North American Network Operators Group

Re: dealing with w32/bagle
Quoting Dan Hollis <[email protected]>:

> I am curious how network operators are dealing with the latest w32/bagle
> variants which seem particularly evil.

We are currently blocking *all* .zip attachments as a short-term work around, until we can modify our virus scanner to block only password-protected zip files. If anybody has already modified amavisd-new to act in this way, I would appreciate a hand. I'm *not* a perl person, and my first attempt at changing the source code has not had the desired effect.

> Also, does anyone have tools for regexp and purging these mails from unix
> mailbox (not maildir) mailspool files? Eg purging these mails after the
> fact if they were delivered to user's mailboxes before your virus scanner
> got a database update.

It seems that this virus uses a limited number of subject lines:

# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.

There's a script, expire_mail.pl, that's useful for this. It's available at http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used as such:

/usr/local/bin/expire_mail.pl -verbose -noreset -subject "[subject of message containing virus]" /var/mail/*

Of course, this won't work if/when the virus starts sending out emails with randomized subjects. Let's hope that the author isn't reading NANOG. :)

-Adam
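The after-the-fact spool cleanup described above, as an added example that is not from the post or from expire_mail.pl: a Python script built on the standard mailbox module that locks an mbox file, deletes only messages whose Subject exactly matches one of the listed Bagle subjects (so a legitimate "Re: ..." reply discussing the virus is left alone), and offers a dry run for counting matches before touching /var/mail. The three-message spool that demo() writes to a temp directory is constructed sample data.

```python
import mailbox
import os
import re
import tempfile

BAGLE_SUBJECTS = [  # the subject lines quoted in the post, copied verbatim
    "E-mail account disabling warning.",
    "E-mail account security warning.",
    "Email account utilization warning.",
    "Important notify about your e-mail account.",
    "Notify about using the e-mail account.",
    "Notify about your e-mail account utilization.",
    "Warning about your e-mail account.",
]

def bagle_subject_pattern(subjects=BAGLE_SUBJECTS):
    """Anchored, case-insensitive match of a whole Subject against the known list."""
    alternatives = "|".join(re.escape(s) for s in subjects)
    return re.compile(r"^\s*(?:" + alternatives + r")\s*$", re.IGNORECASE)

def purge_mbox(path, pattern, dry_run=False):
    """Delete messages whose Subject matches pattern; return how many matched."""
    box = mailbox.mbox(path)
    box.lock()  # hold the spool lock so the MDA cannot append during the rewrite
    try:  # collect keys first; never remove while iterating the mailbox
        doomed = [k for k, m in box.items() if pattern.match(str(m.get("Subject", "")))]
        if not dry_run:
            for k in doomed:
                box.remove(k)
            box.flush()
    finally:
        box.unlock()
        box.close()
    return len(doomed)

def demo():
    """Write a constructed three-message spool to a temp dir, purge it, report."""
    spool = os.path.join(tempfile.mkdtemp(), "user")
    box = mailbox.mbox(spool)
    for subj in (BAGLE_SUBJECTS[1], "Lunch tomorrow?", BAGLE_SUBJECTS[5]):
        msg = mailbox.mboxMessage()
        msg["Subject"] = subj
        msg.set_payload("constructed body\n")
        box.add(msg)
    box.close()  # close() flushes the new messages to disk
    pattern = bagle_subject_pattern()
    dry = purge_mbox(spool, pattern, dry_run=True)  # count only; spool untouched
    return dry, purge_mbox(spool, pattern), [str(m.get("Subject", "")) for m in mailbox.mbox(spool)]
```

Run demo() once to see (2, 2, ['Lunch tomorrow?']); on a real spool, run purge_mbox with dry_run=True first and compare the count against what your scanner logged.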