MyDoom.F

[Craig Daters]

I meant for this to go to the list, but Eudora always want to reply
to the original sender, sorry. Original message below....
--

This helped immensely, thank you very much! I didn't even know that
data could be manipulated like this. Can you think of any resources
that I might look into to learn more about all of this?

>On Thu, 2004-02-26 at 13:19, Craig Daters wrote:
>>  Looking at this, it looks like this is not for ClamAV. I would like
>>  to use these examples to produce similar reports for ClamAV and
>>  F-Prot.
>>
>>  I can sort of follow what is happening here, but I am not familiar
>>  with 'cut' so I am purusing the man page for cut, but can you kind of
>>  walk me through what's happening here with each of these examples?
>>
>>  >===
>>  >I find it helpful to run two daily virus reports - one at noon that just
>>  >looks at that morning, the other at 6am and scans the whole week (so
>>  >far). The reports show the last time the AV dat files were updated and a
>>  >count of current viruses that have been stopped by MailScanner.
>>  >
>>  >The time the DAT files were last updated is given by:
>>  >   ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current \
>>  >     cut -c44-62
>
>For ClamAV (or at least the clients I have running it) you would use
>something like:
>   ls -ld --time-style="+%b %d %r" /usr/local/share/clamav |cut -c44-62
>
>The "cut -c44-62" cuts out all characters but the ones between 44th and
>62nd columns. On my systems these columns happen to be where the
>Date/Time shows up from the "ls" command.
>
>
>
>>  >
>>  >The virus count is given by:
>>  >   grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
>>  >     cut -f1 "-d " |sort |uniq -c |sort -nr
>>  >
>>  >For the noon day one I do something like:
>>  >   TODAY=`date -d "today" "+%b %e" `
>>  >   grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
>>  >     cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
>>  >
>
>In the above, I find the date and assign it to the variable "TODAY". The
>format of the date is the same as that used in my maillog file.
>
>Next I "grep" for todays date in the maillog file, then I take that
>stream of information and look inside it for the word 'virus' followed
>by a space and then an exclamation point: "virus !".  This is a unique
>tag used by MailScanner to log when it has found a virus.  The actual
>tag is "virus !!!"
>
>Now I have a stream of information that contains all log entries from
>today with MailScanner virus declarations. I want to trim this down to
>just the virus names, so I use a series of "cut" commands - this is
>necessary since the log entry does not use a fixed record format and has
>a variable number of spaces in it (the file name for instance could have
>spaces in it).
>   cut -f7- "-d "
>      This cuts the first 6 fields of line, each field is separated
>      by a space (the "-d " means use spaces to separate fields on
>      the line). This gets rid of the file name section.
>   cut -f2 -d/
>      Now using "/" as a separator, only keep the second field
>      (the part of the line that comes after the "/")
>      This gets rid of anything left at the beginning of the line
>      up to the W32/....
>   cut -f1 "-d "
>      Now only the virus name remains as the first word, so lets
>      throw away anything after that first word on the line.
>
>Now I have a stream of information that contains virus names, one/line.
>I sort the names, then use "uniq -c" to count the number of times each
>virus occured.
>
>Lastly, I sort this numbered list (in reverse order since I want the
>higher numbers on top), and I'm done.
>
>
>>  >The report will look something like this:
>>  >
>>  >   Anti-Virus files last updated on: Feb 25 01:01:15 PM
>>  >   ===
>>  >   Morning Virus report:
>>  >      53 Netsky.b at MM!zip
>>  >      47 Netsky.b at MM
>>  >      17 Mydoom.f.zip
>>  >      15 Mydoom.f at MM
>>  >       4 Mimail.a at MM
>>  >       2 Bagle.b at MM
>>  >       1 Sober.c at MM
>>  >    ===
>>  >
>>  >As you can see from the report, it shows you clearly that the MyDoom.f
>>  >virus is being correctly caught.
>  > >
>>  >BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
>>  >your organization, and is great PR for you and MailScanner.
>  > >
>>  >Hope this is helpful - Jon Carnes
>>
>
>I used to teach a class/seminar on scripting.  I hope this was helpful!
>
>Jon Carnes


--
--

Craig Daters (craig at westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

--