Mydoom Virus getting Through

Wed Feb 11 16:32:11 GMT 2004

FYI:  I am experiencing the same thing also.

-----Original Message-----
From: Kyle Harris [mailto:lists at TRCINTL.COM] 
Sent: Wednesday, February 11, 2004 11:09 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Mydoom Virus getting Through

On Wed, 11 Feb 2004 10:50:31 -0500, Michael Dahlberg
<dahlberg at BUCKNELL.EDU> wrote:

>Kyle Harris [lists at TRCINTL.COM] wrote:
>> I have been running MailScanner for quite some time and it has
successfully
>> found literally thousands of e-mail's infected with the Mydoom virus,
as
>> well as many others.  However, I have noticed that every now and then
for
>> whatever reason one seems to slip through MailScanner.  The reason I
know
>> this is that my mail is first scanned with MailScanner (using eTrust
>> Antivirus 7.0) and then it is sent on to another machine running
TrendMicro
>> InterScan VirusWall (I had that in place before MailScanner).
>>
>> On about 4 occasions since the outbreak of Mydoom, a copy of the
virus
has
>> made it through MailScanner undetected and has then been caught by
the
>> TrendMicro product.  I had it happen several times already today.  I
>> checked the e-mail ID and I see in the log on MailScanner where it
passed
>> through without a hitch.
>>
>> I seem to recall someone posting something earlier about this
occuring
>> while using the Sophos antivirus product.  I just thought this might
be
>> something to take note of.  By the way, I am currently using
MailScanner
>> version 4.26.8 and my virus signatures are up to date.  TrendMicro
>> InterScan VirusWall reports the e-mail messages in question as having
>> Mydoom.A.
>
>Kyle:
>
>Did you ever find a fix to this problem?
>
>We're experiencing a similar problem.  A number of messages are
>passing through MailScanner(4.13-3)/Sophos and then are interpreted as
>MyDoom-infected when they reach the client's MUA (Eudora) on a system
>which is running Symantec's Antivirus software.  If these messages are
>intercepted before being downloaded to the client's system, they look
>as if they might have something wrong with the MIME header because
>some MUAs will interpret the message as not having an attachment.
>
>Do you see something similar?
>
>Thanks.

I experienced this at least 10 times yesterday (they seemed to come
relatively close together) and had expierenced it about 3 or 4 times in
days prior to that.  Julian asked if I could send one to him so I
enabled
archiving and as luck would have it, I have not seen another one get
through since.  I had to disable archiving as I had too many mail
messages
building up, but I am keeping a close eye for them and if I see one go
through I am planning on quickly enabling the archive option again to
see
if maybe another will go through that I can catch and send to Julian.

It does sound like you are expierencing what I am though.

Kyle H.