(Last updated Tuesday, 15-Apr-2008 22:50:41 PDT)
Viruses in email are becoming common as some software is distributed with default settings that allow them to propagate, and many users trust email far too easily -- some of us have been caught at times in the past and have learned the lesson the "hard" way:
- Never open email attachments you're not expecting without examining them closely (with anti-viral software, etc.) first.
Of course, viruses keep mutating and evolving over the years (and sometimes days), much like the "live" versions going around such as the Flu. Often, people we do know are both the victims and the unknowing distributors of the newest strains.
The only way to keep updated about most of these newest viruses (virii?) is to install a virus-detection/removal program and keep it up to date with its latest detection databases, or at least visit anti-virus sites to learn of the latest infections being spread. One site that lists various free anti-virus utilities is:
http://www.thefreesite.com/Free_Software/Anti_virus_freeware/
Some people have found that free software is slower to update their databases than their commercial cousins. The alerts below are from commercial-software sites but often include free single-virus removal utilities as well.
Latest virus threats (that may not appear here right away) can always be found at the major commercial anti-virus developers, such as:
Symantec / Norton
http://www.symantec.com/avcenter/
McAfee
http://vil.mcafee.com/default.asp
For those familiar with procmail-based email filters here at Eskimo North, we have some filters here that can help delete these before they reach your mailbox. The filters here delete the emails right away and should not catch "false-positives" -- we first run them in support's email box without deletions to check this. We actually run filters that bounce back a warning text to the sender, but as some viruses forge the sender's address, that doesn't always work, either.
Some introductory tips on using procmail on our servers can be found at http://www.eskimo.com/~jrp2/Unix/procmail.html.
The following filters save to a folder named "$VIRUSBOX", similar to how the public spam filters work. To set the name of the folder for your account, set the following above any of these recipes:
To save it for verification:
VIRUSBOX=filename
To delete it unchecked:
VIRUSBOX=/dev/null
A standard filter to catch any *.exe, *.bat, *.inf, *.pif, or *.scr filename should catch most of these:
:0 B:
* ^Content-Transfer-Encoding: base64
* name=.*\.(exe|bat|inf|pif|scr)
$VIRUSBOX
Blaster -- First seen August 11, 2003
This nasty creature not only propagates itself by using the File and Printer Sharing port on Windows XP and 2000 machines, but also places a time limit on dialup connections to force a reboot, making it difficult to find the correct removal tools and patch locations. Plus, after the 15th, it's coded to run a DoS (Denial of Service) attack on the Windows update site itself to make it even more difficult to patch.
Removal tools:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Microsoft's Critical Security Update patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Mimail -- First seen August 1, 2003
Another of the 'zip-file' viruses of late, this one forges the email to appear to be from 'admin' at the site it's sending to; the staff here does not use that address for any outgoing emails. The zip file ('message.zip' from an email with the subject "your account"), contains malicious code to spread the virus/worm to other users in similar emails. Links to removal information are here for those who may have been infected by this.
http://www.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100523
Sobig -- First seen mid-June 2003, many variants
Here's one that sends itself not as the malicious code itself, but as a *.zip archived file (which many computers may be set to unzip automatically) in order to get around filters such as those listed here. Same sort of random "From" line, random "To" line, grabbing addresses from addressbooks and various text files. The following filter can be used to catch this, but it will also catch legitimate attachments of the *.zip nature; best to simply not accept attachments via email (there are many other ways to transfer files, such as FTP, downloading from the web, peer-to-peer sharing, etc.).
:0 B:
* ^Content-Transfer-Encoding: base64
* name=.*\.zip
$VIRUSBOX
http://www.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
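The two recipes above (the standard executable-extension filter and the Sobig *.zip filter) can be checked offline with this added Python script; it is not part of the Eskimo North page, and the sample messages, the folder names standing in for $VIRUSBOX, and the route() function are constructed for the example.

```python
import email
import re
from email import policy

# Extensions the page's two procmail recipes match on: the executable list
# from the standard filter, and the .zip rule added for Sobig.
EXEC_EXTS = ("exe", "bat", "inf", "pif", "scr")
ZIP_EXTS = ("zip",)

# Stand-ins for the page's $VIRUSBOX setting (constructed names).
VIRUSBOX = "VIRUSBOX"
INBOX = "INBOX"


def recipe_matches(part, exts):
    """Emulate one recipe: the part is base64-encoded AND its name carries a
    blocked extension.  procmail's B flag scans the raw body, where the MIME
    part headers live; here each parsed part's headers are inspected."""
    cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
    if cte != "base64":
        return False
    name = part.get_filename() or ""
    # procmail matches case-insensitively by default; the page's regex has no
    # end anchor, the $ here avoids also flagging names like "report.exe.txt".
    return re.search(r"\.(%s)$" % "|".join(exts), name, re.I) is not None


def route(raw, block_zip=False):
    """Return (folder, matched filename).  block_zip enables the Sobig rule,
    which the page warns also catches legitimate .zip attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    exts = EXEC_EXTS + (ZIP_EXTS if block_zip else ())
    for part in msg.walk():
        if not part.is_multipart() and recipe_matches(part, exts):
            return VIRUSBOX, part.get_filename()
    return INBOX, None


def sample(filename):
    """Constructed two-part message with one base64 attachment named filename."""
    return (
        "From: someone@example.com\nTo: user@example.com\n"
        "Subject: your account\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n\n'
        "--XX\nContent-Type: text/plain\n\nSee attached.\n"
        '--XX\nContent-Type: application/octet-stream; name="%s"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="%s"\n\n'
        "SGVsbG8gd29ybGQ=\n--XX--\n"
    ) % (filename, filename)
```

Run route(sample("message.zip"), block_zip=True) to see the Sobig rule divert a zip that the standard filter alone lets through.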
Bugbear -- First seen September 30, 2002; variants in June 2003
Yet another nasty email-propagating virus that disables the various anti-virus software and firewall programs it finds running when it infects a computer, then opens a port on the infected computer to let the creator know which machines are compromised/hackable. Yet another example of why attachments -- especially the executable sort -- should be *disabled* by default in email software. The procmail recipe above that blocks all "*.exe", "*.scr", "*.pif", and "*.bat" files should work with this one, too.
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
Opaserv -- First seen September 30, 2002, updates in January 2003
Opaserv is a network worm that propagates across shared devices (such as connections with file and Internet sharing enabled). It uses a file named 'Scrsvr.exe' (supposed to look like a screensaver utility), yet the resulting network packets can be confused with Bugbear above. It should be catchable with filters that match on executables (like ".exe" extensions).
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
Other removal links from previous alerts:
- Frethem -- First seen June 2002, recent new strains in July 2002
- http://www.symantec.com/avcenter/venc/data/w32.frethem.m@mm.html
- http://vil.mcafee.com/dispVirus.asp?virus_k=99569
- Klez -- First seen November 2001, recent new phages/strains in April 2002
- http://www.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html
- http://vil.mcafee.com/dispVirus.asp?virus_k=99367
- http://vil.mcafee.com/dispVirus.asp?virus_k=99455
- Goner -- First seen December 2001
- http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html
- http://vil.mcafee.com/dispVirus.asp?virus_k=99272
- Badtrans -- First seen November 2001
- http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
- http://vil.mcafee.com/dispVirus.asp?virus_k=99069
- Sircam -- First seen July 2001