nanog mailing list archives

Re: dealing with w32/bagle


From: Scott Call <scall () devolution com>
Date: Wed, 3 Mar 2004 12:51:17 -0800 (PST)


The clamav team is doing a great job of keeping up to date with the Bagle
variants, and they've also deployed a couple of generic signatures which
should catch at least some variations as they show up.

As for finding them on the filesystem once delivered, an easy place to
start is "support@$domain" where $domain = your local domain.  That seems
to be the one getting the most spread today that I've seen.

I have to admit at least our users seem to be learning (hit them with a
switch (either wooden or 3548) enough and they stop opening everything).

One nice "feature" of the newer Bagle variants is they seem to look up
their local domain's MX instead of pulling the MX out of a user's
configuration.  Since all of our domains are MX'd to a non-relaying, virus
scanning server, it's helping us keep our users from spreading the joy.

-S


On Wed, 3 Mar 2004, Dan Hollis wrote:


I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.

Also, does anyone have tools for regexp and purging these mails from unix
mailbox (not maildir) mailspool files? Eg purging these mails after the
fact if they were delivered to user's mailboxes before your virus scanner
got a database update.

-Dan








-- 
Scott Call      Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
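Dan's question about regexp-purging these mails from a unix mbox spool after the fact, and Scott's pointer that the local support@$domain sender is an easy place to start, as an added example that is not part of the thread or either poster's tooling: a small Python filter that splits a spool on its "From " envelope lines, parses each message, and drops the ones whose From: address or attachment filename matches a regexp. The function names (split_mbox, purge_mbox) and the sample spool are my own constructions; example.com stands in for "your local domain".

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed sample spool (not real mail). Two messages come from
# "support@" at the local domain, the sender Scott mentions; one of those
# carries a .zip attachment. The third is ordinary mail whose body contains
# a quoted ">From " line, which must survive the split untouched.
SAMPLE_MBOX = """From support@example.com Wed Mar  3 12:00:00 2004
From: support@example.com
To: alice@example.com
Subject: Account notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account will be closed.
--b1
Content-Type: application/zip; name="notify.zip"
Content-Disposition: attachment; filename="notify.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--

From bob@example.org Wed Mar  3 12:05:00 2004
From: bob@example.org
To: alice@example.com
Subject: lunch?

>From the new place on 3rd street? Noon works for me.

From support@example.com Wed Mar  3 12:10:00 2004
From: support@example.com
To: alice@example.com
Subject: Re: hello

Hi, see attached.
"""


def split_mbox(text: str) -> List[str]:
    """Split a spool into raw per-message chunks at 'From ' envelope lines.

    mbox quotes body lines that begin with 'From ' as '>From ', so a line
    starting with 'From ' (space, not the 'From:' header) is an envelope
    line. Each chunk keeps its envelope line and trailing blank line, so
    concatenating the survivors yields a valid spool again.
    """
    parts = re.split(r"^(?=From )", text, flags=re.MULTILINE)
    return [chunk for chunk in parts if chunk.strip()]


def matches(msg: Message, sender_re: Optional[re.Pattern],
            attachment_re: Optional[re.Pattern]) -> bool:
    """True if the From: address or any attachment filename matches."""
    if sender_re is not None:
        address = parseaddr(msg.get("From", ""))[1]
        if sender_re.search(address):
            return True
    if attachment_re is not None:
        for part in msg.walk():  # yields the message itself plus every MIME part
            name = part.get_filename()
            if name and attachment_re.search(name):
                return True
    return False


def purge_mbox(text: str, sender_pattern: Optional[str] = None,
               attachment_pattern: Optional[str] = None) -> Tuple[str, int]:
    """Return (cleaned_spool, removed_count).

    Patterns are regexps applied case-insensitively to the From: address
    and to attachment filenames; a message matching either is dropped.
    """
    sender_re = re.compile(sender_pattern, re.IGNORECASE) if sender_pattern else None
    attachment_re = re.compile(attachment_pattern, re.IGNORECASE) if attachment_pattern else None
    kept, removed = [], 0
    for chunk in split_mbox(text):
        # Strip the envelope line; what remains is an RFC 822 message.
        _envelope, _, rfc822 = chunk.partition("\n")
        if matches(message_from_string(rfc822), sender_re, attachment_re):
            removed += 1
        else:
            kept.append(chunk)
    return "".join(kept), removed


if __name__ == "__main__":
    cleaned, count = purge_mbox(SAMPLE_MBOX, sender_pattern=r"^support@example\.com$")
    print(f"removed {count} message(s), {len(split_mbox(cleaned))} left")
```

Run it against a copy of the spool with delivery to that mailbox paused (or holding the same lock your MDA uses), because mbox delivery appends in place and a message landing mid-rewrite would be lost; diff the result against the original before swapping it in. The filename pattern is a convenience for mail that already got through, not a substitute for the scanner signatures.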

