MyDoom.F
Kyle Harris
lists at TRCINTL.COM
Thu Feb 26 16:47:03 GMT 2004
I would really like to run the reports you list below, but when I try them
from the command line I get "cut: command not found"? It is in the /bin
directory as it should be and runs fine at any other time. Anyone else try
to run these with success?
Kyle H.
On Thu, 26 Feb 2004 10:00:09 -0500, Jon Carnes <jonc at NC.RR.COM> wrote:
>On Thu, 2004-02-26 at 09:18, Pete wrote:
>> Seems like a new and nasty version of mydoom is loose.
>>
>> How do I work out if clamav has this covered, I get 'nagged' daily by
>> the boss "are we covered by X virus" after he reads his watchguard
>> updates - how do I easily get this info from MS or clamav? I have
>> subscribed to the virusdb list but there is no easy way to see a list of
>> known/'fixed' viruses?
>>
>>
>>
>> Subject: LiveSecurity | Urgent: Virus Alert -- MyDoom.F
>> *Contains a destructive payload.* MyDoom.F deletes a seemingly random
>> selection of Word documents, image, audio and video files, and Excel
>> spreadsheets. Specifically, it searches for files with the extensions
>> .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp on the %System% folder on
>> drives C to Z, whether the drive is a hard disk, remote drive, or RAM
>> drive. It deletes some of the files; one source described it as
>> "randomly deletes," another claimed, "40 percent of the time."
>
>Check out the FAQ for ClamAV - it has an entry telling you how to dump
>out the name of the virus signatures - though that isn't going to be as
>helpful as you might think since they sometimes name them differently.
>
>http://www.clamav.net/faq.html#pagestart
>
> 8) If you are using a recent version of ClamAV just run:
> $ sigtool --list-sigs
>
>===
>I find it helpful to run two daily virus reports - one at noon that just
>looks at that morning, the other at 6am and scans the whole week (so
>far). The reports show the last time the AV dat files were updated and a
>count of current viruses that have been stopped by MailScanner.
>
>The time the DAT files were last updated is given by:
> ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
> cut -c44-62
>
>The virus count is given by:
> grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
> cut -f1 "-d " |sort |uniq -c |sort -nr
>
>For the noon day one I do something like:
> TODAY=`date -d "today" "+%b %e" `
> grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
> cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
>
>The report will look something like this:
>
> Anti-Virus files last updated on: Feb 25 01:01:15 PM
> ===
> Morning Virus report:
> 53 Netsky.b@MM!zip
> 47 Netsky.b@MM
> 17 Mydoom.f.zip
> 15 Mydoom.f@MM
> 4 Mimail.a@MM
> 2 Bagle.b@MM
> 1 Sober.c@MM
> ===
>
>As you can see from the report, it shows you clearly that the MyDoom.f
>virus is being correctly caught.
>
>BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
>your organization, and is great PR for you and MailScanner.
>
>Hope this is helpful - Jon Carnes
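
The report pipeline quoted above, reworked as an added example that is not part of the original thread: it counts detections per name and also totals every variant of one name (for instance Mydoom.f.zip and Mydoom.f@MM together), which is the "are we covered by X" answer. The log line layout, the sample lines and the function names `virus_counts` and `caught_total` are assumptions constructed for illustration, not MailScanner's actual log format.

```shell
#!/bin/sh
# Assumed log layout (constructed for this example):
#   <Mon> <dd> <time> <host> MailScanner[pid]: Found the W32/<name> virus !!!

# Constructed sample log lines, including one non-virus line.
sample_log() {
cat <<'EOF'
Feb 25 23:58:10 mail MailScanner[2211]: Found the W32/Netsky.b@MM virus !!!
Feb 26 08:01:44 mail MailScanner[2211]: Found the W32/Mydoom.f@MM virus !!!
Feb 26 08:03:12 mail MailScanner[2211]: Found the W32/Mydoom.f.zip virus !!!
Feb 26 08:09:30 mail MailScanner[2211]: Found the W32/Netsky.b@MM virus !!!
Feb 26 08:15:02 mail MailScanner[2211]: Found the W32/Mydoom.f@MM virus !!!
Feb 26 08:20:51 mail sendmail[998]: i1QDKp: from=<a@example.com>, relay=[192.0.2.7]
EOF
}

# virus_counts [DATE_PREFIX]
# Reads a log on stdin and prints "count name" rows, highest count first.
# DATE_PREFIX (e.g. "Feb 26", as printed by: date "+%b %e") limits the
# report to lines that start with that date.
virus_counts() {
    awk -v day="$1" '
        index($0, "virus !") == 0 { next }            # same filter as the grep
        day != "" && index($0, day) != 1 { next }     # optional one-day filter
        {
            # Take the first token containing "/" and keep what follows it,
            # instead of relying on fixed cut field positions.
            for (i = 1; i <= NF; i++) {
                p = index($i, "/")
                if (p > 0) { n[substr($i, p + 1)]++; break }
            }
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# caught_total NAME [DATE_PREFIX]
# Sums detections whose name starts with NAME, ignoring case, so packed and
# unpacked variants of the same virus are counted together.
caught_total() {
    virus_counts "$2" | awk -v want="$1" '
        index(tolower($2), tolower(want)) == 1 { t += $1 }
        END { print t + 0 }'
}
```

Against a real log the calls would be `virus_counts "$(date '+%b %e')" < /var/log/maillog` and `caught_total mydoom.f < /var/log/maillog`, after adjusting the match to the lines your scanner actually writes.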