mydoom-a miscounting, a discovery

Jeff A. Earickson jaearick at COLBY.EDU
Wed Jan 28 18:21:07 GMT 2004

   I wondered last night why clamav was counting so many
more SCO.A's than sophos was counting MyDoom-A.  I was seeing
about twice as many INFECTED:: syslogs for clamav in my summary
perl report, eg:

  1779: Worm.SCO.A
   638: W32/MyDoom-A

In poking thru my syslogs, I discovered that sometimes MailScanner
writes a syslog message from Sophos like:

INFECTED:: W32/MyDoom-A:: ./i0SI7Qhm007323/document.pif

and sometimes it writes out:

INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0SI8W68008073/

where the filetype is always *.zip for the double notation.

Once I tweaked my perl script that does the summary counts, the
arithmetic matched: Clamav and Sophos are catching the same
numbers of copies.  Any ideas on why the double notation from
Sophos?  Both the signature of the zipped and unzipped files match
the sig for MyDoom-A?

Jeff Earickson
Colby College

More information about the MailScanner mailing list