Thank you Edward, It looks like the newer version of Clam do indeed find it. Now to look up cleaning instructions, I have a few users that I didn't warn in time. The output is as follows: ClamAV Version running: ClamAV 0.87.1/1254/Fri Jan 27 18:22:39 2006 ClamAV scans the file ... Clamav-Output: /tmp/php8xhSKX: Trojan.Brepibot.L FOUND And found something: Trojan.Brepibot.L Since clamav already recognizes the content you submitted there is no reason to resubmit it. /----------------------------------------- | Bryan Murphy, CISSP | Information Technology Coordinator | MSU Plant Research Lab and Plant Biology | http://infotech.prl.msu.edu \----------------------------------------- -----------[ 1/27/06 1:29 PM [log in to unmask] ]-------------- > > Bryan, > > This is definitely a virus. It was just recently added to ClamAV virus > definitions as Trojan.Brepibot.L, BehavesLike:Win32.IRC-Backdoor > (Bitdefender). > > Looks to be a variant of this virus from November. > "A backdoor Trojan that is remotely controlled via Internet Relay Chat > (IRC). It exploits Sony BMG Digital Rights Management (DRM) software to hide > its presence." > > The mail.msu.edu system is catching these now as of around 1pm. If anyone > would like to help out with updates to ClamAV, we first try the online > scanner to make sure there's nothing wrong with our version of ClamAV: > http://test-clamav.power-netz.de/ > > and if the online scanner doesn't detect the file/message as a virus we then > submit the sample at: http://cgi.clamav.net/sendvirus.cgi (all links from > the main www.clamav.net webpage) > > You can also send possible virus samples to [log in to unmask] if you'd rather > have us look at the virus and submit it to ClamAV. > > -Ed >