The attached patch for clamav-0.75.1 will catch the files sent by Mydoom.M that have been reported as "binary fragments".
They will be reported as Mydoom.M.log. Thanks, -trog
--- clamav-0.75.1.dist/libclamav/scanners.c 2004-06-29 22:58:37.000000000 +0100
+++ clamav-0.75.1/libclamav/scanners.c 2004-08-05 08:35:26.000000000 +0100
@@ -29,6 +29,7 @@
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
+#include <netinet/in.h>
#ifdef CL_THREAD_SAFE
# include <pthread.h>
@@ -958,6 +959,40 @@
return ret;
}
+static int cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev)
+{
+ int32_t record[8], check;
+ int i, retval=CL_VIRUS, j;
+
+ cli_dbgmsg("in mydoom_log\n");
+
+ /* Check upto the first five records in the file */
+ for (j=0 ; j<5 ; j++) {
+ if (cli_readn(desc, &record, 32) != 32) {
+ break;
+ }
+
+ /* Decode the key */
+ record[0] = ~ntohl(record[0]);
+ cli_dbgmsg("key: %lu\n", record[0]);
+ check = 0;
+ for (i=1 ; i<8; i++) {
+ record[i] = ntohl(record[i]) ^ record[0];
+ check += record[i];
+ }
+ cli_dbgmsg("check: %lu\n", ~check);
+ if ((~check) != record[0]) {
+ return CL_CLEAN;
+ }
+ }
+ if (j < 2) {
+ retval = CL_CLEAN;
+ } else if (retval==CL_VIRUS) {
+ *virname = "Mydoom.M.log";
+ }
+ return retval;
+}
+
static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev)
{
char magic[MAGIC_BUFFER_SIZE+1];
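Review bot: In cli_scan_mydoom_log the record words and the running checksum are declared as signed `int32_t`, so `check += record[i]` on file-controlled data can overflow a signed integer, which is undefined behaviour. Both debug calls also pass a 32-bit value for `%lu`, which mismatches the argument type where `long` is 64 bits (assuming cli_dbgmsg is printf-style). I would declare `uint32_t record[8], check;` so the arithmetic wraps predictably, and cast in the messages, e.g. `cli_dbgmsg("key: %lu\n", (unsigned long) record[0]);`. The literal 32 in the `cli_readn` call and its comparison would be safer as `sizeof(record)`, so the read length cannot drift from the buffer size. A short comment above the function describing the record layout it expects (a 32-bit key followed by seven words whose sum is checked against it) would help the next maintainer; cli_magic_scandesc, which follows, continues outside this hunk.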
@@ -982,7 +1017,6 @@
/* return CL_EMAXREC; */
return CL_CLEAN;
-
(*reclev)++;
lseek(desc, 0, SEEK_SET);
bread = read(desc, magic, MAGIC_BUFFER_SIZE);
@@ -1057,6 +1091,11 @@
}
}
+ if (ret == CL_CLEAN) {
+ lseek(desc, 0, SEEK_SET);
+ ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, reclev);
+ }
+
return ret;
}
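Review bot: The `lseek(desc, 0, SEEK_SET)` before the new call is unchecked, so if it fails the heuristic reads records from whatever offset the earlier scanners left the descriptor at, rather than from the start of the file. Folding it into the condition avoids scanning from an unknown position: `if (ret == CL_CLEAN && lseek(desc, 0, SEEK_SET) == 0) {`. The check also appears to run for every file that scanned clean, regardless of detected type, which deserves a one-line comment such as `/* last resort: raw Mydoom.M log heuristic, applied to any otherwise clean file */`. The enclosing function starts outside this hunk.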
