Hi everybody,

I've received more than twenty profoundly viral mails since last night. They passed without being stopped, through our sendmail Clamav (ClamAV 0.84/875/Tue May 10 14:27:59 2005+clamav-milter 0.84e). However, if I save each of these viral mails in a separate mbox, "clamdscan" with the same definitions can suddenly detect "Worm.Bagz.D" in them.

It seems that clamav-milter cannot handle these mails correctly, and misses something while communicating (externally) with clamd.

I should mention that the mbox contains an attachment BASE64 encoded in long lines of 2048 bytes (!), a mangled date header and a crafted filename with lots of spaces, e.g. "help.doc .exe".

I cannot submit the viral mbox on www.clamav.net, because it says that "the virus is already detected". Is this a widespread problem?

--
Apostolis Papayanakis

p.s. Here follows a part of the mailbox that passes through our mail server, and is detected as "Worm.Bagz.D" by clamdscan:
(">" is added at the start of each line to avoid being detected as "broken executable" by clamd)

-------------------------------------------------------------------------------------------
>From [EMAIL PROTECTED] Wed May 11 03:02:23 2005
>Received: from 127.0.0.1 ([211.191.198.7])
> by olympos.ccf.auth.gr (8.13.3/8.13.3) with ESMTP id j4B02EsG013745
> for [EMAIL PROTECTED]; Wed, 11 May 2005 03:02:15 +0300 (EEST)
>Message-Id: <[EMAIL PROTECTED]>
>SUBJECT: text
>FROM: [EMAIL PROTECTED]
>TO: [EMAIL PROTECTED]
>DATE: [[ Όφ, 11 5 2005 Ώΐΐό 9:02:24 ]]
>MIME-Version: 1.0
>Content-Type: multipart/mixed; boundary="--------bound--"
>X-Virus-Scanned: ClamAV version 0.84, clamav-milter version 0.84e on
>antivirus1.ccf.auth.gr
>X-Virus-Status: Clean
>X-Spam-Checker-Version: SpamAssassin 3.0.2-gr1 (2004-11-16) on
> helios.ccf.auth.gr
>X-Spam-Level: *****
>X-Spam-Status: No, score=5.7 required=7.0 tests=BAYES_50,FORGED_HOTMAIL_RCVD2,
> HEAD_ILLEGAL_CHARS,INVALID_DATE,MSGID_FROM_MTA_ID,NO_REAL_NAME,
> RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.2-gr1
>Status: R
>Content-Length: 207546
>X-Keywords:
>
>----------bound--
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>Hello,
>What version of windows you are using?
>This last document I received from you came out weird.
>Please see the attached word file and resend the file to me.
>Many thanks,
>User
>
>----------bound--
>Content-Type: application/x-msdownload; name="help.doc
> .exe"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment; filename="help.doc
> .exe"
>
>...
>... (approx 100 long encoded lines skipped)
>...
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
>----------bound--
>
>----------bound----
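
The three structural traits described in the message above (an unparseable Date header, a filename padded with whitespace before an executable extension, and base64 lines longer than the 76 characters RFC 2045 allows) can be checked independently of the scanner. This is an added example, not part of the original post and not ClamAV code; the function names, labels, extension list and sample message are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parsedate_to_datetime

MAX_B64_LINE = 76  # RFC 2045 limit for one encoded line
# document-style extension, padding whitespace, then an executable extension
PADDED_EXT = re.compile(r"\.\w{1,5}\s+\.(exe|scr|pif|com|bat|cmd)$", re.I)

def date_is_valid(value):
    # True only if the Date header parses as an RFC 5322 date
    try:
        return value is not None and parsedate_to_datetime(str(value)) is not None
    except (TypeError, ValueError):
        return False

def structural_anomalies(raw_message):
    # Return labels for the malformed-structure traits found in one message
    msg = email.message_from_string(raw_message)
    findings = []
    if not date_is_valid(msg["Date"]):
        findings.append("invalid-date")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and PADDED_EXT.search(name):
            findings.append("padded-double-extension")
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte == "base64":
            longest = max((len(l) for l in part.get_payload().splitlines()), default=0)
            if longest > MAX_B64_LINE:
                findings.append("base64-line-%d" % longest)
    return findings

# Constructed sample: harmless payload ("AAA" repeated), hypothetical boundary.
SAMPLE = (
    "Date: [[ xx, 11 5 2005 yy 9:02:24 ]]\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please see the attached file.\n"
    "--b1\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="help.doc      .exe"\n'
    "\n"
    + "QUFB" * 512 + "\n"
    "--b1--\n"
)
```

Messages that carry an "X-Virus-Status: Clean" header and still return findings here are candidates for a second pass with clamdscan on the saved file.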