pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files

Denis Pugnere Denis.Pugnere at IGH.CNRS.FR
Tue Jul 16 10:17:04 IST 2002


Hello,

Because a variant of the "W32 Frethem" virus in the file
decrypt-password.exe was not stopped by MailScanner 3.10 (with my
configuration ;-), I decided to upgrade from MailScanner 3.10 to 3.21-1, and
now I have a problem with nearly all infected messages:

Configuration:
 - McAfee Virus Scan (Scan engine v4.1.60 for Linux)
 - perl 5.005_03 (Redhat)
 - MIME::Base64 : 2.11
 - File::Spec : 0.82
 - File::Temp : 0.12
 - Convert-TNEF-0.17
 - IO-stringy-1.211
 - MIME-tools-5.411 + patch
 - MailTools-1.46

Because of the new (J or K) variant of "W32 Frethem", I added the
following line to the filename.rules.conf file:
deny    \.exe$          Executables are not allowed directly


Here are the syslog messages from two MailScanner runs
(note the "usr" messages):

Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in decrypt-password.exe
Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages HAA23830,usr
Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes in 1 seconds
Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/HAA23830
Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr from queue
Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections
Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus at igh.cnrs.fr about 2 infections
Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee returned 13
Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment decrypt-password.exe
Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment local
...
Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes
Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in decrypt-password.exe
Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages usr,KAA31279
Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 bytes in 3 seconds
Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/KAA31279
Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr from queue
Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections
Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus at igh.cnrs.fr about 2 infections
Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee returned 13
Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment local
Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment decrypt-password.exe

The postmaster received the following messages:
************************************************
The following e-mail messages were found to have viruses in them:

   Sender:
Recipient:
  Subject:
MessageID: usr
   Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe        Found the W32/Klez.h at MM virus !!!

--
MailScanner
Email Virus Scanner
************************************************

I can't figure out what the matter is.
If you have an idea, I would be very grateful.
Regards.

--
Denis Pugnère            | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
Tel : +33 (0)4 9961.9909 |     34396 Montpellier Cedex 5, France
Fax : +33 (0)4 9961.9901 |           http://www.igh.cnrs.fr
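As an added example (not part of this post and not MailScanner's own code), here is a small Python model of how a filename.rules.conf line such as the `deny \.exe$` one above is applied to attachment names: rules are tried in order and the first pattern that matches decides. The rule set is constructed for this example (the first line is the one from the post, written with the tab separators MailScanner expects; the other two are added to show ordering), and matching the pattern case-insensitively is an assumption of the example, since a sender can just as easily name the file DECRYPT-PASSWORD.EXE. The sample filenames are the two executable names from the logs above plus constructed variants that probe the rule's edges.

```python
import re
from dataclasses import dataclass

# Constructed rule set for this example. The first rule is the line quoted in
# the post; the other two are added here to show ordering. MailScanner
# filename.rules.conf lines are tab-separated:
#   allow|deny <TAB> regex <TAB> text for the log <TAB> text for the user report
RULES_CONF = (
    "# comments and blank lines are ignored\n"
    "deny\t\\.exe$\tExecutables are not allowed directly\tNo executables, sorry\n"
    "deny\t\\.(scr|pif|bat|cmd|com)$\tOther Windows executables\tNo executables, sorry\n"
    "allow\t.*\tDefault allow\t-\n"
)


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    regex: re.Pattern    # compiled pattern, searched in the attachment filename
    logtext: str
    usertext: str


def parse_rules(text: str) -> list:
    """Parse filename.rules.conf-style text into an ordered list of Rule objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need at least 3 tab-separated fields")
        action = fields[0].lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {fields[0]!r}")
        usertext = fields[3] if len(fields) > 3 else fields[2]
        # Case-insensitive matching is an assumption of this example: a sender
        # can name the file DECRYPT-PASSWORD.EXE just as easily.
        rules.append(Rule(action, re.compile(fields[1], re.IGNORECASE), fields[2], usertext))
    return rules


def check_filename(rules: list, filename: str) -> tuple:
    """Apply rules in order; the first matching rule decides. Returns (action, logtext)."""
    for rule in rules:
        if rule.regex.search(filename):
            return rule.action, rule.logtext
    return "allow", "no rule matched"


def scan_attachments(rules: list, filenames: list) -> dict:
    """Map each attachment name to the decision taken for it."""
    return {name: check_filename(rules, name)[0] for name in filenames}


if __name__ == "__main__":
    rules = parse_rules(RULES_CONF)
    # The two executable names that appear in the post's logs, plus constructed
    # variants that probe the rule's edges.
    samples = [
        "decrypt-password.exe",
        "setup.exe",
        "DECRYPT-PASSWORD.EXE",
        "invoice.txt.exe",            # double extension, still ends in .exe: denied
        "decrypt-password.exe.txt",   # ends in .txt, so \.exe$ does not fire
        "notes.txt",
    ]
    for name, decision in scan_attachments(rules, samples).items():
        print(f"{decision:5s} {name}")
```

The `\.exe$` anchor only looks at the end of the name, so `invoice.txt.exe` is denied while `decrypt-password.exe.txt` passes; whether that second case should pass depends on what the receiving mail clients do with it, which is why a separate rule for double extensions is common in such files.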


