Mydoom Virus getting Through

Michael Dahlberg dahlberg at BUCKNELL.EDU
Wed Feb 11 17:00:48 GMT 2004


>
> Michael
>
> the latest 3.78d from Sophos seems to have picked up one that ClamAV
> 0.66 didn't....
>
> May I suggest you upgrade your Sophos to 3.78d.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

Martin:

Thanks for the suggestion.  I initially thought that the problem was
with Sophos and called them to discuss the problem.  They also
recommended that I upgrade to 3.78(d), which I did.  Unfortunately,
this did not solve the problem.

My knowledge of MIME encoding/decoding is limited, but it looks as if
the message might have an incomplete MIME header.  MailScanner (or the
Perl modules that handle MIME encoding) analyzes the message and
determines that there is no MIME-encoded attachment, and as a result
delivers the message.  The message is received by Eudora (or Outlook),
which may be a bit more aggressive in detecting MIME-encoded
attachments, and passes the attachment with the incomplete MIME header
to NAV, and it reports the MyDoom virus.

This is just a guess by me from reading other posts on this list and
looking at some representative messages.

Thanks for the suggestion.

Mike
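
A gateway-side check for the parser mismatch guessed at in the message above, as an added example that is not part of the original post and is not MailScanner code. It assumes "incomplete MIME header" means the top-level Content-Type is missing, so a header-driven parser sees plain text; the sample messages and all names are constructed.

```python
import base64
import email
import re

# Patterns a lenient mail client might act on even without proper MIME headers.
PART_HEADER = re.compile(r"^Content-(?:Type|Transfer-Encoding|Disposition):", re.I | re.M)
BASE64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{60,76}={0,2}\r?\n){3,}", re.M)

def strict_attachments(msg):
    """Leaf parts that a header-driven parser treats as attachments."""
    return [p for p in msg.walk()
            if not p.is_multipart()
            and (p.get_filename() or p.get_content_maintype() != "text")]

def disagreement_reasons(raw):
    """Reasons to quarantine: strict parse sees no attachment, body suggests one."""
    msg = email.message_from_string(raw)
    if strict_attachments(msg):
        return []          # the scanner will see these parts and scan them
    body = msg.get_payload()
    if not isinstance(body, str):
        return []          # multipart without attachments: nothing hidden in a flat body
    reasons = []
    if PART_HEADER.search(body):
        reasons.append("MIME part header inside a body parsed as plain text")
    if BASE64_RUN.search(body):
        reasons.append("long base64 run inside a body parsed as plain text")
    return reasons

# Constructed, harmless sample data (264 bytes, four full base64 lines).
PAYLOAD = base64.encodebytes(b"constructed harmless sample data " * 8).decode()
PART = ("--=_constructed_boundary\n"
        'Content-Type: application/octet-stream; name="sample.bin"\n'
        "Content-Transfer-Encoding: base64\n\n"
        + PAYLOAD + "--=_constructed_boundary--\n")
HEAD = "From: a@example.org\nTo: b@example.org\nSubject: constructed test\n"
# Assumed failure case: part markers in the body, no top-level Content-Type.
BROKEN = HEAD + "\n" + PART
WELL_FORMED = (HEAD + "MIME-Version: 1.0\n"
               'Content-Type: multipart/mixed; boundary="=_constructed_boundary"\n\n'
               + PART)

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(label, disagreement_reasons(raw))
```

A message that returns a non-empty list is one where the gateway and the desktop client may disagree about whether an attachment exists, so it is a candidate for quarantine rather than delivery.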


