Re: [Clamav-users] eicar not detected

Mon, 21 May 2007 05:31:57 -0700 

Paul Bijnens wrote:
> On 2007-05-21 07:26, Benoit Schmid wrote:
>   
>> Good morning,
>>
>> When I run a clamscan on a folder containing emails with different viruses.
>> There is an eicar that is not detected.
>>
>> Would you know why?
>>     
>
> Because the file below is not a mail message.
>
>   
Good morning,

I agree with you, it is SUN Jes internal format.
But what suprises me is that all viruses (stored in this "email format"),
are found except eicar.

Would you know why?

# clamscan /tmp/ZZf0z36ec6DWt.00
/tmp/ZZf0z36ec6DWt.00: Worm.Mydoom.M FOUND

----------- SCAN SUMMARY -----------
Known viruses: 116987
Engine version: 0.90.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.11 MB
Time: 17.206 sec (0 m 17 s)
# cat /tmp/ZZf0z36ec6DWt.00t;1179750052
p;3
u;FILTER_DISCARD
c;conversion
s;conversion-daemon.tango.unige.ch
i;[EMAIL PROTECTED]
h;<[EMAIL PROTECTED]>
m;[EMAIL PROTECTED]
d;20
*;36
j;rfc822
f;[EMAIL PROTECTED]
@mc.unige.ch:[EMAIL PROTECTED]
Boundary_(ID_qMsuYllGzYfxrDrkVxHyhA)
Received: from conversion-daemon.tango.unige.ch by tango.unige.ch
 (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007))
 id <[EMAIL PROTECTED]>
 (original mail from [EMAIL PROTECTED])
 for [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Mon,
 21 May 2007 14:20:52 +0200 (MEST)
Received: from mail1.mail.iol.ie ([193.120.142.151])
 by tango.unige.ch (Sun Java System Messaging Server 6.2-8.04 (built Feb 28
 2007)) with ESMTP id <[EMAIL PROTECTED]> for
 [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Mon,
 21 May 2007 14:20:45 +0200 (MEST)
Received: from [192.122.222.23] (helo=itineris.net)     by 
mail1.mail.iol.ie with
 esmtp (Exim 3.36 #9)   id 1Hq6s1-0006pg-00     for [EMAIL PROTECTED]; Mon,
 21 May 2007 13:20:40 +0100
Date: Mon, 21 May 2007 12:27:24 +0100
From: [EMAIL PROTECTED]
Subject: Returned mail: Data format error
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: multipart/mixed; 
boundary="Boundary_(ID_X4dvVC/34TIOFtYU0AuU9g)"
X-Priority: 3
X-MSMail-priority: Normal
X-Comment: This message was scanned against viruses by tango.unige.ch.

This is a multi-part message in MIME format.

--Boundary_(ID_X4dvVC/34TIOFtYU0AuU9g)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT

Dear user of cryst.unige.ch,

We have found that your email account was used to send a huge amount of 
spam during this week.
Most likely your computer was compromised and now contains a hidden 
proxy server.

Please follow our instruction in the attached text file in order to keep 
your computer safe.

Have a nice day,
The cryst.unige.ch team.


--Boundary_(ID_X4dvVC/34TIOFtYU0AuU9g)
Content-type: application/octet-stream; name=text.zip
Content-transfer-encoding: BASE64
Content-disposition: attachment; filename=text.zip

UEsDBAoAAAAAAGxbtTb/NGnvwHAAAMBwAAAIAAAAdGV4dC5zY3JNWpAAAwAAAAQA
...
AAAAAHRleHQuc2NyUEsFBgAAAAABAAEANgAAAOZwAAAAAA==

--Boundary_(ID_X4dvVC/34TIOFtYU0AuU9g)--
Boundary_(ID_qMsuYllGzYfxrDrkVxHyhA)


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Reply via email to