
Happy99.exe virus/worm filter for mail server gateways

1999-03-05 11:54:05
Hello All,
   There is currently a new virus/worm on the Internet that infects a
user's computer by propagating itself across the Internet via email without
the owner of the infected computer's knowledge.  Details of the virus/worm
can be found at;

http://www.avertlabs.com/public/datafiles/valerts/vinfo/w32ska.asp

  I have created a mail gateway procmail filter for Unix/Linux machines
that will automatically detect the incoming virus/worm, redirect it from
the user's mailbox, store it for safe viewing by the mail server system
administrator in /var/log/happy99.virus, and it will notify the sender of
the infected email that his computer is infected.  The filter has been
tested on Redhat Linux 5.2 and Sun Solaris 2.7 (SunOS 5.7). 
   Install the procmail filter in your /etc directory as a file called
"procmailrc".  Install the notification message in your /var/log directory
as "happy99.message".  Feel free to edit the "happy99.message" file to
suit your taste, but please give me credit for the filter at the end of
the message like this;

"-Happy99.exe filter created by Michael Rawls - michaelr(_at_)shadowstorm(_dot_)com-"

You may use and distribute the filter freely provided you give me credit.
Who knows, maybe someone will buy me lunch for my efforts : )

  If you are not the system administrator on your mail server but wish to
add the filter it can be added to Linux user home accounts simply by
saving the file in your home directory as ".procmailrc".  Be sure to
change the path statements "/var/log/" to your home directory, and install
the "happy99.message" notification in your home directory as well.

    The Happy99.exe worm will generally only attempt to send a copy of
itself to a specific user's email address once, so the following will only
work on the first try.  If you wish to see if your computer is currently
infected just send an email message to "happytest(_at_)shadowstorm(_dot_)com".
If you receive a reply from postmaster(_at_)shadowstorm(_dot_)com informing
you that you have the
virus then you've got it.  Follow the directions in the notification to
get rid of the virus/worm.  No reply means your computer is currently not
infected by the worm/virus.
   The correct term for Happy99.exe is "worm". However the phrase
"computer virus" is more widely known to the non-computer literate members
of the Internet community. Thus I have chosen to use the more familiar,
but less accurate description in the notification message.

Michael Rawls - System Administrator for Shadowstorm.com

==================================================
Begin procmail Happy99.exe filter - SysAdmins put this in your /etc
directory as "procmailrc"
==================================================
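# Trojan virus program that propagates itself via email

# Recipe 1: header match. Send the notification to the sender; "c" keeps a
# copy for the next recipe. Daemon and postmaster mail is skipped so the
# auto-reply cannot loop.
:0 h c
* !^From:.*MAILER-DAEMON
* !^From:.*postmaster
* ^X-Spanska: Yes
| (formail -r -A"X-Mailer: procmail"; \
   cat /var/log/happy99.message) | \
   $SENDMAIL -oi -t -f postmaster@yourdomain.com

# Recipe 2: deliver the header-matched message to the quarantine file
# instead of the user's mailbox.
:0
* ^X-Spanska: Yes
/var/log/happy99.virus

# Recipe 3: body match ("B") on the uuencode begin line; notify the sender.
# The match is anchored to the start of a line and the dot is escaped.
:0 B c
* !^From:.*MAILER-DAEMON
* !^From:.*postmaster
* ^begin 644 Happy99\.exe
| (formail -r -A"X-Mailer: procmail"; \
   cat /var/log/happy99.message) | \
   $SENDMAIL -oi -t -f postmaster@yourdomain.com

# Recipe 4: deliver the body-matched message to the quarantine file.
:0 B
* ^begin 644 Happy99\.exe
/var/log/happy99.virus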
=======================
End filter
=======================

========================
Begin notification message - SysAdmins put this in your /var/log directory
as "happy99.message". 
========================
To Whom It May Concern,
    An email you sent to a YOUR-DOMAIN.COM customer triggered the virus
filter on our mail server.  There is currently a new virus on the Internet
that propagates itself via email.  Unfortunately it appears your computer
has become infected and is currently emailing the virus to other users in
an attempt to infect other computers.
  Please visit http://www.mcafee.com and download the latest McAfee Virus
Scan software along with the latest DAT files to fix this problem.  A free
demo version of the software is available from McAfee. You must install
the latest DAT file upgrade from McAfee before the virus will be detected
as of 3/5/99.

Additional information on this virus can be found at;

http://www.avertlabs.com/public/datafiles/valerts/vinfo/w32ska.asp

This is not a hoax.

Sincerely,

YOUR NAME - System Administrator for YOUR-DOMAIN.COM

-Happy99.exe filter created by Michael Rawls - michaelr(_at_)shadowstorm(_dot_)com-
===========================================================
End notification message
===========================================================
DISCLAIMER:  I'm not responsible for damage to your system if you screw
up.  This filter is offered as is with no expressed warranties, and the
creator takes no responsibility for someone else's system.  I have tested
it on Redhat Linux 5.2 and Solaris 2.7 and it works. Use at your own risk.
===========================================================
I am not in any way associated with McAfee Virus Scan other than I use their
product on my personal home computer.
===========================================================
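
Added example, not part of the original post and not the author's code: a Python harness that applies the same tests as the recipes above (X-Spanska header, uuencode "begin" line, no auto-reply to MAILER-DAEMON or postmaster) to constructed sample messages before a rule goes live. It goes beyond the posted filter in two assumed ways: it accepts any uuencode mode and letter case, and it also checks MIME attachment filenames.

```python
import re
from email import message_from_string

# uuencode header line "begin <mode> <filename>", anchored to a whole line.
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} happy99\.exe\s*$", re.I | re.M)
# Senders that must never receive the auto-reply (the recipes' "!^From:" guards).
NO_REPLY = re.compile(r"MAILER-DAEMON|postmaster", re.I)

def classify(raw):
    """Return (reasons, notify_sender) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("X-Spanska") or "").strip().lower().startswith("yes"):
        reasons.append("x-spanska-header")
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Assumed generalisation: attachment named in MIME headers.
        if (part.get_filename() or "").lower() == "happy99.exe":
            reasons.append("mime-filename")
        payload = part.get_payload()
        if isinstance(payload, str) and UU_BEGIN.search(payload):
            reasons.append("uuencode-begin")
    # Quarantine on any hit; reply only to senders that are not daemons.
    notify = bool(reasons) and not NO_REPLY.search(msg.get("From", ""))
    return reasons, notify

# Constructed sample messages (placeholder payload lines, no real worm data).
WORM = ("From: someone@example.com\nX-Spanska: Yes\n\n"
        "begin 644 Happy99.exe\nM(constructed placeholder)\n`\nend\n")
UPPER_UU = ("From: a@example.org\n\nSee attached.\n"
            "begin 755 HAPPY99.EXE\nM(constructed placeholder)\n`\nend\n")
MIME = ("From: MAILER-DAEMON@example.com\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nhello\n"
        "--b\nContent-Type: application/octet-stream\n"
        'Content-Disposition: attachment; filename="HAPPY99.EXE"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b--\n")
CLEAN = ("From: a@example.org\nSubject: happy99.exe question\n\n"
         "Is begin 644 Happy99.exe dangerous?\n")

if __name__ == "__main__":
    for name in ("WORM", "UPPER_UU", "MIME", "CLEAN"):
        print(name, classify(globals()[name]))
```

The CLEAN sample shows why the body test is anchored to the start of a line: a message that only mentions the string mid-sentence is not quarantined.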


