North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: dealing with w32/bagle
- From: Adam Kujawski
- Date: Wed Mar 03 16:09:39 2004
Quoting Dan Hollis <email@example.com>:
> I am curious how network operators are dealing with the latest w32/bagle
> variants which seem particularly evil.
We are currenly blocking *all* .zip attachments as a short-term work around,
until we can modify our virus scanner to block only password-protected zip
files. If anybody has already modified amavisd-new to act in this way, I would
appreciate a hand. I'm *not* a perl person, and my first attempt at changing the
source code has not had the desired effect.
> Also, does anyone have tools for regexp and purging these mails from unix
> mailbox (not maildir) mailspool files? Eg purging these mails after the
> fact if they were delivered to user's mailboxes before your virus scanner
> got a database update.
It seems that this virus uses a limited number of subject lines:
# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.
There's a script, expire_mail.pl, that's userful for this. It's available at
http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used
/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message
containing virus]" /var/mail/*
Of course, this won't work if/when the virus starts sending out emails with
randomized subjects. Let's hope the that the author isn't reading NANOG. :)