pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files
Denis Pugnere
Denis.Pugnere at IGH.CNRS.FR
Tue Jul 16 10:17:04 IST 2002
Hello,
Due to the fact that a variant of the "W32 Frethem" virus in the file
decrypt-password.exe has not been stopped by mailscanner 3.10 (with my
configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and
have a problem with nearly all infected messages:
configuration :
- McAfee Virus Scan (Scan engine v4.1.60 for Linux)
- perl 5.005_03 (Redhat)
- MIME::Base64 : 2.11
- File::Spec : 0.82
- File::Temp : 0.12
- Convert-TNEF-0.17
- IO-stringy-1.211
- MIME-tools-5.411 + patch
- MailTools-1.46
Because of the fresh (J or K) variant of "W32 Frethem" I added the
following line in the filename.rules.conf file :
deny \.exe$ Executables are not allowed directly
In the syslog file, here are the messages from 2 mailscanner outputs
(note the "usr" messages) :
Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in decrypt-password.exe
Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages HAA23830,usr
Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes in 1 seconds
Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/HAA23830
Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr from queue
Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections
Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus at igh.cnrs.fr about 2 infections
Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee returned 13
Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment decrypt-password.exe
Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment local
...
Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes
Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in decrypt-password.exe
Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages usr,KAA31279
Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 bytes in 3 seconds
Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/KAA31279
Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr from queue
Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections
Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus at igh.cnrs.fr about 2 infections
Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee returned 13
Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment local
Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment decrypt-password.exe
the postmaster received the following messages :
************************************************
The following e-mail messages were found to have viruses in them:
Sender:
Recipient:
Subject:
MessageID: usr
Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe Found the W32/Klez.h at MM virus !!!
--
MailScanner
Email Virus Scanner
************************************************
I can't figure out what is the matter.
If you have an idea, I would be very grateful.
Regards.
--
Denis Pugnère | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
Tel : +33 (0)4 9961.9909 | 34396 Montpellier Cedex 5, France
Fax : +33 (0)4 9961.9901 | http://www.igh.cnrs.fr
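
Added example (not part of the original post and not MailScanner code): a small Python check that scans MailScanner syslog output for message IDs that are not sendmail queue IDs, such as the "usr" entries in the log above. It assumes queue IDs have the shape seen in the post (three capital letters followed by five digits); the function name `bogus_message_ids` is hypothetical.

```python
import re

# Assumption: valid sendmail queue IDs on this host have the shape seen in the
# post (HAA23830, KAA31279, JAA29174): three capitals followed by five digits.
QUEUE_ID = re.compile(r"[A-Z]{3}\d{5}")

# MailScanner syslog messages from the post that carry a message ID.
ENTRY = re.compile(r"mailscanner\[(\d+)\]: (.*)")
ID_FIELDS = [
    re.compile(r"Found \d+ viruses in messages (\S+)"),
    re.compile(r"Saved infections to \S+/quarantine/\d{8}/(\S+)"),
    re.compile(r"Deleting unparsable message (\S+) from queue"),
]

# Lines copied from the log excerpt in the post.
SAMPLE_LOG = """\
Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages HAA23830,usr
Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/HAA23830
Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr from queue
Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages usr,KAA31279
Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/KAA31279
"""


def bogus_message_ids(log_text):
    """Map each mailscanner PID to the non-queue-ID message IDs it logged."""
    findings = {}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # not a mailscanner line
        pid, message = entry.groups()
        for pattern in ID_FIELDS:
            match = pattern.search(message)
            if not match:
                continue
            # "Found N viruses" lists several IDs separated by commas.
            for msg_id in match.group(1).split(","):
                if not QUEUE_ID.fullmatch(msg_id):
                    findings.setdefault(pid, set()).add(msg_id)
    return findings


if __name__ == "__main__":
    for pid, ids in sorted(bogus_message_ids(SAMPLE_LOG).items()):
        print(f"mailscanner[{pid}] logged non-queue message IDs: {sorted(ids)}")
```
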