This seemed to be a bit of a puzzler at first glance, so I popped over to consult the experts in AVI-EWS, and they pointed out a few things that might cause this sort of a problem.
The first thing to consider is that since you are using two different scanners, it is not uncommon for one to detect a file as suspicious (or infected) when another has not. This is why most people use more than one scanner -- to achieve an overlap of detection coverage.
The second thing to determine is if the files being flagged as infected are, in fact, infected. The best way to do this is to send samples to both vendors involved. There are likely to be three possible responses:
With Bugbear-B, many vendors have been seeing more damaged samples than functioning infected files. In some cases the executables have been truncated with the end being replaced with the key log information. In other cases the key log file (with an .EXE, .SCR or .PIF extension) is being mailed.
You should seriously consider blocking all files with those extensions, as well as any others that may carry infections.
Another issue that might be at play here involves how a worm might use its SMTP engines to talk directly to the secondary MX (Mail Exchange) servers at your location. In other words, it may be possible that the worm somehow has been getting the IP address of the servers inside your network and then connecting to them directly, bypassing the gateways.
It is recommended that if you aren't blocking port 25 from the Internet to all addresses except the gateways, you should do that immediately.
I hope this helps you solve the problem.
For more info on this topic, check out these SearchSecurity.com resources:
This was first published in June 2003