Mailing List Archive: ClamAV: users

FOO.EXE



dee at akwireless

Aug 16, 2003, 9:12 AM

Post #1 of 8 (528 views)
FOO.EXE

Here I am looking at the manual.
Using my clamav tools I find:

----------- SCAN SUMMARY -----------
Known viruses: 9317
Scanned directories: 1
Scanned files: 33
Infected files: 0
Data scanned: 27.98 Mb
I/O buffer size: 131072 bytes
Time: 14.597 sec (0 m 14 s)
webmail:/home/dee# clamscan viri
viri/message.zip: Trojan.Dropper.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9317
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.02 Mb
I/O buffer size: 131072 bytes
Time: 0.360 sec (0 m 0 s)

Following the Signature Tool section 3.5

sigtool -c "clamscan --stdout" -f message.zip -s "message"
Not detected at 3900, moving backward.
Not detected at 1950, moving backward.
Not detected at 975, moving backward.
Not detected at 487, moving backward.
Not detected at 243, moving backward.
Not detected at 121, moving backward.
Not detected at 60, moving backward.
Not detected at 29, moving backward.
Not detected at 13, moving backward.
Not detected at 5, moving backward.
Not detected at 1, moving backward.
Not detected at 0, moving backward.
Not detected at 0, moving backward.
Starting precise loop
Segmentation fault

This made it past our version of clamav? clamscan / ClamAV version 0.60

Dee


Antony at Soft-Solutions

Aug 16, 2003, 9:42 AM

Post #2 of 8 (529 views)
Re: FOO.EXE [In reply to]

On Saturday 16 August 2003 4:57 pm, W.D. McKinney wrote:

> Here I am looking at the manual.
> Using my clamav tools I find:
>
> webmail:/home/dee# clamscan viri
> viri/message.zip: Trojan.Dropper.C FOUND

Yup - that's the one I thought it would be :)

It's been detected by ClamAV since 1st August.

> This made it past our version of clamav? clamscan / ClamAV version 0.60

I don't understand. You said it just got detected and identified by your
version of ClamAV...

Does whatever mail scanning system you use check .zip files for viruses?
Did it correctly pass this one to ClamAV for checking when it came through?

Antony.

--

Anyone that's normal doesn't really achieve much.

- Mark Blair, Australian rocket engineer


dee at akwireless

Aug 16, 2003, 9:58 AM

Post #3 of 8 (522 views)
Re: FOO.EXE [In reply to]

Hi,

One of our customers we host e-mail for sent it to me from down in AU, and it
was from admin [at] thecustomerdomain as it made it to her from our
server. (Like you said :-)

This is the first instance of a known virus making it through our system
that I know of.

Thanks

We run qmail/qmail-scanner/SA/clamav and it has worked excellently.
It may have been in a small window of time.

On Sat, 2003-08-16 at 08:41, Antony Stone wrote:
> On Saturday 16 August 2003 4:57 pm, W.D. McKinney wrote:
>
> > Here I am looking at the manual.
> > Using my clamav tools I find:
> >
> > webmail:/home/dee# clamscan viri
> > viri/message.zip: Trojan.Dropper.C FOUND
>
> Yup - that's the one I thought it would be :)
>
> It's been detected by ClamAV since 1st August.
>
> > This made it past our version of clamav? clamscan / ClamAV version 0.60
>
> I don't understand. You said it just got detected and identified by your
> version of ClamAV...
>
> Does whatever mail scanning system you use check .zip files for viruses?
> Did it correctly pass this one to ClamAV for checking when it came through?
>
> Antony.


Antony at Soft-Solutions

Aug 16, 2003, 10:34 AM

Post #4 of 8 (521 views)
Re: FOO.EXE [In reply to]

On Saturday 16 August 2003 5:58 pm, W.D. McKinney wrote:

> Hi,
>
> One of our customers we host e-mail sent it to me from down in AU and it
> was from admin [at] thecustomerdomain as it made it to her from our
> server.(Like you said :-)

When was the message sent (or, more accurately, when was it received &
scanned by your server)?

> We run qmail/qmail-scanner/SA/clamav and it has worked excellent.
> It may have been in a small window of time

This virus has been detected by ClamAV since 1st August. If the email was
processed on your server much after that I recommend you check your signature
updating system to ensure it (a) works and (b) tells you when there's a
problem (which there are from time to time).

Regards,

Antony.

--

This email was created using 100% recycled electrons.
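Antony's advice above is to make sure the signature updater actually works and tells you when it does not. As an added example (not code from this thread or from the ClamAV project), the Python below reads the 512-byte header of a .cvd database file and flags it when the build date is older than a chosen limit; the sample header is constructed, and the only assumption is the documented ClamAV-VDB header layout (colon-separated fields: magic, build time, version, signature count, and so on).

```python
"""Age check for a ClamAV .cvd database, read from its 512-byte header.

Added example, not ClamAV project code. Assumed layout (the documented
ClamAV-VDB header): colon-separated ASCII fields, magic "ClamAV-VDB",
build time "DD Mon YYYY HH-MM +ZZZZ", version, signature count, ...
"""
from datetime import datetime

HEADER_LEN = 512
DEFAULT_MAX_AGE = 2 * 86400  # seconds; daily.cvd normally updates far more often

def parse_cvd_header(raw: bytes) -> dict:
    """Return build time (epoch seconds), version and signature count."""
    text = raw[:HEADER_LEN].decode("ascii", "replace").rstrip("\0 \n")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 4:
        raise ValueError("not a ClamAV-VDB header")
    built = datetime.strptime(fields[1], "%d %b %Y %H-%M %z")
    return {
        "built": int(built.timestamp()),
        "version": int(fields[2]),
        "signatures": int(fields[3]),
    }

def database_age(raw: bytes, now_epoch: int) -> int:
    """Seconds between the database build time and now_epoch."""
    return now_epoch - parse_cvd_header(raw)["built"]

def is_stale(raw: bytes, now_epoch: int, max_age: int = DEFAULT_MAX_AGE) -> bool:
    """True when the database is older than max_age: the updater needs attention."""
    return database_age(raw, now_epoch) > max_age

# Constructed sample header; the values are made up, not a real release.
SAMPLE_HEADER = (
    b"ClamAV-VDB:01 Aug 2003 12-00 +0000:123:9317:1:"
    b"0123456789abcdef0123456789abcdef:dsig-placeholder:builder:1059739200"
).ljust(HEADER_LEN, b"\0")

if __name__ == "__main__":
    import sys, time
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /var/lib/clamav/daily.cvd
    raw = open(path, "rb").read(HEADER_LEN) if path else SAMPLE_HEADER
    now = int(time.time())
    info = parse_cvd_header(raw)
    print(f"version {info['version']}, {info['signatures']} signatures, "
          f"age {database_age(raw, now) // 3600} hours")
    if is_stale(raw, now):
        print("WARNING: signature database is stale; check the updater", file=sys.stderr)
```

Run it from cron against the real daily.cvd and route the warning to a mailbox someone reads, so a silently broken update job surfaces before the next missed sample does.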


tk at lodz

Aug 16, 2003, 11:31 AM

Post #5 of 8 (522 views)
Re: FOO.EXE [In reply to]

On 16 Aug 2003 07:57:50 -0800
"W.D. McKinney" <dee [at] akwireless> wrote:

> sigtool -c "clamscan --stdout" -f message.zip -s "message"

> Not detected at 5, moving backward.
> Not detected at 1, moving backward.
> Not detected at 0, moving backward.
> Not detected at 0, moving backward.
> Starting precise loop
> Segmentation fault
>
> This made it past our version of clamav? clamscan / ClamAV version
> 0.60

Sigtool has _nothing_ to do with virus catching. Something must be wrong in your
setup.

Best regards,
Tomasz Kojm
--
oo ..... zolw [at] konarski
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ And don't forget to click on the tummy...
//\ /\\ <- C. Amboinensis www.pajacyk.pl


kevins at bmrb

Aug 16, 2003, 12:46 PM

Post #6 of 8 (522 views)
Re: FOO.EXE [In reply to]

> sigtool -c "clamscan --stdout" -f message.zip -s "message"

Someone correct me if I'm wrong but I'm pretty sure you can't use
sigtool to extract the virus signature from a zip (no matter what
scanner you use). The zip itself is not infected, you need to unzip the
file and extract the signature from the infected file within. Quite why
you're trying to do this however I can't see, as you've already proven
that clamscan can detect the infection.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000


tk at mat

Aug 16, 2003, 1:20 PM

Post #7 of 8 (527 views)
Re: FOO.EXE [In reply to]

On 16 Aug 2003 20:26:44 +0100
Kevin Spicer <kevins [at] bmrb> wrote:

> > sigtool -c "clamscan --stdout" -f message.zip -s "message"
>
> Someone correct me if I'm wrong but I'm pretty sure you can't use
> sigtool to extract the virus signature from a zip (no matter what

You're completely right.

Best regards,
Tomasz Kojm
--
oo ..... zolw [at] konarski
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ And don't forget to click on the tummy...
//\ /\\ <- C. Amboinensis www.pajacyk.pl


Antony at Soft-Solutions

Aug 16, 2003, 1:21 PM

Post #8 of 8 (522 views)
Re: FOO.EXE [In reply to]

On Saturday 16 August 2003 8:26 pm, Kevin Spicer wrote:

> > sigtool -c "clamscan --stdout" -f message.zip -s "message"
>
> Someone correct me if I'm wrong but I'm pretty sure you can't use
> sigtool to extract the virus signature from a zip (no matter what
> scanner you use). The zip itself is not infected, you need to unzip the
> file and extract the signature from the infected file within.

I assume the original poster suspected it was a virus which just happened to
have a .zip extension - not realising that it really is a genuine zip file,
with an infected .html inside.

> Quite why you're trying to do this however I can't see, as you've already
> proven that clamscan can detect the infection.

Indeed.

Antony.

--

I vote "no" to this proposal to form a committee to investigate whether we
should or should not hold a ballot on whether to vote yet.
