Fix -- Re: Mydoom Virus getting Through

Ken Anderson ka at PACIFIC.NET
Thu Feb 12 21:19:31 GMT 2004


Was I supposed to patch the patched version or the original 4.26.5
version of Message.pm?

Well I patched the patched version and it is working now, only expanding
a few .txt files now and then in the incoming dir.

mailfilter# patch -p0 < Message.pm.4.26.5.patch
patching file Message.pm
mailfilter# patch -p0 < Message.pm.4.26.5.2nd.patch
patching file Message.pm
Hunk #1 succeeded at 1020 with fuzz 1 (offset -5 lines).
Hunk #2 succeeded at 1061 with fuzz 2.

Thanks,
Ken A
Pacific.Net


Julian Field wrote:

> Okay, I can guess exactly why that happened.
>
> Please apply this little patch to your Message.pm and get straight back to
> me to let me know if it worked.
>
> -----SNIP-----
> --- Message.pm.old 2004-02-11 21:31:07.000000000 +0000
> +++ Message.pm  2004-02-12 20:44:16.000000000 +0000
> @@ -1025,12 +1025,15 @@
>  sub ExplodePart {
>    my($this, $explodeinto) = @_;
>
> -  my($dir, $part);
> +  my($dir, $part, @parts);
>
>    $dir = new DirHandle;
>
>    $dir->open($explodeinto);
> -  while($part = $dir->read) {
> +  @parts = $dir->read();
> +  $dir->close();
> +
> +  foreach $part (@parts) {
>      #print STDERR "Reading $part\n";
>      next unless $part =~ /^msg.*txt/;
>
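Review bot: the return value of `$dir->open($explodeinto)` is still unchecked after the change to `@parts = $dir->read();`; if the directory cannot be opened, `@parts` is simply empty and ExplodePart returns silently, indistinguishable from an empty directory. Consider `$dir->open($explodeinto) or return;` with a logged warning. Otherwise, snapshotting the listing into `@parts` and closing the handle before the loop is the right fix for the runaway reported earlier in the thread: files the loop itself writes into `$explodeinto` can no longer be picked up by a live `$dir->read` iterator, and `.`/`..` are still filtered by the existing `next unless $part =~ /^msg.*txt/;`.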
> @@ -1058,7 +1061,6 @@
>
>      unless ($foundheader) {
>        $file->close();
> -      $dir->close();
>        return;
>      }
>
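Review bot: removing `$dir->close();` from the `unless ($foundheader)` early-return path is required now that the handle is closed immediately after `@parts = $dir->read();` in the first hunk, otherwise this path would close the handle twice. Check the rest of ExplodePart, outside this hunk, for any other `$dir->close()` calls on remaining return paths and remove them for the same reason.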
> -----SNIP-----
>
> At 20:27 12/02/2004, you wrote:
>
>> oops, spoke too soon.  It's still broken.
>>
>> It runs for a minute then stops writing to the log silently. The
>> processes are still busy exploding thousands of identical copies of
>> *.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250
>> directories.
>> The messages are:
>> msg-12397-2166.txt
>> msg-12397-2167.txt
>> msg-12397-2168.txt
>> msg-12397-2169.txt
>> etc...
>>
>> ls | wc
>>    3213    3213   61044
>>
>> diff msg-12397-2166.txt msg-12397-2167.txt
>>
>> No diff.
>> Hope this helps,
>>
>> Ken A.
>> Pacific.Net
>>
>>
>>
>> Ken Anderson wrote:
>>
>>> patched and restarted with no problems.
>>> Thanks,
>>> Ken A.
>>> Pacific.Net
>>>
>>>
>>> Julian Field wrote:
>>>
>>>> Please try this patch instead of the new Message.pm.
>>>>
>>>> cd /usr/lib/MailScanner/MailScanner
>>>> cp Message.pm Message.pm.safe
>>>> patch -p0 < Message.pm.4.26.5.patch
>>>> service MailScanner restart
>>>>
>>>> If it still fails, set "Debug = yes" in MailScanner.conf, then
>>>>
>>>> service MailScanner stop
>>>> sleep 15
>>>> check_MailScanner
>>>>
>>>> and let me know what it says.
>>>>
>>>> At 23:38 11/02/2004, you wrote:
>>>>
>>>>> Looking at the log, I see that MailScanner failed to start.
>>>>> Ken
>>>>>
>>>>>
>>>>> Ken Anderson wrote:
>>>>>
>>>>>> I tried installing this Message.pm and restarted MailScanner, but I
>>>>>> quickly built up a large incoming queue and all exploding in /incoming
>>>>>> stopped happening. The directory stayed empty after restarting
>>>>>> MailScanner. I'm not sure what caused it, but things went back to normal
>>>>>> after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>>>>> recent enough version?
>>>>>> Thanks,
>>>>>> Ken A
>>>>>> Pacific.Net
>>>>>>
>>>>>>
>>>>>> Julian Field wrote:
>>>>>>
>>>>>>> I have hopefully managed to make the MIME parser a lot more robust. It
>>>>>>> certainly appears to solve the current problem. If you are running a nice
>>>>>>> recent version, backup your old Message.pm and replace it with this one.
>>>>>>>
>>>>>>> Then please test it against the copies of MyDoom that are getting through.
>>>>>>>
>>>>>>> The result of a fine evening spent wading through MIME-tools code and
>>>>>>> deciding that it can't rewind :-(
>>>>>>>
>>>>>>> Let me know how it goes.
>>>>>>>
>>>>>>> At 20:37 11/02/2004, you wrote:
>>>>>>>
>>>>>>>> Daniel Kleinsinger wrote:
>>>>>>>>
>>>>>>>>> Julian Field wrote:
>>>>>>>>>
>>>>>>>>>> The message that contained the MyDoom that got through Sophos (before
>>>>>>>>>> 3.78d) was actually a bounce from another mail server that included the
>>>>>>>>>> entire text of the original message.
>>>>>>>>>>
>>>>>>>>>> Fortunately it's not been a big problem so far, but I would quite
>>>>>>>>>> like to fix it if I can.
>>>>>>>>>
>>>>>>>>> I'm running Sophos in addition to Trend and F-Prot.  Using MailWatch I
>>>>>>>>> checked which virii got caught by which scanner and before installing
>>>>>>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>>>>>>> MyDoom.A slipped past Sophos every day).  Since installing 3.78d
>>>>>>>>> (yesterday) Sophos is catching all that Trend and F-Prot are. There
>>>>>>>>> still seem to be some people having issues with 3.78d, but in my case it
>>>>>>>>> seems like it was a problem with Sophos, not MailScanner.
>>>>>>>>>
>>>>>>>>> Daniel
>>>>>>>>
>>>>>>>> I would suggest that this is as much an antivirus issue. I run F-prot and
>>>>>>>> Antivir and until Antivir updated their engine about a week ago only
>>>>>>>> F-prot was reliably catching the bounce messages with the original
>>>>>>>> message attached. With the new engine, all is well again and both are
>>>>>>>> catching them. Looks like F-Prot had a better message scanning engine
>>>>>>>> than the others had at the time.
>>>>>>>>
>>>>>>>> Drew
>>>>>>>>
>>>>>>>> --
>>>>>>>> In line with our policy, this message has
>>>>>>>> been scanned for viruses and dangerous
>>>>>>>> content by MailScanner, and is believed to be clean.
>>>>>>>> www.themarshalls.co.uk/policy
>>>>>>>
>>>>>>> --
>>>>>>> Julian Field
>>>>>>> www.MailScanner.info
>>>>>>> Professional Support Services at www.MailScanner.biz
>>>>>>> MailScanner thanks transtec Computers for their support
>>>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
