mydoom-a miscounting, a discovery
Jeff A. Earickson
jaearick at COLBY.EDU
Wed Jan 28 18:21:07 GMT 2004
Hi,
I wondered last night why clamav was counting so many
more SCO.A's than sophos was counting MyDoom-A. I was seeing
about twice as many INFECTED:: syslogs for clamav in my summary
perl report, eg:
1779: Worm.SCO.A
638: W32/MyDoom-A
In poking thru my syslogs, I discovered that sometimes MailScanner
writes a syslog message from Sophos like:
INFECTED:: W32/MyDoom-A:: ./i0SI7Qhm007323/document.pif
and sometimes it writes out:
INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0SI8W68008073/data.zip
where the filetype is always *.zip for the double notation.
Once I tweaked my perl script that does the summary counts, the
arithmetic matched: Clamav and Sophos are catching the same
numbers of copies. Any ideas on why the double notation from
Sophos? Both the signature of the zipped and unzipped files match
the sig for MyDoom-A?
Jeff Earickson
Colby College
More information about the MailScanner
mailing list