Viruses apparently getting through

Gib Gilbertson Jr. gib at TMISNET.COM
Sun Dec 4 00:13:16 GMT 2005


Hi.

At 05:40 PM 3/12/2005, you wrote:
>Sigh.  I think this is another OS-specific instance of Clam failing
>to catch Sober.U, noted by me earlier this week in this list.
>Try using the latest CVS version of Clam to see if this solves your
>problem.
>
>Jeff Earickson
>Colby College

ClamAV is catching the Sober.U virus. Here is a typical entry from my maillog.

Dec  3 08:41:05 thumper MailScanner[11564]: /var/spool/MailScanner/incoming/11564/./jB3Gei3e027819/reg_pass.zip: Worm.Sober.U FOUND
Dec  3 08:41:05 thumper MailScanner[11564]: Virus Scanning: ClamAV found 1 infections
Dec  3 08:41:05 thumper MailScanner[11564]: Infected message jB3Gei3e027819 came from 24.206.80.69
Dec  3 08:41:05 thumper MailScanner[11564]: Virus Scanning: Found 1 viruses

This appears to be a virus called Win32.Sober.W!.ZIP according to 
ZoneAlarm Security Suite. Note the W in the virus name.

gib


>On Sat, 3 Dec 2005, Gib Gilbertson Jr. wrote:
>
>>Date: Sat, 3 Dec 2005 13:21:13 +1000
>>From: Gib Gilbertson Jr. <gib at TMISNET.COM>
>>Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Viruses apparently getting through
>>Hi.
>>
>>I'm seeing a lot of e-mails getting through that are caught by 
>>ZoneAlarm Security Suite and reported to be infected by the 
>>Win32.Sober.W!.ZIP virus. These are coming in as attachments with 
>>the extension .zm9 as reported by ZoneAlarm.
>>
>>
>>I am running the following on FreeBSD 4.10
>>
>>MailScanner 4.32.4
>>ClamAV 0.87.1/1200
>>
>>I've added a file types rule to deny \.zm9$ files
>>
>>I'm still getting them in e-mail though.
>>
>>Any thoughts?
>>
>>Thanks
>>
>>gib



      Gib Gilbertson Jr.
      Tierramiga Info Systems
      619-287-8647 Support
      http://www.tmisnet.com
      San Diego's Friendly ISP
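
Added example, not part of the original message and not MailScanner's own code: Python that unfolds mail-wrapped maillog entries like the ones quoted above and ties each ClamAV FOUND line to its "Infected message ... came from" line by message ID. The regular expressions assume the log layout shown in this message, and the function names are illustrative.

```python
import re

# Sample input: the four maillog entries from the message, folded mid-entry
# the way a mail client wraps long lines.
SAMPLE_LOG = """\
Dec  3 08:41:05 thumper MailScanner[11564]:
/var/spool/MailScanner/incoming/11564/./jB3Gei3e027819/reg_pass.zip:
Worm.Sober.U FOUND
Dec  3 08:41:05 thumper MailScanner[11564]: Virus Scanning: ClamAV
found 1 infections
Dec  3 08:41:05 thumper MailScanner[11564]: Infected message
jB3Gei3e027819 came from 24.206.80.69
Dec  3 08:41:05 thumper MailScanner[11564]: Virus Scanning: Found 1 viruses
"""

# Start of a MailScanner syslog entry: timestamp, host, MailScanner[pid]:
ENTRY = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ MailScanner\[\d+\]:\s*(.*)$")
# Scanner hit: .../incoming/<pid>/./<message id>/<attachment>: <signature> FOUND
FOUND = re.compile(r"/incoming/\d+/(?:\./)?([^/]+)/(.+): (\S+) FOUND$")
# Origin of the message: Infected message <message id> came from <address>
SOURCE = re.compile(r"^Infected message (\S+) came from (\S+)$")


def unfold(text):
    """Rejoin folded entries: a line without the syslog prefix continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def infections(text):
    """Map message id -> {"hits": [(attachment, signature)], "source": address}."""
    report = {}
    for entry in unfold(text):
        m = ENTRY.match(entry)
        msg = m.group(1) if m else ""
        hit, src = FOUND.search(msg), SOURCE.match(msg)
        if hit or src:
            rec = report.setdefault((hit or src).group(1), {"hits": [], "source": None})
            if hit:
                rec["hits"].append((hit.group(2), hit.group(3)))
            else:
                rec["source"] = src.group(2)
    return report
```

Calling `infections()` on a maillog excerpt gives one record per message ID, which makes it easy to see which attachment names and signatures the scanner actually matched and which sending addresses they came from.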
