[Clamav-users] Attachment not identified as attachment/bad jpeg

Thu, 17 Mar 2005 03:03:04 -0800 

Hello,

this is my first post here so be gentle...

Clamscan does not find some attachments in some types of mail.
Most attachments are, but not all. This have me somewhat concerned,
since the receiving email client will not be as ignorant :(

Seems like it is related to how a buggy(?), attached jpeg picture is
scanned. Complete debug ķutput is attached, a brief version regarding the
interesting part is below. After the bad jpeg has been scanned, the next
attachment is not scanned nor identified at all. Problem is that this is
the virus/trojan...

I can not find any references to this when searching the mailinglist
archives...

In short: 1) virus attachment IS NOT identified when the jpeg attachment
             is present
          2) virus attachment IS identified if same mail w/o jpeg is
             scanned

The actual JPEG is available if anyone want to take a closer look.

Thanks in advance,
//Daniel


Version: 0.83

with latest virus definitions:

ClamAV update process started at Thu Mar 17 11:04:40 2005
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 765, sigs: 550, f-level: 4, builder: diego)


Debug output when virus attachment IS NOT identified below.

LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
[...snip...]
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
[...snip...]
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: parseEmailFile: check 'Content-ID: <me2.jpeg>' contMarker 0
[...snip...]
LibClamAV debug: blobSetFilename: me2.jpeg
[...snip...]
LibClamAV debug: Saving attachment as 
/tmp/clamav-7f65e4c3ef347566/me2.jpegMXVP6t
LibClamAV debug: Exported 45597 bytes using enctype 2
LibClamAV debug: 1 trailing bytes to export
LibClamAV debug: base64chars = 1 (? @ @)
LibClamAV debug: Saving main message as attachment
LibClamAV debug: 0 multiparts found
LibClamAV debug: Not found uuencoded file
LibClamAV debug: Saving text part to scan
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: messageToFileblob
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized JPEG file
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: Calculated MD5 checksum: 9c8d6e9fc73551b964a4da30733eb0ee
LibClamAV debug: Calculated MD5 checksum: 5e5085fa8a38559b7866489c22f21159
LibClamAV debug: Calculated MD5 checksum: 69dcbc50c67caee1452809adb335748a
z.notfound: OK

----------- SCAN SUMMARY -----------
Known viruses: 31635
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.16 MB
I/O buffer size: 131072 bytes
Time: 1.006 sec (0 m 1 s)


LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-2e195b5732268cfa/COPYING
LibClamAV debug: Unpacking /tmp/clamav-2e195b5732268cfa/main.db
LibClamAV debug: Unpacking /tmp/clamav-2e195b5732268cfa/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-2e195b5732268cfa/main.ndb
LibClamAV debug: Loading databases from /tmp/clamav-2e195b5732268cfa
LibClamAV debug: Loading /tmp/clamav-2e195b5732268cfa/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-2e195b5732268cfa/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-2e195b5732268cfa/main.ndb
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 29fda05728608a6bd19ef557e0f7efca
LibClamAV debug: Decoded signature: 29fda05728608a6bd19ef557e0f7efca
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-f8d32065f23c8b72/COPYING
LibClamAV debug: Unpacking /tmp/clamav-f8d32065f23c8b72/daily.db
LibClamAV debug: Unpacking /tmp/clamav-f8d32065f23c8b72/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-f8d32065f23c8b72/daily.ndb
LibClamAV debug: Unpacking /tmp/clamav-f8d32065f23c8b72/daily.zmd
LibClamAV debug: Loading databases from /tmp/clamav-f8d32065f23c8b72
LibClamAV debug: Loading /tmp/clamav-f8d32065f23c8b72/daily.db
LibClamAV debug: Loading /tmp/clamav-f8d32065f23c8b72/daily.hdb
LibClamAV debug: Loading /tmp/clamav-f8d32065f23c8b72/daily.ndb
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'Received: from [1.2.3.4] by banana 
(Virus SMTP 2.0)' contMarker 0
LibClamAV debug: parseEmailFile: check '        with SMTP id 25635423; Tue Oct 
05 04:48 PDT 2004' contMarker 0
LibClamAV debug: parseEmailFile: check 'Date: Tue, 05 Oct 2004 07:42:55 -0500' 
contMarker 0
LibClamAV debug: parseEmailFile: check 'To: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Subject: Hello!' contMarker 0
LibClamAV debug: parseEmailFile: check 'From: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Message-Id: <[EMAIL PROTECTED]>' 
contMarker 0
LibClamAV debug: parseEmailFile: check 'Mime-Version: 1.0' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed;' 
contMarker 0
LibClamAV debug: parseEmailFile: check '        
boundary="--------mktekjuonfbmlaqzwhlr"' contMarker 1
LibClamAV debug: parseEmailFile: check ' ' contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed;        
boundary="--------mktekjuonfbmlaqzwhlr" '
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' multipart/mixed;    
    boundary="--------mktekjuonfbmlaqzwhlr" '
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = '        boundary="--------mktekjuonfbmlaqzwhlr" '
LibClamAV debug: Add arguments '        boundary="--------mktekjuonfbmlaqzwhlr" 
'
LibClamAV debug: parseEmailFile: check '----------mktekjuonfbmlaqzwhlr' 
contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: text/html; 
charset="us-ascii"' contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Type: text/html; charset="us-ascii"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/html; 
charset="us-ascii"'
LibClamAV debug: messageSetMimeType: 'text'
LibClamAV debug: mimeArgs = ' charset="us-ascii"'
LibClamAV debug: Add arguments ' charset="us-ascii"'
LibClamAV debug: Discarding unwanted argument 'charset'
LibClamAV debug: parseEmailFile: check 'Content-Transfer-Encoding: 7bit' 
contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 6
LibClamAV debug: 0 multiparts found
LibClamAV debug: Not found uuencoded file
LibClamAV debug: Found a bounce message with no header
LibClamAV debug: blobSetFilename: bounce
LibClamAV debug: fileblobSetFilename: 
mkstemp(/tmp/clamav-7bca776a45519ebc/bounceXXXXXX)
LibClamAV debug: Saving attachment as /tmp/clamav-7bca776a45519ebc/bounceMJFuGj
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 2, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'Received: by clamd (bounce)' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Transfer-Encoding: base64' 
contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' base64'
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 1 is "base64"
LibClamAV debug: parseEmailFile: check 'Content-Disposition: attachment; 
filename="me2.jpeg"' contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; 
filename="me2.jpeg"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment; 
filename="me2.jpeg"'
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: parseEmailFile: check 'Content-ID: <me2.jpeg>' contMarker 0
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 2
LibClamAV debug: blobSetFilename: me2.jpeg
LibClamAV debug: fileblobSetFilename: 
mkstemp(/tmp/clamav-7f65e4c3ef347566/me2.jpegXXXXXX)
LibClamAV debug: Saving attachment as 
/tmp/clamav-7f65e4c3ef347566/me2.jpegMXVP6t
LibClamAV debug: Exported 45597 bytes using enctype 2
LibClamAV debug: 1 trailing bytes to export
LibClamAV debug: base64chars = 1 (? @ @)
LibClamAV debug: Saving main message as attachment
LibClamAV debug: 0 multiparts found
LibClamAV debug: Not found uuencoded file
LibClamAV debug: Saving text part to scan
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: messageToFileblob
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized JPEG file
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: Calculated MD5 checksum: 9c8d6e9fc73551b964a4da30733eb0ee
LibClamAV debug: Calculated MD5 checksum: 5e5085fa8a38559b7866489c22f21159
LibClamAV debug: Calculated MD5 checksum: 69dcbc50c67caee1452809adb335748a
z.notfound: OK

----------- SCAN SUMMARY -----------
Known viruses: 31635
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.16 MB
I/O buffer size: 131072 bytes
Time: 1.006 sec (0 m 1 s)

LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-8eedc31c0e67f83f/COPYING
LibClamAV debug: Unpacking /tmp/clamav-8eedc31c0e67f83f/main.db
LibClamAV debug: Unpacking /tmp/clamav-8eedc31c0e67f83f/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-8eedc31c0e67f83f/main.ndb
LibClamAV debug: Loading databases from /tmp/clamav-8eedc31c0e67f83f
LibClamAV debug: Loading /tmp/clamav-8eedc31c0e67f83f/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-8eedc31c0e67f83f/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-8eedc31c0e67f83f/main.ndb
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 29fda05728608a6bd19ef557e0f7efca
LibClamAV debug: Decoded signature: 29fda05728608a6bd19ef557e0f7efca
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-a583d3ba8a788117/COPYING
LibClamAV debug: Unpacking /tmp/clamav-a583d3ba8a788117/daily.db
LibClamAV debug: Unpacking /tmp/clamav-a583d3ba8a788117/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-a583d3ba8a788117/daily.ndb
LibClamAV debug: Unpacking /tmp/clamav-a583d3ba8a788117/daily.zmd
LibClamAV debug: Loading databases from /tmp/clamav-a583d3ba8a788117
LibClamAV debug: Loading /tmp/clamav-a583d3ba8a788117/daily.db
LibClamAV debug: Loading /tmp/clamav-a583d3ba8a788117/daily.hdb
LibClamAV debug: Loading /tmp/clamav-a583d3ba8a788117/daily.ndb
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'Received: from [1.2.3.4] by banana 
(Virus SMTP 2.0)' contMarker 0
LibClamAV debug: parseEmailFile: check '        with SMTP id 25635423; Tue Oct 
05 04:48 PDT 2004' contMarker 0
LibClamAV debug: parseEmailFile: check 'Date: Tue, 05 Oct 2004 07:42:55 -0500' 
contMarker 0
LibClamAV debug: parseEmailFile: check 'To: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Subject: Hello!' contMarker 0
LibClamAV debug: parseEmailFile: check 'From: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Message-Id: <[EMAIL PROTECTED]>' 
contMarker 0
LibClamAV debug: parseEmailFile: check 'Mime-Version: 1.0' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed;' 
contMarker 0
LibClamAV debug: parseEmailFile: check '        
boundary="--------mktekjuonfbmlaqzwhlr"' contMarker 1
LibClamAV debug: parseEmailFile: check ' ' contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed;        
boundary="--------mktekjuonfbmlaqzwhlr" '
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' multipart/mixed;    
    boundary="--------mktekjuonfbmlaqzwhlr" '
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = '        boundary="--------mktekjuonfbmlaqzwhlr" '
LibClamAV debug: Add arguments '        boundary="--------mktekjuonfbmlaqzwhlr" 
'
LibClamAV debug: parseEmailFile: check '----------mktekjuonfbmlaqzwhlr' 
contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: text/html; 
charset="us-ascii"' contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Type: text/html; charset="us-ascii"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/html; 
charset="us-ascii"'
LibClamAV debug: messageSetMimeType: 'text'
LibClamAV debug: mimeArgs = ' charset="us-ascii"'
LibClamAV debug: Add arguments ' charset="us-ascii"'
LibClamAV debug: Discarding unwanted argument 'charset'
LibClamAV debug: parseEmailFile: check 'Content-Transfer-Encoding: 7bit' 
contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 6
LibClamAV debug: 0 multiparts found
LibClamAV debug: Not found uuencoded file
LibClamAV debug: Found a bounce message with no header
LibClamAV debug: blobSetFilename: bounce
LibClamAV debug: fileblobSetFilename: 
mkstemp(/tmp/clamav-31582027417dd0e6/bounceXXXXXX)
LibClamAV debug: Saving attachment as /tmp/clamav-31582027417dd0e6/bounceVj4Oah
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 2, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'Received: by clamd (bounce)' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Transfer-Encoding: base64' 
contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' base64'
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 1 is "base64"
LibClamAV debug: parseEmailFile: check 'Content-Disposition: attachment; 
filename="Readme.cpl"' contMarker 0
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; 
filename="Readme.cpl"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment; 
filename="Readme.cpl"'
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 2
LibClamAV debug: blobSetFilename: Readme.cpl
LibClamAV debug: fileblobSetFilename: 
mkstemp(/tmp/clamav-ecde0f5f51a68c6a/Readme.cplXXXXXX)
LibClamAV debug: Saving attachment as 
/tmp/clamav-ecde0f5f51a68c6a/Readme.cplwG9mpr
LibClamAV debug: Exported 40536 bytes using enctype 2
LibClamAV debug: 2 trailing bytes to export
LibClamAV debug: base64chars = 2 (+ ? @)
LibClamAV debug: Saving main message as attachment
LibClamAV debug: 0 multiparts found
LibClamAV debug: Not found uuencoded file
LibClamAV debug: Saving text part to scan
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: messageToFileblob
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Worm.Bagle.AC found in descriptor 7.
z.z: Worm.Bagle.AC FOUND

----------- SCAN SUMMARY -----------
Known viruses: 31635
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 0.936 sec (0 m 0 s)

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html

Reply via email to