Fix -- Re: Mydoom Virus getting Through

Julian Field mailscanner at ecs.soton.ac.uk
Thu Feb 12 20:46:41 GMT 2004


Okay, I can guess exactly why that happened.

Please apply this little patch to your Message.pm and get straight back to
me to let me know if it worked.

-----SNIP-----
--- Message.pm.old 2004-02-11 21:31:07.000000000 +0000
+++ Message.pm  2004-02-12 20:44:16.000000000 +0000
@@ -1025,12 +1025,15 @@
  sub ExplodePart {
    my($this, $explodeinto) = @_;

-  my($dir, $part);
+  my($dir, $part, @parts);

    $dir = new DirHandle;

    $dir->open($explodeinto);
-  while($part = $dir->read) {
+  @parts = $dir->read();
+  $dir->close();
+
+  foreach $part (@parts) {
      #print STDERR "Reading $part\n";
      next unless $part =~ /^msg.*txt/;

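Review bot: The old `while($part = $dir->read)` walked a live directory handle, so if the loop body writes new `msg*.txt` parts into `$explodeinto` (which the runaway "thousands of identical copies" Ken reports below suggests), readdir can keep returning the entries just created and the loop never terminates. Snapshotting the listing with `@parts = $dir->read();` (DirHandle::read in list context returns all remaining entries) and closing the handle before the loop bounds the iteration to the files present on entry. One gap remains: `$dir->open($explodeinto)` is still unchecked, so a failed open silently yields an empty `@parts` and the part is skipped with no log line; `$dir->open($explodeinto) or return;` with a warning would make that failure visible. The snapshot also includes `.` and `..`, but the existing `next unless $part =~ /^msg.*txt/;` filter already excludes them.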
@@ -1058,7 +1061,6 @@

      unless ($foundheader) {
        $file->close();
-      $dir->close();
        return;
      }

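Review bot: Dropping `$dir->close()` from this early-return path is right, since the handle is now closed before the loop in the first hunk and a second close here would act on an already-closed handle. It is worth checking that no other `$dir->close()` survives further down in ExplodePart outside this diff, as any remaining one is now redundant for the same reason; `$file->close()` is correctly kept.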
-----SNIP-----

At 20:27 12/02/2004, you wrote:
>oops, spoke too soon.  It's still broken.
>
>It runs for a minute then stops writing to the log silently. The
>processes are still busy exploding thousands of identical copies of
>*.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250
>directories.
>The messages are:
>msg-12397-2166.txt
>msg-12397-2167.txt
>msg-12397-2168.txt
>msg-12397-2169.txt
>etc...
>
>ls | wc
>    3213    3213   61044
>
>diff msg-12397-2166.txt msg-12397-2167.txt
>
>No diff.
>Hope this helps,
>
>Ken A.
>Pacific.Net
>
>
>
>Ken Anderson wrote:
>
>>patched and restarted with no problems.
>>Thanks,
>>Ken A.
>>Pacific.Net
>>
>>
>>Julian Field wrote:
>>
>>>Please try this patch instead of the new Message.pm.
>>>
>>>cd /usr/lib/MailScanner/MailScanner
>>>cp Message.pm Message.pm.safe
>>>patch -p0 < Message.pm.4.26.5.patch
>>>service MailScanner restart
>>>
>>>If it still fails, set "Debug = yes" in MailScanner.conf, then
>>>
>>>service MailScanner stop
>>>sleep 15
>>>check_MailScanner
>>>
>>>and let me know what it says.
>>>
>>>At 23:38 11/02/2004, you wrote:
>>>
>>>>Looking at the log, I see that MailScanner failed to start.
>>>>Ken
>>>>
>>>>
>>>>Ken Anderson wrote:
>>>>
>>>>>I tried installing this Message.pm and restarted MailScanner, but I
>>>>>quickly built up a large incoming queue and all exploding in /incoming
>>>>>stopped happening. The directory stayed empty after restarting
>>>>>MailScanner. I'm not sure what caused it, but things went back to normal
>>>>>after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>>>>recent enough version?
>>>>>Thanks,
>>>>>Ken A
>>>>>Pacific.Net
>>>>>
>>>>>
>>>>>Julian Field wrote:
>>>>>
>>>>>>I have hopefully managed to make the MIME parser a lot more robust. It
>>>>>>certainly appears to solve the current problem. If you are running a nice
>>>>>>recent version, backup your old Message.pm and replace it with this one.
>>>>>>
>>>>>>Then please test it against the copies of MyDoom that are getting
>>>>>>through.
>>>>>>
>>>>>>The result of a fine evening spent wading through MIME-tools code and
>>>>>>deciding that it can't rewind :-(
>>>>>>
>>>>>>Let me know how it goes.
>>>>>>
>>>>>>At 20:37 11/02/2004, you wrote:
>>>>>>
>>>>>>>Daniel Kleinsinger wrote:
>>>>>>>
>>>>>>>>Julian Field wrote:
>>>>>>>>
>>>>>>>>>The message that contained the MyDoom that got through Sophos (before
>>>>>>>>>3.78d) was actually a bounce from another mail server that included the
>>>>>>>>>entire text of the original message.
>>>>>>>>>
>>>>>>>>>Fortunately it's not been a big problem so far, but I would quite
>>>>>>>>>like to fix it if I can.
>>>>>>>>I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>>>>>>>checked which virii got caught by which scanner and before installing
>>>>>>>>3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>>>>>>MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>>>>>>>(yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>>>>>>>still seem to be some people having issues with 3.78d, but in my case it
>>>>>>>>seems like it was a problem with Sophos, not MailScanner.
>>>>>>>>
>>>>>>>>Daniel
>>>>>>>
>>>>>>>I would suggest that this is as much an antivirus issue. I run F-prot and
>>>>>>>Antivir and until Antivir updated their engine about a week ago only
>>>>>>>F-prot was reliably catching the bounce messages with the original
>>>>>>>message attached. With the new engine, all is well again and both are
>>>>>>>catching them. Looks like F-Prot had a better message scanning engine
>>>>>>>than the others had at the time.
>>>>>>>
>>>>>>>Drew
>>>>>>>
>>>>>>>--
>>>>>>>In line with our policy, this message has
>>>>>>>been scanned for viruses and dangerous
>>>>>>>content by MailScanner, and is believed to be clean.
>>>>>>>www.themarshalls.co.uk/policy
>>>>>>
>>>>>>--
>>>>>>Julian Field
>>>>>>www.MailScanner.info
>>>>>>Professional Support Services at www.MailScanner.biz
>>>>>>MailScanner thanks transtec Computers for their support
>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>MailScanner thanks transtec Computers for their support
>>>
>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654