ClamAVModule ignoring MyDoom-O - eek!
Brett Charbeneau
brett at WRL.ORG
Thu Jul 29 19:37:25 IST 2004
> Brett Charbeneau wrote:
>
> >Greetings all,
> >
> > I am running MS 4.31.6 on a 2.4.26 kernel box, and have
installed
> >clamav-0.75 as per the instructions at:
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/ClamAVModule.shtml
> >
> >
> >
> I posted here yesterday, after a visit to the ClamAV forums, that so far
> they have been unable to find any operational virus attached to any
> mydoom.o version. In other words, the attachment is broken and does not
> execute any malicious code. They have so far ignored writing any sigs
> (yesterday anyway) since these are not really viruses... or as one
> person put it... they were 'dead' viruses or fragmented viruses and so
> far totally harmless. Seems the concensus was to not write sigs
> (bloatware) for viruses that weren't really viruses.
Huh.
Well, some of my users picked up a functional variant of MyDoom
because it sure did it's thing once the attachment was open.
I have submitted my test attachment to
http://www.gietl.com/test-clamav/
And it did identify the .zip file as
Worm.Bagle.Gen-zippwd
Since I have the latest *.cvd files, I would think that the
ClamAVModule would pick it up.
I have also tried the eicar test virus at
http://baby.com.ar/MailScanner/zipWzip/eicar_com.zip
which also passes through into my INBOX without detection, so I
think I've still got some issue going on with the way the ClamAVModule is
installed or configured...
--
Brett Charbeneau, Network Administrator Tel: 757-259-7750
Williamsburg Regional Library FAX: 757-259-7798
7770 Croaker Road brett at wrl.org
Williamsburg, VA 23188-7064 http://www.wrl.org
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
More information about the MailScanner
mailing list