mark at msapiro.net
Fri Nov 13 16:00:05 GMT 2009
On Thu, Nov 12, 2009 at 07:55:12AM -0800, Brett Moss wrote:
> I looked into the logs again and did find the following line. It is the second line that I think I failed to post.
> Nov 11 03:56:46 mailgw MailScanner: [Found password stealer] <HTML/Irsphish (exact)> ./nABBuKZR024867/msg-20311-2.html
> Nov 11 03:56:46 mailgw MailScanner: Found spam-virus in
> This line is repeated each time MailScanner tries to process the message.
> I am unsure which scanner is catching it, the logs show nothing. I am running clam, mcafee, and f-prot-6
> I have loaded to pastebin http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.
Found spam-virus means one of your virus scanners got a hit with a name
that matched the pattern in MailScanner's configuration setting
Virus Names Which Are Spam =
These are intended to be clam hits on Sanesecurity spam signatures.
Your message on the pastebin hits
on my system. This sig is winnow.botnet.ff.trojans.4190 from the
winnow_malware_links.ndb database. See
This sig decodes to
and hits on the /www.irs.gov.mikkuo.me.uk/ URL in the message.
Mark Sapiro mark at msapiro net          The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan
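
The reply above describes decoding a ClamAV .ndb signature to see which part of a message it hits. As an added example (not part of the original post, and not the winnow signature it refers to), this Python helper turns the hex body of an .ndb line into readable text and shows the bytes it matches in a message. The signature name, host name and message body are constructed; only literal bytes, `??`, `*` and `{n}`/`{n-m}` are handled, and any other wildcard raises an error.

```python
import re

# Constructed sample in ClamAV .ndb layout: Name:TargetType:Offset:HexSignature
# (hypothetical name and host; this is NOT the signature discussed in the post)
SAMPLE_SIG = ("Example.Constructed.Phish.1:4:*:"
              "2f7777772e6972732e676f762e{1-20}2e6578616d706c652e746573742f")

# Constructed message body
SAMPLE_BODY = b'<a href="http://www.irs.gov.abcdef.example.test/refund">Claim</a>'

# One token: {n} / {n-m} / {-m} / {n-} gap, "*" any run, "??" any byte, or a hex byte
TOKEN = re.compile(r"\{(\d*)(?:-(\d*))?\}|\*|\?\?|[0-9a-fA-F]{2}")

def translate(hexsig):
    """Return (readable text, compiled bytes regex) for a hex signature body."""
    text, rx, pos = [], [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if not m:  # nibble wildcards, alternates etc. are out of scope here
            raise ValueError(f"unsupported token at {pos}: {hexsig[pos:pos + 8]!r}")
        tok, lo, hi = m.group(0), m.group(1), m.group(2)
        if tok == "*":
            rx.append(b".*")
        elif tok == "??":
            rx.append(b".")
        elif tok[0] == "{":
            # {n} is an exact gap; {n-m}, {-m}, {n-} are bounded or open ranges
            rx.append(b".{%s}" % (lo if hi is None else f"{lo or 0},{hi}").encode())
        else:
            byte = bytes.fromhex(tok)
            rx.append(re.escape(byte))
            # show printable ASCII as-is, everything else as \xNN
            tok = chr(byte[0]) if 32 <= byte[0] < 127 else f"\\x{tok}"
        text.append(tok)
        pos = m.end()
    return "".join(text), re.compile(b"".join(rx), re.DOTALL)

def explain(sig_line, body):
    """Return (signature name, readable pattern, matched bytes or None)."""
    name, _target, _offset, hexsig = sig_line.strip().split(":")[:4]
    readable, rx = translate(hexsig)
    hit = rx.search(body)
    return name, readable, hit.group(0) if hit else None

if __name__ == "__main__":
    name, readable, hit = explain(SAMPLE_SIG, SAMPLE_BODY)
    print(f"{name}\n  decodes to: {readable}\n  hits on:    {hit!r}")
```

For a real signature line, ClamAV's own `sigtool --decode-sigs` performs the decoding step.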