Technology Group, which has overall responsibility for the Berkeley Laboratory computing infrastructure) indicate that the type of file sent by FMLink can often cause some software to misread it as a virus. I am providing links to those pages for those who are interested:
- http://www.lbl.gov/ITSD/CIS/CITG/email/Virus-warning.html
- http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=5187
Each of the two sites indicated that certain versions of InterScan will report that some types of MIME attachments may be infected with an “Email_Flaw_MIME_Tag_Overflow virus”. They state that this can occur with MIME attachments whose name is longer than 200 characters in length, and where the e-mail format is in HTML (both these conditions were met in the mailing sent through FMLink).
Elsewhere on Trend Micro’s site, it says that it has dropped the malware from its pattern file. On another page of the site, it says that its software mistakenly treats such long file names as a virus: http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=11589. The site then gives a workaround so its users don’t get the virus message again.
What is FMLink still doing to complete its assessment? We have sent a description of the situation along with the Flash file to both Trend Micro and to the Computing Infrastructure Technology Group and have asked them to test the file for viruses and to let us know if it is likely that certain versions of the InterScan software may be misdiagnosing the situation. As we get more information, we will post it to this page on FMLink.
In closing, I was very encouraged by the numerous e-mails of support we received from many of our readers, who recognized that FMLink did not intentionally send out such a mailing. Several even indicated that they realized that these things happen and that they hope that we can get to the bottom of it as soon as possible. I am most appreciative of this type of support from our readers, and will try to ensure with every means in my power that something like this does not happen again.
Best wishes,
Peter S. Kimmel, IFMA Fellow
Publisher, FMLink
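The feedback loop described in the letter above (returned notices being redistributed to the whole list) is the kind of failure a list processor can refuse by policy. The following is an added example, not FMLink's mail program or configuration; the addresses, the `X-Loop` marker convention and the function names are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

LIST_ADDRESS = "announce@list.example"        # hypothetical list address
ALLOWED_POSTERS = {"publisher@list.example"}  # hypothetical: announce-only list

def redistribution_decision(raw):
    """Return (accept, reason) for a message arriving at the list address."""
    msg = message_from_string(raw)
    # Loop marker the list stamps on every copy it sends out.
    for value in msg.get_all("X-Loop", []):
        if parseaddr(value)[1].lower() == LIST_ADDRESS:
            return False, "already distributed by this list"
    # Delivery status notifications carry a null return path.
    if msg.get("Return-Path", "").strip() == "<>":
        return False, "bounce"
    # RFC 3834: any value other than "no" marks an automatic message.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    bulk = msg.get("Precedence", "").strip().lower() in {"bulk", "junk", "list"}
    if auto != "no" or bulk:
        return False, "auto-generated"
    # Notices that set none of these headers are stopped by the poster allowlist.
    if parseaddr(msg.get("From", ""))[1].lower() not in ALLOWED_POSTERS:
        return False, "sender not allowed to post"
    return True, "ok"

def build(headers):
    """Assemble a constructed sample message from (name, value) pairs."""
    return "\n".join(f"{k}: {v}" for k, v in headers) + "\n\nbody\n"

# Constructed samples: a real announcement, a scanner notice sent back to the
# list, a copy the list already distributed, and an automatic reply.
LEGIT = build([("From", "Publisher <publisher@list.example>"), ("To", LIST_ADDRESS)])
SCANNER_NOTICE = build([("From", "scanner@subscriber.example"),
                        ("To", LIST_ADDRESS), ("Subject", "Virus alert")])
LOOPED = build([("From", "publisher@list.example"), ("X-Loop", LIST_ADDRESS)])
AUTO_REPLY = build([("From", "publisher@list.example"),
                    ("Auto-Submitted", "auto-replied")])

if __name__ == "__main__":
    for name in ("LEGIT", "SCANNER_NOTICE", "LOOPED", "AUTO_REPLY"):
        print(name, redistribution_decision(globals()[name]))
```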
Dear FMLink Subscriber,
On Sunday, September 7, we sent the original FMLink mailing to both Trend Micro (the only company whose software flagged a virus) and to the Computing Infrastructure Technology Group and asked them to test the file for viruses and to let us know if it is likely that certain versions of the InterScan software may be misdiagnosing the situation.
This morning, the two companies completed their diagnosis and stated that FMLink’s mailing was indeed virus free, as we had suspected. I have included the letter from Trend Micro below.
Although we at FMLink are most thankful that there were no virus problems associated with the mailing, we fully appreciate the nuisance experienced by some of our subscribers. We are implementing measures to help ensure that these types of mailings will not happen again.
Our humblest apologies for all inconveniences.
Sincerely,
Peter S. Kimmel, IFMA Fellow
Publisher, FMLink
X-Really-To: <peterk@fmlink.com>
From: <av_query@support.trendmicro.Com>
To: <peterk@fmlink.com>, <av_query@support.trendmicro.Com>,
<James_Payongayong@support.trendmicro.com>
Subject: SOLUTION: [TICK] -USA-P3-CaseID 0910020029 – File to Verify-PH60555
Date: Wed, 11 Sep 2002 14:02:45 0800
X-OriginalArrivalTime: 11 Sep 2002 06:02:45.0696 (UTC)
FILETIME=[D944E400:01C25958]
Dear VIRUS_DOCTOR@SUPPORT.TRENDMICRO.COM,
Greetings!
Thank you for contacting TrendLabs HQ!
We have received your email, which contained the attachment (CAMP22.txt – 5,781 Bytes).
We have analyzed the file and found it to be non-malicious.
MindArrow’s initial analysis of the problem is correct.
Older versions of some mail client software had a security issue where an attachment with a file name greater than 200 characters could cause a buffer overflow, and compromise the machine where the mail client software is installed.
To safeguard against such an attack, InterScan VirusWall was provided with a feature to detect email messages containing attachments with file names exceeding 200 characters.
However, there is a known issue to this feature. Due to the formatting of some emails, a portion of the email code might be incorrectly interpreted as being the attachment’s filename, thus exceeding 200 characters.
For complete details regarding this issue with InterScan VirusWall please visit:
http://solutionbank.antivirus.com/solutions/solutiondetail.asp?solutionID=5187
Since this is a product related case, should you have any other concerns regarding this matter, please send an email to support@support.trendmicro.com. They will be happy to assist you in any way they can.
Have a nice day.
For inquiries and follow-ups please retain the subject heading of this e-mail notification as it will serve as the case-ID reference for this case.
James Payongayong
AntiVirus Group
TrendLabs HQ, Trend Micro, Inc.
http://www.antivirus.com