Will MailScanner pickup the W32/Bagle-Q virus?

Eric Dantan Rzewnicki rzewnickie at RFA.ORG
Thu Mar 18 22:32:41 GMT 2004


<blush>
oops
sorry.
meant to forward .... ugh

On Thu, Mar 18, 2004 at 05:30:10PM -0500, Eric Dantan Rzewnicki wrote:
> As of now the current stable release of mailscanner doesn't catch these
> because the virus isn't actually in the message. It's just a link to the
> virus hidden in an html tag.
>
> Julian had a beta out this morning that does identify the tag. I'm
> loath to upgrade to a beta release, though. There have been some
> spamassassin rules suggested that might catch it and tag it, but that
> doesn't really help us since we deliver all spam and it's just a kluge
> anyway.
>
> We may want to block or at least log these ports ...
>
> -Eric
>
> On Thu, Mar 18, 2004 at 04:20:56PM -0500, DNSAdmin wrote:
> > At 03:59 PM 3/18/2004, you wrote:
> > >Eric Dantan Rzewnicki wrote:
> > >>Just to be clear ... 4.28.6 will not catch these?
> > >
> > >Wouldn't it be possible to pick these up with an SA rule looking for the
> > >"link"? Someone good at writing rules should give it a try and post here
> > >for those who can't upgrade right now.
> >
> > Peter, and all those concerned,
> >
> > At the firewall, block outgoing port 81/tcp, which is how you get infected
> > in the first place, and 2556/tcp incoming/outgoing. 2556 is the port used
> > once you are compromised.
> >
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q
> >
> > Cheers,
> > Glenn
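
For the "block or at least log these ports" suggestion in the thread above, the following is an added example, not code from the original posts or from MailScanner: it triages firewall log lines for the two ports Glenn names and reports which internal hosts are involved. The 10.0.0.0/8 internal range, the netfilter LOG line format, the finding labels and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the protected network range; replace with the site's own.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DOWNLOAD_PORT = 81    # thread: outgoing 81/tcp is "how you get infected"
BACKDOOR_PORT = 2556  # thread: 2556/tcp is "used once you are compromised"

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Mar 18 17:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.15 DST=203.0.113.7 PROTO=TCP SPT=1034 DPT=81
Mar 18 17:02:40 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.15 DST=198.51.100.9 PROTO=TCP SPT=1040 DPT=2556
Mar 18 17:05:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.1.2.15 PROTO=TCP SPT=4021 DPT=2556
Mar 18 17:06:13 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.30 DST=203.0.113.7 PROTO=TCP SPT=1100 DPT=80
Mar 18 17:07:55 fw kernel: IN=eth1 OUT=eth1 SRC=10.1.2.31 DST=10.1.2.40 PROTO=TCP SPT=1201 DPT=81
Mar 18 17:08:20 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.32 DST=203.0.113.7 PROTO=UDP SPT=1300 DPT=2556
Mar 18 17:09:31 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=203.0.113.7 PROTO=TCP SPT=1411 DPT=81
"""

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET

def triage(log_text):
    """Map each internal host to the set of findings for the two ports."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not f.keys() >= {"SRC", "DST", "DPT"}:
            continue
        src, dst, dport = f["SRC"], f["DST"], int(f["DPT"])
        if dport == DOWNLOAD_PORT and is_internal(src) and not is_internal(dst):
            findings[src].add("download-attempt")       # outgoing 81/tcp
        elif dport == BACKDOOR_PORT:
            if is_internal(src):
                findings[src].add("backdoor-outbound")  # 2556/tcp leaving
            if is_internal(dst):
                findings[dst].add("backdoor-inbound")   # 2556/tcp arriving
    return dict(findings)

if __name__ == "__main__":
    for host, tags in sorted(triage(SAMPLE_LOG).items()):
        print(host, ", ".join(sorted(tags)))
```

A host that shows both a download attempt and 2556/tcp traffic is the first one to pull off the network and scan; a download attempt alone means the link was followed but the firewall block may have stopped it.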


