On Tue, 2004-05-25 at 09:27, Christof Damian wrote:
> On Tue, 25 May 2004, Ow Mun Heng wrote:
> >
> > That's not an idea which I don't mind doing. The only thing is, I
> > have _no_ idea which message contains the worm!
> >
>
> You could try something like this: use formail and a little
> script. It's a bit slow, but it worked for me. You can use diff on the
> mailboxes to see the virus.
>
> formail < evilmailbox -s thescript.sh > nicemailbox
>
> #!/bin/bash
> # formail hands each message to this script on stdin; a message is
> # passed through (printed) only when clamscan exits 0 (clean)
> TEMP=`mktemp`
> cat > "$TEMP"
> clamscan --quiet --unzip --mbox "$TEMP"
> if [ $? -eq 0 ]; then
>     cat "$TEMP"
> fi
> rm -f "$TEMP"

That didn't work in my case.. Changing it to... worked

#!/bin/sh
# same idea, but /bin/sh and an explicit mktemp template
TEMP=`mktemp XXXXXX`
cat > "$TEMP"
clamscan --quiet --unzip --mbox "$TEMP"
if [ $? -eq 0 ]; then
    cat "$TEMP"
fi
rm -f "$TEMP"

Running it, diffing it and then googling around for the worm description got me to understand that clamav will mark it as a worm because of the http hyperlink embedded in that email message. It's not a real worm per se, but a link to it, and clamav just uses that as the signature.

Is this normal??
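The formail/clamscan pipeline above answers "give me a clean mailbox" but not the question actually asked, "which message was flagged?", and it silently drops a message when clamscan fails (exit 2) rather than finds a signature (exit 1). Here is an added example, not code from this thread or from ClamAV, that does the same split-and-scan in Python's standard `mailbox` module, keeps a list of the flagged Message-IDs and subjects, and only treats clamscan's exit status 1 as a match. The `clamscan` flags are the ones used in the thread and assume an older release that still accepts `--mbox`; the sample mailbox, the `PLACEHOLDER-INDICATOR` URL and the `marker_flags` stand-in scanner (which mimics a URL-based signature so the flow can be run without ClamAV installed) are constructed for the example.

```python
"""Split an mbox, scan each message, and record which ones were flagged.
Added example for the formail/clamscan thread; not project code."""
import mailbox
import os
import subprocess
import tempfile
from typing import Callable, List, Tuple

# A scanner takes the raw message bytes and returns True when it matches.
Scanner = Callable[[bytes], bool]

# Constructed sample mailbox: three messages, the second carries a URL that
# our stand-in signature matches (PLACEHOLDER-INDICATOR is not a real IoC).
SAMPLE_MBOX = b"""From alice@example.invalid Tue May 25 09:00:00 2004
From: alice@example.invalid
Subject: lunch
Message-ID: <1@example.invalid>

See you at noon.

From mallory@example.invalid Tue May 25 09:05:00 2004
From: mallory@example.invalid
Subject: check this out
Message-ID: <2@example.invalid>

Download: http://PLACEHOLDER-INDICATOR.invalid/file.exe

From bob@example.invalid Tue May 25 09:10:00 2004
From: bob@example.invalid
Subject: re: lunch
Message-ID: <3@example.invalid>

Noon works.
"""


def clamscan_flags(raw: bytes) -> bool:
    """Scanner backed by clamscan (flags as in the thread; assumes an older
    release).  Exit 0 = clean, 1 = signature matched, 2 = scanner error.
    An error is raised instead of being counted as clean or infected."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(raw)
        path = fh.name
    try:
        rc = subprocess.run(["clamscan", "--quiet", "--mbox", path],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    finally:
        os.unlink(path)
    if rc == 2:
        raise RuntimeError("clamscan failed on a message; not classified")
    return rc == 1


def marker_flags(marker: bytes) -> Scanner:
    """Stand-in scanner for offline use: matches any message containing
    `marker`, the way a hyperlink-based signature matches a mail body."""
    return lambda raw: marker in raw


def partition_mbox(path: str, is_infected: Scanner
                   ) -> Tuple[List[mailbox.mboxMessage], List[Tuple[str, str]]]:
    """Return (clean messages, [(Message-ID, Subject), ...] of flagged ones)."""
    clean, flagged = [], []
    box = mailbox.mbox(path)
    try:
        for msg in box:  # each message is parsed fully, so it outlives close()
            if is_infected(msg.as_bytes()):
                flagged.append((msg.get("Message-ID", "<none>"),
                                msg.get("Subject", "")))
            else:
                clean.append(msg)
    finally:
        box.close()
    return clean, flagged


def write_mbox(messages: List[mailbox.mboxMessage], path: str) -> None:
    """Write the surviving messages to a fresh mbox (the 'nicemailbox')."""
    out = mailbox.mbox(path)
    try:
        for m in messages:
            out.add(m)
        out.flush()
    finally:
        out.close()


def demo() -> Tuple[List[str], int]:
    """Run the flow on the constructed mailbox with the stand-in scanner.
    Returns (flagged Message-IDs, number of messages kept)."""
    with tempfile.TemporaryDirectory() as d:
        evil = os.path.join(d, "evilmailbox")
        nice = os.path.join(d, "nicemailbox")
        with open(evil, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        clean, flagged = partition_mbox(evil, marker_flags(b"PLACEHOLDER-INDICATOR"))
        write_mbox(clean, nice)
        kept_box = mailbox.mbox(nice)
        kept = len(kept_box)
        kept_box.close()
    return [mid for mid, _ in flagged], kept


if __name__ == "__main__":
    ids, kept = demo()
    print("flagged:", ids, "kept:", kept)
```

To use it on a real mailbox, call `partition_mbox("evilmailbox", clamscan_flags)` and hand the first result to `write_mbox`; the second result is the list the original poster was missing, so there is no need to diff the two mailboxes afterwards.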