Instructions for identifying infected emails

Discussions relating to ClamXav

Moderator: Mark

Postby smkolins » Sat 20 May 2006 4:16 pm

My guess is that the code isn't in the visible format. Most documents have formatting for how things appear - and things not fitting into the formats don't show up (or show up weird.) It's kind of like bad html coding - weird things show at the edges or don't appear at all.

If that's the case I can think of a way maybe....

ClamXav is reporting an individual file as infected. OK. What you need is an ASCII file view - not one processed with coding (but still lets you search.) TextEdit might do the trick - you have to set it to ignore formatting like html and rtf. It's in the preferences. Then you can open the infected file with TextEdit (drag it onto TextEdit with the mail email program not running) and search for the string you are looking for. Then look for readable text nearby. Then quit and go back to the way you were looking before and search for that readable text and delete that email. Don't delete with TextEdit as it may corrupt the email database.

An alternative to TextEdit might be TextWrangler - it's very good and free!
Posts: 768
Joined: Thu 07 Jul 2005 10:32 pm
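
An added example, not part of the original thread or of ClamXav: the manual search described above, scripted for a plain mbox file so that each hit is reported with its Date and Subject. It also searches the decoded MIME parts, because a body stored as base64 or quoted-printable never shows the signature text in a raw text-editor view. Assumptions: the function names are hypothetical, the signature and sample messages are constructed for illustration (not taken from the ClamAV database), and only plain hex bytes, `??`, `*` and `{n}`/`{n-m}` gaps are handled.

```python
import mailbox, os, re, tempfile
from email.message import EmailMessage

TOKEN = r"\{\d*-?\d*\}|\*|\?\?|[0-9a-fA-F]{2}"
WILD = {"*": b".*?", "??": b"."}
# Constructed signature (not a real ClamAV entry): two text runs with a 1-10 byte gap.
SAMPLE_SIG = b"body bgcolor=".hex() + "{1-10}" + b"text=ffffff".hex()

def sig_to_regex(hex_sig):
    """Turn a hex signature body into a bytes regex (hex bytes, ??, *, {n}, {n-m})."""
    if not re.fullmatch("(?:%s)+" % TOKEN, hex_sig):
        raise ValueError("unsupported signature syntax")
    out = []
    for tok in re.findall(TOKEN, hex_sig):
        if tok in WILD:
            out.append(WILD[tok])
        elif tok[0] == "{":                      # {n} or {n-m} byte gap
            out.append(b".{" + tok[1:-1].replace("-", ",").encode() + b"}")
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    # Assumption of this sketch: match case-insensitively, since mail HTML varies in case.
    return re.compile(b"".join(out), re.DOTALL | re.IGNORECASE)

def find_in_mbox(path, hex_sig):
    """Return (index, Date, Subject) for every message whose raw or decoded bytes match."""
    rx, hits = sig_to_regex(hex_sig), []
    box = mailbox.mbox(path, create=False)
    for i, msg in enumerate(box):
        blobs = [msg.as_bytes()]                 # what a text editor would show
        blobs += [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
        if any(rx.search(b) for b in blobs):
            hits.append((i, msg["Date"], msg["Subject"]))
    box.close()
    return hits

def build_sample_mbox(path):
    """Constructed sample data: one plain message, one HTML message stored as base64."""
    box = mailbox.mbox(path)
    for subj, body, sub, cte in [("Lunch?", "See you at noon.", "plain", None),
            ("Verify your account", "<BODY bgcolor=#FFFFFF text=ffffff>click</BODY>", "html", "base64")]:
        m = EmailMessage()
        m["From"], m["Subject"], m["Date"] = "a@example.com", subj, "Sat, 12 Aug 2006 18:35:00 +0000"
        m.set_content(body, subtype=sub, cte=cte)
        box.add(m)
    box.close()

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "sample.mbox")
    build_sample_mbox(path)
    print(find_in_mbox(path, SAMPLE_SIG))
```

Any message still physically present in the mbox file is reported, whether or not the mail client still lists it.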

HTML.Phishing.Pay-179 FOUND

Postby paddy » Sun 06 Aug 2006 9:35 pm

On August the 6th I got the message from clamXav that the "HTML.Phishing.Pay-179" virus was found in one of my emails from PayPal. Following the instruction above re: searching the ClamAv database and converting the hex code to ascii I got the following result:

get verified and help increase the security of your paypal transactions for yourself and for everyone with whom you?#?FV???????V?C??????7G&?

Searching for the text in the PayPal emails indicates this text appears in receipts for 3 items I had bought over eBay, one in October, 2004 and two in September, 2005. Prior to August 6th, I had not been notified that there was anything wrong with any of these emails.

1. Has the database been recently updated to recognize this virus? (This seems like a long time for a virus to be floating around before being recognized.)

2. Could this be a false positive?

Thanks in advance for any suggestions or thoughts.

Posts: 8
Joined: Sat 28 May 2005 9:46 pm

Postby capitolfax » Sat 12 Aug 2006 6:35 pm

I had a problem with my Mac crashing (the screen of death appeared three times in one day) so I downloaded your software. A scan produced a hit (HTML.Phishing.Bank-598) and gave me the file name that was infected (INBOX.mbox/Messages/60973.emlx).

So, I looked for the file name via Spotlight and couldn't find anything. I opened Finder and looked in the directory where ClamXav said the file resided and also couldn't find anything.

I deleted every possible suspect e-mail that remained in my inbox, ran the scan again and got the same result, HTML.Phishing.Bank-598, in the same file, 60973.emlx, which doesn't appear to exist.

Then, I used your method suggested in this thread.

I got a "hit" which was partially, ?ody bgcolor=#ffffff text=ffffff so I searched for that as well as the full result in both my Email search (all mailboxes, entire message) and in Spotlight and couldn't find anything.

I ran Norton Anti-Virus and came up with no viruses found. Any clues as to what's going on?

(I'm running 10.4.7 with all known updates loaded on my G5 3.1)
Posts: 2
Joined: Sat 12 Aug 2006 6:26 pm

Postby danco » Sun 13 Aug 2006 7:09 am

My mail program is Eudora. When Clam revealed a phishing exploit, and I had identified the infected mail, deleting it was not enough to prevent it showing up, even after I had quit Eudora and restarted it. I had to compact the mailbox to get rid of it. Evidently deletion did not remove the message itself, but just prevented it appearing in the list.
Posts: 116
Joined: Sun 19 Feb 2006 10:37 pm

Postby capitolfax » Sun 13 Aug 2006 7:20 pm

Danco gave me an idea that solved my problem.

Under the "Mailbox" pulldown in Mac's Mail program is a selection entitled "Rebuild." It must be the same as "compress" because it worked.

Thanks, Danco.
Posts: 2
Joined: Sat 12 Aug 2006 6:26 pm

identifying emails in OSX's Mail mbox

Postby lepews » Wed 16 Aug 2006 6:19 am


I just downloaded and ran your excellent ClamXav software.

Upon scanning my User's folder, ClamXav found a number of worms and other nasties - all in my emails.

Unfortunately, although the folder location is clearly indicated, the emails in question are identified as numbers only, and I can't seem to be able to match these numbers to the actual email messages infected.

Am I missing something, or could the emails infected be more clearly identified by ClamXav, maybe by subject line, or even better by date/time?

Thanks in advance,

Posts: 1
Joined: Wed 16 Aug 2006 6:15 am
Location: USA


Postby RUAdmin » Fri 22 Sep 2006 1:26 pm

Yes, there's GOT to be a better way. I've deleted every possible email with an attachment, yet it still finds a macro virus. I've used "REBUILD" on every mail folder in Apple Mail, yet it STILL keeps finding the same macro virus.

Neither TextEdit, BBEdit, nor any other program can open any of the .mbox files and I see no way in Apple Mail to export these to try another way to isolate the annoyance.

I figured out that the .mbox files are a sick Apple joke and once inside these "package" files I can get to the real mbox file, but even though text editors can open them, there is NO TRACE of the signature that ClamXav insists it is finding (I tried finding the HEX and the ASCII; part and all). I tried the content_index and table_of_contents and even the EMPTY .index.ready file all to no avail! If it's not there, then how in heck is ClamXav finding anything?!?!

This is in Panther Mail.

Posts: 64
Joined: Thu 04 May 2006 12:32 pm

Postby erskine » Tue 14 Nov 2006 5:16 pm

I'm finding this with Entourage. The MS database is giving a positive scan but there is no trace of any infected email in Entourage. From tracing the HTML phish - HTML.Phishing.Bank-847 I recognise that this was an email that I received some weeks ago - and did not realise that it was a spoof! So I know that it did exist. However, I cannot now trace it in the mailbox. I have tried pulling the mail files out into a separate folder and running the scan across it but it does not find anything while still returning a positive result on the MS database file. Recreating the database and adding the mails back to the mail box returns a clear scan. I assume that the original data is not deleted when the mail is trashed in Entourage, only the directory structure is obscured in a similar way to the trash/delete function for any file. ClamXAV must be finding the 'deleted' mail.

If this is so, does anyone have any idea how I can recover this deleted mail as I really need to follow up the action that I have taken on the spoof mail.
Posts: 17
Joined: Mon 13 Nov 2006 2:42 pm
Location: Scotland

Wheeere's the infected file?

Postby evanonearth » Wed 22 Nov 2006 7:21 am

This seems to be a persistent topic on these threads that I can't find a suitable answer for. I ran a scan, detected Phishing.Pay-135, ran that name to get the hex code, translated that to ASCII, searched the mailbox to no avail, deleted any file under suspicion, rebuilt the mailbox (OSX10.3.9), and still get a positive on that file when I rescan. I notice others having this issue as well. Does anyone (Mark?) have the straight answer on why this is? Also, are these files representing a risk to my data or security if I don't open them? I know now that anything coming from PayPal or Ebay on this account is bogus so I've set my email rules to delete them automatically.

Here's a tip: I see a lot of people having trouble with the database for converting the virus name to hex code. Try deselecting the daily option. Worked for me.
Posts: 2
Joined: Wed 22 Nov 2006 6:29 am

ClamAV Virus Database Search Tip

Postby evanonearth » Wed 22 Nov 2006 7:24 am

Getting 0 results? Try deselecting the 'daily' option in the search criteria. Worked for me.
Posts: 2
Joined: Wed 22 Nov 2006 6:29 am

Postby erskine » Wed 22 Nov 2006 7:19 pm

A kinda side topic. If you want to avoid phishing sites (careful how you say that!), have a look at OpenDNS.

It seems to provide some sort of security.
Posts: 17
Joined: Mon 13 Nov 2006 2:42 pm
Location: Scotland

In our case...

Postby RUAdmin » Wed 29 Nov 2006 8:24 pm

We finally deleted a LOT of emails and eventually it stopped being found by ClamXav. Apparently it was there somewhere, but the method for searching the ASCII is apparently not foolproof (as in 100%, not as in I'm a fool and couldn't get it to help me - I hope!).
Posts: 64
Joined: Thu 04 May 2006 12:32 pm

ClamXav virus database

Postby dkg2u » Sun 10 Dec 2006 2:47 am

I followed the instructions in your post about finding a virus on the database and deciphering it. ClamXav 2.2 has identified 3 viruses in emails, but when I paste them into the recommended site, no results are found.
Please advise.
Posts: 2
Joined: Sun 10 Dec 2006 2:41 am

Re: ClamXav virus database

Postby Mark » Mon 11 Dec 2006 1:28 pm

dkg2u wrote:....ClamXav 2.2....

Version 2.2? Cool, can I have a copy - I'd love to know what it's going to look like! :wink:

...identified 3 viruses in emails, but when I paste them into the recommended site, no results are found.

What were the viruses?
Site Admin
Posts: 1458
Joined: Sat 28 May 2005 9:46 pm
Location: Edinburgh, Scotland

ClamXav virus database

Postby dkg2u » Mon 11 Dec 2006 2:48 pm

Good News,

These are the two infections I had in my MAIL .mbox


I was able to identify the virus found in two mailboxes by deselecting daily and searching MAIN database only.

However, I was unable to decipher the third, "worm.sober.u-3" virus using the Hex to ASCII converter. I'm not sure I had the right data stream. This virus may have been imbedded in HTML images???

I deleted and erased all emails in MAIL application that seemed suspicious. I hope that is all I need to do to eradicate the viruses.

I ran MacScan, but no spyware was detected. Are these viruses capable of launching spyware???

Thanks very much.

Posts: 2
Joined: Sun 10 Dec 2006 2:41 am

