#169 clamscan loop on specific mail virus

Status: open
Owner: alch
Labels: Scanner (176)
Priority: 5
Updated: 2015-01-16
Created: 2005-02-15
Creator: Anonymous
Private: No

Entering here after going through the clamav bug track -
which referred back to here.

I have a loop problem after upgrading clamav (through
clamwin) from 0.6x to 0.82 and today 0.83.
The problem is that certain low-frequency mail files with
the virus Worm.SomeFool.Gen-1 cause the clamscan
program to loop infinitely.

I am running W2003server and the clamscan program for
the clamwin install.

Below is listed debug output up to the loop.
The mail file with the virus is uploaded in
password-protected zipped format - password is "virus".

====================================
E:\Temp\t>"c:\program files\clamwin\bin\clamscan" --debug --verbose --unzip=\ -d "C:\WINNT\Profiles\All Users.clamwin\db" -m B0004052792.MSF_y
LibClamAV debug: Loading databases from C:\WINNT\Profiles\All Users.clamwin\db
LibClamAV debug: Loading C:\WINNT\Profiles\All Users.clamwin\db/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 9aff6a2c17d56ea067c1a3f86a4ea655
LibClamAV debug: Decoded signature: 9aff6a2c17d56ea067c1a3f86a4ea655
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/COPYING
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/daily.db
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/daily.hdb
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/daily.ndb
LibClamAV debug: Loading databases from /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8
LibClamAV debug: Loading /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/daily.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/daily.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /cygdrive/c/TEMP/clamav-1fdf07dfd83673e8/daily.ndb
LibClamAV debug: Loading C:\WINNT\Profiles\All Users.clamwin\db/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 33a3388daae12b3f1b11accad1acd7b5
LibClamAV debug: Decoded signature: 33a3388daae12b3f1b11accad1acd7b5
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/COPYING
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/main.db
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/main.hdb
LibClamAV debug: Unpacking /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/main.ndb
LibClamAV debug: Loading databases from /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386
LibClamAV debug: Loading /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/main.db
LibClamAV debug: Loading /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/main.hdb
LibClamAV debug: Loading /cygdrive/c/TEMP/clamav-9dbdb9420c5e8386/main.ndb
Full path: /cygdrive/e/Temp/t/B0004052792.MSF_y
Scanning /cygdrive/e/Temp/t/B0004052792.MSF_y
LibClamAV debug: Recognized Maildir file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'Return-path: djpandouriver@msn.com' contMarker 0
LibClamAV debug: parseEmailFile: check 'Received: from agurk.dk (ALagny-103-1-4-124.w80-14.abo.wanadoo.fr [80.14.228.124]) by ' contMarker 0
LibClamAV debug: parseEmailFile: check ' (Vircom SMTPRS 4.2.181) with ESMTP id B0004052792@ for katrine@agurk.dk;' contMarker 0
LibClamAV debug: parseEmailFile: check ' Sun, 13 Feb 2005 15:41:51 +0100' contMarker 1
LibClamAV debug: parseEmailFile: check 'Message-ID: B0004052792@' contMarker 0
LibClamAV debug: parseEmailFile: check 'From: djpandouriver@msn.com' contMarker 0
LibClamAV debug: parseEmailFile: check 'To: katrine@agurk.dk' contMarker 0
LibClamAV debug: parseEmailFile: check 'Subject: Status' contMarker 0
LibClamAV debug: parseEmailFile: check 'Date: Sun, 13 Feb 2005 15:40:43 +0100' contMarker 0
LibClamAV debug: parseEmailFile: check 'MIME-Version: 1.0' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed;' contMarker 0
LibClamAV debug: parseEmailFile: check ' boundary="----=_NextPart_000_0007_0000432D.0000587A"' contMarker 1
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007_0000432D.0000587A"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' multipart/mixed;boundary="----=_NextPart_000_0007_0000432D.0000587A"'
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = ' boundary="----=_NextPart_000_0007_0000432D.0000587A"'
LibClamAV debug: Add arguments ' boundary="----=_NextPart_000_0007_0000432D.0000587A"'
LibClamAV debug: parseEmailFile: check 'X-Priority: 3' contMarker 0
LibClamAV debug: parseEmailFile: check 'X-MSMail-Priority: Normal' contMarker 0
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 5
LibClamAV debug: Content-type 'multipart' handler
LibClamAV debug: boundaryStart: found ----=_NextPart_000_0007_0000432D.0000587A in ------=_NextPart_000_0007_0000432D.0000587A
LibClamAV debug: Now read in part 0
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Type: text/plain; charset="Windows-1252"'
LibClamAV debug: parseEmailHeader 'Content-Type: text/plain; charset="Windows-1252"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/plain; charset="Windows-1252"'
LibClamAV debug: messageSetMimeType: 'text'
LibClamAV debug: mimeArgs = ' charset="Windows-1252"'
LibClamAV debug: Add arguments ' charset="Windows-1252"'
LibClamAV debug: Discarding unwanted argument 'charset'
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: Multipart 0: End of header information
LibClamAV debug: boundaryStart: found ----=_NextPart_000_0007_0000432D.0000587A in ------=_NextPart_000_0007_0000432D.0000587A
LibClamAV debug: Part 0 has 2 lines
LibClamAV debug: Now read in part 1
LibClamAV debug: Multipart 1: About to parse folded header 'Content-Type: application/x-zip-compressed; name="paypal_news.zip"'
LibClamAV debug: parseEmailHeader 'Content-Type: application/x-zip-compressed;name="paypal_news.zip"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' application/x-zip-compressed; name="paypal_news.zip"'
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: mimeArgs = ' name="paypal_news.zip"'
LibClamAV debug: Add arguments ' name="paypal_news.zip"'
LibClamAV debug: Multipart 1: About to parse folded header 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' base64'
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 1 is "base64"
LibClamAV debug: Multipart 1: About to parse folded header 'Content-Disposition: attachment; filename="paypal_news.zip"'
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; filename="paypal_news.zip"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment;filename="paypal_news.zip"'
LibClamAV debug: Multipart 1: End of header information
LibClamAV debug: Part 1 has 475 lines
LibClamAV debug: Now read in part 2
LibClamAV debug: Part 2 has 1 lines
LibClamAV debug: The message has 3 parts
LibClamAV debug: Find out the multipart type (mixed)
LibClamAV debug: Mixed message with 3 parts
LibClamAV debug: Mixed message part 0 is of type 6
LibClamAV debug: Mixed message text part disposition ""
LibClamAV debug: Mime subtype "plain"
LibClamAV debug: Adding part to main message
LibClamAV debug: Adding to non mime-part
LibClamAV debug: Mixed message part 1 is of type 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 2
LibClamAV debug: blobSetFilename: paypal_news.zip
LibClamAV debug: fileblobSetFilename: mkstemp(/cygdrive/c/TEMP/clamav-6534f9109fdb8387/paypal_news.zipXXXXXX)
LibClamAV debug: Saving attachment as /cygdrive/c/TEMP/clamav-6534f9109fdb8387/paypal_news.zip005704
LibClamAV debug: Exported 25488 bytes using enctype 2
LibClamAV debug: 2 trailing bytes to export
LibClamAV debug: base64chars = 2 (@ @ @)
LibClamAV debug: Mixed message part 2 is of type 0
LibClamAV debug: No mime headers found in multipart part 2
LibClamAV debug: Adding to non mime-part
LibClamAV debug: textAdd: count = 1
LibClamAV debug: Save non mime and/or text/plain part
LibClamAV debug: blobSetFilename: textpart
LibClamAV debug: fileblobSetFilename: mkstemp(/cygdrive/c/TEMP/clamav-6534f9109fdb8387/textpartXXXXXX)
LibClamAV debug: Saving attachment as /cygdrive/c/TEMP/clamav-6534f9109fdb8387/textpart005704
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: paypal_news.doc.pif, compressed: 25353, normal: 25353, ratio: 1 (max: 250)
LibClamAV debug: Zip: Can't generate tmpfile().
LibClamAV debug: Worm.SomeFool.Gen-1 found in descriptor 5.

* Ctrl-C pressed to end loop *
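
Added example, not part of the original report and not ClamAV or ClamWin code: a wrapper that runs the scanner under a hard time limit, so a scan that loops as described above returns a distinct "timeout" verdict instead of blocking the caller. It assumes `clamscan` is on the PATH; the two stand-in scanner commands are constructed so the block runs without ClamAV installed.

```python
"""Run clamscan under a hard time limit so a looping scan cannot stall mail flow."""
import subprocess
import sys

# clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
VERDICTS = {0: "clean", 1: "infected"}

# Constructed stand-ins for the scanner, so the demo runs without ClamAV.
# Each receives the file path as its last argument, as clamscan would.
HANGING_SCANNER = (sys.executable, "-c", "import time; time.sleep(30)")
INFECTED_SCANNER = (
    sys.executable, "-c",
    "import sys; print(sys.argv[1] + ': Worm.SomeFool.Gen-1 FOUND'); sys.exit(1)",
)


def scan_with_timeout(path, timeout_s=60, scanner=("clamscan", "--no-summary")):
    """Scan one file and return (verdict, detail).

    verdict is "clean", "infected", "error" or "timeout". A caller such as a
    mail filter should handle "error" and "timeout" fail-closed (quarantine
    the message and alert) rather than deliver it unscanned.
    """
    cmd = list(scanner) + [path]
    try:
        # subprocess.run kills the child process when the timeout expires.
        proc = subprocess.run(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            universal_newlines=True,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return "timeout", "scanner exceeded %ss on %s" % (timeout_s, path)
    except OSError as exc:
        return "error", "cannot start scanner: %s" % exc
    return VERDICTS.get(proc.returncode, "error"), proc.stdout.strip()


if __name__ == "__main__":
    sample = "B0004052792.MSF_y"  # file name from the report; the stand-ins never open it
    print(scan_with_timeout(sample, timeout_s=2, scanner=HANGING_SCANNER))
    print(scan_with_timeout(sample, timeout_s=20, scanner=INFECTED_SCANNER))
```

Logging the path of every file that hits the timeout gives a ready list of samples to attach to a bug report like this one.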

Discussion

  • HaraldVillemoes

    HaraldVillemoes - 2005-02-15

    Logged In: YES
    user_id=1217349

    Sorry, I missed the check mark for upload.
    If the mail test file is needed I can mail it.

     
  • alch

    alch - 2005-02-15

    Logged In: YES
    user_id=1004158

    Yes, please send it to alch[at]users.sourceforge.net

     
