Mydoom Virus getting Through

Plant, Dean dean.plant at ROKE.CO.UK
Wed Feb 11 17:32:11 GMT 2004


I'm not sure if this is the same problem but the info might be useful.

We are running Trend, Clamav and F-prot on our MailScanner server and find that the MS exchange server that we pass mail onto, running Trend, is picking up the WORM_MyDoom.DAM. This version of the virus passes straight through our MailScanner without being detected even though we are running the same version of Trend definitions.

Dean Plant

-----Original Message-----
From: Martin Hepworth [mailto:martinh at SOLID-STATE-LOGIC.COM]
Sent: 11 February 2004 17:18
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Mydoom Virus getting Through


Michael Dahlberg wrote:
>
> Martin:
>
> Thanks for the suggestion.   I initially thought that the problem was
> with Sophos and called them to discuss the problem.  They also
> recommended that I upgrade to 3.78(d), which I did.  Unfortunately,
> this did not solve the problem.
>
> My knowledge of MIME encoding/decoding is limited, but it looks as if
> the message might have an incomplete MIME header.  MailScanner (or the
> perl modules that handle MIME encoding) analyze the message and
> determine that there is no MIME-encoded attachment, and as a result
> delivers the message.  The message is received by Eudora (or Outlook),
> which may be a bit more aggressive in detecting MIME-encoded
> attachments, and passes the attachment with the incomplete MIME header
> to NAV and it reports the MyDoom virus.
>
> This is just a guess by me from reading other posts on this list and
> looking at some representative messages.
>
> Thanks for the suggestion.
>
> Mike

Mike,
are you using the SAVI version or the binary version?

I'm using the SAVI, and that caught the critter when ClamAV didn't.

Also using FreeBSD rather than Linux which might make a difference too.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


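The failure Mike describes above (an incomplete MIME header that leaves the scanner's parser with no attachment to hand to the virus engine, while the mail client still reconstructs one) can be turned into a fail-closed check. This is an added example, not code from MailScanner or from anyone on this list; both sample messages are constructed, and a missing boundary parameter is assumed here as one form an incomplete header can take.

```python
import email
import re

# Header lines that signal an attachment even when the parser found no parts.
ATTACHMENT_MARKERS = re.compile(
    r"^(Content-Disposition:\s*attachment|Content-Transfer-Encoding:\s*base64)",
    re.IGNORECASE | re.MULTILINE)

# Constructed sample: multipart declared without a boundary parameter, so the
# parser cannot split the body and keeps it, attachment headers included, as text.
INCOMPLETE = """\
From: sender@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed

--part1
Content-Type: text/plain

The details are attached.
--part1
Content-Type: application/octet-stream; name="document.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.txt"

SGVsbG8=
--part1--
"""
# Constructed sample: the same message with a complete Content-Type header.
COMPLETE = INCOMPLETE.replace("Content-Type: multipart/mixed",
                              'Content-Type: multipart/mixed; boundary="part1"')


def parsed_attachments(msg):
    """Attachment filenames the standard parser actually recognised."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment" or p.get_filename()]


def assess(raw):
    """Fail closed: quarantine when the MIME structure cannot be trusted."""
    msg = email.message_from_string(raw)
    # The parser records each structural problem it hit instead of raising.
    reasons = ["mime defect: " + type(d).__name__ for d in msg.defects]
    found = parsed_attachments(msg)
    # No parsed attachment, yet attachment headers sit in the undecoded body:
    # exactly what a more lenient mail client would still turn into a file.
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    if not found and ATTACHMENT_MARKERS.search(body):
        reasons.append("attachment headers inside an unparsed body")
    return {"attachments": found, "reasons": reasons,
            "verdict": "quarantine" if reasons else "deliver"}
```

The point is that a message the parser could not fully decode should be held for a human or a second engine rather than delivered on the strength of "no attachment found".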
