On Tue, 2004-07-20 at 13:31, henry j. mason wrote:
> greetings clamav.users;
>
> i use clamav 0.70-4 on debian 3.0 stable/testing, with
> amavisd-new-20030616. one of my customers has been complaining
> of receiving what they claim are Worm.Bagle.AG emails, but
> when they forward them to me, they contain nothing but an
> image file with a number in it (the 'zip password', apparently)
> and an *empty* unencrypted zip file.

Yup. My boss got a couple of them, then I got one. It contains the following:

----------eugcyhgbudjduewlztxz
Content-Type: application/octet-stream; name="Doll.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Doll.zip"

----------eugcyhgbudjduewlztxz--

clearly not a threat from a zero-length file.

> clamav has been catching lots of Worm.Bagle.AG, ever since it
> has appeared on the scene,

I've only caught a hundred or so; I've captured about 500 Bagle.AF.2's, though, in the past 24 hours.

> and this is the first real report
> i have of anything slipping by it. of course, since the zip
> files in all cases so far have been actually empty, this does
> not represent a serious threat, just an annoyance. indeed, i'm
> not sure how clamav can be expected to block something that
> does not in fact contain a virus :>

But it looks like a virus, and people get perturbed. That was the issue with the SCO.A-DAM worm, but this is much harder to discern, as there is nothing that can be pulled out as a signature.

I think, in amavis-new-20040701, you can block on combinations of attachments, so you could ban .bmp files that occur in the same e-mail as a .zip. But I only know that from glancing through the release notes, not any practical application or specific details. I am putting off playing with amavis-new-20040701 until spamassassin 3.0 is officially released.

>
> has anyone else encountered this? i can easily see a poorly
> written virus sending out botched copies of itself.

--
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
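
The two observations in the message above (a named zip part that decodes to zero bytes, and an image arriving together with a zip) can be checked structurally when there is no payload to match a signature against. The following is an added example, not part of the original message and not amavisd-new configuration or ClamAV logic; the function names, rule labels, addresses, boundary and the pass.bmp part are constructed for illustration.

```python
import email
from email import policy

# Constructed sample modelled on the MIME part quoted above: an image part
# plus a "Doll.zip" part that has headers but no body.
SAMPLE = """\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XBOUND"

--XBOUND
Content-Type: image/bmp; name="pass.bmp"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pass.bmp"

Qk0=
--XBOUND
Content-Type: application/octet-stream; name="Doll.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Doll.zip"

--XBOUND--
"""

ARCHIVE_EXT = (".zip",)
IMAGE_EXT = (".bmp", ".gif", ".jpg", ".jpeg", ".png")

def attachments(msg):
    """Yield (lowercased filename, decoded size) for each named leaf part."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        yield name.lower(), len(data)

def classify(raw):
    """Return a list of (rule, filenames) findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = list(attachments(msg))
    findings = []
    empty = [n for n, size in found if n.endswith(ARCHIVE_EXT) and size == 0]
    if empty:  # nothing to scan: the archive carries no bytes at all
        findings.append(("empty-archive", empty))
    has_img = any(n.endswith(IMAGE_EXT) for n, _ in found)
    has_zip = any(n.endswith(ARCHIVE_EXT) for n, _ in found)
    if has_img and has_zip:  # the image-plus-zip combination from the reply
        findings.append(("image-plus-archive", sorted(n for n, _ in found)))
    return findings
```

The empty-archive finding separates the botched copies described in the thread from messages whose zip still has content and needs a real scan.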