dealing with w32/bagle
Adam Kujawski
adamkuj at amplex.net
Wed Mar 3 20:57:10 UTC 2004
Quoting Dan Hollis <goemon at anime.net>:
>
> I am curious how network operators are dealing with the latest w32/bagle
> variants which seem particularly evil.
We are currenly blocking *all* .zip attachments as a short-term work around,
until we can modify our virus scanner to block only password-protected zip
files. If anybody has already modified amavisd-new to act in this way, I would
appreciate a hand. I'm *not* a perl person, and my first attempt at changing the
source code has not had the desired effect.
> Also, does anyone have tools for regexp and purging these mails from unix
> mailbox (not maildir) mailspool files? Eg purging these mails after the
> fact if they were delivered to user's mailboxes before your virus scanner
> got a database update.
It seems that this virus uses a limited number of subject lines:
# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.
There's a script, expire_mail.pl, that's userful for this. It's available at
http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used
as such:
/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message
containing virus]" /var/mail/*
Of course, this won't work if/when the virus starts sending out emails with
randomized subjects. Let's hope the that the author isn't reading NANOG. :)
-Adam
More information about the NANOG
mailing list