António José (ajose) wrote,

What fun!.... :-)))

Yesterday it was a hard day's fight against W32/Myparty.A@MM virus.

I was completely caught unprepared.
Having the antivirus on the mail servers updating every night, I thought it would be as up to date as possible; but I was wrong.
This virus came out in the wild and although the night version of the virus definition file didn't even recognize this virus, there was a new file by 13:21.

So I was seeing this virus appearing in some computers and being reported and yet, not seeing anything being caught by the AV in the mail servers....
So I decided to run the live update again and !bingo! it started detecting it and cleaning it, when detected.

Yes, this is quite clever.
By not using a MIME attachment, it can fool the antivirus and not be detected on the spot!
Its code comes in UPX-encoded form in the EMAIL BODY!
It took me a while to find out a common characteristic but I found it. It is ALWAYS 41104 bytes in the /var/spool/mail directory (as far as I've found) so I left a loop running that finds any file with that size and just deletes it.
And at the same time, another loop running the antivirus on the /var/spool/mail.

I know it's brute force but it seems to be holding...
This morning I couldn't see any traces of the virus.

Let's hope this holds up until it can be more effectively dealt with!
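The size-matching loop the post describes, as an added example that is not the poster's own script: it quarantines matching spool files instead of deleting them, so a user's mailbox can be restored once the AV signatures catch up. It assumes POSIX sh with a `find` that accepts `-size Nc`, the 41104-byte size reported in the post, and a quarantine directory path that is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's script. Quarantine (rather than delete)
# spool files whose size matches the one reported in the post.
# Assumptions: POSIX sh, find with -size Nc, writable quarantine directory.

SPOOL_DIR="${SPOOL_DIR:-/var/spool/mail}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine/myparty}"   # assumed path
MATCH_SIZE=41104   # byte size reported in the post; a heuristic, not a signature

# Print the regular files under $1 whose size is exactly $2 bytes.
find_by_size() {
    find "$1" -type f -size "$2"c -print
}

# Move every file under $1 of exactly $3 bytes into $2, keeping the original
# name plus a timestamp so the mailbox can be put back later.
# Prints the number of files quarantined.
quarantine_by_size() {
    spool="$1"; qdir="$2"; size="$3"
    mkdir -p "$qdir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    count=0
    # Mailbox names in a mail spool carry no whitespace, so word splitting
    # of the find output is safe here.
    for f in $(find_by_size "$spool" "$size"); do
        dest="$qdir/$(basename "$f").$stamp"
        if mv "$f" "$dest"; then
            echo "quarantined $f -> $dest" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Only act on the real spool when invoked explicitly with --run, so that
# sourcing this file (e.g. from a test) never touches live mailboxes.
if [ "${1:-}" = "--run" ]; then
    n=$(quarantine_by_size "$SPOOL_DIR" "$QUARANTINE_DIR" "$MATCH_SIZE")
    echo "$n file(s) moved to $QUARANTINE_DIR" >&2
fi
```

Run it in a loop the way the post describes (`while sleep 60; do sh quarantine.sh --run; done`) and point the antivirus at the quarantine directory rather than at deleted files.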

