---
Regards,
Richard Jackson
Computer Center Lead Engineer, Central Systems & Dept. UNIX Consulting
University Computing & Information Systems (UCIS)
George Mason University, Fairfax, Virginia

RESPONSES:
------------------------------------------------------------------------
Arrigo Triulzi <arrigo_at_albourne.com>
Bruce Senn <sennb_at_union.edu>
"William H. Magill" <magill_at_isc.upenn.edu>
aordonez_at_datadec.co.cr
"Larye D. Parkins" <larye_at_selway.umt.edu>
patchkov_at_ucalgary.ca (Serguei Patchkovskii)
"Sim Alam" <simjodie_at_hotmail.com>
Ian Mortimer <ian_at_physics.uq.edu.au>
Clyde Hoadley <hoadleyc_at_mscd.edu>
------------------------------------------------------------------------
QUESTION:
------------------------------------------------------------------------
What are the current safe solutions to scan and remove the worm from Digital UNIX mbox format files?

I have over 60,000+ users with almost 50,000 inboxes alone on one DU box. We use Digital UNIX 4.0D, sendmail, Qualcomm popper, University of Washington's IMAP4rev1, elm, pine, mailx, Outlook, Netscape Communicator, Eudora, PC-Pine, etc. As of 2am EDT May 5, 2000 we have at least a couple hundred inboxes with the worm.

There seem to be many good solutions and suggestions on how to filter the ILOVEYOU worm (e.g., via sendmail, procmail, and PostFix) and remove it from Microsoft Windows systems:

http://www.thepope.org/index.pl?node_id=140
NAI: http://download.mcafee.com/extrafiles/love-4.zip
Datafellows: http://www.datafellows.com/download-purchase/updates.html
TrendMicro: http://www.antivirus.com/download/pattern.asp
Sophos: http://www.sophos.com/downloads/ide/index.html#loveleta
F-secure: http://www.europe.f-secure.com/v-descs/love.htm
CERT: http://www.cert.org/advisories/CA-2000-04.html
etc.

I don't manage our Groupwise systems but we support several thousand users with it. Does anyone have a safe solution to detect and remove the worm from this environment once it is in the mailstore?
------------------------------------------------------------------------
SELECTED RESPONSES:
------------------------------------------------------------------------
From Bruce Senn <sennb_at_union.edu>:

I was working on a method to remove the virus part of the message from a user's inbox in /var/spool/mail. Basically, it uses vi with redirected input from a file to find the subject line, the content type line and then deletes to the beginning of the next message. I did not have time to put a script around it to check the inbox with grep, copy the original file, then do the editing for each occurrence of the message. We decided not to do the editing, because it would probably mean keeping the pop server down all day.

A couple of thoughts. Awk couldn't do the work because of a 99 field limit, although maybe changing the FS to \nl would get around that. A C or Pascal program, which can read a line at a time, can probably do the job in a single sequential read of the inbox file. BUT, I'm not good at C, and we don't have Pascal. Perl might work, but I'm worse at Perl than C.

Basically, the technique is to read until you find the line "Subject: ILOVEYOU", read until you find the "Content-type" line, then delete lines until the beginning of the next message, which begins with "From " and is preceded by a blank line.
------------------------------------------------------------------------
From "William H. Magill" <magill_at_isc.upenn.edu>:

If you are able (as in politically, legally) to scan users' mailboxes, then you can use grep to find the offenders; just look for the included file name, not the Subject line. Depending upon how many hits you get, you then either manually edit the mailbox via emacs or whatever, or have to resort to some fairly sophisticated script in sed or perl to mechanically process them. We are not doing any scanning of that type because it is against University Privacy policies.
Since we are Tru64 Unix based for our mail servers, the problem belongs to the clients (i.e. end users), not the servers. ELM, Eudora and Netscape users (our recommended email products) have no problems - on-line, in POP or IMAP. Only the folks using Outlook, or the couple of departments on campus who use Exchange, have problems. The one major Exchange user - the Wharton School - does use a mail scanner and caught the problem very, very early on, changed their filter and nailed it.

