Strange Virus Detected Messages

Richard Lynch rich at MAIL.WVNET.EDU
Tue May 3 01:19:07 IST 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

DNSAdmin wrote:

> At 05:05 PM 5/2/2005, you wrote:
>
>> Hi!
>>
>>> Raymond.. as far as you could tell.. what? A genuine infection?
>>>
>>> I am seeing this too. It's almost as if something is attaching these
>>> .HTML
>>> attachments to valid mail.
>>
>>
>> We have picked up some from quarantine, seems like f-prot is mioxing
>> things up. You also use f-prot i guess? Its all attachments made by
>> MS-Word. Mostly people that mail HTML style. Allthough i agree its
>> like a
>> virus sending people HTML mail i think f-prot fucked up a update
>> today. We
>> are switching off f-prot till they get this fixed.
>
>
> Yep, F-Prot and ClamAV. I'm turning off F-Prot too.
>
> Thanks!

I tried to send this message but it was detected as being infected.  So,
once again with a little editing....


This has got to be a bug in f-prot's signature updates.  I've narrowed
it down to a line that looks like this.  Note that you have to split the
line at the string "(*Split-line-here*)".

<p class=3DMsoNormal><span =
style=3D'font-size:(*Split-line-here*)10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

... that causes f-prot to detect it.  If you join it like so...

<p class=3DMsoNormal><span =
style=3D'font-size:10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

... you no longer get the error.   We have reported it to f-prot.

-- Rich

--




------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2, Text/X-VCARD (charset: UTF-8 "Internet-standard Unicode") ]
    [ (Name: "rich.vcf")  13 lines. ]
    [ Unable to print this part. ]

More information about the MailScanner mailing list