nanog mailing list archives

Re: dealing with w32/bagle


From: Adam Kujawski <adamkuj () amplex net>
Date: Wed, 3 Mar 2004 15:57:10 -0500


Quoting Dan Hollis <goemon () anime net>:


> I am curious how network operators are dealing with the latest w32/bagle
> variants which seem particularly evil.

We are currently blocking *all* .zip attachments as a short-term workaround,
until we can modify our virus scanner to block only password-protected zip
files. If anybody has already modified amavisd-new to act in this way, I would
appreciate a hand. I'm *not* a perl person, and my first attempt at changing the
source code has not had the desired effect.

> Also, does anyone have tools for regexp and purging these mails from unix
> mailbox (not maildir) mailspool files? E.g. purging these mails after the
> fact if they were delivered to user's mailboxes before your virus scanner
> got a database update.

It seems that this virus uses a limited number of subject lines:

# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.

There's a script, expire_mail.pl, that's useful for this. It's available at
http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used
as such:

/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message
containing virus]" /var/mail/*

Of course, this won't work if/when the virus starts sending out emails with
randomized subjects. Let's hope that the author isn't reading NANOG. :)

-Adam
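The subject-based purge Adam describes, combined with the "only password-protected zips" rule Dan wanted from his scanner, as an added Python example that is not part of this thread or of expire_mail.pl: it walks an mbox spool, drops messages whose Subject is one of the lines listed above or that carry a .zip attachment whose local-file header has the encryption bit set, and returns how many it removed. Assumptions: Python 3's standard mailbox and email modules; the spool built by build_sample_spool is constructed for the demo, not real traffic.

```python
import mailbox
import tempfile
from email.mime.application import MIMEApplication
from email.mime.text import MIMEText

BAGLE_SUBJECTS = {  # subject lines the post lists for this variant, lower-cased for matching
    "e-mail account disabling warning.", "e-mail account security warning.", "email account utilization warning.",
    "important notify about your e-mail account.", "notify about using the e-mail account.",
    "notify about your e-mail account utilization.", "warning about your e-mail account.",
}

def zip_is_encrypted(data: bytes) -> bool:
    # ZIP local file header: "PK\3\4", 2-byte version, 2-byte general-purpose flags; bit 0 = password protected
    return data[:4] == b"PK\x03\x04" and bool(int.from_bytes(data[6:8], "little") & 0x0001)

def looks_like_bagle(msg) -> bool:
    # Match on a known subject line, or on any password-protected .zip attachment.
    if (msg.get("Subject") or "").strip().lower() in BAGLE_SUBJECTS:
        return True
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True) or b""):
            return True
    return False

def purge_mbox(path: str) -> int:
    # Delete matching messages from an mbox spool in place; return how many were removed.
    box = mailbox.mbox(path)
    box.lock()  # dot-lock + flock, so the MDA cannot append while the spool is rewritten
    try:
        doomed = [key for key, msg in box.items() if looks_like_bagle(msg)]
        for key in doomed:
            box.remove(key)
    finally:
        box.close()  # writes the pruned spool back and releases the lock
    return len(doomed)

def build_sample_spool(entries) -> str:
    # Constructed test spool, not real traffic: one message per (subject, zip_bytes or None).
    path = tempfile.NamedTemporaryFile(suffix=".mbox", delete=False).name
    box = mailbox.mbox(path)
    for subject, zip_bytes in entries:
        if zip_bytes is None:
            msg = MIMEText("Please read the attached file.")
        else:
            msg = MIMEApplication(zip_bytes, "zip")
            msg.add_header("Content-Disposition", "attachment", filename="photos.zip")
        msg["Subject"] = subject
        box.add(msg)
    box.close()
    return path
```

Run it against a copy of the spool first: like expire_mail.pl it rewrites the file, and the encryption-bit check only reads the first local-file header, so a ZIP whose first entry is unencrypted is not flagged.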