We have seen no particular volume issues either, but then I'm running a pair of DS20Es for about 20K users, and our backbone connection is OC3.
------------------------------------------------------------------------
From "Larye D. Parkins" <larye_at_selway.umt.edu>:

We are currently cleaning 7500 mailboxes totalling over 2GB with a procmail script, but it is slow (20 mailboxes the first hour, but only about half actually have the virus, which we check for first).

command line:

find /usr/spool/mail -size +20 -exec ./script {} \;

This only checks mailboxes large enough to contain the worm (10K+).

script:

#!/usr/bin/ksh
# Only touch mailboxes that contain the worm's subject line.
if [ "`grep \^Subject:\ ILOVEYOU $1`" ]; then
  echo "Cleaning $1"
  ls -l $1
  cp /dev/null cleanbox
  cp /dev/null bitbin
  # Re-deliver every message through procmail; the recipe file sorts
  # worm messages into bitbin and everything else into cleanbox.
  cat $1 | formail -s procmail ${HOME}/virusclean/.procmailrc
  cp cleanbox $1
  ls -l $1
fi

The echos are for monitoring progress.

procmailrc file:

SHELL=/usr/bin/ksh
MAILDIR=${HOME}/virusclean
LOGFILE=${MAILDIR}/procmail.log
VERBOSE=no

:0
* ^Subject:.*ILOVEYOU
bitbin

:0
cleanbox

The .* unfortunately also removes any warnings sent by the systems people; we have been putting "LOVE bug" in the subject line of warnings, which will then not be cleaned.
------------------------------------------------------------------------
From patchkov_at_ucalgary.ca (Serguei Patchkovskii):

Well, mbox format files are quite simple, really. I attach a q'n'd Perl script which will do the trick (but make sure to check the trigger pattern before you try it!).
Like all Perl scripts, it's memory-hungry; make sure you have at least four times as much real memory as the size of the largest mailbox you have.

Cheers,
/Serge.P
--
home page: http://www.cobalt.chem.ucalgary.ca/ps/

#!/freeware/bin/perl -w
$| = 1 ;
$sum = 0 ;
foreach $file (@ARGV){
  print "Processing $file: " ;
  # Skip the .save/.bad files left behind by an earlier run.
  $file =~ /\.bad$|\.save$/ && print(" skipped\n") && next ;
  @stat = lstat $file ;
  -l _ && print("is a link!\n") && next ;
  open(IN,"< $file") || ( print("read: $!\n") && next ) ;
  $mbox = join('',(<IN>)) ;
  close(IN) ;
  # Split at message boundaries ("From " after a blank line).  The lookahead
  # keeps the separator attached to the following message, so the surviving
  # messages can be written back unchanged.
  @mbox = split(/(?=\n\nFrom )/,$mbox) ;
  undef $mbox ;
  @cbox = grep(!/ILOVEYOU/,@mbox) ;
  @vbox = grep( /ILOVEYOU/,@mbox) ;
  print $#mbox + 1, " messages, ", $#vbox + 1, " virii " ;
  $sum += $#vbox + 1 ;
  undef @mbox ;
  if( $#vbox >= 0 ){
    # Don't start either output file with blank lines if message 1 moved.
    $cbox[0] =~ s/^\n+// if @cbox ;
    $vbox[0] =~ s/^\n+// ;
    rename("$file","$file.save") || ( print("rename failed: $!\n") && next ) ;
    open(OUT,"> $file" ) || ( print("save: $!\n") && next ) ;
    chmod($stat[2],"$file" ) ;
    chown($stat[4],$stat[5],"$file") ;
    print OUT @cbox ;
    close(OUT) || print "close/save: $!\n" ;
    open(BUT,"> $file.bad") || ( print("reject: $!\n") && next ) ;
    chmod($stat[2],"$file.bad") ;
    chown($stat[4],$stat[5],"$file.bad" ) ;
    print BUT @vbox ;
    close(BUT) || print "close/reject: $!\n" ;
  }
  undef @cbox ; undef @vbox ;
  print "\n" ;
}
print "Total $sum virii found\n" ;
------------------------------------------------------------------------
From "Sim Alam" <simjodie_at_hotmail.com>:

I hope this gets to you as I have had to guess your email address. I am in a similar situation. My mail system is down (bloody MS exchange) so I can't read my Tru64 posts to get your real address and only found your message via the searchable archive.

