Will MailScanner pickup the W32/Bagle-Q virus?

Eric Dantan Rzewnicki rzewnickie at RFA.ORG
Thu Mar 18 22:30:10 GMT 2004


As of now the current stable release of mailscanner doesn't catch these
because the virus isn't actually in the message. It's just a link to the
virus hidden in an html tag.

Julian had a beta out this morning that does identify the tag. I'm
loath to upgrade to a beta release, though. There have been some
spamassassin rules suggested that might catch it and tag it, but that
doesn't really help us since we deliver all spam and it's just a kluge
anyway.

We may want to block or at least log these ports ...

-Eric

On Thu, Mar 18, 2004 at 04:20:56PM -0500, DNSAdmin wrote:
> At 03:59 PM 3/18/2004, you wrote:
> >Eric Dantan Rzewnicki wrote:
> >>Just to be clear ... 4.28.6 will not catch these?
> >
> >Wouldn't it be possible to pick these up with an SA rule looking for the
> >"link"? Someone good at writing rules should give it a try and post here
> >for those who can't upgrade right now.
>
> Peter, and all those concerned,
>
> At the firewall, block outgoing port 81/tcp, which is how you get infected
> in the first place, and 2556/tcp incoming/outgoing. 2556 is the port used
> once you are compromised.
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q
>
> Cheers,
> Glenn
