We believed f-prot/declude didn't catch a virus and we are still in the
"figuring out why" phase.
I know why.  :)

Virus log shows
--------------------
01/14/2003 01:20:25 Qac281626014a3633 MIME file: [text/html][quoted-printable; Length=121 Checksum=8588]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: DELETED0.TXT [base64; Length=127 Checksum=11072]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: TIP.HTM [base64; Length=15495 Checksum=1351261]
01/14/2003 01:20:25 Qac281626014a3633 Scanned: Virus Free [MIME: 3 15743]
Here, Declude Virus scanned an E-mail with 3 MIME segments: An HTML segment (the body of the E-mail), a "DELETED.TXT" file (the first attachment) and "TIP.HTM" (the second attachment).

The clue here is the subject of the E-mail (from the .jpg), which is one used by Klez. Klez has 3 MIME segments, but the middle one contains the virus. In this case, though, it appears that some mailserver virus scanner detected the virus and replaced it with a safe file "DELETED.TXT".

Specifically, a virus cannot be executed in a .TXT file.

The delete.txt asks you if you want to open the file or not... guess what my
client did... Of course he opened it... way to go.... His computer is
working erratically... we still don't know if he would be able to send
us the attached virus message.
Ah, gotta love the users that see their computer acting erratically after they *think* they did something wrong. :)

The key here would be the contents of the DELETED.TXT file, which likely say something like "The such-and-such software deleted a virus...", which is what the user saw that he thought meant that he had a virus.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
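
Added example, not part of the original message and not Declude's own code: a small parser for the log lines quoted above that groups MIME segments by queue ID and flags attachments that look like an upstream scanner's replacement notice. The `DELETED<n>.TXT` name pattern and the reading of `[MIME: 3 15743]` as segment count and summed length are assumptions drawn from this one sample.

```python
import re
from collections import defaultdict

# Constructed input: the four log lines quoted in the message above.
SAMPLE_LOG = """\
01/14/2003 01:20:25 Qac281626014a3633 MIME file: [text/html][quoted-printable; Length=121 Checksum=8588]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: DELETED0.TXT [base64; Length=127 Checksum=11072]
01/14/2003 01:20:25 Qac281626014a3633 MIME file: TIP.HTM [base64; Length=15495 Checksum=1351261]
01/14/2003 01:20:25 Qac281626014a3633 Scanned: Virus Free [MIME: 3 15743]
"""

LINE = re.compile(r"^\S+ \S+ (?P<qid>Q\w+) (?P<kind>MIME file|Scanned): (?P<body>.*)$")
SEGMENT = re.compile(
    r"^(?:(?P<name>[^\[\]]+?) )?(?:\[(?P<ctype>[^\]]+)\])?"
    r"\[(?P<enc>[^;\]]+); Length=(?P<length>\d+) Checksum=(?P<checksum>\d+)\]$")
VERDICT = re.compile(r"^(?P<verdict>.*?) \[MIME: (?P<count>\d+) (?P<total>\d+)\]$")
# Assumption: the upstream scanner names its replacement notice DELETED<n>.TXT,
# as in this thread; other products will use other names.
PLACEHOLDER = re.compile(r"^DELETED\d*\.TXT$", re.IGNORECASE)

def summarize(log_text):
    """Group MIME segments by queue ID and flag likely replacement notices."""
    msgs = defaultdict(lambda: {"segments": [], "verdict": None,
                                "placeholders": [], "totals_match": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a line format this sketch understands
        msg, body = msgs[m["qid"]], m["body"]
        if m["kind"] == "MIME file":
            seg = SEGMENT.match(body)
            if not seg:
                continue
            name = seg["name"] or "(body)"  # unnamed segment = message body
            msg["segments"].append((name, seg["enc"], int(seg["length"])))
            if PLACEHOLDER.match(name):
                msg["placeholders"].append(name)
        else:
            v = VERDICT.match(body)
            if v:
                msg["verdict"] = v["verdict"]
                lengths = [s[2] for s in msg["segments"]]
                msg["totals_match"] = (int(v["count"]) == len(lengths)
                                       and int(v["total"]) == sum(lengths))
    return dict(msgs)

if __name__ == "__main__":
    for qid, info in summarize(SAMPLE_LOG).items():
        print(qid, info["verdict"], info["segments"], info["placeholders"])
```

A "Virus Free" verdict alongside a non-empty `placeholders` list matches the situation described in the message: the infected segment was already replaced before this scanner saw the mail.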
