Bug 133333

Summary: ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
Product: Ports & Packages
Reporter: Sergey <starikov>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Sergey 2009-04-03 07:50:01 UTC
ClamAV is running as a milter for sendmail Version 8.14.2
Problem appeared after the update of ClamAV from 0.94.2 to 0.95.

Normally ClamAV rejects viruses like:
clamd.log:
Apr  3 04:20:17 gw-1 clamav-milter[82788]: Message n330KFwi084209 from <> to
<my-user> with subject 'Mail delivery failed: returning message to sender'
message-id '<E1LpX8m-0006jH-82@fam6.famatech.com>' date 'Thu, 02 Apr 2009
19:20:12 -0500' infected by Worm.SomeFool.P

maillog:
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403,
class=0, nrcpts=1, msgid=<E1LpX8m-0006jH-82@fam6.famatech.com>, proto=ESMTP,
daemon=IPv4, relay=mx.mydomain.ru [194.186.213.3]
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add):
header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add):
header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550
5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=<my-user@mydomain.ru>,
delay=00:00:02, pri=73403, stat=We don't receive viruses like Worm.SomeFool.P


But when it meets Worm.Mydoom.I the behaviour changes to:
clamd.log, just:
Apr  3 08:14:23 gw-1 clamd[39534]: fd[10]: Worm.Mydoom.I FOUND

maillog:
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084:
from=<irina.mashkina@russianpost.ru>, size=31040, class=0, nrcpts=1,
msgid=<200904030414.n334EMWU090084@gw-1.caotus.ru>, proto=ESMTP, daemon=IPv4,
relay=gw-3.caotus.ru [194.186.213.3]
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add):
header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add):
header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter):
cmd read returned 0, expecting 5
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error
state
Apr  3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: <my-user@mydomain.ru>,
delay=00:00:01, xdelay=00:00:00, mailer=local, pri=151427, relay=local,
dsn=2.0.0, stat=Sent


As a result, ClamAV antivirus:
1. Passes the infected e-mail to local users
2. Stops anti-virus scanning of e-mails and only begins checking again after a restart,
until it catches the next Worm.Mydoom.I

Fix: 

As a temporary, rather bad fix I have had to fall back on ClamAV-0.94.2.
How-To-Repeat:
1. Turn on a mail server which uses ClamAV Milter;
2. Send some test letters containing viruses via this e-mail server (one of them, but not the first and not the last, must be Worm.Mydoom.I);
3. Read clamd.log and maillog
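The symptom above (milter labels a message infected, then drops into error state, and sendmail delivers anyway) can be spotted from maillog alone. The following is an added example, not part of the report or of ClamAV; it correlates the X-Virus-Status, milter error and stat=Sent events per sendmail queue ID, using constructed log lines abridged from the two transactions quoted above (timestamp and host dropped, the sender replaced by a placeholder).

```python
import re
from collections import defaultdict

# Constructed maillog excerpt, abridged from the two transactions quoted in
# the report. Queue ID n330KFwi084209 was rejected by the milter;
# n334EMWU090084 was delivered after the milter went into error state.
SAMPLE_MAILLOG = """\
sm-mta[84209]: n330KFwi084209: from=<>, size=43403, class=0, nrcpts=1, proto=ESMTP
sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
sm-mta[84209]: n330KFwi084209: to=<my-user@mydomain.ru>, delay=00:00:02, stat=We don't receive viruses like Worm.SomeFool.P
sm-mta[90084]: n334EMWU090084: from=<sender@example.invalid>, size=31040, class=0, nrcpts=1, proto=ESMTP
sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
sm-mta[90085]: n334EMWU090084: to=<my-user@mydomain.ru>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

# The sendmail queue ID follows the process tag; the rest is the event text.
LINE_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): (?P<event>.*)$")
INFECTED_RE = re.compile(r"X-Virus-Status: Infected \((?P<sig>[^)]+)\)")


def find_fail_open(log_text):
    """Return (queue_id, signature, milter_errored) for every message that the
    milter labelled as infected but sendmail still delivered (stat=Sent).
    A rejected message never produces a stat=Sent line, so it is not reported."""
    per_qid = defaultdict(lambda: {"sig": None, "error": False, "sent": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-message sendmail line
        state = per_qid[m.group("qid")]
        event = m.group("event")
        inf = INFECTED_RE.search(event)
        if inf:
            state["sig"] = inf.group("sig")
        # Both lines appear in the report when the milter socket breaks.
        if "Milter (clmilter): to error state" in event or "milter_sys_read(" in event:
            state["error"] = True
        if re.search(r"\bstat=Sent\b", event):
            state["sent"] = True
    return [(qid, s["sig"], s["error"])
            for qid, s in per_qid.items() if s["sig"] and s["sent"]]


if __name__ == "__main__":
    for qid, sig, errored in find_fail_open(SAMPLE_MAILLOG):
        print(f"{qid}: delivered despite {sig} (milter error: {errored})")
```

A non-empty result means the milter is failing open; the sendmail side can be made to fail closed with the milter's F=T (temp-fail) flag so such messages are deferred instead of delivered.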
Comment 1 Sergey 2009-04-03 07:59:37 UTC

FreeBSD-gnats-submit@FreeBSD.org writes:
> Thank you very much for your problem report.
> It has the internal identification `ports/133333'.
> The individual assigned to look at your
> report is: freebsd-ports-bugs. 
> 
> You can access the state of your problem report at any time
> via this link:
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=133333
> 
>> Category:       ports
>> Responsible:    freebsd-ports-bugs
>> Synopsis:       ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
>> Arrival-Date:   Fri Apr 03 06:50:01 UTC 2009
> 
Excuse me, I forgot to mention that I have also posted this bug to
ClamAV Bugzilla:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1537

--
Starikov Sergey Anatolyevich
Lead software engineer
Department of Operation of Information, Telecommunication and
Cryptographic Systems
Processing Department of the Unified Postal Money Transfer System
OSP IRC FGUP "Russian Post"
Starikov@caotus.ru
+7(495)398-4436
Comment 2 Renato Botelho freebsd_committer freebsd_triage 2009-05-07 16:56:52 UTC
State Changed
From-To: open->closed

Already fixed in clamav 0.95.1