pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files

Julian Field mailscanner at ecs.soton.ac.uk
Tue Jul 16 11:24:48 IST 2002


At 11:18 16/07/2002, you wrote:
>It seems to think you have a message whose message id is "usr". This is 
>presumably being pulled out of the pathname to the file.
>
>Is your incoming work directory really at the path given in 
>mailscanner.conf, or does the path in mailscanner.conf follow any links to 
>get to the directory? You need to put in the real directory path.

If you aren't sure, change sweep.pl so that it says (at line 566)
         print STDERR "Whole line is \"$lastline\"\n";
         $lastline =~ s/$BaseDir//;
         print STDERR "Whole line is now \"$lastline\"\n";
instead of the original line 566 (which should be the same as the middle 
line of the 3 above).

Then stop and restart MailScanner and you should see the incoming work dir 
being removed from the lines output by McAfee.


>At 10:17 16/07/2002, you wrote:
>>Hello,
>>
>>Due to the fact that a variant of the "W32 Frethem" virus in the file
>>decrypt-password.exe has not been stopped by mailscanner 3.10 (with my
>>configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and
>>have a pb with near all infected messages :
>>
>>configuration :
>>  - McAfee Virus Scan (Scan engine v4.1.60 for Linux)
>>  - perl 5.005_03 (Redhat)
>>  - MIME::Base64 : 2.11
>>  - File::Spec : 0.82
>>  - File::Temp : 0.12
>>  - Convert-TNEF-0.17
>>  - IO-stringy-1.211
>>  - MIME-tools-5.411 + patch
>>  - MailTools-1.46
>>
>>Because of the fresh (J or K) variant of "W32 Frethem" I added the
>>following line in the filename.rules.conf file :
>>deny    \.exe$          Executables are not allowed directly
>>
>>
>>In the syslog file, here are the messages from 2 mailscanner outputs
>>(note the "usr" messages) :
>>
>>Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in 
>>decrypt-password.exe
>>Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages 
>>HAA23830,usr
>>Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 
>>bytes in 1 seconds
>>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to 
>>/usr/local/mailscanner/var/quarantine/20020716/HAA23830
>>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to 
>>/usr/local/mailscanner/var/quarantine/20020716/usr
>>Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message 
>>usr from queue
>>Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 
>>infections
>>Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus at igh.cnrs.fr 
>>about 2 infections
>>Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee 
>>returned 13
>>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted 
>>attachment decrypt-password.exe
>>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted 
>>attachment local
>>...
>>Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes
>>Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in 
>>decrypt-password.exe
>>Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages 
>>usr,KAA31279
>>Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 
>>bytes in 3 seconds
>>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to 
>>/usr/local/mailscanner/var/quarantine/20020716/usr
>>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to 
>>/usr/local/mailscanner/var/quarantine/20020716/KAA31279
>>Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message 
>>usr from queue
>>Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 
>>infections
>>Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus at igh.cnrs.fr 
>>about 2 infections
>>Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee 
>>returned 13
>>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted 
>>attachment local
>>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted 
>>attachment decrypt-password.exe
>>
>>the postmaster received the following messages :
>>************************************************
>>The following e-mail messages were found to have viruses in them:
>>
>>    Sender:
>>Recipient:
>>   Subject:
>>MessageID: usr
>>    Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe 
>> Found the W32/Klez.h at MM virus !!!
>>
>>--
>>MailScanner
>>Email Virus Scanner
>>************************************************
>>
>>I can't figure out what is the matter.
>>If you have an idea, I would be very grateful.
>>Regards.
>>
>>--
>>Denis Pugnère            | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
>>Tel : +33 (0)4 9961.9909 |     34396 Montpellier Cedex 5, France
>>Fax : +33 (0)4 9961.9901 |           http://www.igh.cnrs.fr
>
>--
>Julian Field                Teaching Systems Manager
>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

-- 
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
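As an added illustration (not code from this thread or from MailScanner itself), the Python below reproduces the mechanism Julian describes: if the incoming work directory in mailscanner.conf reaches the real directory through a symlink, the `s/$BaseDir//` strip in sweep.pl never matches the path McAfee prints, and the first component of the unstripped path, `usr`, is taken as the message id. It also shows what a hardened version of that step would check: resolve the configured directory with realpath, quote it before using it as a regex, anchor it at the start of the line, and fail loudly when the report line is not under the work directory instead of returning a bogus id. The sample report line is constructed after the one quoted in the postmaster notice; the configured path `/var/spool/mailscanner/incoming` in the test and the temporary symlink in the demo are assumed examples, not paths from the thread.

```python
import os
import re
import tempfile

# Constructed sample line, modelled on the scanner report quoted in the
# postmaster notice. The message id is expected to be the first directory
# component after the incoming work directory.
SAMPLE_LINE = ("/usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe"
               " Found the W32/Klez.h at MM virus !!!")


def message_id_naive(line, base_dir):
    """Mirror the original sweep.pl step (s/$BaseDir//): substitute the
    configured directory away with no anchoring, quoting or symlink
    resolution, then take the first remaining path component."""
    rest = re.sub(base_dir, "", line, count=1)
    return rest.lstrip("/").split("/", 1)[0]


def resolve_base_dir(base_dir):
    """Canonicalise the configured directory the way the scanner will
    print it: follow symlinks and drop any trailing slash."""
    return os.path.realpath(base_dir).rstrip("/")


def message_id_fixed(line, base_dir):
    """Hardened variant: anchor at the start of the line, escape regex
    metacharacters in the directory, and refuse to guess when the report
    line does not actually live under the work directory."""
    prefix = re.compile("^" + re.escape(resolve_base_dir(base_dir)) + "/")
    if not prefix.match(line):
        raise ValueError("report line is not under the incoming work dir: %r" % line)
    return prefix.sub("", line, count=1).split("/", 1)[0]


def demo_with_symlink():
    """Assumed layout for the demo: a symlink in a temp dir points at the
    real versioned directory, the way an unversioned install path might.
    Returns (naive_id, fixed_id) when the symlinked path is what is
    configured."""
    real_dir = "/usr/local/MailScanner-3.21-1/var/incoming"
    with tempfile.TemporaryDirectory() as tmp:
        link = os.path.join(tmp, "incoming")
        os.symlink(real_dir, link)  # a dangling link is enough for realpath
        return message_id_naive(SAMPLE_LINE, link), message_id_fixed(SAMPLE_LINE, link)


if __name__ == "__main__":
    naive, fixed = demo_with_symlink()
    print("configured via symlink, original strip gives:", naive)   # usr
    print("configured via symlink, resolved strip gives:", fixed)   # JAA29174
```

The `Deleting unparsable message usr from queue` and `Saved infections to .../quarantine/20020716/usr` lines in the syslog excerpt are what the naive extraction produces once `usr` is treated as a message id; the hardened variant turns the same mismatch into a single clear error about the configured path, which is the condition worth alerting on.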