Quoting Simon <[EMAIL PROTECTED]>:
Didi Rieder <[EMAIL PROTECTED]> wrote:
the virus Worm.Mytob.A is not recognized by clamav 0.83 on Sparc
Solaris 9.
[EMAIL PROTECTED] root]# clamscan --version
ClamAV 0.83/837/Sun Apr 17 17:25:32 2005
[EMAIL PROTECTED] root]# clamscan /tmp/ENTIRE_MESSAGE
/tmp/ENTIRE_MESSAGE: OK
Have you tried using --debug to see exactly what the scanner is doing with
the message? It might help us work out what the problem is :o).
My first thought would be some problem parsing the email on the Solaris box?
[EMAIL PROTECTED] tmp]# clamscan --debug /tmp/ENTIRE_MESSAGE
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.ndb
LibClamAV debug: Loading databases from /var/tmp//clamav-f1dceb776c66d3a7
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.ndb
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 3dcf82e5f59335aa39fe040394125e52
LibClamAV debug: Decoded signature: 3dcf82e5f59335aa39fe040394125e52
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.db
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.zmd
LibClamAV debug: Loading databases from /var/tmp//clamav-1f063121404bea29
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.db
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.hdb
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.ndb
LibClamAV debug: Recognized Exim mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'From: [EMAIL PROTECTED]'
contMarker 0
LibClamAV debug: parseEmailFile: check 'To: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Subject: hello' contMarker 0
LibClamAV debug: parseEmailFile: check 'Date: Sun, 17 Apr 2005 20:53:20
+0200' contMarker 0
LibClamAV debug: parseEmailFile: check 'MIME-Version: 1.0' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed;'
contMarker 0
LibClamAV debug: parseEmailFile: check '
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"' contMarker 1
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg='
multipart/mixed;
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = '
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: Add arguments '
boundary="----=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: parseEmailFile: check 'X-Priority: 3' contMarker 0
LibClamAV debug: parseEmailFile: check 'X-MSMail-Priority: Normal'
contMarker 0
LibClamAV debug: parseEmailFile: check 'X-Scanned-By:
milter-sender/0.62.837 (mail [129.27.3.25]); Sun, 17 Apr 2005 20:53:53
+0200' contMarker 0
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 5
LibClamAV debug: Content-type 'multipart' handler
LibClamAV debug: boundaryStart: found
----=_NextPart_000_0010_EC66F712.4DE7C66F in
------=_NextPart_000_0010_EC66F712.4DE7C66F
LibClamAV debug: Now read in part 0
LibClamAV debug: Multipart 0: About to parse folded header
'Content-Type: text/plain; charset="Windows-1252"'
LibClamAV debug: parseEmailHeader 'Content-Type: text/plain;
charset="Windows-1252"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/plain;
charset="Windows-1252"'
LibClamAV debug: messageSetMimeType: 'text'
LibClamAV debug: mimeArgs = ' charset="Windows-1252"'
LibClamAV debug: Add arguments ' charset="Windows-1252"'
LibClamAV debug: Discarding unwanted argument 'charset'
LibClamAV debug: Multipart 0: About to parse folded header
'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: Multipart 0: End of header information
LibClamAV debug: rfc822comments: contains a comment
LibClamAV debug: boundaryStart: found
----=_NextPart_000_0010_EC66F712.4DE7C66F in
------=_NextPart_000_0010_EC66F712.4DE7C66F
LibClamAV debug: Part 0 has 33 lines
LibClamAV debug: Now read in part 1
LibClamAV debug: Multipart 1: About to parse folded header
'Content-Type: application/octet-stream; name="text.pif"'
LibClamAV debug: parseEmailHeader 'Content-Type:
application/octet-stream; name="text.pif"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg='
application/octet-stream; name="text.pif"'
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: mimeArgs = ' name="text.pif"'
LibClamAV debug: Add arguments ' name="text.pif"'
LibClamAV debug: Multipart 1: About to parse folded header
'Content-Transfer-Encoding: base64'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding',
arg=' base64'
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 1 is "base64"
LibClamAV debug: Multipart 1: About to parse folded header
'Content-Disposition: attachment; filename="text.pif"'
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment;
filename="text.pif"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg='
attachment; filename="text.pif"'
LibClamAV debug: Multipart 1: End of header information
LibClamAV debug: Part 1 has 735 lines
LibClamAV debug: Now read in part 2
LibClamAV debug: Empty part
LibClamAV debug: The message has 2 parts
LibClamAV debug: Find out the multipart type (mixed)
LibClamAV debug: Mixed message with 2 parts
LibClamAV debug: Mixed message part 0 is of type 6
LibClamAV debug: Mixed message text part disposition ""
LibClamAV debug: Mime subtype "plain"
LibClamAV debug: Adding part to main message
LibClamAV debug: Adding to non mime-part
LibClamAV debug: Mixed message part 1 is of type 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 2
LibClamAV debug: blobSetFilename: text.pif
LibClamAV debug: fileblobSetFilename:
mkstemp(/var/tmp//clamav-c52ddbc60e7c7ad9/text.pifXXXXXX)
LibClamAV debug: Saving attachment as
/var/tmp//clamav-c52ddbc60e7c7ad9/text.pifw5aGA1
LibClamAV debug: Exported 41823 bytes using enctype 2
LibClamAV debug: 2 trailing bytes to export
LibClamAV debug: base64chars = 2 (@ @ @)
LibClamAV debug: Save non mime and/or text/plain part
LibClamAV debug: blobSetFilename: textpart
LibClamAV debug: fileblobSetFilename:
mkstemp(/var/tmp//clamav-c52ddbc60e7c7ad9/textpartXXXXXX)
LibClamAV debug: Saving attachment as
/var/tmp//clamav-c52ddbc60e7c7ad9/textpartx5aGA1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Calculated MD5 checksum: f09bc90992e53eebb97ba8dd3dff6037
LibClamAV debug: e_lfanew == 12
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 2
LibClamAV debug: TimeDateStamp: Fri Sep 11 03:35:02 1987
LibClamAV debug: SizeOfOptionalHeader: 224
LibClamAV debug: MajorLinkerVersion: 0
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 61440
LibClamAV debug: SizeOfInitializedData: 24576
LibClamAV debug: SizeOfUninitializedData: 0
LibClamAV debug: AddressOfEntryPoint: 0x20063
LibClamAV debug: SectionAlignment: 4096
LibClamAV debug: FileAlignment: 4096
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 135168
LibClamAV debug: SizeOfHeaders: 512
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name:
LibClamAV debug: VirtualSize: 86016
LibClamAV debug: VirtualAddress: 0x1000
LibClamAV debug: SizeOfRawData: 0
LibClamAV debug: PointerToRawData: 0x0 (0)
LibClamAV debug: Section contains executable code
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name:
LibClamAV debug: VirtualSize: 45056
LibClamAV debug: VirtualAddress: 0x16000
LibClamAV debug: SizeOfRawData: 41308
LibClamAV debug: PointerToRawData: 0x200 (512)
LibClamAV debug: Section contains executable code
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0xa263 (41571)
LibClamAV debug: UPX/FSG: empty section found - assuming compression
LibClamAV debug: FSG: Source buffer out of section bounds
LibClamAV debug: UPX: Section 0 name:
LibClamAV debug: UPX: Section 1 name:
LibClamAV debug: UPX: Possibly hacked UPX section headers
LibClamAV debug: UPX: NRV2B decompressor failed
LibClamAV debug: UPX: NRV2D decompressor failed
LibClamAV debug: UPX: NRV2E decompressor failed
LibClamAV debug: UPX: All decompressors failed
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: Mydoom: key: 3020594983
LibClamAV debug: Mydoom: check: 2043342637
LibClamAV debug: Calculated MD5 checksum: 7debf154e6d9d9d6254e56c850e8be4a
LibClamAV debug: Calculated MD5 checksum: 8c4a8873a9a08838882174571b732b83
/tmp/ENTIRE_MESSAGE: OK
----------- SCAN SUMMARY -----------
Known viruses: 33177
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
I/O buffer size: 131072 bytes
Time: 2.467 sec (0 m 2 s)
Didi
--
-------------------------
Didi Rieder
[EMAIL PROTECTED]
PGPKey ID: 3431D0B0
-------------------------
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
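
A triage helper for `clamscan --debug` output like the log in the message above, added here as an example; it is not code from ClamAV or from either poster. The function name `triage` and the report keys are assumptions, and the sample is an abridged excerpt of the quoted log.

```python
import re

# Abridged excerpt of the debug output quoted in the message above.
SAMPLE = """\
LibClamAV debug: Mixed message part 1 is of type 1
LibClamAV debug: blobSetFilename: text.pif
LibClamAV debug: Exported 41823 bytes using enctype 2
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Calculated MD5 checksum: f09bc90992e53eebb97ba8dd3dff6037
LibClamAV debug: UPX/FSG: empty section found - assuming compression
LibClamAV debug: FSG: Source buffer out of section bounds
LibClamAV debug: UPX: NRV2B decompressor failed
LibClamAV debug: UPX: All decompressors failed
/tmp/ENTIRE_MESSAGE: OK
"""

PREFIX = "LibClamAV debug: "


def triage(log_text):
    """Summarise a debug log: what was extracted, what failed, final verdict."""
    report = {"attachments": [], "file_types": [], "md5": [],
              "unpack_failures": [], "verdicts": {}}
    for line in log_text.splitlines():
        if line.startswith(PREFIX):
            msg = line[len(PREFIX):]
            if m := re.match(r"blobSetFilename: (.+)", msg):
                report["attachments"].append(m.group(1))
            elif m := re.match(r"Recognized (.+)", msg):
                report["file_types"].append(m.group(1))
            elif m := re.match(r"Calculated MD5 checksum: ([0-9a-f]{32})$", msg):
                report["md5"].append(m.group(1))
            elif re.search(r"decompressors? failed|out of section bounds", msg):
                report["unpack_failures"].append(msg)
        elif m := re.match(r"(\S.*): (OK|.+ FOUND)$", line):
            # clamscan result line: "<path>: OK" or "<path>: <name> FOUND"
            report["verdicts"][m.group(1)] = m.group(2)
    # Heuristic: unpacking failed and nothing matched, so the executable was
    # most likely only compared against signatures in its packed form.
    report["packed_unscanned"] = bool(report["unpack_failures"]) and all(
        v == "OK" for v in report["verdicts"].values())
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The MD5 values collected this way are the ones to quote when submitting a missed sample, since they identify the extracted attachment rather than the whole message file.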