SMTP server reporting outgoing message contains virus Email_Phishing_VOF1-6344278-0

by muiz » Fri Jan 19, 2018 8:49 pm
I'm running Mac OS X Sierra (10.12.6). Have Intego X9 Internet Security as my virus/malware protection, with RealTime scanning of all downloaded files, and incoming email attachments. Malware definitions are up to date as of today (Jan 19).

Downloaded a WordPress plugin, and afterwards tried to email the downloaded .zip file to a client. Attached the zip file to a message, with OS X Sierra's AppleMail, and sent it. Got an AppleMail error saying "Sending the message content to the server failed. The server response was: message contains virus: Email.Phishing.VOF1-6344278-0".
1-AppleMail SMTP Server Error Message.jpg
Worried that something may have been missed by Intego VirusBarrier RealTime scanner during the download of the zip file, I immediately used the Intego VirusBarrier manual scan to test the zip file ... Intego didn't report any viral/malware infection of the file.

Called Sonic Tech Support. To rule out the possibility of some weird problem within AppleMail, on the advice of the Sonic tech support rep, I tried sending the file using Sonic Webmail instead of AppleMail, and got the same error message. See attachments 1 and 2 for screenshots of the 2 different SMTP server error messages ... each saying the same thing: message not sent - file contains Email.Phishing.VOF1-6344278-0.
2-Sonic Webmail SMTP Error Msg.jpg
Also tried Kaspersky's online virus scan for individual files, fearing that the alleged virus might not be in Intego's malware database -- again the zip file is reported virus free.
3-Kaspersky Online Scan.png
Have emailed the zip file to Intego for investigation by loading it into an encrypted sparseimage.

Wondering 1: if the file is really infected, and if so why VirusBarrier isn't finding it; and 2: Where the SMTP server is getting the exact virus name, as doing an internet search for that name doesn't turn it up at any of the big anti-malware companies.

Thanks,

Muiz
by joemuller » Wed Jan 24, 2018 11:51 am
muiz wrote: Called Sonic Tech Support. To rule out the possibility of some weird problem within AppleMail, on the advice of the Sonic tech support rep, I tried sending the file using Sonic Webmail instead of AppleMail, and got the same error message. See attachments 1 and 2 for screenshots of the 2 different SMTP server error messages ... each saying the same thing: message not sent - file contains Email.Phishing.VOF1-6344278-0.
...
Wondering 1: if the file is really infected, and if so why VirusBarrier isn't finding it; and 2: Where the SMTP server is getting the exact virus name, as doing an internet search for that name doesn't turn it up at any of the big anti-malware companies.
Let me first address question #2 - the particular virus name is coming from ClamAV Antivirus (per this thread, the virus signature first appeared on Oct 11, 2017). For some attachments, Sonic's mail servers check attachments in outbound emails via a local installation of ClamAV.

On the first question, I recommend checking out the 'Other Malware Tools' link at GotPhish.com, specifically Sekoia Dropper Analysis. It's certainly possible that you experienced a false-positive, but I would recommend downloading a fresh copy of the plugin from WordPress here. If you're handy with the Terminal on OSX, you may want to try running shasum against both files to see if they match.
I'm a proud employee of Sonic.net! :-)
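
Added example, not part of the original thread: the shasum check suggested in the reply compares whole archives, which also differ when identical files are simply re-zipped. This Python script goes one step further and hashes every file inside both zips to report which members were added, missing, or changed; the archives and file names in it are constructed sample input, and `build_zip` is a helper introduced only for this illustration.

```python
import hashlib
import io
import zipfile


def member_hashes(zip_source):
    """Map each file in the archive to the SHA-256 of its uncompressed content."""
    hashes = {}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as member:
                # Stream in chunks so large members are not loaded whole.
                for chunk in iter(lambda: member.read(65536), b""):
                    digest.update(chunk)
            hashes[info.filename] = digest.hexdigest()
    return hashes


def compare_archives(suspect, reference):
    """Report files added, missing, or changed in `suspect` versus `reference`."""
    s, r = member_hashes(suspect), member_hashes(reference)
    return {
        "added": sorted(set(s) - set(r)),
        "missing": sorted(set(r) - set(s)),
        "changed": sorted(n for n in set(s) & set(r) if s[n] != r[n]),
    }


def build_zip(files, compression=zipfile.ZIP_DEFLATED):
    """Constructed sample input: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed stand-ins for the fresh download and the copy that was flagged.
    fresh = build_zip({"plugin/plugin.php": b"<?php // v1\n",
                       "plugin/readme.txt": b"docs\n"})
    flagged = build_zip({"plugin/plugin.php": b"<?php // v1 edited\n",
                         "plugin/readme.txt": b"docs\n",
                         "plugin/extra.html": b"<html></html>\n"})
    print(compare_archives(flagged, fresh))
```

`compare_archives` also accepts file paths, so it can be pointed at the two downloaded .zip files directly.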