Mailing List Archive: ClamAV: devel

Worm.SomeFool.D not detected in a message



fxlist at noos

Mar 3, 2004, 6:17 AM

Post #1 of 7 (1032 views)
Worm.SomeFool.D not detected in a message

Hi,
I use clamav v0.67 and have a problem with this mail:
http://fxbois.free.fr/virus/virus.html

When I scan the mail (clamdscan --mbox mail.msg) clamdscan detects nothing.

When I extract the file your_text.pif and I scan it, clamdscan detects the
worm :
( your_text.pif: Worm.SomeFool.D FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.004 sec (0 m 0 s) )

Is there any way to have it work?
I use clamav on a mail server and this kind of message is quite usual.

thanks in advance


ps : the mail option is setup in the config file
ps2 : I have a redhat advanced server 3 and use your RPMs



fx


trog at uncon

Mar 3, 2004, 6:27 AM

Post #2 of 7 (1022 views)
Re: Worm.SomeFool.D not detected in a message [In reply to]

On Wed, 2004-03-03 at 14:03, fx wrote:
> Hi,
> I use clamav v0.67 and a problem with this mail :
> http://fxbois.free.fr/virus/virus.html
>
> When I scan the mail (clamdscan --mbox mail.msg) clamdscan detects nothing.
>

clamdscan doesn't take --mbox as a command line option. Scanning of mail
messages is configured in the clamav.conf configuration file.

Configure your clam installation appropriately and it'll work.

-trog
Attachments: signature.asc (0.18 KB)


fxlist at noos

Mar 3, 2004, 6:51 AM

Post #3 of 7 (1023 views)
Re: Worm.SomeFool.D not detected in a message [In reply to]

Hi Trog,
I have the ScanMail option in clamav.conf

Moreover when I try
clamscan --mbox mail.msg

I have this :
mail.msg: OK
----------- SCAN SUMMARY -----------
Known viruses: 20366
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.563 sec (0 m 0 s)

... perhaps clamscan doesn't manage to extract the file (it is encoded in
base64)

have you tried to scan this file :
http://fxbois.free.fr/virus/virus.html ?


trog at uncon

Mar 3, 2004, 7:03 AM

Post #4 of 7 (1027 views)
Re: Worm.SomeFool.D not detected in a message [In reply to]

On Wed, 2004-03-03 at 14:37, fx wrote:
>
> have you tried to scan this file :
> http://fxbois.free.fr/virus/virus.html ?

Yes...
$ clamdscan virus.html
/tmp/virus.html: Worm.SomeFool.D FOUND

$ clamscan --mbox virus.html
virus.html: Worm.SomeFool.D FOUND

you probably need to upgrade your version of clamav to the latest CVS
snapshot.

-trog
Attachments: signature.asc (0.18 KB)


ng at qogo

Mar 22, 2004, 6:01 PM

Post #5 of 7 (1023 views)
Re: Worm.SomeFool.D not detected in a message [In reply to]

In article <1078325332.713.22.camel [at] synta>, trog [at] uncon says...
> On Wed, 2004-03-03 at 14:37, fx wrote:
> >
> > have you tried to scan this file :
> > http://fxbois.free.fr/virus/virus.html ?
>
> Yes...
> $ clamdscan virus.html
> /tmp/virus.html: Worm.SomeFool.D FOUND
>
> $ clamscan --mbox virus.html
> virus.html: Worm.SomeFool.D FOUND
>
> you probably need to upgrade your version of clamav to the latest CVS
> snapshot.
>
> -trog

I'm new to clamav, so please forgive me if I say something stupid here
-- and yes, I've googled and trolled these newsgroups looking for
answers like a good netizen.

I pulled down the above URL to a local file and ran it, as is, through
both clamscan and clamdscan. Regardless of whether I specified --mbox or
turned ScanMail on in the clamav.conf file, the worm was not detected. I
tried this on 0.68, 0.70-rc and on the 20040322 snapshot.

The file at that URL is not a complete email message as it does not
contain the envelope "From " header. Once I added that, both scanners
identified a worm, but not the same variant that you have listed above.
I found Worm.SomeFool.Gen-1 but I'm assuming that is probably a
reclassification of the worm in the signatures since your message was
posted.

Did you add the envelope to the file before scanning it or am I missing
something blindingly obvious here and need to smack myself in the head?

The SMTP daemon that I have been looking into (qpsmtpd) creates temp
files for the incoming messages that also do not contain the envelope,
and are also not being marked as infected.

Thanks for any help you may offer up,
Burt
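The two workarounds this thread turns on, written out as an added example (not code from the thread's participants or from the ClamAV project): Burt's observation above that a spooled message without the envelope "From " line is not treated as mail, and fx's manual step in the first post of pulling your_text.pif out of the base64 body and scanning it alone. The script below prepends a synthetic envelope line, ">"-quotes any body line that begins with "From " so an mbox parser does not split the message there, and decodes each named attachment to its own file. The names to_mbox, extract_attachments and the constructed SAMPLE_MESSAGE are this example's own, the attachment payload is benign text rather than the worm, and whether a given ClamAV release requires the envelope line is taken from the thread as an assumption, not checked here. It only prints the clamscan commands to run afterwards.

```python
"""Prepare a spooled message for ClamAV's mail scanner.

Added example; not ClamAV project code. Assumes, as the thread describes,
that the mail scanner wants an mbox-style file beginning with a "From "
envelope line, while an SMTP daemon spools the bare RFC 822 message
without it. to_mbox, extract_attachments and SAMPLE_MESSAGE are names
invented for this example.
"""
import base64
import email
import os
import sys
import tempfile
import time
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample: multipart message with a base64 attachment, as a
# spooled copy (no envelope line) would look. The payload is benign text.
_PAYLOAD = b"harmless placeholder payload\n"
SAMPLE_MESSAGE = (
    "From: someone@example.net\n"
    "To: victim@example.org\n"
    "Subject: Hi\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n'
    "\n"
    "--XX\n"
    "Content-Type: text/plain\n"
    "\n"
    "From the desk of someone: see attached.\n"
    "--XX\n"
    'Content-Type: application/octet-stream; name="your_text.pif"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="your_text.pif"\n'
    "\n"
    + base64.b64encode(_PAYLOAD).decode() + "\n"
    "--XX--\n"
).encode()


def has_envelope(raw: bytes) -> bool:
    """True if the data already begins with an mbox "From " envelope line."""
    return raw.startswith(b"From ")


def to_mbox(raw: bytes, when: Optional[float] = None) -> bytes:
    """Return raw as a one-message mbox.

    Prepends "From <sender> <asctime>" when missing and ">"-quotes body
    lines beginning with "From " so they are not read as a new message.
    Header lines ("From:") do not start with "From " and are untouched.
    """
    if has_envelope(raw):
        return raw
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1] or "MAILER-DAEMON"
    stamp = time.asctime(time.gmtime(time.time() if when is None else when))
    body = raw.replace(b"\r\n", b"\n")
    lines = [b">" + ln if ln.startswith(b"From ") else ln
             for ln in body.split(b"\n")]
    return f"From {sender} {stamp}\n".encode() + b"\n".join(lines)


def extract_attachments(raw: bytes) -> dict:
    """Decode every named part (base64 or otherwise) keyed by filename,
    so each can be scanned on its own, as fx did with your_text.pif."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        # basename() keeps a crafted "../" filename inside the output dir.
        found[os.path.basename(name)] = part.get_payload(decode=True)
    return found


def main(path: Optional[str] = None) -> None:
    raw = open(path, "rb").read() if path else SAMPLE_MESSAGE
    outdir = tempfile.mkdtemp(prefix="clamprep-")
    mbox_path = os.path.join(outdir, "message.mbox")
    with open(mbox_path, "wb") as fh:
        fh.write(to_mbox(raw))
    for name, data in extract_attachments(raw).items():
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(data)
    # Hand-off to ClamAV (not run here): --mbox for the whole message, the
    # bare files for per-attachment checks. clamdscan takes no --mbox flag;
    # it follows the ScanMail setting in clamav.conf.
    print(f"clamscan --mbox {mbox_path}")
    print(f"clamscan {outdir}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a spooled message path as the argument (or with no argument to use the constructed sample) and then run the two printed clamscan lines; scanning the whole mbox and the extracted files separately shows which of the two stages, message parsing or signature matching, is the one that fails.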


trog at uncon

Mar 23, 2004, 1:07 AM

Post #6 of 7 (1038 views)
Re: Re: Worm.SomeFool.D not detected in a message [In reply to]

On Tue, 2004-03-23 at 01:45, Burt wrote:
> In article <1078325332.713.22.camel [at] synta>, trog [at] uncon says...
> > On Wed, 2004-03-03 at 14:37, fx wrote:
> > >
> > > have you tried to scan this file :
> > > http://fxbois.free.fr/virus/virus.html ?
> >
> > Yes...
> > $ clamdscan virus.html
> > /tmp/virus.html: Worm.SomeFool.D FOUND
> >
> > $ clamscan --mbox virus.html
> > virus.html: Worm.SomeFool.D FOUND
> >
> > you probably need to upgrade your version of clamav to the latest CVS
> > snapshot.

> I pulled down the above URL to a local file and ran it, as is, through
> both clamscan and clamdscan. Regardless of whether I specified --mbox or
> turned ScanMail on in the clamav.conf file, the worm was not detected. I
> tried this on 0.68, 0.70-rc and on the 20040322 snapshot.

You did, of course, remove the HTML code that the web server added to
the file before scanning it.

-trog
Attachments: signature.asc (0.18 KB)


ng at qogo

Mar 23, 2004, 10:11 AM

Post #7 of 7 (1027 views)
Re: Re: Worm.SomeFool.D not detected in a message [In reply to]

In article <1080032793.26687.4.camel [at] synta>, trog [at] uncon says...
> On Tue, 2004-03-23 at 01:45, Burt wrote:
> > In article <1078325332.713.22.camel [at] synta>, trog [at] uncon says...
> > > On Wed, 2004-03-03 at 14:37, fx wrote:
> > > >
> > > > have you tried to scan this file :
> > > > http://fxbois.free.fr/virus/virus.html ?
> > >
> > > Yes...
> > > $ clamdscan virus.html
> > > /tmp/virus.html: Worm.SomeFool.D FOUND
> > >
> > > $ clamscan --mbox virus.html
> > > virus.html: Worm.SomeFool.D FOUND
> > >
> > > you probably need to upgrade your version of clamav to the latest CVS
> > > snapshot.
>
> > I pulled down the above URL to a local file and ran it, as is, through
> > both clamscan and clamdscan. Regardless of whether I specified --mbox or
> > turned ScanMail on in the clamav.conf file, the worm was not detected. I
> > tried this on 0.68, 0.70-rc and on the 20040322 snapshot.
>
> You did, of course, remove the HTML code that the web server added to
> the file before scanning it.
>
> -trog

Yes, sir, I did.
