pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files

Denis Pugnere Denis.Pugnere at IGH.CNRS.FR
Wed Jul 17 07:50:49 IST 2002


>At 11:18 16/07/2002, you wrote:
>>It seems to think you have a message whose message id is "usr". This is
>>presumably being pulled out of the pathname to the file.
>>
>>Is your incoming work directory really at the path given in
>>mailscanner.conf, or does the path in mailscanner.conf follow any links to
>>get to the directory? You need to put in the real directory path.
>
>If you aren't sure, change sweep.pl so that it says (at line 566)
>         print STDERR "Whole line is \"$lastline\"\n";
>         $lastline =~ s/$BaseDir//;
>         print STDERR "Whole line is now \"$lastline\"\n";
>instead of the original line 566 (which should be the same as the middle
>line of the 3 above).

Goal !
True Julian,

In order to go back if the upgrade goes bad, I created a symbolic link:
mailscanner -> MailScanner-3.21-1

My conf files refer to the "mailscanner" directory.
That was my fault...

Best regards.
Denis

>
>Then stop and restart MailScanner and you should see the incoming work dir
>being removed from the lines output by McAfee.
>
>
>>At 10:17 16/07/2002, you wrote:
>>>Hello,
>>>
>>>Due to the fact that a variant of the "W32 Frethem" virus in the file
>>>decrypt-password.exe has not been stopped by mailscanner 3.10 (with my
>>>configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and
>>>have a pb with nearly all infected messages:
>>>
>>>configuration :
>>>  - McAfee Virus Scan (Scan engine v4.1.60 for Linux)
>>>  - perl 5.005_03 (Redhat)
>>>  - MIME::Base64 : 2.11
>>>  - File::Spec : 0.82
>>>  - File::Temp : 0.12
>>>  - Convert-TNEF-0.17
>>>  - IO-stringy-1.211
>>>  - MIME-tools-5.411 + patch
>>>  - MailTools-1.46
>>>
>>>Because of the fresh (J or K) variant of "W32 Frethem" I added the
>>>following line in the filename.rules.conf file :
>>>deny    \.exe$          Executables are not allowed directly
>>>
>>>
>>>In the syslog file, here are the messages from 2 mailscanner outputs
>>>(note the "usr" messages) :
>>>
>>>Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in decrypt-password.exe
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages HAA23830,usr
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes in 1 seconds
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/HAA23830
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr from queue
>>>Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections
>>>Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus at igh.cnrs.fr about 2 infections
>>>Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee returned 13
>>>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment decrypt-password.exe
>>>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment local
>>>...
>>>Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes
>>>Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in decrypt-password.exe
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages usr,KAA31279
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 bytes in 3 seconds
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/KAA31279
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr from queue
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus at igh.cnrs.fr about 2 infections
>>>Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee returned 13
>>>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment local
>>>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment decrypt-password.exe
>>>
>>>the postmaster received the following messages :
>>>************************************************
>>>The following e-mail messages were found to have viruses in them:
>>>
>>>    Sender:
>>>Recipient:
>>>   Subject:
>>>MessageID: usr
>>>    Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe Found the W32/Klez.h at MM virus !!!
>>>
>>>--
>>>MailScanner
>>>Email Virus Scanner
>>>************************************************
>>>
>>>I can't figure out what the matter is.
>>>If you have an idea, I would be very grateful.
>>>Regards.
>>>
>>>--
>>>Denis Pugnère            | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
>>>Tel : +33 (0)4 9961.9909 |     34396 Montpellier Cedex 5, France
>>>Fax : +33 (0)4 9961.9901 |           http://www.igh.cnrs.fr
>>
>>--
>>Julian Field                Teaching Systems Manager
>>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817          University of Southampton
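An added illustration (not code from this thread or from MailScanner) of the path-stripping step Julian describes: McAfee reports the real path of the file, the configured incoming directory goes through the mailscanner -> MailScanner-3.21-1 symlink, so s/$BaseDir// never matches and the first remaining path component, "usr", is taken as the message ID. The report lines and the temporary symlink tree below are constructed; the hypothetical message_id_from_report() mimics the sweep.pl step, and os.path.realpath resolves the configured path to what the scanner actually prints.

```python
import os
import re
import shutil
import tempfile

# Constructed copy of the Report line from the postmaster mail in the thread.
# Note the real path: the scanner does not print the symlinked "mailscanner" name.
SAMPLE_LINE = ("/usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe"
               "\tFound the W32/Klez.h at MM virus !!!")


def message_id_from_report(line, base_dir):
    """Hypothetical re-implementation of the sweep.pl step: strip the configured
    incoming dir from the reported path and take the first remaining component
    as the message ID. If base_dir does not match, the whole path survives and
    the first component of the filesystem root (e.g. "usr") comes out instead."""
    path = line.split()[0]
    stripped = re.sub(re.escape(base_dir), "", path, count=1)  # s/$BaseDir//
    return stripped.lstrip("/").split("/")[0]


def resolve_base_dir(configured):
    """Canonicalise the configured path so it matches what the scanner prints."""
    return os.path.realpath(configured)


def demo_symlink_mismatch():
    """Build a throwaway tree like Denis's (mailscanner -> MailScanner-3.21-1) and
    return the message ID extracted with the raw and with the resolved base dir."""
    root = os.path.realpath(tempfile.mkdtemp())
    real_incoming = os.path.join(root, "MailScanner-3.21-1", "var", "incoming")
    os.makedirs(real_incoming)
    os.symlink("MailScanner-3.21-1", os.path.join(root, "mailscanner"))
    configured = os.path.join(root, "mailscanner", "var", "incoming")
    # Constructed scanner line: the canonical path of the file it examined.
    report = (os.path.join(real_incoming, "KAA31279", "decrypt-password.exe")
              + "\tFound the W32 Frethem.K mm virus !!!")
    try:
        via_symlink = message_id_from_report(report, configured)
        via_realpath = message_id_from_report(report, resolve_base_dir(configured))
    finally:
        shutil.rmtree(root)
    return via_symlink, via_realpath


if __name__ == "__main__":
    print(message_id_from_report(SAMPLE_LINE, "/usr/local/mailscanner/var/incoming"))
    print(message_id_from_report(SAMPLE_LINE, "/usr/local/MailScanner-3.21-1/var/incoming"))
    print(demo_symlink_mismatch())
```

The first call reproduces the "usr" message ID from the thread; the second and the realpath variant recover the queue IDs, which is the check to run before pointing mailscanner.conf at a path that passes through a link.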


