error occurred while reading archive

Discussion in 'NOD32 version 2 Forum' started by Undecidable, Oct 23, 2005.

Thread Status:
Not open for further replies.
  1. Undecidable

    Undecidable Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    12
    Location:
    Hong Kong
    When doing an on-demand scan,
    I am getting some unexpected errors when scanning emails.

    Some emails that are saved to disk as .eml files
    cause entries in the scan log such as:

    D:\xxx\yyy.eml »MIME »part000.txt - error occurred while reading archive

    and some emails that are in my Outlook Express .dbx files cause the same problem:

    K:\OE Mail\xxx.dbx »DBX »from: "name" <name@yyy.com> to: "MC" <me@myemail.com> with subject The Subject dated Sat, 12 Apr 2003 20:40:26 +0800 »MIME »part000.txt - error occurred while reading archive

    Only a small percentage, say about 100 emails, have this problem.
    And those emails appear to have nothing untoward about them: they open fine, they read fine, they look fine, they discuss praiseworthy subjects.
    Also, it always fails on the same emails - so not an access issue.

    Why would NOD32 fail to open them?

    Any clues or insights?
     
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I experienced this problem when NOD32 found a worm in DBX file. Then NOD32 on-demand scanner added this error to the scanning log...
     
  3. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    Just out of curiosity, does NOD highlight the message in red? In the first post it's an error, in the second post the same message appears when it's a worm o_O
     
  4. Undecidable

    Undecidable Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    12
    Location:
    Hong Kong
    Not in red.
    + I am sure I do not have any worms. And certainly not in 100 of several thousand emails.
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    It could be that it simply can't read the archive.
    Maybe it's damaged, maybe it's repacked [easy way to fool NOD] or some other stuff.
     
  6. Undecidable

    Undecidable Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    12
    Location:
    Hong Kong
    Brian
    Thanks for the thought - in fact these are not archives. As mentioned at the top they are either emails that are saved to disk as individual .eml files, or emails that are in my Outlook Express .dbx stores. They do not appear to be damaged: as mentioned they open (by double clicking), read and look fine. Those that have attachments, the attachments open just fine as well.

    Mover
    Am sure it is not a worm. Highlight is blue. Plus the same files have been scanned by NAV and KAV. Also several are 2 years old - unlikely a two year old worm would be unflagged.

    Does nobody else get these messages?

    Am beginning to suspect a NOD32 bug.
     
  7. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I have gotten a few of these messages, so I know what you are talking about. My guess is that these are malformed MIME attachments. NOD32 expects a correct MIME attachment, so when it encounters a malformed one, it cannot decode it. Hence, the error message.

    Is this a potential way for a virus to sneak through via e-mail? Yes, it is. Virus writers are known to do this on purpose. However, if the e-mail program does decode the malformed MIME attachment, NOD32 will still be able to scan it using AMON. :)
     
  8. Undecidable

    Undecidable Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    12
    Location:
    Hong Kong
    Alglove

    Agree they are malformed MIME attachments.
    Tried to put one in a zip file and WinZip gave me the message:
    Warning: Boundary expected on Multipart message but found EOF

    However the email client reads OK, and the attachment is save-able and executable.

    Take your point about this could be done on purpose to conceal malware. So NOD32 should scan even if it finds a structural error.

    Will add to suggestions thread.

    mc
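
The condition identified in the last two posts (a multipart message that reaches EOF where the closing boundary should be, which a strict reader rejects but a mail client tolerates), as an added example that is not part of the original thread and is not NOD32's code. It uses Python's standard `email` parser, which records the missing boundary as a defect yet still decodes every part, so a scanner can flag the message and inspect the attachment anyway. The sample messages, addresses and the `inspect_eml` name are constructed for illustration.

```python
from email import message_from_bytes, policy


def inspect_eml(raw: bytes):
    """Parse leniently; return (structural defect names, decoded leaf parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    defects, parts = [], []
    for part in msg.walk():
        if not part.is_multipart():
            # Decode first: transfer-decoding problems are also recorded as defects.
            data = part.get_payload(decode=True) or b""
            parts.append((part.get_filename() or "(body)",
                          part.get_content_type(), data))
        defects += [type(d).__name__ for d in part.defects]
    return defects, parts


# Constructed sample: a text body plus one base64 attachment.
_HEAD = (b"From: a@example.com\nTo: b@example.com\n"
         b"Subject: constructed sample\nMIME-Version: 1.0\n"
         b'Content-Type: multipart/mixed; boundary="b1"\n\n')
_BODY = (b"--b1\nContent-Type: text/plain; charset=us-ascii\n\n"
         b"Report attached.\n"
         b"--b1\nContent-Type: application/octet-stream\n"
         b'Content-Disposition: attachment; filename="report.bin"\n'
         b"Content-Transfer-Encoding: base64\n\n"
         b"aGVsbG8gd29ybGQ=\n")

WELL_FORMED = _HEAD + _BODY + b"--b1--\n"
TRUNCATED = _HEAD + _BODY  # EOF where the closing "--b1--" should be


if __name__ == "__main__":
    for label, raw in (("well-formed", WELL_FORMED), ("truncated", TRUNCATED)):
        defects, parts = inspect_eml(raw)
        print(label, "defects:", defects or "none")
        for name, ctype, data in parts:
            # A scanner would pass `data` to its engine here
            # instead of skipping the message on the structural error.
            print("   ", name, ctype, len(data), "bytes")
```

The truncated sample reports the missing closing boundary, and its attachment still decodes to the same bytes as in the well-formed sample.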
     