MyDoom.O sneaking through!... SOLVED!

Chris Yuzik chris at FRACTALWEB.COM
Wed Aug 4 20:23:56 IST 2004


Dan Hollis wrote:

>Looks like it's a new mydoom variant where they doubly zip the virus. Eg
>they zip the zipfile.
>
Yes, that's right. The zip file is named using the recipient's email
address with a "-2.zip" appended to the end. Inside that archive is
another zip file with a similar name (the recipient's email address with
a ".zip" appended to the end). Inside that is the actual virus named
using the recipient's email address with a ".txt" appended and a ton of
spaces, then a ".pif" (etc.).

For example, I have one here named
  john at someserver.com-2.zip
and inside that is
  john at someserver.com.zip
and inside that is

  john at someserver.com.txt          .pif (except there are many more spaces)

I've tried saving this message and sending it back to myself, and
MailScanner does catch it.

After grepping log files galore, I have discovered that some messages
were coming through as "unscanned". Upon further analysis of
MailScanner.conf and the "Virus Scanning" setting, it seems that this
person's domain was set to not scan for viruses. I'm going to hunt down
and boot the person that did that...but there you go.

Thanks to Dan and Peter for their help on this issue. Hope this helps
someone else in the future.

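As an added example (not from this post and not MailScanner's own code), a small Python checker that opens the nested archives Chris describes and flags the whitespace-padded ".pif" name; the extension block list, the nesting limit and the sample archive are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Assumed block list for this example (not MailScanner's own rules).
DANGEROUS_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# A harmless-looking extension, a run of spaces, then the real extension.
PADDED_NAME = re.compile(r"\.\w{1,5}\s{2,}(\.\w{1,5})$", re.IGNORECASE)
MAX_DEPTH = 3  # assumed limit on archive-in-archive nesting

def inspect_name(name):
    """Return a reason if the entry name looks like a disguised executable, else None."""
    m = PADDED_NAME.search(name)
    if m and m.group(1).lower() in DANGEROUS_EXT:
        return "whitespace-padded executable name"
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in DANGEROUS_EXT:
        return "executable extension"
    return None

def scan_zip_bytes(data, depth=0, path="", findings=None):
    """Recursively open nested zips (like the '-2.zip' -> '.zip' pair) and collect findings."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append((path, "nesting deeper than %d archives" % MAX_DEPTH))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            full = path + "/" + info.filename
            inner = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                scan_zip_bytes(inner, depth + 1, full, findings)
            else:
                reason = inspect_name(info.filename)
                if reason:
                    findings.append((full, reason))
    return findings

def build_sample():
    """Constructed sample mirroring the post: '<addr>-2.zip' holds '<addr>.zip' holds padded '.pif'."""
    addr = "john@someserver.com"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(addr + ".txt" + " " * 60 + ".pif", b"placeholder, not a real payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(addr + ".zip", inner.getvalue())
    return outer.getvalue()  # bytes of the outer '-2.zip'
```

The per-domain "Virus Scanning" setting that let the message through is a separate check: a name filter like this only helps if it actually runs for every recipient domain.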


