RS does NOT pick up Sober-Worm in .EML-Files

Hi,

Win2k-SP4 with all important updates,
avast 4 home (4.1.289, VPS 310-3 from 29.10.03)

the Resident shield does pick up the infected .BAT-file from
Win32:Sober [Wrm],
but it DOES NOT alert to the saved wormmail (.EML-file from Netscape 7.02 german); neither on copy nor write

  • RS is set to scan the default extensionlist including EML both on open & create/modify
  • Quickscan picks up both BAT & EML correctly, as do other OD-scanners

How come ? any files/logs you’d like from me ?

P.S.: Where do I find the RS-Log on virus-findings ? I only find OD-Reports or Install/error-Logs


Maybe because the worm is uuencoded (base64) inside the EML. You can say it is a kind of archive.

The Standard Shield does not scan inside archives by default (MIME/uue are treated as archives).

See e.g. http://www.avast.com/forum/index.php?board=2;action=display;threadid=15;start=msg50#msg50 (the MIME packer is what you need in this case)

Vlk
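The effect described above, as an added example that is not part of the thread and not avast code: a byte-pattern check over the raw .EML misses content that only appears once the MIME parts are base64-decoded. The marker string, addresses, file name and function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a scanner signature (not a real malware pattern).
MARKER = b"CONSTRUCTED-TEST-MARKER"


def build_sample_eml() -> bytes:
    """Build a constructed .EML whose attachment is stored base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # Binary attachments get Content-Transfer-Encoding: base64 by default.
    msg.add_attachment(
        b"@echo off\r\nrem " + MARKER + b"\r\n",
        maintype="application",
        subtype="octet-stream",
        filename="sample.bat",
    )
    return msg.as_bytes()


def scan_raw(data: bytes) -> bool:
    """File-level check: look for the pattern in the bytes as stored on disk."""
    return MARKER in data


def scan_mime(data: bytes) -> list[str]:
    """Archive-style check: unpack every MIME part, then look for the pattern."""
    hits = []
    msg = message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload and MARKER in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    eml = build_sample_eml()
    print("raw scan hit: ", scan_raw(eml))
    print("MIME scan hits:", scan_mime(eml))
```
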

ok, silly me… forgot all about mailarchives

I’ll try including MIME only for RS to scan

However, I find it a bit misleading then if EML shows up in the default extension-list