nanog mailing list archives
Re: dealing with w32/bagle
From: Scott Call <scall () devolution com>
Date: Wed, 3 Mar 2004 12:51:17 -0800 (PST)
The clamav team is doing a great job of keeping up to date with the Bagle variants, and they've also deployed a couple of generic signatures which should catch at least some variations as they show up.

As for finding them on the filesystem once delivered, an easy place to start is "support@$domain" where $domain = your local domain. That seems to be the one getting the most spread today that I've seen.

I have to admit at least our users seem to be learning (hit them with a switch (either wooden or 3548) enough and they stop opening everything).

One nice "feature" of the newer Bagle variants is they seem to look up their local domain's MX instead of pulling the MX out of a user's configuration. Since all of our domains are MX'd to a non-relaying, virus scanning server, it's helping us keep our users from spreading the joy.

-S

On Wed, 3 Mar 2004, Dan Hollis wrote:
> I am curious how network operators are dealing with the latest w32/bagle variants which seem particularly evil. Also, does anyone have tools for regexp and purging these mails from unix mailbox (not maildir) mailspool files? E.g. purging these mails after the fact if they were delivered to users' mailboxes before your virus scanner got a database update.
>
> -Dan
--
Scott Call
Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
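A purge tool of the kind Dan asked about, using Scott's "support@$domain" hint, as an added example (not code from either poster): it splits a Unix mbox spool on the "From " envelope lines, drops messages whose From/To/Subject/Return-Path headers match the supplied regexes, and rewrites the file via a temp file and rename. The domain example.com and the sample spool are constructed.

```python
"""Purge messages whose headers match given regexes from a Unix mbox spool."""
import email
import os
import re
# mbox separator: a line beginning "From " (body lines are escaped as ">From " by the MDA).
FROM_LINE = re.compile(r"^From ", re.MULTILINE)
HEADERS = ("From", "Return-Path", "To", "Subject")
# Constructed sample spool (not real mail): one Bagle-style forged message, one legitimate one.
SAMPLE_MBOX = (
    "From bounce@example.net Wed Mar  3 12:00:00 2004\n"
    "From: support@example.com\n"
    "To: alice@example.com\n"
    "Subject: Re: Hello\n\n"
    "See attached.\n\n"
    "From bob@example.org Wed Mar  3 12:05:00 2004\n"
    "From: bob@example.org\n"
    "To: alice@example.com\n"
    "Subject: lunch\n\n"
    "Noon?\n"
)

def compile_patterns(strings):
    """Case-insensitive regexes, e.g. [r"support@example\.com"] for the local domain."""
    return [re.compile(s, re.IGNORECASE) for s in strings]

def split_mbox(text):
    """Split raw mbox text into messages, each starting at its 'From ' envelope line."""
    starts = [m.start() for m in FROM_LINE.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def message_matches(raw, patterns):
    """True if any pattern hits one of the inspected headers (envelope line is skipped)."""
    headers_and_body = raw.split("\n", 1)[1] if "\n" in raw else ""
    msg = email.message_from_string(headers_and_body)
    return any(p.search(msg.get(h, "")) for h in HEADERS for p in patterns)

def purge_mbox_text(text, patterns):
    """Return (cleaned mbox text, number of messages dropped)."""
    kept = [raw for raw in split_mbox(text) if not message_matches(raw, patterns)]
    return "".join(kept), len(split_mbox(text)) - len(kept)

def purge_mbox_file(path, patterns):
    """Rewrite a spool in place. Hold the spool lock (or stop delivery) while this runs."""
    with open(path, encoding="latin-1") as fh:
        cleaned, removed = purge_mbox_text(fh.read(), patterns)
    tmp = path + ".purge.tmp"
    with open(tmp, "w", encoding="latin-1") as fh:
        fh.write(cleaned)
    os.replace(tmp, path)
    return removed
```

Run it against a copy of the spool first, and only with delivery to that spool paused, since the rewrite is not coordinated with the MDA's locking.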