MyDoom.F

Jon Carnes jonc at nc.rr.com
Thu Feb 26 15:00:09 GMT 2004


On Thu, 2004-02-26 at 09:18, Pete wrote:
> Seems like a new and nasty version of mydoom is loose.
>
> How do I work out if clamav has this covered? I get 'nagged' daily by
> the boss "are we covered by X virus" after he reads his watchguard
> updates - how do I easily get this info from MS or clamav? I have
> subscribed to the virusdb list but there is no easy way to see a list of
> known/'fixed' viruses?
>
>
>
> Subject: LiveSecurity | Urgent: Virus Alert -- MyDoom.F
> *Contains a destructive payload.* MyDoom.F deletes a seemingly random
> selection of Word documents, image, audio and video files, and Excel
> spreadsheets. Specifically, it searches for files with the extensions
> .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp on the %System% folder on
> drives C to Z, whether the drive is a hard disk, remote drive, or RAM
> drive. It deletes some of the files; one source described it as
> "randomly deletes," another claimed, "40 percent of the time."

Check out the FAQ for ClamAV - it has an entry telling you how to dump
out the name of the virus signatures - though that isn't going to be as
helpful as you might think since they sometimes name them differently.

http://www.clamav.net/faq.html#pagestart

  8) If you are using a recent version of ClamAV just run:
       $ sigtool --list-sigs

===
I find it helpful to run two daily virus reports - one at noon that just
looks at that morning, the other at 6am and scans the whole week (so
far). The reports show the last time the AV dat files were updated and a
count of current viruses that have been stopped by MailScanner.

The time the DAT files were last updated is given by:
  ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
    cut -c44-62

The virus count is given by:
  grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
    cut -f1 "-d " |sort |uniq -c |sort -nr

For the noon day one I do something like:
  TODAY=`date -d "today" "+%b %e" `
  grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
    cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr

The report will look something like this:

  Anti-Virus files last updated on: Feb 25 01:01:15 PM
  ===
  Morning Virus report:
     53 Netsky.b@MM!zip
     47 Netsky.b@MM
     17 Mydoom.f.zip
     15 Mydoom.f@MM
      4 Mimail.a@MM
      2 Bagle.b@MM
      1 Sober.c@MM
  ===

As you can see from the report, it shows you clearly that the MyDoom.f
virus is being correctly caught.

BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
your organization, and is great PR for you and MailScanner.

Hope this is helpful - Jon Carnes
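The counting pipeline above, reworked as an added example (not Jon's script) that filters on a syslog date prefix and counts by signature name in one awk pass instead of a chain of column cuts. The log line layout is an assumption modelled on the "Found the W32/Name virus !!!" shape implied by the cut -f7- / cut -f2 -d/ steps; the sample lines are constructed, not a captured maillog.

```shell
#!/bin/sh
# Added example, not from the original post. Counts viruses caught per
# signature name from MailScanner/uvscan maillog lines, optionally
# restricted to one syslog date prefix such as "Feb 25".

# Constructed sample log lines (assumed layout, not a real maillog).
SAMPLE_LOG='Feb 25 09:12:01 mx MailScanner[4211]: Found the W32/Netsky.b@MM!zip virus !!!
Feb 25 09:15:44 mx MailScanner[4211]: Found the W32/Netsky.b@MM virus !!!
Feb 25 10:02:10 mx MailScanner[4230]: Found the W32/Mydoom.f@MM virus !!!
Feb 25 10:02:11 mx MailScanner[4230]: Found the W32/Netsky.b@MM!zip virus !!!
Feb 24 23:58:07 mx MailScanner[4190]: Found the W32/Mydoom.f@MM virus !!!
Feb 25 11:30:00 mx MailScanner[4260]: Clean message from 10.0.0.5'

# virus_report [DATE]: reads log lines on stdin, prints "count name",
# most frequent first. With DATE given, only lines starting with it count.
virus_report() {
    day="$1"
    awk -v day="$day" '
        # syslog dates are space-padded ("Feb  5"), matching date +"%b %e"
        day != "" && substr($0, 1, length(day)) != day { next }
        /virus !/ {
            # the field just before "virus" is Family/Name; keep the Name
            for (i = 1; i < NF; i++)
                if ($(i + 1) == "virus" && index($i, "/") > 0) {
                    name = substr($i, index($i, "/") + 1)
                    count[name]++
                }
        }
        END { for (v in count) print count[v], v }
    ' | sort -k1,1nr -k2
}

# Whole-log and single-day counts, like the 6am and noon reports.
report_all() { printf '%s\n' "$SAMPLE_LOG" | virus_report; }
report_day() { printf '%s\n' "$SAMPLE_LOG" | virus_report "$1"; }

report_all
echo ===
report_day "Feb 25"
```

In production, replace the printf of SAMPLE_LOG with `grep "$TODAY" /var/log/maillog | virus_report` and pass the same date string to filter.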


