Quoting Simon <[EMAIL PROTECTED]>:

Didi Rieder <[EMAIL PROTECTED]> wrote:
the virus Worm.Mytob.A is not recognized by clamav 0.83 on Sparc
Solaris 9.

[EMAIL PROTECTED] root]# clamscan --version
ClamAV 0.83/837/Sun Apr 17 17:25:32 2005

[EMAIL PROTECTED] root]# clamscan /tmp/ENTIRE_MESSAGE
/tmp/ENTIRE_MESSAGE: OK

Have you tried using --debug to see exactly what the scanner is doing with the message? It might help us work out what the problem is :o).

My first thought would be some problem parsing the email on the Solaris box?


[EMAIL PROTECTED] tmp]# clamscan --debug /tmp/ENTIRE_MESSAGE
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.ndb
LibClamAV debug: Loading databases from /var/tmp//clamav-f1dceb776c66d3a7
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.ndb
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 3dcf82e5f59335aa39fe040394125e52
LibClamAV debug: Decoded signature: 3dcf82e5f59335aa39fe040394125e52
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.db
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.zmd
LibClamAV debug: Loading databases from /var/tmp//clamav-1f063121404bea29
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.db
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.hdb
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.ndb
LibClamAV debug: Recognized Exim mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'From: [EMAIL PROTECTED]'
contMarker 0
LibClamAV debug: parseEmailFile: check 'To: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Subject: hello' contMarker 0
LibClamAV debug: parseEmailFile: check 'Date: Sun, 17 Apr 2005 20:53:20
+0200' contMarker 0
LibClamAV debug: parseEmailFile: check 'MIME-Version: 1.0' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed;'
contMarker 0
LibClamAV debug: parseEmailFile: check '
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"' contMarker 1
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg='
multipart/mixed;
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = '
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: Add arguments '
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: parseEmailFile: check 'X-Priority: 3' contMarker 0
LibClamAV debug: parseEmailFile: check 'X-MSMail-Priority: Normal'
contMarker 0
LibClamAV debug: parseEmailFile: check 'X-Scanned-By:
milter-sender/0.62.837 (mail [129.27.3.25]); Sun, 17 Apr 2005 20:53:53
+0200' contMarker 0
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 5
LibClamAV debug: Content-type 'multipart' handler
LibClamAV debug: boundaryStart: found
----=_NextPart_000_0010_EC66F712.4DE7C66F in
------=_NextPart_000_0010_EC66F712.4DE7C66F
LibClamAV debug: Now read in part 0
LibClamAV debug: Multipart 0: About to parse folded header
'Content-Type: text/plain;   charset="Windows-1252"'
LibClamAV debug: parseEmailHeader 'Content-Type: text/plain;
charset="Windows-1252"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/plain;
charset="Windows-1252"'
LibClamAV debug: messageSetMimeType: 'text'
LibClamAV debug: mimeArgs = '   charset="Windows-1252"'
LibClamAV debug: Add arguments '        charset="Windows-1252"'
LibClamAV debug: Discarding unwanted argument 'charset'
LibClamAV debug: Multipart 0: About to parse folded header
'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: Multipart 0: End of header information
LibClamAV debug: rfc822comments: contains a comment
LibClamAV debug: boundaryStart: found
----=_NextPart_000_0010_EC66F712.4DE7C66F in
------=_NextPart_000_0010_EC66F712.4DE7C66F
LibClamAV debug: Part 0 has 33 lines
LibClamAV debug: Now read in part 1
LibClamAV debug: Multipart 1: About to parse folded header
'Content-Type: application/octet-stream;     name="text.pif"'
LibClamAV debug: parseEmailHeader 'Content-Type:
application/octet-stream;      name="text.pif"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg='
application/octet-stream;   name="text.pif"'
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: mimeArgs = '   name="text.pif"'
LibClamAV debug: Add arguments '        name="text.pif"'
LibClamAV debug: Multipart 1: About to parse folded header
