The file of the virus is thank_you.pif and ravlin found it, but the mail is not blocked.
Thu, 19 Feb 2004 10:50:32 +0100:29731: +++ starting debugging for process 29731 by uid=1002 at Thu, 19 Feb 2004 10:50:32 +0100
Thu, 19 Feb 2004 10:50:32 +0100:29731: setting UID to EUID so subprocesses can access files generated by this script
Thu, 19 Feb 2004 10:50:32 +0100:29731: program name is qmail-scanner-queue.pl.t, version 1.20
Thu, 19 Feb 2004 10:50:32 +0100:29731: incoming SMTP connection from via SMTP from 194.243.125.8
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: mkdir /var/spool/qmailscan/tmp/mail2107718423246129731
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/mail2107718423246129731 [1077184232.18224]
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: primary Content-Type of multipart/mixed found
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: found a top-level boundary definition of ------------060701000306030801020402
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: attachment 1: Content-Type of text/plain found
Thu, 19 Feb 2004 10:50:32 +0100:29731: found C-T attachment filename thank_you.pif
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: attachment 2: Content-Type of application/octet-stream found
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: looks like a Windows executable, filename=thank_you.pif,type=application/octet-stream
Thu, 19 Feb 2004 10:50:32 +0100:29731: w_c: rename new msg from /var/spool/qmailscan/working/tmp/mail2107718423246129731 to /var/spool/qmailscan/working/new/mail2107718423246129731 [1077184232.2573]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/mail2107718423246129731/ </var/spool/qmailscan/working/new/mail2107718423246129731 [1077184232.25759]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/mail2107718423246129731/ [1077184232.27084]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: Checking all attachments to see if they're MS-TNEF
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: is /var/spool/qmailscan/tmp/mail2107718423246129731/thank_you.pif is a TNEF file?: 256 [1077184232.27359]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: is /var/spool/qmailscan/tmp/mail2107718423246129731/1077184232.29733-0.mail2 is a TNEF file?: 256 [1077184232.27632]
Thu, 19 Feb 2004 10:50:32 +0100:29731: d_m: unpacking message took 0.018916 seconds
Thu, 19 Feb 2004 10:50:32 +0100:29731: unsetting QMAILQUEUE env var
Thu, 19 Feb 2004 10:50:32 +0100:29731: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Thu, 19 Feb 2004 10:50:32 +0100:29731: from=Michele Cerioni <[EMAIL PROTECTED]>,subj=virusse, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 194.243.125.8
Thu, 19 Feb 2004 10:50:32 +0100:29731: ini_sc: start scanning
Thu, 19 Feb 2004 10:50:32 +0100:29731: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/mail2107718423246129731/
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: scanner=ravlin_scanner,plain_text_msg=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: starting scan of directory "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: /usr/local/rav8/bin/ravav --listall --mail --archive --heuristics=on --all /var/spool/qmailscan/tmp/mail2107718423246129731 2>&1
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
Searching for the engine in '/usr/local/rav8'...
Running in evaluation mode.
16 days left!
Scan engine 8.11 for i386. Last update: Mon Sep 1 14:58:36 2003 Scanning for 81707 malwares (viruses, trojans and worms).
*** Since the number of existing viruses grow radically, it is recommended ***
*** to update your product to keep good detection/cleaning capabilities. ***
*** So check out http://www.ravantivirus.com for updates! ***
Scanning with following configuration:
* checking all files!
* checking inside archive files!
* also checking mail files!
* heuristic scanning is activated!
* integrity check is enabled!
* don't use report file!
/var/spool/qmailscan/tmp/mail2107718423246129731/thank_you.pif , exit status 0
Thu, 19 Feb 2004 10:50:32 +0100:29731: ravlin_scanner: finished scan of dir "/var/spool/qmailscan/tmp/mail2107718423246129731" in 0.236643 secs
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: scanner=spamassassin,plain_text_msg=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: scanloop: finished scan of "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: starting scan of directory "/var/spool/qmailscan/tmp/mail2107718423246129731"...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing subject: ILOVEYOU
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '82:message/partial.*' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing content-type: message/partial.*
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '85:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing date: .{100,}
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '86:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing mime-version: .{100,}
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '87:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing resent-date: .{100,}
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a header!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a size!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a size!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: type is a size!
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking thank_you.pif against perlscanner database...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: file thank_you.pif is lowercased to thank_you.pif and has extension .pif
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: compare thank_you.pif (size 75554,100498) against perlscanner database
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: skipping auto-generated file 1077184232.29733-0.mail2
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: checking thank_you.pif against perlscanner database...
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: file thank_you.pif is lowercased to thank_you.pif and has extension .pif
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: compare thank_you.pif (size 75554,100498) against perlscanner database
Thu, 19 Feb 2004 10:50:32 +0100:29731: p_s: finished scan of dir "/var/spool/qmailscan/tmp/mail2107718423246129731" in 0.002443 secs
Thu, 19 Feb 2004 10:50:32 +0100:29731: ini_sc: scanning message took 0.239428 seconds
Thu, 19 Feb 2004 10:50:32 +0100:29731: q_r: fork off child into /var/qmail/bin/qmail-queue...
Thu, 19 Feb 2004 10:50:32 +0100:29738: q_r: xstatus=0
Thu, 19 Feb 2004 10:50:32 +0100:29731: cleanup: archiving into /var/spool/qmailscan/archives/new/
19/02/2004 10:50:35:29731: all finished. Total of 3.581528 secs
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general