Viruses apparently getting through

Julian Field MailScanner at ecs.soton.ac.uk
Sun Dec 4 16:36:36 GMT 2005



Corrupted viruses are surprisingly common. It always makes me wonder how 
this happens. The other thing that happens is they turn into 0-length 
files. Everything else about the message looks exactly like the virus, 
just the attachment has no data in it. Never figured that one out 
either, unless it's a broken virus scanner doing it. I hope MailScanner 
doesn't ever do that!

João Gouveia wrote:

>Hi,
>
>I've seen a similar behaviour. In that particular situation, after
>analysis, it turned out that the zip file was corrupted.
>Running clamav by hand would render an error stating that the file
>could not be unzipped.
>
>J.
>
>On 12/3/05, Gib Gilbertson Jr. <gib at tmisnet.com> wrote:
>  
>
>>Hi.
>>
>>At 05:43 PM 3/12/2005, you wrote:
>>    
>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>Where is your copy of ClamAV installed? The location must be correct in
>>>/etc/MailScanner/virus.scanners.conf.
>>>If "which clamscan" produces /usr/local/bin/clamscan, then the entry in
>>>virus.scanners.conf should be "/usr/local", if it produces
>>>/usr/bin/clamscan, then it should be "/usr".
>>>
>>>What does your maillog say? That should give some indication of what
>>>it's finding.
>>>
>>>      
>>>
>>Location is correct. It is catching other viruses fine. Just for some
>>reason a few e-mails which appear to be messages from other mail
>>systems reporting mail to non-existent users have been returned for
>>whatever reason. The headers of the original e-mail are always
>>forged with some address from tmisnet.com such as hostmaster, or
>>webmaster, etc.
>>
>>Here is an entry for a typical virus found by ClamAV:
>>
>>Dec  3 01:27:22 thumper MailScanner[62916]:
>>/var/spool/MailScanner/incoming/62916/./jB39R0OK082075/account-password.zip:
>>Worm.Mytob.JM FOUND
>>Dec  3 01:27:22 thumper MailScanner[62916]: Virus Scanning: ClamAV
>>found 1 infections
>>Dec  3 01:27:22 thumper MailScanner[62916]: Infected message
>>jB39R0OK082075 came from 59.92.149.188
>>Dec  3 01:27:22 thumper MailScanner[62916]: Virus Scanning: Found 1 viruses
>>
>>Just doesn't seem to be picking up this latest virus for some reason.
>>ClamAV is up to date.
>>
>>Thanks
>>
>>gib
>>
>>
>>
>>    
>>
>>>Gib Gilbertson Jr. wrote:
>>>
>>>      
>>>
>>>>Hi.
>>>>
>>>>I'm seeing a lot of e-mails getting through that are caught by ZoneAlarm
>>>>Security Suite and reported to be infected by the Win32.Sober.W!.ZIP
>>>>virus. These are coming in as attachments with the extension .zm9 as
>>>>reported by ZoneAlarm.
>>>>
>>>>
>>>>I am running the following on FreeBSD 4.10
>>>>
>>>>MailScanner 4.32.4
>>>>ClamAV 0.87.1/1200
>>>>
>>>>I've added a file types rule to deny \.zm9$ files
>>>>
>>>>I'm still getting them in e-mail though.
>>>>
>>>>Any thoughts?
>>>>
>>>>Thanks
>>>>
>>>>gib
>>>>

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
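The thread raises two things an administrator ends up checking by hand: whether the scanner prefix in virus.scanners.conf matches where clamscan actually lives, and whether an attachment that "looks exactly like the virus" is really a corrupted or 0-length archive that the scanner cannot open. The script below is an added example written for this page; it is not MailScanner code or anything from the people quoted above. It derives the prefix from a clamscan path the way Julian describes (/usr/local/bin/clamscan gives /usr/local) and classifies files in a directory as empty, a readable zip, a corrupt zip, or something else. The sample files it builds (good.zip, corrupt.zip, truncated.zip, empty.zip, notzip.zm9) are constructed inline so it runs offline; the function names are my own.

```python
"""Triage helper for the two failure modes discussed in the thread.
Added example, not part of MailScanner. Sample files are constructed
in a temporary directory so the script runs offline."""
import io
import os
import tempfile
import zipfile
import zlib


def scanner_prefix(clamscan_path):
    """Return the install prefix virus.scanners.conf expects for clamscan.
    "/usr/local/bin/clamscan" -> "/usr/local"; "/usr/bin/clamscan" -> "/usr"."""
    bin_dir = os.path.dirname(clamscan_path)
    if os.path.basename(bin_dir) != "bin":
        raise ValueError("expected .../bin/clamscan, got %r" % clamscan_path)
    return os.path.dirname(bin_dir)


def classify_attachment(path):
    """Classify one file: 'empty' (0-length), 'zip' (archive whose members
    all pass a CRC check), 'corrupt-zip' (zip signature but unreadable),
    or 'other' (not a zip at all)."""
    if os.path.getsize(path) == 0:
        return "empty"
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic != b"PK":
        return "other"
    try:
        with zipfile.ZipFile(path) as zf:
            # testzip() reads every member and returns the first one whose
            # CRC fails, or None when the whole archive is readable.
            bad_member = zf.testzip()
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return "corrupt-zip"
    return "corrupt-zip" if bad_member is not None else "zip"


def triage(directory):
    """Map every regular file in `directory` to its classification."""
    result = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            result[name] = classify_attachment(full)
    return result


def make_samples(directory):
    """Construct the sample attachments (not real malware, just a text member)."""
    buf = io.BytesIO()
    # ZIP_STORED keeps the member bytes verbatim, so flipping them below
    # produces a CRC mismatch rather than a decompression error.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", b"hello world")
    good = buf.getvalue()
    samples = {
        "good.zip": good,
        "corrupt.zip": good.replace(b"hello world", b"jello world"),
        "truncated.zip": good[: len(good) // 2],  # no end-of-central-directory
        "empty.zip": b"",                          # the 0-length case
        "notzip.zm9": b"not an archive at all",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return samples


def demo():
    """Build the samples in a temp dir and return the triage result."""
    workdir = tempfile.mkdtemp(prefix="attach-triage-")
    make_samples(workdir)
    return triage(workdir)


if __name__ == "__main__":
    print("virus.scanners.conf prefix:", scanner_prefix("/usr/local/bin/clamscan"))
    for name, verdict in demo().items():
        print("%-14s %s" % (name, verdict))
```

Pointing triage() at a copy of a quarantined message's attachments shows at a glance whether the scanner is being handed an archive it can open; an "empty" or "corrupt-zip" verdict next to a message that otherwise looks like the worm explains a miss without any scanner misconfiguration being involved.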

