bagle-i worm

Drew Marshall drew at THEMARSHALLS.CO.UK
Wed Mar 3 01:41:47 GMT 2004


Now I'm hoping that I've hacked the best answer I can for this. Postfix
can do header & body filtering so I've set up a load of discard rules
based on the Bagle-i subject lines (Just hope I've got them all :-) )
Something of a moral dilemma in so much as the options really are
discard, which deletes the message having given the sending server a 250
response (Breaks an RFC or two!) or reject but I just don't like the
idea of sending the virus laden message back to some poor innocent party.
Now just have to sit back and wait...

Drew

Marco Obaid wrote:

>I can confirm  that Bagle-I worm did make it through our MS gateways. I am
>running both Sophos and Command AV (up-to-date) and both let it slip through.
>We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it
>helps. Meanwhile, I have blocked zip files temporarily.
>
>
>Quoting Derek Winkler <dwinkler at ALGORITHMICS.COM>:
>
>
>
>>For Bagle-H Sophos included this note:
>>
>>"W32/Bagle-H sends itself as a password protected ZIP file that is not
>>detected by this identity. However, when unzipped by the user the worm will
>>be detected by Sophos Anti-Virus at the user's desktop."
>>
>>May be true of Bagle-I since it also uses password protected ZIP files as
>>well, although they didn't specifically say.
>>
>>
>>

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy
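For readers who want to see what the Postfix setup described above looks like, here is an added example (not Drew's actual configuration and not part of the original post) of the header_checks/mime_header_checks tables with both the DISCARD and the REJECT choice shown side by side. The WORM_SUBJECT_n strings are placeholders, since the thread does not list the Bagle-I subject lines; the file paths are the conventional ones and are assumptions. Note that REJECT is applied during the SMTP dialogue, so Postfix itself never sends a bounce; if the worm's own SMTP engine is the client, the 5xx simply goes back to the infected host, and only a relaying MTA in between would turn it into a bounce to the forged From: address.

```postfix
# ---- /etc/postfix/main.cf (lines to add) ----
header_checks      = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks

# ---- /etc/postfix/header_checks ----
# Tables are scanned top to bottom; the first matching pattern wins and
# patterns are case-insensitive by default. WORM_SUBJECT_n are placeholders:
# substitute the exact subject lines from your AV vendor's advisory and
# escape regex metacharacters such as . ? ! ( ) in them.

# Option A (the approach taken in the thread): accept with 250, then drop.
# Nothing is returned to anyone, but the sending server believes delivery
# succeeded and the only trace is the log line Postfix writes.
/^Subject:\s*(WORM_SUBJECT_1|WORM_SUBJECT_2|WORM_SUBJECT_3)\s*$/ DISCARD Bagle-I subject line

# Option B: refuse during the SMTP dialogue with a 5xx instead. Postfix
# generates no bounce; whether the forged sender ever sees one depends on
# the connecting MTA, not on this server.
#/^Subject:\s*(WORM_SUBJECT_1|WORM_SUBJECT_2|WORM_SUBJECT_3)\s*$/ REJECT Message matches a known worm subject line

# ---- /etc/postfix/mime_header_checks ----
# Complements the subject list: the worm travels as a password-protected
# ZIP that the gateway AV cannot open, so instead of deleting every .zip
# silently, put it on the hold queue for a human to inspect (postcat/postsuper).
/^Content-(Disposition|Type):.*name\s*=\s*"?[^"]*\.zip"?/ HOLD ZIP attachment held for inspection
```

After editing the tables, reload Postfix (`postfix reload`) and check a sample with `postmap -q 'Subject: WORM_SUBJECT_1' pcre:/etc/postfix/header_checks`, which prints the action the table would take for that header. Held messages can be reviewed with `postqueue -p` and released or deleted with `postsuper -H` or `postsuper -d`.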


