What is with this alleged virus...

Hi you malware fighters,

Computer viruses are attacking once again.
Another computer virus has been detected in some computers.
It’s called Exploit.PDF computer virus or Exploit.PDF 9669 computer virus.
Some computer users say
that this computer virus slows down your computer and the mouse usually freezes.
One user said “PDF-9669 seems to be matching most HTML encoded messages on older versions of ClamAV”
Gossamer Threads’ user said:
I’ve seen lots of false positives matching on this signature. At first I
thought somebody was mass-mailing a PDF exploit under lots of different
guises, though it’s definitely a false-positive.
It looks like Exploit.PDF-9669 matches on an empty 0 byte string:
d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669
For now I’ve commented out the line in daily.inc/daily.hdb – it’s the last
line in the file in the version that I have, though this is only going to
help until freshclam runs. This really needs to be fixed ASAP, I hate to
think how many systems around the world are hitting on this and blocking
huge amounts of legitimate mail. I’m very surprised that there isn’t some
sort of automated check that is run against a signature release that
ensures that a signature isn’t matching 0 bytes.

Read more: http://www.ordoh.com/?p=1532#ixzz0c8tEOTWW
Via: OrdOh News

Polonus received three messages through his ISP for this being filtered out:

VIRUS ALERT

Our content checker found
virus: Exploit.PDF-9669

in an email to you from unknown sender:
?ATmail.aboutchat.org
claiming to be: <o.cherrie_sqATcaii-dc.com>

Our internal reference code for your message is 07677-12-3/WIebbT4+1T+7

First upstream SMTP client IP address: [173.11.40.249] mail.aboutchat.org
According to a ‘Received:’ trace, the message originated at: [173.11.40.249],
eqicyafpg mail.aboutchat.org [173.11.40.249]

Return-Path: <o.cherrie_sqATcaii-dc.com>
Message-ID: <1262997183.0897ATcaii-dc.com>
Subject: ED Pills From $34.99. Save up to $420 on ED Pills. Order Online Now!
ovyvtj xo6c
The message has been quarantined as: W/virus-WIebbT4+1T+7

Please contact your system administrator for details.

Can anybody comment from what malcode I was saved - real, FP or what?

polonus

Hi malware fighters,

Ok, some have found the issue.
Looks like it is related to clamav and they are guessing it’s because of an update.
When you edit /opt/zimbra/data/clamav/db/daily.inc/daily.hdb and remove the third-from-last line that reads d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669

This so far has resolved the problem until the next freshclam update.
Older versions of zimbra might have the file in /opt/zimbra/clamav/data/db/daily.inc/daily.hdb

polonus
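The quoted Gossamer Threads post and the Zimbra workaround above both turn on one detail of the ClamAV hash database: a .hdb line is `MD5:FileSize:MalwareName`, and d41d8cd98f00b204e9800998ecf8427e is the MD5 of the empty string, so the entry `d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669` fires on any zero-length input (such as an empty MIME part in an HTML mail). Below is the kind of automated sanity check the poster wished existed, written here as an added example; it is not code from the thread, from ClamAV or from Zimbra. It assumes the documented three-field hdb layout (with `*` accepted as a wildcard size, as newer ClamAV releases allow), and the sample database is constructed for the example, with the EICAR test-file hash as a harmless real entry beside the thread's signature.

```python
import hashlib

# Constructed sample of a ClamAV .hdb (hash-based) database. One signature
# per line, MD5:FileSize:MalwareName. The last line reproduces the signature
# quoted in the thread; the first is the well-known EICAR test file.
SAMPLE_HDB = """\
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
0123456789abcdef0123456789abcdef:4096:Constructed.Sample-1
d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669
"""

# MD5 of zero bytes, computed rather than hard-coded so the check
# cannot drift from the value it is meant to catch.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def parse_hdb(text):
    """Parse hdb text into a list of {line, hash, size, name} dicts.

    Blank lines and '#' comments are skipped; any other malformed line is
    an error, since a release-time check should fail loudly, not guess.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected hash:size:name, got {raw!r}")
        digest, size, name = parts
        if size != "*" and not size.isdigit():
            raise ValueError(f"line {lineno}: size must be an integer or '*'")
        entries.append({"line": lineno, "hash": digest.lower(), "size": size, "name": name})
    return entries


def find_empty_matches(entries):
    """Return the entries that would match a zero-length file.

    Either a declared size of 0 or the empty-string MD5 is enough: a '*'
    wildcard size paired with EMPTY_MD5 also fires on 0-byte input.
    """
    return [e for e in entries if e["size"] == "0" or e["hash"] == EMPTY_MD5]


def check_hdb(text):
    """Human-readable findings for a whole hdb file (empty list = clean)."""
    return [f"{e['name']} (line {e['line']})" for e in find_empty_matches(parse_hdb(text))]


def signatures_hit(entries, data):
    """Which hash signatures fire on the given bytes under hdb semantics:
    the MD5 must match and the size must equal len(data) or be '*'."""
    digest = hashlib.md5(data).hexdigest()
    return [e["name"] for e in entries
            if e["hash"] == digest and e["size"] in ("*", str(len(data)))]


if __name__ == "__main__":
    print("suspect signatures:", check_hdb(SAMPLE_HDB))
    print("hits on empty input:", signatures_hit(parse_hdb(SAMPLE_HDB), b""))
```

Run against a real daily.hdb, `check_hdb` names the offending line so an administrator can confirm what a reported hit actually matched before deciding whether it is an FP, and `signatures_hit` shows directly that the quoted entry fires on an empty body while leaving ordinary content alone.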

OK, useful info you bring here :wink: which email providers are using ClamAV? Zimbra only?

edit: I think someone mentioned Gmail too in the other thread…

edit: the thing is the message you got seems to mention real malware being filtered… ???

One of my e-mail server administrators said this is a valid pdf exploit that is why my server is blocking the e-mails. When I try to send through Outlook the virus attaches the following PDF: “Exploit.pdf-9669” Going to contact Avast! directly about this issue. The ClamAV thing has nothing to do with me or my e-mail servers.

OK this sounds really bad, a French internet provider is affected too:
http://www.actuneuf.com/2010/01/09/1255/incident-reseau-mail-sfr-virus-exploit-pdf-9669/

edit: they say the issue is the AV itself and it’s an FP…

[s]an example with Gmail:
http://www.google.bg/support/forum/p/Google+Mobile/thread?tid=430eec0c5812fe22&hl=en[/s]

error: that was from a forwarded mail that came from another provider.

Hi Logos,

The Zimbra webfilter was hit with the FP this afternoon (12.27 Central European Time) and was fixed in Amsterdam at 16.00 according to my ISP.

polonus

good; I’m wondering who’s gonna be held responsible for this, Zimbra or the AV they integrate in their software…anyway, no “chasse aux sorcières” required…but what a mess ;D