Quoting Bill Randle <[EMAIL PROTECTED]>:

On Thu, 2004-06-17 at 19:16, Michael D. Crawford wrote:
I think the virus that's assaulting me is what this
page calls the PE_ZAFI.B virus:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_ZAFI.B&VSect=T

The clamav database lists a virus called Worm.Zafi.B.

I'm still working on downloading my mailbox.  I copied
it to my home directory at my hosting service, then
truncated my mail spool file so I wouldn't fill up the
filesystem.  My spool file had grown to 1.2 gigabytes
in three days.

After I truncated my spool file, I was able to open it
in elm for a little while before elm was unable to
keep up and quit.  In the space of five minutes or so
I received 417 messages.  Elm crapped out when the
spool file had about 2000 messages in it.

As an interesting aside, the Zafi worm also ignores DNS MX records and goes straight for final destination if it can. We have a postfix/amavisd/clamav/spamassassin filter box that fronts the main server which contains user mailboxes. The main server kept getting all these Zafi infected mails coming in, and it took me a bit to realize they were bypassing the filter box entirely.

I ended up putting an access rule in the main gateway router
to block incoming smtp to everything except the filter box
and that's stopped it.


It's also interesting to note that even before clamav detected Zafi it was being
blocked by qmail-scanner:


Jun 15 12:25:19 external qmail-scanner[29017]:
Policy:Bad_MIME_Break:RC:0(24.188.90.209):SA:1(10.5/5.0): 2.184665 18140
[EMAIL PROTECTED] [EMAIL PROTECTED] Larsen_Family
<[EMAIL PROTECTED]> mycalendar.com

It seems virus writers can't get the MIME parts correct... what a surprise. Turns
out it's also spam with a score of 10.5. It's amazing how widespread it is,
keeping all this in mind.


Jim


_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

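Two things in this thread are worth turning into a check you can run over your own logs: the qmail-scanner policy line Jim quotes (Bad_MIME_Break plus a SpamAssassin score above threshold), and Bill's observation that Zafi skips the MX and connects straight to the mailbox host, so hits that arrive from any client other than the front-end filter box are a sign of that bypass. The script below is an added example written for this page, not code from the thread, from qmail-scanner or from clamav. The field layout it parses is inferred from the single log line quoted above and is an assumption; the filter-box address 192.0.2.10, the sender/recipient addresses and all four sample lines are constructed for the example.

```python
"""Parse qmail-scanner policy hits and flag deliveries that bypassed the filter box.

Added example for this thread; not qmail-scanner's own code. The line layout
below is inferred from the one log line quoted in the thread (an assumption),
and the sample lines, addresses and filter-box IP are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Layout assumed from the quoted line:
#   qmail-scanner[PID]: Policy:NAME:RC:CODE(CLIENT_IP):SA:FLAG(SCORE/THRESHOLD): ...
LINE_RE = re.compile(
    r"qmail-scanner\[(?P<pid>\d+)\]:\s*"
    r"Policy:(?P<policy>[A-Za-z0-9_]+):"
    r"RC:(?P<rc>\d+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\):"
    r"SA:(?P<sa_flag>[01])\((?P<score>-?\d+(?:\.\d+)?)/(?P<threshold>\d+(?:\.\d+)?)\):"
)

# Assumed address of the postfix/amavisd/clamav/spamassassin front end.
FILTER_BOX = "192.0.2.10"


@dataclass
class PolicyEvent:
    pid: int
    policy: str
    rc: int
    client_ip: str
    spam_flagged: bool
    score: float
    threshold: float


def parse_line(line: str) -> Optional[PolicyEvent]:
    """Return a PolicyEvent for a qmail-scanner policy hit, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return PolicyEvent(
        pid=int(m["pid"]),
        policy=m["policy"],
        rc=int(m["rc"]),
        client_ip=m["ip"],
        spam_flagged=m["sa_flag"] == "1",
        score=float(m["score"]),
        threshold=float(m["threshold"]),
    )


def summarize(lines: Iterable[str], trusted_relays: Iterable[str]) -> Dict[str, object]:
    """Count policy hits, how many also scored as spam, and how many came from a
    client other than the filter box (the direct-to-mailbox-host delivery Bill saw)."""
    trusted = set(trusted_relays)
    summary: Dict[str, object] = {
        "policy_hits": 0, "spam_flagged": 0, "bypassed_filter": 0, "by_policy": {},
    }
    by_policy: Dict[str, int] = summary["by_policy"]  # type: ignore[assignment]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a policy hit; ignore other syslog noise
        summary["policy_hits"] += 1  # type: ignore[operator]
        by_policy[ev.policy] = by_policy.get(ev.policy, 0) + 1
        if ev.spam_flagged and ev.score >= ev.threshold:
            summary["spam_flagged"] += 1  # type: ignore[operator]
        if ev.client_ip not in trusted:
            summary["bypassed_filter"] += 1  # type: ignore[operator]
    return summary


# Constructed sample log, modelled on the single line quoted in the thread.
SAMPLE_LOG = [
    "Jun 15 12:25:19 external qmail-scanner[29017]: Policy:Bad_MIME_Break:RC:0(24.188.90.209):SA:1(10.5/5.0): 2.184665 18140 sender@example.invalid user@example.invalid Larsen_Family <sender@example.invalid> mycalendar.com",
    "Jun 15 12:26:02 external qmail-scanner[29031]: Policy:Bad_MIME_Break:RC:0(198.51.100.7):SA:1(9.8/5.0): 1.902113 18140 x@example.invalid y@example.invalid x <x@example.invalid> example.invalid",
    "Jun 15 12:27:44 external qmail-scanner[29044]: Policy:Bad_MIME_Break:RC:0(192.0.2.10):SA:0(1.1/5.0): 0.512 4120 a@example.invalid b@example.invalid a <a@example.invalid> example.invalid",
    "Jun 15 12:28:10 external sshd[1200]: Accepted publickey for ops from 192.0.2.10 port 50122",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, [FILTER_BOX])
    print(result)
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        if ev is not None and ev.client_ip != FILTER_BOX:
            print("policy hit from a client that did not come through the filter box:", ev.client_ip)
```

Run it against `grep qmail-scanner /var/log/maillog` on the mailbox host (the one behind the filter box): with a router rule like Bill's in place the `bypassed_filter` count should stay at zero, and any non-zero value is a delivery that reached the mailbox host without passing through the front end.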