Hi there

The new W32/Nyxem-D virus seems to escape clamav fairly well.

It comes in as a .HQX or .MIM attachment - which is base64 encoded.
However, the resultant HQX/MIM file is actually a UUENCODED file (that
WinXP at least auto-supports).

I uudecoded it and wrote my own signature for the resulting executable 
using "sigtool --md5" (you have to do it against the exe - it's always
the same size, whereas the uuencoded files have different sizes based on
what random filename they chose when generated). After that ClamAV
detects the virus in the executable just fine - but can't catch it
within either the uuencoded attachment, or the raw email itself.

"clamscan --verbose --debug file.eml" shows it loading the homemade
signature, but shows no reference to uudecoding.

I have just uploaded it via the submission form.

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
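
The layering described in the message above (base64 MIME attachment, uuencoded file inside it, fixed-size executable inside that) can be unwrapped by hand to produce the same `md5:size:name` line that "sigtool --md5" prints. This is an added example, not code from the original post or from the ClamAV project; the function names, the signature label and the sample payload are constructed for illustration.

```python
import binascii, email, hashlib
from email.message import EmailMessage

def uudecode(data: bytes):
    """Return (name, payload) if data holds a uuencoded file, else None."""
    lines = data.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.startswith(b"begin ") and len(l.split(None, 2)) == 3), None)
    if start is None:
        return None
    name = lines[start].split(None, 2)[2].decode("latin-1")
    out = bytearray()
    for line in lines[start + 1:]:
        if line.strip() == b"end":
            return name, bytes(out)
        if line.strip() not in (b"", b"`"):      # skip blank / zero-length lines
            out += binascii.a2b_uu(line)
    return None                                   # no "end" line: truncated

def hdb_signatures(raw_email: bytes, label: str):
    """One 'md5:size:name' line per uuencoded payload found in a MIME part."""
    sigs = []
    for part in email.message_from_bytes(raw_email).walk():
        body = part.get_payload(decode=True)      # undoes the base64 layer
        decoded = uudecode(body) if body else None
        if decoded:
            exe = decoded[1]
            sigs.append(f"{hashlib.md5(exe).hexdigest()}:{len(exe)}:{label}")
    return sigs

def make_sample(inner_name: str, payload: bytes) -> bytes:
    """Constructed test mail: payload -> uuencode -> base64 attachment."""
    uu = f"begin 644 {inner_name}\n".encode()
    uu += b"".join(binascii.b2a_uu(payload[i:i + 45])
                   for i in range(0, len(payload), 45))
    uu += b"`\nend\n"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(uu, maintype="application", subtype="octet-stream",
                       filename="sample.HQX")
    return msg.as_bytes()

PAYLOAD = b"constructed stand-in for the decoded executable\n" * 8  # not malware
if __name__ == "__main__":
    for inner in ("aaa.scr", "a-much-longer-random-name.scr"):
        raw = make_sample(inner, PAYLOAD)
        print(len(raw), hdb_signatures(raw, "Local.Sample.Placeholder"))
```

The two constructed mails differ in size because of the inner filename, yet both yield the same signature line, which is why the hash has to be taken over the decoded executable and only matches if the scanner performs the same unwrapping.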
