Re[2]: [vps-mail] mail from john@ // new virus ?
- Subject: Re[2]: [vps-mail] mail from john@ // new virus ?
- From: Abigail Marshall <webmaster@xxxxxxxxxxxx>
- Date: Tue, 4 Nov 2003 15:01:14 -0800
mcc> Anybody have a filter for any of the new viruses? Especially the
mcc> W32.mimail.C@mm
This works for W32.mimail.C - but I've only caught two
instances:
# W32.Mimail.C@mm
# Testing, this is a new worm described at
# http://www.sarc.com/avcenter/venc/data/w32.mimail.c@xxxxxxx
# Size limit plus a header-only (H ??) and a body-only (B ??) condition;
# procmail matches case-insensitively, so the Subject check is not case-exact.
:0
* <25000
* H ?? Subject:.*our private photos
* B ?? photos\.zip
{
LOG="W32.Mimail.C@mm"
:0
/var/dump/MimailC
}
(Note: /var/dump/ is MY path to a quarantine directory - you
will need to set your own path or /dev/null)
I am TESTING this signature based recipe but have not caught
any instances of the virus with it:
# W32.Mimail.C@mm
# Testing, this is a new worm described at
# http://www.sarc.com/avcenter/venc/data/w32.mimail.c@xxxxxxx
# Body-only recipe (B flag). The base64 line is meant to match literally,
# so the '+' in it is escaped: unescaped, procmail (egrep syntax) reads
# "B+" as "one or more B" and the worm's line would never match.
:0B
* <25000
* ^JAAD2SwkY38ovTbY9y4kBCB\+XIkUnm0vsgUkFkgUHEvIr
{
LOG="W32.Mimail.C@xxxx"
:0
/var/dump/MimailC2
}
When I say I haven't caught these, it's because my server
does not seem to be getting hit with them -- there are no
instances of the virus getting through, either. So
basically you have to use one or both of the above recipes
on a test basis. The signature line comes from only 2
instances of the worm (as that is the only corpus I have) -
usually I like to have more samples before creating a
signature based block.
-Abigail
mcc> Mike (Hillbilly) Williams,
mcc> Hostmaster for
mcc> www.countryvintage.com
mcc> www.countryhosting.com
mcc> Webmaster for
mcc> www.lorettalynn.com
mcc> www.jettwilliams.com
mcc> www.shebwooley.com
mcc> among others
mcc> ----- Original Message -----
mcc> From: "Scott Wiersdorf" <scottw@xxxxxxxxxxxx>
mcc> To: <vps-mail@xxxxxxxxxxxx>
mcc> Sent: Tuesday, November 04, 2003 10:55 AM
mcc> Subject: Re: [vps-mail] mail from john@ // new virus ?
>> On Tue, Nov 04, 2003 at 11:41:00AM +0100, Martin Fischer wrote:
>> > Today I noticed a high number of mails from john@xxxxxxxxxxxxxxxxxxxx?
>> > Even on accounts without catch-all. Any explanation available right now?
>>
>> Fwiw, clamav caught this almost a full day before Symantec, Sophos and
>> most other commercial scanners did.
>>
>> Scott
>> --
>> Scott Wiersdorf
>> scottw@xxxxxxxxxxxx
======================================================================
This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/>
======================================================================
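Added example, not part of the original post or of the procmail recipes above: the conditions of both recipes re-implemented in Python and run over constructed sample messages, with a check that shows why the `+` inside the base64 signature line has to be escaped in a procmail regex. The sample messages, addresses and function names are assumptions of this example, not anything from the list thread.

```python
import re

# Conditions from the two procmail recipes on the page. procmail matches
# case-insensitively unless the D flag is set, hence re.I.
SIZE_LIMIT = 25000
SUBJECT_RE = re.compile(r"Subject:.*our private photos", re.I)
BODY_RE = re.compile(r"photos\.zip", re.I)

# Signature line from the second recipe. The '+' in it is a quantifier to
# procmail (egrep syntax), so the literal must be escaped: re.escape() here,
# "CB\+X" in the procmailrc.
SIGNATURE = "JAAD2SwkY38ovTbY9y4kBCB+XIkUnm0vsgUkFkgUHEvIr"
SIGNATURE_RE = re.compile("^" + re.escape(SIGNATURE), re.I | re.M)

# Constructed sample messages, not real worm samples; only the Subject text,
# the attachment name and the signature line follow the recipes.
SAMPLE_ATTACHMENT = ("From: john@example.invalid\nSubject: Our Private Photos\n\n"
                     'see attached\nContent-Type: application/zip; name="photos.zip"\n')
SAMPLE_SIGNATURE = ("From: john@example.invalid\nSubject: hello\n\n"
                    "Content-Transfer-Encoding: base64\n\n" + SIGNATURE + "AAAA\n")
SAMPLE_CLEAN = "From: alice@example.invalid\nSubject: holiday photos\n\nno attachment\n"


def split_message(raw: str):
    """Header and body as procmail's H and B flags see them."""
    head, _, body = raw.partition("\n\n")
    return head, body


def recipe_one(raw: str) -> bool:
    """First recipe: size < 25000, Subject text in header, photos.zip in body."""
    head, body = split_message(raw)
    return (len(raw) < SIZE_LIMIT and SUBJECT_RE.search(head) is not None
            and BODY_RE.search(body) is not None)


def recipe_two(raw: str) -> bool:
    """Second recipe (:0B): size < 25000 and a body line starting with the signature."""
    _, body = split_message(raw)
    return len(raw) < SIZE_LIMIT and SIGNATURE_RE.search(body) is not None


def quantifier_trap(line: str):
    """(unescaped match, escaped match): the raw signature as a regex reads
    'CB+X' as CB, more Bs, then X, so it misses the literal worm line."""
    unescaped = re.search("^" + SIGNATURE, line) is not None
    return unescaped, SIGNATURE_RE.search(line) is not None
```

`quantifier_trap(SIGNATURE)` returns `(False, True)`, which is the behaviour the escaped `\+` in the recipe above avoids.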