> Hi,
>
> We've got a user whose files are being detected as
> "Worm.Mydoom.M.log". These ones all happen to be PDF files saved
> from Word 2007.
I know this doesn't help... but... it looks like that name is a "special" hard-coded name:
special.c:
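/**
 * Detect the Mydoom.M log file format by its record structure.
 *
 * Reads up to five 32-byte records from @p desc. In each record the first
 * big-endian word is the bitwise complement of a key; the remaining seven
 * words are XORed with that key and summed, and the complement of the sum
 * must equal the key. The first record that fails this relation makes the
 * file clean. Fewer than two complete valid records also means clean;
 * otherwise the file is reported as "Worm.Mydoom.M.log".
 *
 * @param desc     open file descriptor positioned at the start of the data
 * @param virname  if non-NULL, receives a pointer to the static virus name
 *                 on a match (left untouched otherwise)
 * @return CL_VIRUS on a match, CL_CLEAN otherwise
 *
 * NOTE(review): this is a purely structural heuristic -- any file whose first
 * two 32-byte records happen to satisfy the checksum relation is flagged, so
 * false positives on unrelated formats are possible.
 */
int cli_check_mydoom_log(int desc, const char **virname)
{
    /* Unsigned so that the XOR/sum wrap-around is well defined (signed
     * overflow is UB); the bit pattern matches the former int32_t math. */
    uint32_t record[8];
    int j;

    cli_dbgmsg("in cli_check_mydoom_log()\n");

    /* Check up to the first five records in the file */
    for (j = 0; j < 5; j++) {
        uint32_t key, check = 0;
        int i;

        /* A short read (EOF or error) ends the scan; the verdict below
         * depends only on how many complete records validated. */
        if (cli_readn(desc, record, sizeof record) != (int)sizeof record) {
            break;
        }

        /* Decode the key: stored big-endian as its bitwise complement */
        key = ~ntohl(record[0]);
        record[0] = key;
        cli_dbgmsg("Mydoom: key: %d\n", (int)key);

        for (i = 1; i < 8; i++) {
            record[i] = ntohl(record[i]) ^ key;
            check += record[i];
        }
        cli_dbgmsg("Mydoom: check: %d\n", (int)~check);

        /* The complement of the sum of the decoded words must equal the key */
        if (~check != key) {
            return CL_CLEAN;
        }
    }

    /* Require at least two valid records before claiming a match */
    if (j < 2) {
        return CL_CLEAN;
    }

    if (virname) {
        *virname = "Worm.Mydoom.M.log";
    }
    return CL_VIRUS;
}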
Cheers,
Steve
Sanesecurity