ClamAV + worm in mbox file
Ow Mun Heng
Ow.Mun.Heng at wdc.com
Tue May 25 20:33:02 UTC 2004
On Tue, 2004-05-25 at 09:27, Christof Damian wrote:
> On Tue, 25 May 2004, Ow Mun Heng wrote:
> >
> > That's not an idea which I don't mind doing. The only thing is, I
> > have _no_ idea which message contains the worm!
> >
>
> You could try something like this, use formail and a little
> script. It's a bit slow, but it worked for me. You can use diff on the
> mailboxes to see the virus.
>
> formail < evilmailbox -s thescript.sh > nicemailbox
>
> #!/bin/bash
> TEMP=`mktemp`
> cat > $TEMP
> clamscan --quiet --unzip --mbox $TEMP
> if [ $? == 0 ]; then
> cat $TEMP
> fi
> rm $TEMP
That didn't work in my case... Changing it to... worked:
#!/bin/sh
# Called by formail -s once per message; the message arrives on stdin.
TEMP=`mktemp XXXXXX`          # temp file in the current directory
cat > "$TEMP"
clamscan --quiet --unzip --mbox "$TEMP"
# clamscan exits 0 when nothing was found, so only clean messages are echoed
# to stdout (the new mailbox); anything else is dropped. -eq works in plain sh,
# where == is not portable.
if [ $? -eq 0 ]; then
    cat "$TEMP"
fi
rm "$TEMP"
Running it, diffing it and then googling around for the worm desc got me
to understand that clamav will mark it as a worm because of the http hyperlink
embedded in that email message.
It's not a real worm per se, but a link to it and clamav just uses that as the signature.
Is this normal??
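A fuller version of the per-message filter both scripts in this thread use, added here as an example and not taken from the thread: instead of dropping flagged messages and diffing mailboxes afterwards, it quarantines them and logs their Message-ID and Subject, and it keeps mail when the scanner itself errors out. The SCANNER, QUARANTINE and LOG variables are assumptions, as is a current clamscan that parses mail by default (so the old --unzip/--mbox flags are not used).

```shell
#!/bin/sh
# Added example, not the list poster's script: per-message filter for "formail -s".
#   formail < evilmailbox -s ./scan_message.sh > nicemailbox
# Clean messages go to stdout (the new mailbox); flagged ones are appended to a
# quarantine mbox and their Message-ID/Subject logged, so no diff is needed.
# Assumed (not from the thread): the SCANNER/QUARANTINE/LOG variables, and a
# current clamscan, which parses mail by default (no --mbox/--unzip flags).

SCANNER="${SCANNER:-clamscan --quiet --no-summary}"   # expanded unquoted: word-split into args
QUARANTINE="${QUARANTINE:-quarantine.mbox}"
LOG="${LOG:-infected.log}"

# header_field NAME FILE: first NAME: header line (headers end at the first blank
# line), matched case-insensitively; empty if absent.
header_field() {
    sed -n '1,/^$/p' "$2" | grep -i "^$1:" | head -n 1
}

# scan_message: read one message from stdin, route it by scanner exit status.
# clamscan exits 0 = clean, 1 = something found, 2 = error; that status is returned.
scan_message() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/scanmsg.XXXXXX") || return 2
    cat > "$tmp"
    if $SCANNER "$tmp" > /dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    case $status in
        0)  cat "$tmp" ;;                          # clean: pass through
        1)  cat "$tmp" >> "$QUARANTINE"             # flagged: keep a copy, log which one
            printf 'INFECTED: %s | %s\n' \
                "$(header_field Message-ID "$tmp")" \
                "$(header_field Subject "$tmp")" >> "$LOG" ;;
        *)  cat "$tmp"                              # scanner error: never silently drop mail
            printf 'SCAN ERROR %s: %s\n' "$status" \
                "$(header_field Message-ID "$tmp")" >> "$LOG" ;;
    esac
    rm -f "$tmp"
    return "$status"
}

# Only run the filter when executed as a script by formail, not when sourced.
if [ "$(basename "$0")" = scan_message.sh ]; then
    scan_message || :    # keep formail splitting; the verdict is already in $LOG
fi
```

With a hyperlink-only signature hit like the one described above, the quarantine mbox and the log tell you exactly which message matched, and the message is still there to inspect rather than silently gone.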