nanog mailing list archives
Re: dealing with w32/bagle
From: Adam Kujawski <adamkuj () amplex net>
Date: Wed, 3 Mar 2004 15:57:10 -0500
Quoting Dan Hollis <goemon () anime net>:
> I am curious how network operators are dealing with the latest w32/bagle variants which seem particularly evil.
>
> We are currently blocking *all* .zip attachments as a short-term work around, until we can modify our virus scanner to block only password-protected zip files. If anybody has already modified amavisd-new to act in this way, I would appreciate a hand. I'm *not* a perl person, and my first attempt at changing the source code has not had the desired effect.
>
> Also, does anyone have tools for regexp and purging these mails from unix mailbox (not maildir) mailspool files? Eg purging these mails after the fact if they were delivered to user's mailboxes before your virus scanner got a database update.
It seems that this virus uses a limited number of subject lines:

# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.

There's a script, expire_mail.pl, that's useful for this. It's available at http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used as such:

/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message containing virus]" /var/mail/*

Of course, this won't work if/when the virus starts sending out emails with randomized subjects. Let's hope that the author isn't reading NANOG. :)

-Adam
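The after-the-fact purge described in the reply, as an added Python example that is not from the thread and not expire_mail.pl itself: it walks a Unix mbox spool with the standard mailbox module, deletes every message whose Subject matches the Bagle subject lines listed above, and runs against a constructed sample spool (the path and addresses are made up).

```python
import mailbox
import os
import re
import tempfile

# The Bagle subject lines quoted in the post, as one anchored regex.
BAGLE_SUBJECT = re.compile(
    r"^(E-mail account (disabling|security) warning|"
    r"Email account utilization warning|"
    r"Important notify about your e-mail account|"
    r"Notify about (using the e-mail account|your e-mail account utilization)|"
    r"Warning about your e-mail account)\.?$",
    re.IGNORECASE,
)


def purge_mbox(path: str) -> int:
    """Delete messages in the mbox at `path` whose Subject matches BAGLE_SUBJECT.
    Locks the spool while rewriting it, since the MDA may be appending to it.
    Returns the number of messages removed."""
    box = mailbox.mbox(path)
    box.lock()
    try:
        doomed = [key for key, msg in box.items()
                  if BAGLE_SUBJECT.match((msg["Subject"] or "").strip())]
        for key in doomed:
            box.remove(key)
        box.flush()  # rewrite the spool without the removed messages
    finally:
        box.close()  # also releases the lock
    return len(doomed)


def build_sample_mbox(path: str) -> None:
    """Constructed sample spool: two Bagle-style subjects and one legitimate mail."""
    box = mailbox.mbox(path)
    for subject in ("E-mail account security warning", "Re: lunch on Friday?",
                    "Notify about your e-mail account utilization."):
        msg = mailbox.mboxMessage()
        msg["From"] = "sender@example.invalid"  # constructed address
        msg["To"] = "user@example.invalid"      # constructed address
        msg["Subject"] = subject
        msg.set_payload("constructed body\n")
        box.add(msg)
    box.close()  # close() flushes the pending adds


def demo() -> tuple:
    """Purge a temporary constructed spool; returns (removed, subjects_left)."""
    path = os.path.join(tempfile.mkdtemp(), "user")  # hypothetical spool path
    build_sample_mbox(path)
    removed = purge_mbox(path)
    return removed, [m["Subject"] for m in mailbox.mbox(path)]
```

As the reply notes, a fixed subject list stops working once the worm randomizes subjects, so a spool purge is a stopgap beside the scanner update.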