From nobody@FreeBSD.org  Fri Apr  3 06:48:30 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 909CF106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  3 Apr 2009 06:48:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 735E18FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  3 Apr 2009 06:48:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n336mTQE086466
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 3 Apr 2009 06:48:29 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n336mTGm086465;
	Fri, 3 Apr 2009 06:48:29 GMT
	(envelope-from nobody)
Message-Id: <200904030648.n336mTGm086465@www.freebsd.org>
Date: Fri, 3 Apr 2009 06:48:29 GMT
From: Sergey <starikov@caotus.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         133333
>Category:       ports
>Synopsis:       ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 03 06:50:01 UTC 2009
>Closed-Date:    Thu May 07 15:56:53 UTC 2009
>Last-Modified:  Thu May 07 15:56:53 UTC 2009
>Originator:     Sergey
>Release:        FreeBSD 6.3-RELEASE #0
>Organization:
>Environment:
FreeBSD mail.mydomain.ru 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Mon Dec 22
11:03:36 MSK 2008     root@mail.mydomain.ru:/usr/obj/usr/src/sys/CUSTOM_KERNEL 
i386
>Description:
ClamAV is running as a milter for sendmail Version 8.14.2
Problem appeared after the update of ClamAV from 0.94.2 to 0.95.

Normally ClamAV rejects viruses like:
clamd.log:
Apr  3 04:20:17 gw-1 clamav-milter[82788]: Message n330KFwi084209 from <> to
<my-user> with subject 'Mail delivery failed: returning message to sender'
message-id '<E1LpX8m-0006jH-82@fam6.famatech.com>' date 'Thu, 02 Apr 2009
19:20:12 -0500' infected by Worm.SomeFool.P

maillog:
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403,
class=0, nrcpts=1, msgid=<E1LpX8m-0006jH-82@fam6.famatech.com>, proto=ESMTP,
daemon=IPv4, relay=mx.mydomain.ru [194.186.213.3]
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add):
header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add):
header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550
5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=<my-user@mydomain.ru>,
delay=00:00:02, pri=73403, stat=We don't receive viruses like Worm.SomeFool.P


But when it meets Worm.Mydoom.I the behaviour changes to:
clamd.log, just:
Apr  3 08:14:23 gw-1 clamd[39534]: fd[10]: Worm.Mydoom.I FOUND

maillog:
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084:
from=<irina.mashkina@russianpost.ru>, size=31040, class=0, nrcpts=1,
msgid=<200904030414.n334EMWU090084@gw-1.caotus.ru>, proto=ESMTP, daemon=IPv4,
relay=gw-3.caotus.ru [194.186.213.3]
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add):
header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add):
header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter):
cmd read returned 0, expecting 5
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error
state
Apr  3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: <my-user@mydomain.ru>,
delay=00:00:01, xdelay=00:00:00, mailer=local, pri=151427, relay=local,
dsn=2.0.0, stat=Sent


As a result, ClamAV antivirus:
1. Passes the infected e-mail to local users
2. Stops anti-virus scanning of e-mails and begins checking after restart,
until it catches the next Worm.Mydoom.I
>How-To-Repeat:
1. Turn on mail server, which uses ClamAV Milter;
2. Send some test letters containing viruses via this e-mail server (one of them, but not the first and not the last, must be Worm.Mydoom.I);
3. Read clamd.log and maillog
>Fix:
As a temporary, rather bad fix I've had to fall back on ClamAV-0.94.2.

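The maillog excerpt in the report shows the security-relevant sequence: the milter adds an "Infected" header, the connection to clmilter dies ("cmd read returned 0"), sendmail moves the milter to error state, and the message is nevertheless delivered locally. That is a fail-open condition, and it is worth detecting in the log rather than waiting for a user to notice. The script below is an added example, not code from the PR, ClamAV or sendmail. It groups sm-mta lines by queue id and flags three things: a milter entering error state, a message tagged X-Virus-Status: Infected that was delivered without a milter reject, and an accepted message carrying no X-Virus-Scanned header at all, which is how the reporter's second symptom (scanning silently stopped until restart) appears in maillog. The sample lines are constructed after the excerpts in the report; sender, message-id, relay and the third queue id are placeholders.

```python
"""Flag messages that passed a sendmail/ClamAV milter after it failed.

Added example, not part of the PR or of ClamAV/sendmail. The sample lines
are constructed after the report's excerpts; addresses, message-ids and
relays are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample: message 1 is rejected normally, message 2 is delivered
# after the milter hits error state, message 3 arrives later with no
# X-Virus-Scanned header (scanner no longer running). The clamd line shows
# that non-sm-mta lines are ignored.
SAMPLE_MAILLOG = """\
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403, class=0, nrcpts=1, msgid=<m1@example.invalid>, proto=ESMTP, daemon=IPv4, relay=mx.example.invalid [192.0.2.10]
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.example.invalid
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr  3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=<user@example.invalid>, delay=00:00:02, pri=73403, stat=We don't receive viruses like Worm.SomeFool.P
Apr  3 08:14:23 gw-1 clamd[39534]: fd[10]: Worm.Mydoom.I FOUND
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: from=<sender@example.invalid>, size=31040, class=0, nrcpts=1, msgid=<m2@example.invalid>, proto=ESMTP, daemon=IPv4, relay=mx.example.invalid [192.0.2.10]
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.example.invalid
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr  3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr  3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: <user@example.invalid>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=151427, relay=local, dsn=2.0.0, stat=Sent
Apr  3 08:20:01 gw-1 sm-mta[90101]: n334K1ab090101: from=<other@example.invalid>, size=1200, class=0, nrcpts=1, msgid=<m3@example.invalid>, proto=ESMTP, daemon=IPv4, relay=mx.example.invalid [192.0.2.10]
Apr  3 08:20:01 gw-1 sm-mta[90102]: n334K1ab090101: to=<user@example.invalid>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31200, relay=local, dsn=2.0.0, stat=Sent
"""

# syslog prefix + sendmail queue id; only sm-mta lines carry milter events
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$"
)
INFECTED_RE = re.compile(r"X-Virus-Status: Infected \((?P<sig>[^)]+)\)")
REJECT_RE = re.compile(r"Milter: .*reject=")
ERROR_STATE_RE = re.compile(r"Milter \((?P<milter>[^)]+)\): to error state")
RCPT_RE = re.compile(r"(?:to=)?<(?P<rcpt>[^>]*)>")


def parse_maillog(text):
    """Collect per-queue-id facts from sm-mta lines (other daemons are skipped)."""
    msgs = defaultdict(lambda: {
        "seen_from": False, "scanned": False, "infected": None,
        "rejected": False, "milter_error": None, "delivered_to": [],
    })
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, msg = msgs[m.group("qid")], m.group("msg")
        if msg.startswith("from="):
            rec["seen_from"] = True          # envelope accepted by sm-mta
        if "X-Virus-Scanned:" in msg:
            rec["scanned"] = True            # milter actually saw the message
        inf = INFECTED_RE.search(msg)
        if inf:
            rec["infected"] = inf.group("sig")
        if REJECT_RE.search(msg):
            rec["rejected"] = True           # milter answered with a 5xx
        err = ERROR_STATE_RE.search(msg)
        if err:
            rec["milter_error"] = err.group("milter")
        if "stat=Sent" in msg:
            r = RCPT_RE.match(msg)           # recipient line, with or without "to="
            rec["delivered_to"].append(r.group("rcpt") if r else "?")
    return msgs


def find_milter_bypasses(text):
    """Return (queue_id, finding, detail) tuples for fail-open deliveries."""
    findings = []
    for qid, rec in parse_maillog(text).items():
        if rec["milter_error"]:
            findings.append((qid, "milter_error_state", rec["milter_error"]))
        if rec["infected"] and rec["delivered_to"] and not rec["rejected"]:
            findings.append((qid, "infected_delivered", rec["infected"]))
        if rec["seen_from"] and rec["delivered_to"] and not rec["scanned"]:
            findings.append((qid, "delivered_unscanned", ",".join(rec["delivered_to"])))
    return findings


if __name__ == "__main__":
    for qid, kind, detail in find_milter_bypasses(SAMPLE_MAILLOG):
        print(f"{qid}: {kind} ({detail})")
```

Running it over the constructed sample reports the Mydoom message twice (milter error state, infected but delivered) and the later message once (delivered unscanned), while the normally rejected SomeFool message produces nothing. The configuration-side counterpart is sendmail's INPUT_MAIL_FILTER F=T (or F=R) flag, which makes a failed or unavailable milter tempfail (or reject) the message instead of the default pass-through the report's log records.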
>Release-Note:
>Audit-Trail:

From: Стариков Сергей
 <starikov@caotus.ru>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Cc:  
Subject: Re: ports/133333: ClamAV Milter passes 'Worm.Mydoom.I' and this virus
 turns Milter socket to error state
Date: Fri, 03 Apr 2009 10:59:37 +0400

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 
 FreeBSD-gnats-submit@FreeBSD.org :
 > Thank you very much for your problem report.
 > It has the internal identification `ports/133333'.
 > The individual assigned to look at your
 > report is: freebsd-ports-bugs. 
 > 
 > You can access the state of your problem report at any time
 > via this link:
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=133333
 > 
 >> Category:       ports
 >> Responsible:    freebsd-ports-bugs
 >> Synopsis:       ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
 >> Arrival-Date:   Fri Apr 03 06:50:01 UTC 2009
 > 
 Excuse me, I forgot to mention that I've also posted this bug to
 ClamAV Bugzilla:
 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1537
 
 - --
 Starikov@caotus.ru
 +7(495)398-4436
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.9 (GNU/Linux)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
 iEYEAREIAAYFAknVs9kACgkQiB5ezNypRyeDnwCfV1ZXhn5lsqV6X6IqmpBWJlCu
 wSwAoI1MvRQj5GZLUFlucWyOxN/5parA
 =EQ86
 -----END PGP SIGNATURE-----
State-Changed-From-To: open->closed 
State-Changed-By: garga 
State-Changed-When: Thu May 7 15:56:52 UTC 2009 
State-Changed-Why:  
Already fixed in clamav 0.95.1 

http://www.freebsd.org/cgi/query-pr.cgi?pr=133333 
>Unformatted:
