Hya,

The other day, I downloaded a mail archive (text file, almost 150000 lines).

When it was scanned by clamscan, Worm.Bagle.AT shows up.

Web search says that Worm.Bagle comes as mail attachment.

So, I tried to identify where worm is.

Step 1. spilt into small files.Step 2. which part worm resides.Then the worm is gone. ???

T thought that worm was cut by split command, so I used different size fraction, then result is same.

I am totally lost.

Can anybody please explain this situation?

Hi -

The worm was probably never a threat to your Linux system.

It's carried in the payload of your e-mail, which is in the MIME attachement. MIME is uuencoded; the payload are some files which are in turn encoded in a .zip file.

You can get details about a similar worm here:
http://www.cromwell-intl.com/securit...e/bagel.z.html

'Hope that helps

Bagle.A is a worm without destructive effects that spreads via e-mail in a message with the subject Hi and an attached file with a name that consists of several random characters and has an EXE extension. Bagle.A attempts to connect to several web pages through the port 6777, in order to update itself and make an inventory of the affected users. However, these web pages have been disabled. In addition, it has code that allows it to download files from the Internet and run them on the affected computer.So do not hesitate to remove it from your computer!
Maybe you can get some help here: http://www.instantspywareremoval.com

Hya,

Thank you for your replies.

The reason clamscan did not detect worm in fragmented files might be:
Fragmented files do not look like mail archive (do not start with From line).

I cut that archive into 2300+ pieces at every "From ..." line, I know where worm resides in that archive, it is exterminated.

Happy Penguins!