[68136] in North American Network Operators' Group
Re: dealing with w32/bagle
daemon@ATHENA.MIT.EDU (Adam Kujawski)
Wed Mar 3 16:07:22 2004
Date: Wed, 3 Mar 2004 15:57:10 -0500
From: Adam Kujawski <adamkuj@amplex.net>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0403031219310.32184-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu
Quoting Dan Hollis <goemon@anime.net>:
>
> I am curious how network operators are dealing with the latest w32/bagle
> variants which seem particularly evil.
We are currenly blocking *all* .zip attachments as a short-term work around,
until we can modify our virus scanner to block only password-protected zip
files. If anybody has already modified amavisd-new to act in this way, I would
appreciate a hand. I'm *not* a perl person, and my first attempt at changing the
source code has not had the desired effect.
> Also, does anyone have tools for regexp and purging these mails from unix
> mailbox (not maildir) mailspool files? Eg purging these mails after the
> fact if they were delivered to user's mailboxes before your virus scanner
> got a database update.
It seems that this virus uses a limited number of subject lines:
# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.
There's a script, expire_mail.pl, that's userful for this. It's available at
http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used
as such:
/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message
containing virus]" /var/mail/*
Of course, this won't work if/when the virus starts sending out emails with
randomized subjects. Let's hope the that the author isn't reading NANOG. :)
-Adam
