pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files
Julian Field
mailscanner at ecs.soton.ac.uk
Tue Jul 16 11:18:45 IST 2002
It seems to think you have a message whose message id is "usr". This is
presumably being pulled out of the pathname to the file.
Is your incoming work directory really at the path given in
mailscanner.conf, or does the path in mailscanner.conf follow any links to
get to the directory? You need to put in the real directory path.
At 10:17 16/07/2002, you wrote:
>Hello,
>
>Due to the fact that a variant of the "W32 Frethem" virus in the file
>decrypt-password.exe has not been stopped by mailscanner 3.10 (with my
>configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and
>have a pb with nearly all infected messages :
>
>configuration :
> - McAfee Virus Scan (Scan engine v4.1.60 for Linux)
> - perl 5.005_03 (Redhat)
> - MIME::Base64 : 2.11
> - File::Spec : 0.82
> - File::Temp : 0.12
> - Convert-TNEF-0.17
> - IO-stringy-1.211
> - MIME-tools-5.411 + patch
> - MailTools-1.46
>
>Because of the fresh (J or K) variant of "W32 Frethem" I added the
>following line in the filename.rules.conf file :
>deny \.exe$ Executables are not allowed directly
>
>
>In the syslog file, here are the messages from 2 mailscanner outputs
>(note the "usr" messages) :
>
>Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in
>decrypt-password.exe
>Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages
>HAA23830,usr
>Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes
>in 1 seconds
>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to
>/usr/local/mailscanner/var/quarantine/20020716/HAA23830
>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to
>/usr/local/mailscanner/var/quarantine/20020716/usr
>Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr
>from queue
>Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections
>Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus at igh.cnrs.fr
>about 2 infections
>Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee
>returned 13
>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted
>attachment decrypt-password.exe
>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted
>attachment local
>...
>Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes
>Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in
>decrypt-password.exe
>Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages
>usr,KAA31279
>Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015
>bytes in 3 seconds
>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to
>/usr/local/mailscanner/var/quarantine/20020716/usr
>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to
>/usr/local/mailscanner/var/quarantine/20020716/KAA31279
>Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr
>from queue
>Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections
>Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus at igh.cnrs.fr
>about 2 infections
>Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee
>returned 13
>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted
>attachment local
>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted
>attachment decrypt-password.exe
>
>the postmaster received the following messages :
>************************************************
>The following e-mail messages were found to have viruses in them:
>
> Sender:
>Recipient:
> Subject:
>MessageID: usr
> Report:
> /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe
> Found the W32/Klez.h at MM virus !!!
>
>--
>MailScanner
>Email Virus Scanner
>************************************************
>
>I can't figure out what is the matter.
>If you have an idea, I would be very grateful.
>Regards.
>
>--
>Denis Pugnère | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
>Tel : +33 (0)4 9961.9909 | 34396 Montpellier Cedex 5, France
>Fax : +33 (0)4 9961.9901 | http://www.igh.cnrs.fr
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
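
As an added example (not part of the original message and not MailScanner's own code), this shell check compares the incoming work directory path copied from mailscanner.conf with its physical, symlink-free path. `id_from_report` is a hypothetical model of prefix stripping, included to show how a scanner report path under the real directory can yield the id "usr" when the configured path goes through a link.

```shell
#!/bin/sh
# Added example, not MailScanner code. Function names are hypothetical.

# Print the physical (symlink-free) path of a directory; fail if it is missing.
real_dir() {
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# Succeed only when the configured path is already its own physical path.
# Returns 1 if a symlink is involved, 2 if the directory cannot be entered.
is_real_path() {
    resolved=$(real_dir "$1") || return 2
    [ "${1%/}" = "$resolved" ]
}

# Hypothetical model (assumption) of deriving a message id from a path the
# virus scanner reported: strip the configured work directory prefix and
# take the first remaining path component.
id_from_report() {   # $1 = configured work dir, $2 = reported file path
    dir=${1%/}
    rest=${2#"$dir"/}
    rest=${rest#/}
    printf '%s\n' "${rest%%/*}"
}

# Usage: sh check_workdir.sh <configured-incoming-dir> [reported-file-path]
if [ "$#" -ge 1 ]; then
    if is_real_path "$1"; then
        echo "OK: $1 is the real directory path"
    else
        echo "MISMATCH: $1 resolves to $(real_dir "$1" || echo '<unreachable>')"
    fi
    if [ "$#" -ge 2 ]; then
        echo "id derived from report path: $(id_from_report "$1" "$2")"
    fi
fi
```

On a MISMATCH, the resolved path printed is the value to put in mailscanner.conf.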