[clamav-users] Malware in an Icedove profile of mine cannot be located

amenex at amenex.com amenex at amenex.com
Wed Aug 19 15:06:17 EDT 2015


Solved! It's not a ClamAV problem after all. It's a Mozilla bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=209501

The 12/31/1969-dated phantom emails are generated when (in my case at
least) voids (two end-of-message characters in a row?) are created
when the search function is used in Thunderbird (or Icedove) to find
target emails in one folder and then move them to another folder. The
move also deletes those emails from the source folder, but that leaves
voids, and when Mozilla comes back to see if it made the moves of
those selected emails successfully, it finds a number of blanks in
their place, which it proceeds to move again to the destination folder
as though it had missed them in the first select & move operation.
When I have a lot of emails to move all at once (tens to thousands)
then the process repeats a number of times, and Mozilla records a
count of X*(N-1) emails moved. The subsequent passes in this process
go by with bigger and bigger "gulps" of emails (after all, they're
blank!)

There's no getting around this, because the search results popup in  
Thunderbird has no copy mechanism that otherwise would allow one to  
move the emails from the search results in a manual two-step process:  
Copy and then delete.

When those 12/31/1969-dated phantoms are later searched out in the  
file structure (one per destination folder is what is always found)  
and deleted, the trash folder only displays one phantom  
12/31/1969-dated remnant.

The generation of these phantoms is also associated with password
changes recorded in emails received and moved to file folders. A
search on the Internet for "password 12/31/1969" reveals that
12/31/1969 is the zero date for the Linux perpetual calendar, and that
this has been exploited by admins to set passwords by some sort of
sleight-of-hand:

http://www.codejourneymen.com/content/adding-admin-user-drupal-site-without-overwriting-admin-user
https://books.google.com/books?id=tj0-8ctawTsC&pg=PA108&lpg=PA108&dq=password+12/31/1969#v=onepage&q=password%2012%2F31%2F1969&f=false
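
As an added illustration (not part of the original post, and not ClamAV or Mozilla code), the Python sketch below scans mbox text for entries a mail client cannot date, which is one way to locate such phantoms on disk, and shows why a timestamp of 0 displays as 12/31/1969 west of UTC. It assumes the voids appear as "From " separator lines with nothing after them; the sample mailbox is constructed and the function names are hypothetical.

```python
import email
from datetime import datetime, timedelta, timezone

# Constructed sample: two real messages and two empty "voids" (assumed shape).
SAMPLE_MBOX = """\
From - Wed Aug 19 10:00:00 2015
Date: Wed, 19 Aug 2015 10:00:00 -0400
From: alice@example.com

body one

From - Wed Aug 19 10:05:00 2015

From - Wed Aug 19 10:06:00 2015

From - Wed Aug 19 10:07:00 2015
Date: Wed, 19 Aug 2015 10:07:00 -0400
From: bob@example.com

body two
"""

def split_mbox(text):
    """Yield (start_line, raw_message) for each 'From ' separated entry."""
    start, buf = None, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("From "):  # separator line, not a "From:" header
            if start is not None:
                yield start, "\n".join(buf)
            start, buf = n, []
        elif start is not None:
            buf.append(line)
    if start is not None:
        yield start, "\n".join(buf)

def find_phantoms(text):
    """Return (start_line, reason) for entries that carry no usable date."""
    hits = []
    for start, raw in split_mbox(text):
        if not raw.strip():
            hits.append((start, "empty entry"))
        elif email.message_from_string(raw)["Date"] is None:
            hits.append((start, "no Date header"))
    return hits

def epoch_zero_local(utc_offset_hours):
    """Calendar date of Unix timestamp 0 at the given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(0, tz).strftime("%m/%d/%Y")
```

To check a real folder, read the mbox file from the profile's mail directory as text and pass it to `find_phantoms`; the reported line numbers point at the separator lines of the undated entries.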



