Problem identifying DumaRu Virus

Stephan Ilaender mailscanner at LAYLINE.DE
Thu Mar 25 15:48:00 GMT 2004


On 25.03.2004, Muenz, Michael wrote on the subject
 ## Re: Problem identifying DumaRu Virus ##

> Hi
>
> > I'm seeing a strange problem when identifying the worm Worm.Dumaru.Y.
> > If I send the infamous "myphoto.zip" as an attachment I get this warning
> > [amongst other scanner alarms] from clamav:
>
> My problem is that Clamav AND F-Prot don't detect Dumaru.Y and Z!
>

Maybe your libclamav is buggy - try using --disable-archive:

file /tmp/Mtw3afm
/tmp/Mtw3afm: Zip archive data, at least v1.0 to extract

clamscan /tmp/Mtw3afm:
/tmp/Mtw3afm: Zip module failure.

clamscan --disable-archive /tmp/Mtw3afm
/tmp/Mtw3afm: Worm.Dumaru.Y FOUND

I am using --disable-archive in my wrapper-scripts:

/etc/MailScanner/wrapper/clamav-wrapper /usr /tmp/Mtw3afm
/tmp/Mtw3afm: Worm.Dumaru.Y FOUND

However, MailScanner cannot detect this virus when it's hitting my server from
the wild - and in the quarantine dirs I only find base64 .txt files (decode them
with metamail and clamscan will detect). If I run the clamav-wrapper on the files
in the quarantine dir nothing is detected.

regards,
Stephan


> #################################################################
> From: "Elene" <FUCKENSUICIDE at HOTMAIL.COM>
> To: <XXX>
> Subject: Important information for you. Read it immediately !
> MIME-Version: 1.0
> Content-Type: multipart/mixed;boundary="xxxx"
> Message-Id: <20040325144225.5295C581CE at XXX>
> Date: Thu, 25 Mar 2004 15:42:25 +0100 (CET)
> X-Virus-Status: Found to be clean
> X-Spam-Status: Yes, hits=14.1 tag1=3.0 tag2=5.6 kill=5.6 tests=BAYES_99,
>  DCC_CHECK, HTML_FONTCOLOR_UNKNOWN, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,
>  HTML_RELAYING_FRAME, MIME_HTML_NO_CHARSET, MIME_HTML_ONLY,
>  MIME_MISSING_BOUNDARY, MY_DSL, UPPERCASE_25_50
> X-Spam-Level: **************
>
> --xxxx
> Content-Type: text/html;
> Content-Transfer-Encoding: 7bit
>
> <FONT color=red size=15><CENTER>Hi !</CENTER></FONT><BR>
> Here is my photo, that you asked for yesterday.<BR><iframe src=domain_marker
> WIDTH=1 HEIGHT=1></iframe>
> --xxxx
>
>        name="accounts.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>        filename="myphoto.zip"
>
> #################################################################
>
> This is really strange, because on www.clamav.net a search within the
> signature database found Dumaru.Y ?!?!
>
> Michael
>
>
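The check described in this thread, written out as a small POSIX shell script (an added example, not code from the original post, MailScanner or ClamAV): take a base64-encoded file like those found in the quarantine directory, decode it, confirm that the result really carries a ZIP signature, and then scan the decoded copy with clamscan, retrying with --disable-archive when the zip module fails as shown above. The sample quarantine file is constructed inline (a valid empty ZIP archive, base64-encoded), and the function names, the temporary paths and the NOARCH_FLAG variable are assumptions of this example. --disable-archive is the option the post uses; newer clamscan releases spell it --scan-archive=no, which is why the flag is a variable here.

```shell
#!/bin/sh
# Added example (not from the original post): decode a base64 quarantine
# file, verify the ZIP signature, and scan the decoded copy with clamscan.
# All paths and sample data are constructed for this example.

# Flag that turns off archive unpacking. The post uses --disable-archive;
# newer clamscan versions use --scan-archive=no instead (assumption: set it
# from the environment if your clamscan is newer).
NOARCH_FLAG=${NOARCH_FLAG:---disable-archive}

# make_sample DST: write a constructed base64 quarantine file to DST.
# The payload is a valid empty ZIP (22-byte end-of-central-directory record).
make_sample() {
    { printf 'PK\005\006'; dd if=/dev/zero bs=1 count=18 2>/dev/null; } \
        | base64 > "$1"
}

# decode_quarantine SRC DST: base64-decode SRC into DST (what the post does
# with metamail, done here with the coreutils base64 tool).
decode_quarantine() {
    base64 -d "$1" > "$2"
}

# is_zip FILE: return 0 if FILE starts with a ZIP signature, i.e. a local
# file header (PK\003\004) or an empty archive's end record (PK\005\006).
is_zip() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        504b0304|504b0506) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_decoded FILE: run clamscan on FILE; if the zip module fails (the
# symptom in the post), rescan with archive unpacking disabled so the
# signature match on the raw bytes still gets a chance.
scan_decoded() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; skipping scan of $1"
        return 0
    fi
    out=$(clamscan --no-summary "$1" 2>&1) || true
    case "$out" in
        *"Zip module failure"*)
            echo "zip module failed, rescanning with $NOARCH_FLAG"
            clamscan --no-summary "$NOARCH_FLAG" "$1" || true
            ;;
        *) echo "$out" ;;
    esac
}

# Demo run on the constructed sample.
workdir=$(mktemp -d)
make_sample "$workdir/quarantine.txt"
decode_quarantine "$workdir/quarantine.txt" "$workdir/decoded.zip"
if is_zip "$workdir/decoded.zip"; then
    echo "decoded.zip: ZIP signature present, scanning decoded copy"
    scan_decoded "$workdir/decoded.zip"
else
    echo "decoded.zip: no ZIP signature, not an archive"
fi
rm -rf "$workdir"
```

Run it as `sh script.sh`; to use it on a real quarantine file, call `decode_quarantine` on that file instead of the constructed sample. Scanning the still-encoded .txt file would only ever see base64 text, which is the reason the wrapper finds nothing in the quarantine directory.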