Fix for MyDoom-O problems

Rob Rooken rob at enem.nl
Tue Jul 27 22:13:21 IST 2004 

We run 4.31.6 on freebsd, I have applied  Mariano's 4.31.6 pacth (thanks
for that!)


Result:
-------------------------
|--- Message.pm.4.31.6.orig     Tue Jul 27 12:52:35 2004
|+++ Message.pm Tue Jul 27 12:48:55 2004
--------------------------
Patching file Message.pm using Plan A...
Hunk #1 succeeded at 878.
Hunk #2 succeeded at 1367.
Hunk #3 succeeded at 1383.
Hunk #4 succeeded at 1400.
Hunk #5 succeeded at 1410.
Hunk #6 succeeded at 1418.
Hunk #7 succeeded at 1427.
Hunk #8 succeeded at 1442.
Hunk #9 succeeded at 1456.
Hunk #10 succeeded at 2585.
Hunk #11 succeeded at 2733.
Hunk #12 succeeded at 3220.
Hunk #13 succeeded at 3740.
Done

That looks OK to me... I restarted MS, but there mydoom O is still
coming through! (I I resend an email, with one "layer" of the sip file
removed, fprot DOES find the forbidden file.

Anyone any idea what could be wrong?

rr

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Mariano Absatz
> Sent: dinsdag 27 juli 2004 22:30
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Fix for MyDoom-O problems
>
>
> Guys...
>
> Julian is off-site and with very bad connectivity, I know
> what it means trying to sort things out without access to
> your cvs, and all the stuff you keep around.
>
> FWIW, I didn't check if  4.32.whatever is already on line but:
>
> The patch Julian provided applies nicely and without any
> errors to the last (at the time) 4.32 beta which was 4.32.3.
>
> The patch I provided for 4.31.6 was just a plain diff between
> the original 4.31.6 Message.pm and the Message.pm that Julian
> had provided earlier. It, obviously, applies silently to 4.31.6.
>
> The patch I provided for 4.29.7 was a back-port of the patch for
> 4.31.6 that I did myself... it's the only one I tried and it
> works. I have 12 production servers running this version
> without a problem.
>
> For the versions 'in between' or 'just below 4.29.7', you
> should try the closest patch. If all you get is a message
> saying that a hunk succeeded applying 'fuzz' at a different
> offset, it 'should' be OK...
> give it a try, send yourself a message infected with one of
> these new viruses...
>
> At different places I have MS 4.29.7 with Message.pm already
> patched (for some other functionality I had added) and the
> patching only said that hunks succeeded at different offsets,
> everything's running fine.
>
> Obviously, your mileage may vary, but I want to really thank
> Julian for providing solutions in such a hurry under bad
> conditions (for him)... and to Larry Wall for 'patch' which
> is one of the best tools I've ever used... (and for Perl, also)
> :-)
>
> Jason... I answer your particular question down below...
>
> On Tue, 27 Jul 2004 13:08:05 -0700, Jason Williams
> <jwilliams at courtesymortgage.com> wrote:
> > >  Please note that Julian's patch was for (correct me if
> I'm wrong)
> > >the latest stable version of MailScanner or newer (the beta's).
> > >
> > >  The patch will fail (like it did for you) on earlier
> versions. Take
> > >a look at the post from Mariano Absatz. He posted the
> following URL
> > >which has patches that work against 4.29.7:
> > >
> > >  http://baby.com.ar/MailScanner/zipWzip/
> > >
> > >  The 4.29.7 patch also applied properly for 4.30.3. I haven't
> > >noticed any obvious problems with the patch, but I'm still
> testing it
> > >before I push it into production at my site. But initial testing
> > >appears that there aren't any obvious issues
> >
> > I appreciate the link, as I am running 4.29-7.
> >
> > Just out of curiosity, what happens if you attempt to patch
> Message.pm
> > and it fails? Since it fails, does it affect anything with MS? I'm
> > assuming no because the patch didn't work and nothing was
> changed for
> > that matter. I could be wrong though. :)
> Well, it depends... if it failed _completely_ (that is, no
> hunk succeeded), then yes, your Message.pm is unmodified and
> everything will work as before (you'll probably have a
> Message.pm.rej in the same directory with the rejections...
> since every hunk was rejected, this will look rather similar
> to the original patch).
>
> If every hunk succeeds 'silently', then the patch work fine,
> and you have a new Message.pm... after restarting (not
> reloading) MailScanner, it will be running.
>
> If every hunk succeeds but you see messages about 'fuzz' or
> 'different offset', then everything should be fine, your
> Message.pm is modified and you get a Message.pm.orig with a
> copy of the original file 'just in case' you want to revert.
>
> Now... if some hunks succeed and other don't, you're into trouble...
> the Message.pm is modified, but only in part... you'll also
> get the original file in Message.pm.orig and a file with the
> failed hunks (in patch format) named Message.pm.rej... you
> have to manually check this last file and see why it didn't
> apply and if you have to manually make changes or discard them...
>
> This last thing requires that you understand a bit of patch
> and diff (and Perl)...
> man patch
> man diff
> and get the camel book...
>
> but this is going out of the reach of this message...
>
> FWIW, the last scenario was what I got when applied the
> 4.31.6 patch to the plain stock 4.29.7 Message.pm... the 2
> hunks that hand't applied were harmless, but I had to
> manually check that, including making a diff between stock
> Message.pm files from 4.29.7 and 4.31.6...
>
> HTH
>
> --
> Mariano Absatz - El Baby
> el (dot) baby (AT) gmail (dot) com
> el (punto) baby (ARROBA:@) gmail (punto) com
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

More information about the MailScanner mailing list