Ok... it's a message that contains a message that contains a .pif file The first message is not recognized (as I said) The extracted message is not recognized as a virus The extracted virused .pif file *is* recognized
notice that it's a .pif file, and not a .scr, my mistake, the .scr was in another message acting the same way. Below is the beginning of this mail message, if that helps : ---------------------------------cut here------------------------ Message-ID: <[EMAIL PROTECTED]> From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Hello Date: Mon, 3 May 2004 10:42:47 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) X-MS-Embedded-Report: Content-Type: multipart/mixed; boundary="----_=_NextPart_002_01C430EA.F0843650" ------_=_NextPart_002_01C430EA.F0843650 Content-Type: text/plain; charset="windows-1252" Your file is attached. ------_=_NextPart_002_01C430EA.F0843650 Content-Type: application/octet-stream; name="your_picture.pif" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="your_picture.pif" -------------------virus and EOM removed, for everybody's sake--------------------- ----- Original Message ----- From: "Antony Stone" <[EMAIL PROTECTED]> Newsgroups: gmane.comp.security.virus.clamav.user Sent: Wednesday, May 05, 2004 4:17 PM Subject: Re: Worm/virus not recognized locally > On Wednesday 05 May 2004 3:09 pm, Flynn wrote: > > > Hi everyone ... > > > > I have a file, which I suppose is infected with W32/[EMAIL PROTECTED], if I trust > > some other AV. > > If I submit it to the clam on-line scan server, it finds it as > > "Worm.SomeFool.Gen-1" > > > > but... clamscan does not find it. > > > > Inside the file there is some .scr attachement, > > If you extract this attachment to a file on its own (without any email headers > or Mime encoding etc) does clamscan identify it then? > > Regards, > > Antony > > -- > All matter in the Universe can be placed into one of two categories: > > 1. Things which need to be fixed. > 2. Things which need to be fixed once you've had a few minutes to play with > them. > > Please reply to the list; > please don't CC me. > > > > ------------------------------------------------------- > This SF.Net email is sponsored by: Oracle 10g > Get certified on the hottest thing ever to hit the market... Oracle 10g. > Take an Oracle 10g class now, and we'll give you the exam FREE. > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click > _______________________________________________ > Clamav-users mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/clamav-users > ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
