Re: [Declude.Virus] Virus name reported as different than what scanner detected.

Fri, 28 Oct 2005 11:26:21 -0700

That's good to hear that others are seeing this as well... Hopefully, we will have a fix soon. 
Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. 


Bill Landry writes: 


Yep, I'm seeing the same thing with Version 3.0.5.12:
=====
10/28/2005 10:56:04.343 q662b02ab0000beb9.smd Vulnerability flags = 0

10/28/2005 10:56:04.343 q662b02ab0000beb9.smd MIME file: [text/html][7bit; 
Length=714 Checksum=63910]
10/28/2005 10:56:04.390 q662b02ab0000beb9.smd MIME file: email-details.zip 
[base64; Length=93976 Checksum=11204045]
10/28/2005 10:56:04.390 q662b02ab0000beb9.smd Banning .ZIP file with scr 
extension.
10/28/2005 10:56:06.156 q662b02ab0000beb9.smd Virus scanner 1 reports exit 
code of 3
10/28/2005 10:56:06.171 q662b02ab0000beb9.smd Scanner 1: Virus= 
W32/[EMAIL PROTECTED] Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02ab0000beb9.smd Virus scanner 2 reports exit 
code of 1
10/28/2005 10:56:07.109 q662b02ab0000beb9.smd Scanner 2: Virus= [ 
WORM_MYTOB.LV](    1) in 
M:\IMail\spool\proc\work\D662B0~1.VIR\0.zip,(email-details.htm .scr) 
Attachment=email-details.zip [16] I
10/28/2005 10:56:07.109 q662b02ab0000beb9.smd File(s) are INFECTED [ [ 
TROJ_GOLDUN.G](    1) in 
M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]
10/28/2005 10:56:07.109 q662b02ab0000beb9.smd Scanned: CONTAINS A VIRUS 
[Prescan OK][MIME: 2 94832]
10/28/2005 10:56:07.109 q662b02ab0000beb9.smd From: xxx To: xxx [incoming 
from xxx]
10/28/2005 10:56:07.109 q662b02ab0000beb9.smd Subject: Important 
Notification 

===== 


10/28/2005 10:56:22.171 q664302ab0000becd.smd Vulnerability flags = 0

10/28/2005 10:56:23.750 q664302ab0000becd.smd Virus scanner 1 reports exit 
code of 3
10/28/2005 10:56:23.750 q664302ab0000becd.smd Scanner 1: Virus= 
HTML/[EMAIL PROTECTED] Attachment= [16] I
10/28/2005 10:56:24.625 q664302ab0000becd.smd Virus scanner 2 reports exit 
code of 1
10/28/2005 10:56:24.625 q664302ab0000becd.smd Scanner 2: Virus= [ 
HTML_Netsky.P](    1) in 
M:\IMail\spool\proc\work\D66430~1.VIR\0,(NONAMEFL) Attachment= [16] I
10/28/2005 10:56:24.625 q664302ab0000becd.smd File(s) are INFECTED [ [ 
TROJ_GOLDUN.G](    1) in 
M:\IMail\spool\proc\work\D644C0~1.VIR\0.rar,(MsWindowsUpdate.exe): 1]

10/28/2005 10:56:24.625 q664302ab0000becd.smd Scanned: CONTAINS A VIRUS

10/28/2005 10:56:24.625 q664302ab0000becd.smd From: xxx To: xxx [incoming 
from xxx]
10/28/2005 10:56:24.625 q664302ab0000becd.smd Subject: Mail delivery 
failed: returning message to sender
===== 


Bill

----- Original Message ----- From: "Darrell 
([EMAIL PROTECTED])" <[EMAIL PROTECTED]>

To: <[email protected]>
Sent: Friday, October 28, 2005 9:37 AM

Subject: [Declude.Virus] Virus name reported as different than what 
scanner detected. 




Anyone seen this before?  The message (attachment) have the W97M/Thus 
Virus and is detected by McAfee as having such, but the final virus 
string somehow ends up at Netsky?

Darrell
x:\imail\spool>grep -i q41c378d5099ed6c9.smd vir1028.log
10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0

10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look 
list.doc [base64; Length=59

904 Checksum=2996157]

10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports 
exit code of 0
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports 
exit code of 13
10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the 
W97M/Thus.gen Attachment=HD

New Look List.doc [11] I

10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ 
W32/[EMAIL PROTECTED]: 13]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS 
[MIME: 2 60102]
10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] [

incoming from 64.207.161.182]

10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - 
Proposal 



------------------------------------------------------------------------

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, 
MRTG Integration, and Log Parsers. 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found

at http://www.mail-archive.com. 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.






















					Reply via email to