ClamAVModule ignoring MyDoom-O - eek!

Brett Charbeneau brett at WRL.ORG
Thu Jul 29 19:37:25 IST 2004


> Brett Charbeneau wrote:
>
> >Greetings all,
> >
> >        I am running MS 4.31.6 on a 2.4.26 kernel box, and have installed
> >clamav-0.75 as per the instructions at:
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/ClamAVModule.shtml
> >
> >
> >
> I posted here yesterday, after a visit to the ClamAV forums, that so far
> they have been unable to find any operational virus attached to any
> mydoom.o version. In other words, the attachment is broken and does not
> execute any malicious code. They have so far ignored writing any sigs
> (yesterday anyway) since these are not really viruses... or as one
> person put it... they were 'dead' viruses or fragmented viruses and so
> far totally harmless. Seems the consensus was to not write sigs
> (bloatware) for viruses that weren't really viruses.

        Huh.
        Well, some of my users picked up a functional variant of MyDoom
because it sure did its thing once the attachment was open.
        I have submitted my test attachment to

http://www.gietl.com/test-clamav/

        And it did identify the .zip file as

Worm.Bagle.Gen-zippwd

        Since I have the latest *.cvd files, I would think that the
ClamAVModule would pick it up.
        I have also tried the eicar test virus at

http://baby.com.ar/MailScanner/zipWzip/eicar_com.zip

        which also passes through into my INBOX without detection, so I
think I've still got some issue going on with the way the ClamAVModule is
installed or configured...

--

Brett Charbeneau, Network Administrator         Tel: 757-259-7750
Williamsburg Regional Library                   FAX: 757-259-7798
7770 Croaker Road                               brett at wrl.org
Williamsburg, VA 23188-7064                     http://www.wrl.org