'Content-Transfer-Encoding: base64'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding',
arg=' base64'
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 1 is "base64"
LibClamAV debug: Multipart 1: About to parse folded header
'Content-Disposition: attachment;    filename="text.pif"'
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment;
filename="text.pif"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg='
attachment;  filename="text.pif"'
LibClamAV debug: Multipart 1: End of header information
LibClamAV debug: Part 1 has 735 lines
LibClamAV debug: Now read in part 2
LibClamAV debug: Empty part
LibClamAV debug: The message has 2 parts
LibClamAV debug: Find out the multipart type (mixed)
LibClamAV debug: Mixed message with 2 parts
LibClamAV debug: Mixed message part 0 is of type 6
LibClamAV debug: Mixed message text part disposition ""
LibClamAV debug: Mime subtype "plain"
LibClamAV debug: Adding part to main message
LibClamAV debug: Adding to non mime-part
LibClamAV debug: Mixed message part 1 is of type 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 2
LibClamAV debug: blobSetFilename: text.pif
LibClamAV debug: fileblobSetFilename:
mkstemp(/var/tmp//clamav-c52ddbc60e7c7ad9/text.pifXXXXXX)
LibClamAV debug: Saving attachment as
/var/tmp//clamav-c52ddbc60e7c7ad9/text.pifw5aGA1
LibClamAV debug: Exported 41823 bytes using enctype 2
LibClamAV debug: 2 trailing bytes to export
LibClamAV debug: base64chars = 2 (@ @ @)
LibClamAV debug: Save non mime and/or text/plain part
LibClamAV debug: blobSetFilename: textpart
LibClamAV debug: fileblobSetFilename:
mkstemp(/var/tmp//clamav-c52ddbc60e7c7ad9/textpartXXXXXX)
LibClamAV debug: Saving attachment as
/var/tmp//clamav-c52ddbc60e7c7ad9/textpartx5aGA1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Calculated MD5 checksum: f09bc90992e53eebb97ba8dd3dff6037
LibClamAV debug: e_lfanew == 12
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 2
LibClamAV debug: TimeDateStamp: Fri Sep 11 03:35:02 1987
LibClamAV debug: SizeOfOptionalHeader: 224
LibClamAV debug: MajorLinkerVersion: 0
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 61440
LibClamAV debug: SizeOfInitializedData: 24576
LibClamAV debug: SizeOfUninitializedData: 0
LibClamAV debug: AddressOfEntryPoint: 0x20063
LibClamAV debug: SectionAlignment: 4096
LibClamAV debug: FileAlignment: 4096
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 135168
LibClamAV debug: SizeOfHeaders: 512
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name:
LibClamAV debug: VirtualSize: 86016
LibClamAV debug: VirtualAddress: 0x1000
LibClamAV debug: SizeOfRawData: 0
LibClamAV debug: PointerToRawData: 0x0 (0)
LibClamAV debug: Section contains executable code
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name:
LibClamAV debug: VirtualSize: 45056
LibClamAV debug: VirtualAddress: 0x16000
LibClamAV debug: SizeOfRawData: 41308
LibClamAV debug: PointerToRawData: 0x200 (512)
LibClamAV debug: Section contains executable code
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0xa263 (41571)
LibClamAV debug: UPX/FSG: empty section found - assuming compression
LibClamAV debug: FSG: Source buffer out of section bounds
LibClamAV debug: UPX: Section 0 name:
LibClamAV debug: UPX: Section 1 name:
LibClamAV debug: UPX: Possibly hacked UPX section headers
LibClamAV debug: UPX: NRV2B decompressor failed
LibClamAV debug: UPX: NRV2D decompressor failed
LibClamAV debug: UPX: NRV2E decompressor failed
LibClamAV debug: UPX: All decompressors failed
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: Mydoom: key: 3020594983
LibClamAV debug: Mydoom: check: 2043342637
LibClamAV debug: Calculated MD5 checksum: 7debf154e6d9d9d6254e56c850e8be4a
LibClamAV debug: Calculated MD5 checksum: 8c4a8873a9a08838882174571b732b83
/tmp/ENTIRE_MESSAGE: OK

----------- SCAN SUMMARY -----------
Known viruses: 33177
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
I/O buffer size: 131072 bytes
Time: 2.467 sec (0 m 2 s)

Didi

--
-------------------------
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-------------------------


_______________________________________________
http://lurker.clamav.net/list/clamav-users.html