Test results for clamAV

Matt hciss at HCIWS.COM
Thu Oct 31 14:07:37 GMT 2002


Are the virus definitions for ClamAV kept up to date?

Matt

----- Original Message -----
From: "Ivan Mirisola" <ivan at NUCCI.COM.BR>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Wednesday, October 30, 2002 6:31 PM
Subject: Test results for clamAV


> Hi all,
>
> Can anyone think of other ways to test clamAV anti-virus software and
> help me promote this open source software to a "supported"
> status by MailScanner?
>
> I am including the test results within this e-mail for appreciation by
> the developers.
>
>
> Best regards,
> Ivan
>



1) viruses in zip files
### False.zip containing False.bat with Klez-Virus

Oct 29 12:26:24 nucci sendmail[27059]: g9TFQNn27059:
from=<ivan at nucci.com.br>, size=62675, class=0, nrcpts=1,
msgid=<3DBEA86E.50704 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 12:26:27 nucci MailScanner[24411]: New Batch: Scanning 1 messages,
63086 bytes
Oct 29 12:26:27 nucci MailScanner[24411]: Virus and Content Scanning:
Starting
Oct 29 12:26:28 nucci MailScanner[24411]: Virus Scanning: clamav found 1
infections
Oct 29 12:26:28 nucci MailScanner[24411]: Virus Scanning: Found 1 viruses
Oct 29 12:26:28 nucci MailScanner[24411]: Saved infected "False.zip" to
/var/spool/MailScanner/quarantine/20021029/g9TFQNn27059
Oct 29 12:26:28 nucci MailScanner[24411]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus

2) viruses in zip files which are themselves within zip files
### Teste.zip containing False.zip (above)

Oct 29 12:28:23 nucci sendmail[27407]: g9TFSNn27407:
from=<ivan at nucci.com.br>, size=62855, class=0, nrcpts=1,
msgid=<3DBEA8E5.8040604 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 12:28:24 nucci MailScanner[24487]: New Batch: Scanning 1 messages,
63266 bytes
Oct 29 12:28:24 nucci MailScanner[24487]: Virus and Content Scanning:
Starting
Oct 29 12:28:24 nucci MailScanner[24487]: Virus Scanning: clamav found 1
infections
Oct 29 12:28:24 nucci MailScanner[24487]: Virus Scanning: Found 1 viruses
Oct 29 12:28:24 nucci MailScanner[24487]: Saved infected "Teste.ZIP" to
/var/spool/MailScanner/quarantine/20021029/g9TFSNn27407
Oct 29 12:28:24 nucci MailScanner[24487]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus

3) viruses in files whose name starts or ends in a space
a) ### False.zip containing False.bat with Klez.Virus that begins with
ALT-0160 (space)

Oct 29 12:56:40 nucci sendmail[31978]: g9TFuen31978:
from=<ivan at nucci.com.br>, size=62718, class=0, nrcpts=1,
msgid=<3DBEAF86.7070908 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 12:56:41 nucci MailScanner[24436]: New Batch: Scanning 1 messages,
63129 bytes
Oct 29 12:56:42 nucci MailScanner[24436]: Virus and Content Scanning:
Starting
Oct 29 12:56:43 nucci MailScanner[24436]: Virus Scanning: clamav found 1
infections
Oct 29 12:56:43 nucci MailScanner[24436]: Virus Scanning: Found 1 viruses
Oct 29 12:56:43 nucci MailScanner[24436]: Saved infected "1" to
/var/spool/MailScanner/quarantine/20021029/g9TFuen31978
Oct 29 12:56:43 nucci MailScanner[24436]: Silent: Delivered 1 messages
containing silent viruses

b) ### False.zip containing False.bat with Klez.Virus that ends with
ALT-0160 (space)

Oct 29 12:59:35 nucci sendmail[586]: g9TFxZn00586: from=<ivan at nucci.com.br>,
size=62724, class=0, nrcpts=1, msgid=<3DBEB036.6060909 at nucci.com.br>,
proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 12:59:39 nucci MailScanner[24411]: New Batch: Scanning 1 messages,
63135 bytes
Oct 29 12:59:39 nucci MailScanner[24411]: Virus and Content Scanning:
Starting
Oct 29 12:59:41 nucci MailScanner[24411]: Virus Scanning: clamav found 1
infections
Oct 29 12:59:41 nucci MailScanner[24411]: Virus Scanning: Found 1 viruses
Oct 29 12:59:41 nucci MailScanner[24411]: Saved infected "1" to
/var/spool/MailScanner/quarantine/20021029/g9TFxZn00586
Oct 29 12:59:41 nucci MailScanner[24411]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It
says:
<--------The original e-mail attachment "1"-------->

4) viruses in zip files where either/both of the name of the infected file
or the zip file start or end in a space

a) ### Start.zip containing False.bat with Klez.Virus. Compressed file
begins with ALT-0160 (space)

Oct 29 13:06:25 nucci sendmail[2276]: g9TG6Ln02276:
from=<ivan at nucci.com.br>, size=62544, class=0, nrcpts=1,
msgid=<3DBEB1CB.1000804 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 13:06:28 nucci MailScanner[24436]: New Batch: Scanning 2 messages,
86314 bytes
Oct 29 13:06:29 nucci MailScanner[24436]: Virus and Content Scanning:
Starting
Oct 29 13:06:30 nucci MailScanner[24436]: Virus Scanning: clamav found 1
infections
Oct 29 13:06:30 nucci MailScanner[24436]: Virus Scanning: Found 1 viruses
Oct 29 13:06:30 nucci MailScanner[24436]: Saved infected "start.zip" to
/var/spool/MailScanner/quarantine/20021029/g9TG6Ln02276
Oct 29 13:06:31 nucci MailScanner[24436]: Uninfected: Delivered 1 messages
Oct 29 13:06:31 nucci MailScanner[24436]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It
says:
<--------The original e-mail attachment "1"-------->

b) ### End.zip containing False.bat with Klez.Virus. Compressed file ends
with ALT-0160 (space)

Oct 29 13:08:35 nucci sendmail[2537]: g9TG8Yn02537:
from=<ivan at nucci.com.br>, size=62540, class=0, nrcpts=1,
msgid=<3DBEB251.9060207 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 13:08:39 nucci MailScanner[24504]: New Batch: Scanning 1 messages,
62951 bytes
Oct 29 13:08:39 nucci MailScanner[24504]: Virus and Content Scanning:
Starting
Oct 29 13:08:40 nucci MailScanner[24504]: Virus Scanning: clamav found 1
infections
Oct 29 13:08:41 nucci MailScanner[24504]: Virus Scanning: Found 1 viruses
Oct 29 13:08:41 nucci MailScanner[24504]: Saved infected "end.zip" to
/var/spool/MailScanner/quarantine/20021029/g9TG8Yn02537
Oct 29 13:08:41 nucci MailScanner[24504]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It
says:
<--------The original e-mail attachment "1"-------->

5) viruses in files with various nasty filenames (strange characters,
non-English characters, etc.)

a) ### São.zip containing False.bat with Klez.virus and zip naming contains
Latin (Brazilian) characters

Oct 29 17:01:00 nucci sendmail[1098]: g9TK0xa01098:
from=<ivan at nucci.com.br>, size=62571, class=0, nrcpts=1,
msgid=<3DBEE8CA.8060607 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 17:01:01 nucci MailScanner[928]: New Batch: Scanning 1 messages,
62981 bytes
Oct 29 17:01:01 nucci MailScanner[928]: Virus and Content Scanning: Starting
Oct 29 17:01:03 nucci MailScanner[928]: Virus Scanning: clamav found 1
infections
Oct 29 17:01:03 nucci MailScanner[928]: Virus Scanning: Found 1 viruses
Oct 29 17:01:03 nucci MailScanner[928]: Saved infected "1" to
/var/spool/MailScanner/quarantine/20021029/g9TK0xa01098
Oct 29 17:01:03 nucci MailScanner[928]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It
says:
<--------The original e-mail attachment "1"-------->

b) ### 1º.zip containing False.bat with Klez.virus and zip naming contains
Latin (Brazilian) characters

Oct 29 17:06:19 nucci sendmail[1963]: g9TK6Ia01963: from=<ivan at nucci.com.br>
, size=62569, class=0, nrcpts=1, msgid=<3DBEEA0A.8000901 at nucci.com.br>,
proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 17:06:19 nucci MailScanner[946]: New Batch: Scanning 1 messages,
62979 bytes
Oct 29 17:06:20 nucci MailScanner[946]: Virus and Content Scanning: Starting
Oct 29 17:06:20 nucci MailScanner[946]: Virus Scanning: clamav found 1
infections
Oct 29 17:06:21 nucci MailScanner[946]: Virus Scanning: Found 1 viruses
Oct 29 17:06:21 nucci MailScanner[946]: Saved infected "1" to
/var/spool/MailScanner/quarantine/20021029/g9TK6Ia01963
Oct 29 17:06:21 nucci MailScanner[946]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It
says:
<--------The original e-mail attachment "1"-------->

c) ### ¬½¼¡«»¦¦¦¦¦¿®.zip containing False.bat with Klez.virus and zip naming
contains strange characters from

Oct 29 17:11:27 nucci sendmail[2619]: g9TKBRa02619:
from=<ivan at nucci.com.br>, size=62639, class=0, nrcpts=1,
msgid=<3DBEEB3E.1090701 at nucci.com.br>, proto=ESMTP, daemon=MTA,
relay=[192.168.2.4]
Oct 29 17:11:28 nucci sendmail[2622]: g9TK8ta02375:
to=<contrato.bel at tecnocargonet.com.br>, delay=00:02:33, xdelay=00:00:00,
mailer=virtual, pri=121884, relay=tecnocargonet.com.br, dsn=2.0.0, stat=Sent
Oct 29 17:11:29 nucci MailScanner[928]: New Batch: Scanning 1 messages,
63049 bytes
Oct 29 17:11:29 nucci MailScanner[928]: Virus and Content Scanning: Starting
Oct 29 17:11:30 nucci MailScanner[928]: Virus Scanning: clamav found 1
infections
Oct 29 17:11:30 nucci MailScanner[928]: Virus Scanning: Found 1 viruses
Oct 29 17:11:30 nucci MailScanner[928]: Saved infected "1" to
/var/spool/MailScanner/quarantine/20021029/g9TKBRa02619
Oct 29 17:11:30 nucci MailScanner[928]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It
says:
<--------The original e-mail attachment "1"-------->

6) Viruses in forwarded e-mail of type (*.eml) with <IFRAME> from
MS-Outlook[Express]

Oct 29 17:50:39 nucci sendmail[11036]: g9TKoca11036:
from=<ivan at nucci.com.br>, size=146925, class=0, nrcpts=1,
msgid=<001001c27f8d$b0cfcd40$0202a8c0 at nucci.com.br>, proto=SMTP, daemon=MTA,
relay=[192.168.2.2]
Oct 29 17:50:39 nucci MailScanner[902]: New Batch: Scanning 1 messages,
147321 bytes
Oct 29 17:50:40 nucci MailScanner[902]: Virus and Content Scanning: Starting
Oct 29 17:50:41 nucci MailScanner[902]: Virus Scanning: clamav found 1
infections
Oct 29 17:50:41 nucci MailScanner[902]: Virus Scanning: Found 1 viruses
Oct 29 17:50:41 nucci MailScanner[902]: Filename Checks: Possible malicious
batch file script (False.bat)
Oct 29 17:50:41 nucci MailScanner[902]: Other Checks: Found 1 problems
Oct 29 17:50:41 nucci MailScanner[902]: Content Checks: Detected
Microsoft-specific exploits in g9TKoca11036
Oct 29 17:50:41 nucci MailScanner[902]: Content Checks: Found 1 problems
Oct 29 17:50:41 nucci MailScanner[902]: Saved infected "False.bat" to
/var/spool/MailScanner/quarantine/20021029/g9TKoca11036
Oct 29 17:50:41 nucci MailScanner[902]: Saved infected "msg-902-36.html" to
/var/spool/MailScanner/quarantine/20021029/g9TKoca11036
Oct 29 17:50:41 nucci MailScanner[902]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus

7) Viruses within ZIP file attached to e-mail of type (*.eml) from
MS-Outlook[Express] that was forwarded

Oct 30 21:25:09 nucci sendmail[14519]: g9V0P9P14519:
from=<ivan at nucci.com.br>, size=64681, class=0, nrcpts=1,
msgid=<002301c28074$e063e540$0202a8c0 at nucci.com.br>, proto=SMTP, daemon=MTA,
relay=[192.168.2.2]
Oct 30 21:25:12 nucci MailScanner[14255]: New Batch: Scanning 1 messages,
65076 bytes
Oct 30 21:25:12 nucci MailScanner[14255]: Virus and Content Scanning:
Starting
Oct 30 21:25:13 nucci MailScanner[14255]: Virus Scanning: clamav found 1
infections
Oct 30 21:25:13 nucci MailScanner[14255]: Virus Scanning: Found 1 viruses
Oct 30 21:25:13 nucci MailScanner[14255]: Saved infected "False.zip" to
/var/spool/MailScanner/quarantine/20021030/g9V0P9P14519
Oct 30 21:25:13 nucci MailScanner[14255]: Silent: Delivered 1 messages
containing silent viruses

->>> Returns to sender notice about e-mail containing a virus
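
The excerpts above can be checked mechanically instead of by eye. The following is an added example, not part of the original post or of MailScanner: it rejoins the hard-wrapped syslog records, ties each sendmail queue ID to the name its attachment was quarantined under, and lists the messages where that name is only a bare number such as "1". The sample log is constructed, and treating an all-digit name as a lost original filename is an assumption based on the OBS notes in the report.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the syslog excerpts above,
# including the e-mail hard wrapping; host name and queue IDs are made up.
SAMPLE_LOG = '''\
Oct 29 12:00:01 mx sendmail[100]: qAAAAAA00001:
from=<a at example.org>, size=62675, class=0, nrcpts=1
Oct 29 12:00:03 mx MailScanner[200]: Virus Scanning: clamav found 1
infections
Oct 29 12:00:03 mx MailScanner[200]: Saved infected "False.zip" to
/var/spool/MailScanner/quarantine/20021029/qAAAAAA00001
Oct 29 12:05:01 mx sendmail[101]: qAAAAAA00002:
from=<a at example.org>, size=62718, class=0, nrcpts=1
Oct 29 12:05:04 mx MailScanner[200]: Saved infected "1" to
/var/spool/MailScanner/quarantine/20021029/qAAAAAA00002
'''

STAMP = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')
SENDMAIL = re.compile(r'sendmail\[\d+\]: (\w+): from=<([^>]*)>\s*,\s*size=(\d+)')
SAVED = re.compile(r'Saved infected "([^"]*)" to (\S+)/(\w+)$')

def unfold(text):
    """Rejoin wrapped records; a blank line ends the current record."""
    records, open_rec = [], False
    for line in text.splitlines():
        line = line.strip()
        if STAMP.match(line):
            records.append(line)
            open_rec = True
        elif line and open_rec:
            records[-1] += ' ' + line
        else:
            open_rec = False
    return records

def summarize(text):
    """Per queue ID: sender, size and every quarantined attachment name."""
    msgs = defaultdict(lambda: {'sender': None, 'size': None, 'saved': []})
    for rec in unfold(text):
        if m := SENDMAIL.search(rec):
            msgs[m.group(1)].update(sender=m.group(2), size=int(m.group(3)))
        if m := SAVED.search(rec):
            msgs[m.group(3)]['saved'].append(m.group(1))
    return dict(msgs)

def lost_names(text):
    """Queue IDs whose quarantined file was logged under a bare number."""
    return sorted(q for q, info in summarize(text).items()
                  if any(n.isdigit() for n in info['saved']))
```

Run against a real maillog, `lost_names()` gives the queue IDs to look up in the quarantine directory when the notice sent to the user does not name the attachment they actually sent.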



