Hi,

>> $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs
>> VIRUS NAME: MBL_144360
>> TARGET TYPE: ANY FILE
>> OFFSET: *
>> DECODED SIGNATURE:
>> update.multivaccine.co.kr/setupa
>>
>> Is that the correct way? I looked at the email itself, and not only is
>> it from a trusted sender, but it doesn't contain that URL in the
>> message. Am I missing something?
>
> Does it contain attachments or base64 encoded parts?
>
> Run clamscan --leave-temps --debug and see exactly what triggers it.
That provided a lot of good information, but I didn't see anything that could have triggered it. These are the only pieces I think are relevant:

LibClamAV debug: Bytecode 0000898176.cbc(34) has logical signature: BC.Exploit.CVE_2011_0086.{Exploit-CVE_2011_0086};Engine:56-255,Target:1;(1|0);S2+16:6e642077696e646f773a202578202825;S0+256:4000e8ad03000083c4048b550852ff15
LibClamAV debug: Bytecode 0000905416.cbc(36) has logical signature: BC.Format.DEB-AR-1;Engine:56-255,Target:0;0;0:213c617263683e0a64656269616e2d62696e617279

The MBL_144360 is still present in the mbl database, but now it doesn't match.

There weren't any encoded parts in the email, so I don't think there were any attachments. Amavis is configured to not quarantine viruses, but it did quarantine the message to the spam quarantine. Is it possible it split the virus part off the message and only quarantined the non-virus component?

There were three messages sent by this sender, and all three were tagged. They were really quite simple messages (one even had a subject of "Test"). There is only text/plain and text/html content types, so no binary attachments.

Thanks,
Alex

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
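The thread turns on two things: what a decoded signature actually says (the hex subsignatures in the debug output above are just bytes, which is what `sigtool --decode-sigs` reveals), and whether a signature with OFFSET `*` can match a message that does not visibly contain the string. The following is an added example, not ClamAV's code or anything posted in this thread. It parses the two logical-signature lines quoted from the debug output plus an `.ndb`-style line rebuilt from the decoded MBL_144360 string (name, target `0` = any file, offset `*`, body = the URL hex-encoded; that reconstruction is an assumption), decodes the hex bodies the way `sigtool` does, and runs a minimal offline matcher over constructed sample inputs (a fabricated `.deb` ar header and two fabricated mails). It supports only plain hex bodies, the offsets `*`, `N` and `EOF-n`, and expressions built from subsignature indices, `&`, `|` and parentheses; wildcards, count comparisons and the PE-relative offsets `S2+16` / `S0+256` seen in the CVE signature raise `NotImplementedError` rather than guessing. The assumption that `&` binds tighter than `|` is a choice of this example, not a statement about libclamav's parser.

```python
"""Decode and evaluate ClamAV body signatures offline (added example, not ClamAV code).

Handles .ndb lines  (Name:Target:Offset:HexBody) and .ldb lines
(Name;TargetDescription;LogicalExpression;Subsig0;Subsig1;...).
Only plain hex bodies and the offsets '*', N and EOF-n are supported;
wildcards and PE/ELF relative offsets (EP+n, Sx+n, SEx, SL+n, VI) raise."""
import re

# Constructed sample signature, copied from the debug output in this thread.
DEB_SIG = "BC.Format.DEB-AR-1;Engine:56-255,Target:0;0;0:213c617263683e0a64656269616e2d62696e617279"
# Assumption: rebuilt from the decoded MBL_144360 output (any target, offset '*').
MBL_SIG = "MBL_144360:0:*:" + b"update.multivaccine.co.kr/setupa".hex()

# Constructed sample inputs (not real files or mails from the thread).
DEB_HEADER = b"!<arch>\ndebian-binary   1700000000  0     0     100644  4         `\n2.0\n"
PLAIN_MAIL = b"Subject: Test\n\nHello\n"
URL_MAIL = b"Subject: Test\n\nsee http://update.multivaccine.co.kr/setupa.exe\n"


def decode_hex(body):
    """Turn a signature hex body into bytes; refuse wildcards instead of guessing."""
    if re.search(r"[^0-9a-fA-F]", body):
        raise NotImplementedError("wildcards not supported: %r" % body)
    return bytes.fromhex(body)


def parse_sig(line):
    """Return {'name', 'expr', 'subsigs': [(offset, bytes), ...]} for an ndb or ldb line."""
    line = line.strip()
    if ";" in line:                      # logical (.ldb) signature
        name, _tdb, expr, *raw = line.split(";")
        subsigs = []
        for r in raw:
            offset, _, body = r.rpartition(":")   # subsig is [offset:]hexbody
            subsigs.append((offset or "*", decode_hex(body)))
        return {"name": name, "expr": expr, "subsigs": subsigs}
    name, _target, offset, body = line.split(":", 3)   # extended (.ndb) signature
    return {"name": name, "expr": "0", "subsigs": [(offset, decode_hex(body))]}


def subsig_matches(buf, offset, pattern):
    """Apply one subsignature: '*' anywhere, N at an absolute offset, EOF-n from the end."""
    if offset == "*":
        return pattern in buf
    if offset.isdigit():
        n = int(offset)
        return buf[n:n + len(pattern)] == pattern
    m = re.fullmatch(r"EOF-(\d+)", offset)
    if m:
        n = int(m.group(1))
        if n > len(buf):
            return False
        return buf[len(buf) - n:len(buf) - n + len(pattern)] == pattern
    raise NotImplementedError("offset %r needs file-type-specific parsing" % offset)


def eval_expr(expr, truth):
    """Evaluate a logical expression over subsig indices.

    Supports digits, '&', '|' and parentheses. Assumption of this example:
    '&' binds tighter than '|'. Count rules such as '0>1' are not handled."""
    toks = re.findall(r"\d+|[()&|]", expr)
    if "".join(toks) != expr.replace(" ", ""):
        raise NotImplementedError("unsupported expression: %r" % expr)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def factor():
        t = take()
        if t == "(":
            v = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return v
        return truth[int(t)]

    def and_expr():
        v = factor()
        while peek() == "&":
            take()
            v = factor() and v      # always evaluate both sides, no short-circuit
        return v

    def or_expr():
        v = and_expr()
        while peek() == "|":
            take()
            v = and_expr() or v
        return v

    result = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def scan(buf, sig_line):
    """Return True when the signature's logical expression holds for buf."""
    sig = parse_sig(sig_line)
    truth = {i: subsig_matches(buf, off, pat) for i, (off, pat) in enumerate(sig["subsigs"])}
    return eval_expr(sig["expr"], truth)


def decode_sig(sig_line):
    """Like 'sigtool --decode-sigs': each subsignature's offset and decoded bytes."""
    return parse_sig(sig_line)["subsigs"]


if __name__ == "__main__":
    for line in (DEB_SIG, MBL_SIG):
        print(parse_sig(line)["name"], decode_sig(line))
    print("deb header:", scan(DEB_HEADER, DEB_SIG))
    print("plain mail:", scan(PLAIN_MAIL, MBL_SIG), "url mail:", scan(URL_MAIL, MBL_SIG))
```

The practical check this gives you: a `*`-offset body signature only fires when those exact bytes are present in whatever clamscan is scanning, so if the decoded string is absent from the raw message, look at what `--leave-temps` wrote out (decoded MIME parts, extracted archives) and run the same comparison against each temporary file rather than against the message as delivered.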