procmail

Re: Magistr virus

2001-07-31 20:35:29
Professional Software Engineering wrote:

At 18:35 2001-07-31 -0500, Gregory Berardi wrote:
Does anyone have a way to stop the magistr virus?

Doesn't sound a bell.  Let's assume that it is an email-borne
worm/trojan/virus -- if it isn't, then this certainly isn't the list to
inquire about it on.

Try here;

http://www.symantec.com/avcenter/venc/data/w32(_dot_)magistr(_dot_)24876(_at_)mm(_dot_)html

I'd start by reading CERT and McAfee, etc., virus bulletins about it, to
determine the nature of distribution and possible mutation.  Then, if
you've actually received one or more copies of it, examine the message and
headers.

Yes I have received the virus today from one of our users.

Does it mutate the filename, or is it always the same?  Are there static
components in the message body or subject?

Yes it does mutate the filename and I can't find any "static components" in the
mail and was hoping one of you had.  What I see in the body text is very
random.  Possibly excerpts from the document that was attached.


Whatever you do, DO NOT post the attachment itself to this list -
partial headers and text excerpts from the message body are one thing, but
the full message isn't cool.
There have been a number of messages about SirCam, and other generic
executable attachment filters posted in the past weeks, as well as numerous
links to the Sanitizer - you should check them and see how to adapt them
to this Magistr virus.  If you check the URL in my .sig, you'll get
information on how to set up a testbed configuration to properly test your
recipes against a saved copy of the virus email(s), to see if it
effectively isolates it.  You should also consider throwing a saved copy of
your regular mailbox folders at the recipe to see whether it gets false
positives.

Have already adapted/implemented what was posted here which has worked quite
well at stopping over 100 copies of SirCam in the last 4 days.

Removing all executables is really not an option here.

Thanks for the link to the testbed.  I'm sure it will be helpful.

Sorry, CERT is awful.  I use Bugtraq!

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.
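As an added illustration of the testbed Sean describes (not code from the thread, from procmail or from the Sanitizer): a Python stand-in for a generic executable-attachment recipe, run over saved virus copies and a regular folder to count catches and false positives. All addresses, filenames and messages below are constructed.

```python
import email
import re
from email import policy

# Extensions the generic "executable attachment" recipes on the list block
EXEC_EXT = re.compile(r"\.(exe|scr|pif|bat|com|vbs|cmd)$", re.IGNORECASE)


def has_executable_attachment(raw):
    """Return the first attachment filename with an executable extension, else None."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and EXEC_EXT.search(name):
            return name
    return None


def run_testbed(samples, regular):
    """Saved virus copies should all be caught; the regular folder shows false positives."""
    caught = sum(1 for s in samples if has_executable_attachment(s))
    false_positives = sum(1 for m in regular if has_executable_attachment(m))
    return {"caught": caught, "missed": len(samples) - caught,
            "false_positives": false_positives}


def make_msg(subject, filename):
    """Constructed two-part MIME message standing in for a saved mail (not a real sample)."""
    return (
        "From: user@example.invalid\nTo: you@example.invalid\n"
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\n\n'
        "--BOUNDARY\nContent-Type: text/plain\n\n"
        "random text, possibly excerpts of the attached document\n"
        "--BOUNDARY\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "not-a-real-binary\n--BOUNDARY--\n"
    )


# Constructed samples: the attachment name changes from copy to copy, the body is random
SAMPLES = [make_msg("hello", "qwzx8371.exe"), make_msg("re: report", "kjhd21.scr")]
# Constructed regular mail: one harmless text attachment, one legitimate .exe
REGULAR = [make_msg("minutes", "minutes.txt"), make_msg("installer", "setup.exe")]

if __name__ == "__main__":
    print(run_testbed(SAMPLES, REGULAR))
```

The legitimate setup.exe in the regular folder shows up as the one false positive, which is the trade-off Gregory points to when he says dropping all executables is not an option.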

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
