[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ClamAV + worm in mbox file



On Tue, 2004-05-25 at 09:27, Christof Damian wrote:
> On Tue, 25 May 2004, Ow Mun Heng wrote:
> >
> > That's not an idea which I don't mind doing. The only thing is, I
> > have _no_ idea which message contains the worm!
> > 
> 
> You could try something like this: use formail and a little
> script. It's a bit slow, but it worked for me. You can use diff on the
> mailboxes to see the virus.
> 
> formail < evilmailbox -s thescript.sh > nicemailbox
> 
> #!/bin/bash
> # formail -s runs this once per message with the message on stdin;
> # the message is echoed back (into nicemailbox) only if clamscan
> # exits 0, i.e. found nothing.
> TEMP=`mktemp`
> cat > "$TEMP"
> clamscan --quiet --unzip --mbox "$TEMP"
> if [ $? -eq 0 ]; then
>   cat "$TEMP"
> fi
> rm -f "$TEMP"

That didn't work in my case. Changing it to this worked:

#!/bin/sh
# Same filter as above; the only changes are the shebang and giving
# mktemp a template (the file is created in the current directory).
TEMP=`mktemp XXXXXX`
cat > "$TEMP"
clamscan --quiet --unzip --mbox "$TEMP"
if [ $? -eq 0 ]; then
  cat "$TEMP"
fi
rm -f "$TEMP"


Running it, diffing it and then googling around for the worm description got me
to understand that ClamAV will mark it as a worm because of the HTTP hyperlink
embedded in that email message.

It's not a real worm per se, but a link to one, and ClamAV just uses that as the signature.

Is this normal?
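The formail/clamscan filter above leaves you with two mailboxes to diff. The script below, added here as an example and not code posted by anyone in this thread, does the same per-message scan with the Python standard-library mailbox module and returns the sender, Subject, Message-ID and matched signature of every flagged message directly, writing clean and flagged messages to separate mailboxes. What it assumes about clamscan (exit 0 clean, 1 infected, 2 error; hits reported as "<path>: <signature> FOUND"; the --no-summary flag) is stated in the code; the link_scanner function and SAMPLE_MBOX are constructed stand-ins that mimic a signature firing on an embedded hyperlink, so the logic can be run without ClamAV installed.

```python
"""Scan an mbox message by message and report which messages were flagged.

Added example, not code from the thread. Assumptions about clamscan: exit 0
clean, 1 infected, 2 error; hits are printed as "<path>: <signature> FOUND".
link_scanner and SAMPLE_MBOX are constructed stand-ins for a real signature
and a real mailbox.
"""
import mailbox
import os
import subprocess
import tempfile
from typing import Callable, List, Optional, Tuple

# A scanner gets one message as bytes and returns the matched signature
# name, or None if the message is clean.
Scanner = Callable[[bytes], Optional[str]]
Hit = Tuple[int, str, str, str, str]  # (index, From, Subject, Message-ID, signature)


def clamscan_bytes(data: bytes) -> Optional[str]:
    """Scan one message with the real clamscan binary via a temporary file."""
    fd, path = tempfile.mkstemp(prefix="msg-", suffix=".eml")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        proc = subprocess.run(["clamscan", "--no-summary", path],
                              capture_output=True, text=True, check=False)
        if proc.returncode == 0:
            return None
        if proc.returncode == 1:
            for line in proc.stdout.splitlines():
                if line.endswith(" FOUND"):  # "<path>: <signature> FOUND"
                    return line.split(": ", 1)[-1][:-len(" FOUND")]
            return "UNKNOWN"  # infected, but no report line recognised
        raise RuntimeError("clamscan failed (%d): %s" % (proc.returncode, proc.stderr.strip()))
    finally:
        os.unlink(path)


def link_scanner(data: bytes) -> Optional[str]:
    """Constructed stand-in for a signature that matches a hyperlink, as the
    thread found ClamAV doing: the hit is on a URL in the body, not a binary."""
    return "Constructed.Worm.Link" if b"http://worm.example.invalid/" in data else None


def split_and_scan(mbox_path: str, clean_path: str, quarantine_path: str,
                   scanner: Scanner = clamscan_bytes) -> List[Hit]:
    """Copy clean messages to clean_path and flagged ones to quarantine_path.
    Returns one Hit per flagged message (the mailbox module does the splitting
    that formail -s does in the shell pipeline)."""
    src = mailbox.mbox(mbox_path, create=False)
    clean = mailbox.mbox(clean_path)
    quarantine = mailbox.mbox(quarantine_path)
    hits: List[Hit] = []
    try:
        for idx, msg in enumerate(src):
            sig = scanner(msg.as_bytes())
            if sig is None:
                clean.add(msg)
            else:
                quarantine.add(msg)
                hits.append((idx, msg.get("From", ""), msg.get("Subject", ""),
                             msg.get("Message-ID", ""), sig))
    finally:
        for box in (clean, quarantine):
            box.flush()
            box.close()
        src.close()
    return hits


# Constructed three-message mailbox; only the second carries the kind of
# link that link_scanner (and, per the thread, ClamAV) matches on.
SAMPLE_MBOX = b"""From alice@example.invalid Tue May 25 09:00:00 2004
From: alice@example.invalid
Subject: lunch
Message-ID: <1@example.invalid>

See you at noon.

From bob@example.invalid Tue May 25 09:05:00 2004
From: bob@example.invalid
Subject: worm description
Message-ID: <2@example.invalid>

The write-up is at http://worm.example.invalid/worm.html

From carol@example.invalid Tue May 25 09:10:00 2004
From: carol@example.invalid
Subject: report
Message-ID: <3@example.invalid>

Attached is the report.
"""


def run_demo(workdir: Optional[str] = None) -> dict:
    """Write SAMPLE_MBOX, scan it with link_scanner, return hits and counts."""
    workdir = workdir or tempfile.mkdtemp(prefix="mboxscan-")
    evil = os.path.join(workdir, "evilmailbox")
    nice = os.path.join(workdir, "nicemailbox")
    bad = os.path.join(workdir, "quarantine")
    with open(evil, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    result = {"hits": split_and_scan(evil, nice, bad, scanner=link_scanner)}
    for name, path in (("clean", nice), ("quarantined", bad)):
        box = mailbox.mbox(path, create=False)
        result[name] = len(box)
        box.close()
    return result


if __name__ == "__main__":
    out = run_demo()
    for idx, sender, subject, msgid, sig in out["hits"]:
        print("message %d from %s (%s) %s: %s" % (idx, sender, subject, msgid, sig))
    print("%d clean, %d quarantined" % (out["clean"], out["quarantined"]))
```

To use it on a real mailbox, call split_and_scan("evilmailbox", "nicemailbox", "quarantine") with the default clamscan_bytes scanner; the returned hits tell you which message fired and on which signature name, which is what you then look up instead of diffing the two mailboxes.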


