Problem identifying DumaRu Virus

Stephan Ilaender mailscanner at LAYLINE.DE
Thu Mar 25 12:46:02 GMT 2004


Hi all,

I'm seeing a strange problem when identifying the worm Worm.Dumaru.Y.
If I send the infamous "myphoto.zip" as an attachment I get this warning
[amongst other scanner alarms] from clamav:

[...]
ClamAV: Mtw3afm contains Worm.Dumaru.Y
[...]

Okay, exactly what I expected. The strange thing is: if I see this virus come
in on our server from the wild, I only get a warning from AntiVir, reading

[...]
AntiVir: ALERT: [Worm/Dumaru.AB worm] msg-29968-13.txt --> file0.txt -->
Unknown.txt <<< Contains signature of the worm Worm/Dumaru.AB
[...]

but NO warning from clamav. If I go to the quarantine directory and execute the
clamav-wrapper, clamav does not detect the virus:

/etc/MailScanner/wrapper/clamav-wrapper /usr /var/spool/MailScanner/quarantine/20040324/CD24EBE51/msg-29968-13.txt
----------- SCAN SUMMARY -----------
Known viruses: 41437
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 1.246 sec (0 m 1 s)


which is probably ok, because the .txt file is still in base64 encoding. If I
decode this to the original zip, the virus gets detected.

My question is: why am I unable to detect DumaRu coming in from the wild
using clamav? It is caught by AntiVir, but I see no reason why clamav should not
be able to get this.

Here's an excerpt from my logs:

[ just AntiVir ]
Mar 25 13:12:43 MailScanner[23829]: Virus and Content Scanning: Starting
Mar 25 13:12:47 MailScanner[23829]: ALERT: [Worm/Dumaru.AB worm] ./A5D5828006/msg-29968-13.txt --> file0.txt --> Unknown.txt --> myphoto.jpg                       .exe <<< Contains signature of the worm Worm/Dumaru.AB
Mar 25 13:12:47 MailScanner[23829]: ALERT: [Worm/Dumaru.AB worm] ./A5D5828006/msg-29968-13.txt --> file0.txt --> Unknown.txt <<< Contains signature of the worm Worm/Dumaru.AB
Mar 25 13:12:47 MailScanner[23829]: ALERT: [Worm/Dumaru.AB worm] ./A5D5828006/msg-23829-7.txt --> Unknown.txt --> myphoto.jpg                       .exe <<< Contains signature of the worm Worm/Dumaru.AB
Mar 25 13:12:47 MailScanner[23829]: ALERT: [Worm/Dumaru.AB worm] ./A5D5828006/msg-23829-7.txt --> Unknown.txt <<< Contains signature of the worm Worm/Dumaru.AB
Mar 25 13:12:47 MailScanner[23829]: Virus Scanning: AntiVir found 4 infections

[ AntiVir and ClamAV ]
Mar 25 13:11:12 MailScanner[23836]: Virus and Content Scanning: Starting
Mar 25 13:11:14 MailScanner[23836]: /var/spool/MailScanner/incoming/23836/./77CF82800B/Mtw3afm: Worm.Dumaru.Y FOUND
Mar 25 13:11:14 MailScanner[23836]: Virus Scanning: ClamAV found 1 infections
Mar 25 13:11:15 MailScanner[23836]: ALERT: [Worm/Dumaru.AB worm] ./77CF82800B/Mtw3afm <<< Contains signature of the worm Worm/Dumaru.AB
Mar 25 13:11:15 MailScanner[23836]: Virus Scanning: AntiVir found 1 infections
Mar 25 13:11:15 MailScanner[23836]: Infected message 77CF82800B came from
Mar 25 13:11:15 MailScanner[23836]: Virus Scanning: Found 1 viruses
Mar 25 13:11:15 MailScanner[23836]: Virus Scanning completed at 8518 bytes per second
Mar 25 13:11:15 MailScanner[23836]: Saved infected "Mtw3afm" to /var/spool/MailScanner/quarantine/20040325/77CF82800B
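A defender-side check for the nesting the AntiVir alerts above show (a text attachment that is a base64-wrapped message, wrapping a zip, holding the padded "myphoto.jpg ... .exe" name), added here as an example and not code from the original post, MailScanner, ClamAV or AntiVir: it unwraps zip, MIME and bare-base64 layers recursively, including the quarantined .txt that is still base64, and flags the final member. The sample message, the `file0.txt` attachment and the stub payload are constructed; the MIME sniff and the base64 regex are heuristics.

```python
import base64, binascii, email, email.policy, io, re, zipfile
from email.message import EmailMessage

B64_BLOCK = re.compile(rb"^(?:[A-Za-z0-9+/]{4,76}\r?\n)*[A-Za-z0-9+/]+={0,2}\s*$")  # bare base64 body
PADDED_EXT = re.compile(r"\.(?:jpe?g|gif|txt|doc|pdf)\s{2,}\.(?:exe|scr|pif|com|bat)$", re.I)  # "x.jpg   .exe"

def unpack(data, name, depth=0, max_depth=8):
    """Unwrap zip, MIME and bare-base64 layers recursively; return (chain, bytes) leaves."""
    if depth >= max_depth:
        return [(name + " [depth limit]", data)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [leaf for m in z.infolist()
                    for leaf in unpack(z.read(m), f"{name} --> {m.filename}", depth + 1)]
    if b"Content-Type:" in data[:4096] or b"MIME-Version:" in data[:4096]:  # heuristic MIME sniff
        msg = email.message_from_bytes(data, policy=email.policy.default)
        return [leaf for part in msg.walk() if not part.is_multipart()
                for leaf in unpack(part.get_payload(decode=True), f"{name} --> "
                                   f"{part.get_filename() or part.get_content_type()}", depth + 1)]
    if len(data) >= 64 and B64_BLOCK.match(data):  # e.g. the quarantined .txt that is still base64
        try:
            raw = base64.b64decode(b"".join(data.split()), validate=True)
            return unpack(raw, name + " --> [base64]", depth + 1)
        except binascii.Error:
            pass
    return [(name, data)]

def flag(leaves):
    """Chains worth blocking: padded double extension in the final name, or an MZ (PE) header."""
    return [chain for chain, data in leaves
            if PADDED_EXT.search(chain.rsplit(" --> ", 1)[-1]) or data.startswith(b"MZ")]

def build_zip():
    """Constructed zip: a harmless stub under the Dumaru-style padded name (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("myphoto.jpg" + " " * 23 + ".exe", b"MZ constructed harmless stub, not a PE")
    return buf.getvalue()

def build_sample():
    """Constructed mail: text attachment 'file0.txt' wrapping a message that carries the zip."""
    inner = EmailMessage()
    inner.set_content("see attached photo")
    inner.add_attachment(build_zip(), maintype="application", subtype="zip", filename="myphoto.zip")
    outer = EmailMessage()
    outer.set_content("the forwarded message is in the text attachment")
    outer.add_attachment(inner.as_bytes(), maintype="text", subtype="plain", filename="file0.txt")
    return outer.as_bytes()
```

`flag(unpack(build_sample(), "msg.txt"))` returns the single chain ending in the padded `.exe` name, the same path AntiVir reports in the logs.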


