Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: dealing with w32/bagle

  • From: Adam Kujawski
  • Date: Wed Mar 03 16:09:39 2004

Quoting Dan Hollis <>:

> I am curious how network operators are dealing with the latest w32/bagle 
> variants which seem particularly evil.

We are currenly blocking *all* .zip attachments as a short-term work around,
until we can modify our virus scanner to block only password-protected zip
files. If anybody has already modified amavisd-new to act in this way, I would
appreciate a hand. I'm *not* a perl person, and my first attempt at changing the
source code has not had the desired effect.

> Also, does anyone have tools for regexp and purging these mails from unix 
> mailbox (not maildir) mailspool files? Eg purging these mails after the 
> fact if they were delivered to user's mailboxes before your virus scanner 
> got a database update.

It seems that this virus uses a limited number of subject lines:

# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.

There's a script,, that's userful for this. It's available at It can be used
as such:

/usr/local/bin/ -verbose -noreset -subject "[subject of message
containing virus]" /var/mail/*

Of course, this won't work if/when the virus starts sending out emails with
randomized subjects. Let's hope the that the author isn't reading NANOG. :)


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.