There is an anti-virus tool produced by sophos http://www.sophos.com that you can download and try for a month that works on Digital Unix. I downloaded this in the hope that it would scan the mailboxes but it doesn't work.
I have contacted sophos support who were really helpful and said that a procmail + sophos + amavis (http://amavis.org) solution might work and they would look into it. When they get back with some info I'll forward it to you if you like?

If this doesn't work then all I can think of is maybe cobbling together a perl (or similar) script to go and remove any message with a vbs attachment. This probably is out of the range of my abilities. Have you had any useful responses?

Cheers,
Sim Alam
IMB Dept of Education, Tasmania, Australia.
------------------------------------------------------------------------
Ian Mortimer <ian_at_physics.uq.edu.au>:

This is probably too late to be any use now but the script below is the one I use to remove messages from files in mbox format. You use the script by giving it either a space separated list of line numbers of messages to be deleted or a list of | separated patterns - messages with lines matching any of those patterns will be deleted. Patterns are in egrep format.

For this particular worm I used:

delmsg -p 'rem barok -loveletter(vbe)' _user_

since that pattern was present in all variants of the worm that I saw. You could use any pattern that is unique to the worm but most unlikely to be found in other messages. Using the subject 'ILOVEYOU' or 'fwd: joke' would not be a good idea since the subject varied a lot and those strings also appeared in messages warning about the worm.

------------------------------CUT---------------------------------------
#!/bin/ksh
#@(#) delmsg v1.0 Delete messages from mbox file.
# Author: Ian Mortimer

script=$(basename $0)
usage="$script [-l line numbers| -p pattern] user"
lines=''
patt=''

while getopts :l:p: opt
do
  case $opt in
    l) lines="$OPTARG"      # Messages including specified line numbers
       ;;
    p) patt="$OPTARG"       # Messages matching patterns
       ;;
    *) print -u2 "Unknown option: $OPTARG"
       print -u2 "$usage"
       exit 1;;
  esac
done
shift $(($OPTIND-1))

if [[ -n $lines && -n $patt ]]
then
  print -u2 "Only one of -l or -p at a time\n$usage"
  exit 1
fi

if [[ $# -ne 1 ]]
then
  print -u2 "$usage"
  exit 2
fi

user=$1
if [[ ! -f $user ]]
then
  print -u2 "File $user not found\n$usage"
  exit 3
fi

if [[ -f $user.lock ]]
then
  print "$user has a lock file"
  exit 4
fi

if [[ -n $patt ]]
then
  if grep -qE "$patt" $user
  then
    :
  else
    print -u2 "Pattern '$patt' not found in file $user"
    exit 4
  fi
  lines=$(grep -nE "$patt" $user | cut -d: -f1)
elif [[ -z $lines ]]
then
  print -u2 "Specify a list of line numbers (-l) or a pattern (-p)"
  print -u2 "$usage"
  exit 1
fi

touch $user.lock

integer nm nf np i ns ne
# Line numbers of the "From " lines that begin each message, plus a
# sentinel entry one line past the end of the file.
set -A nf $(grep -n '^From ' $user | cut -d: -f1)
nm=${#nf[*]}
nf[nm]="$(wc -l < $user)+1"

# Turn each matching line number into the "start,end d" range of the
# message that contains it, for a single sed pass.
ns=0
ne=0
ed=''
for np in $lines
do
  (( np >= nf[nm] )) && break            # Line number outside the range.
  (( np >= ns && np <= ne )) && continue # Multiple match
  i=0
  while (( np >= nf[i] ))
  do
    i=i+1
  done
  ns=nf[i-1]
  ne=nf[i]-1
  ed="${ed}${ns},${ne}d;"
done

cp -p $user $user+
sed "$ed" $user >| $user+
{ print "\n\nDifference $user+ $user:\n"; diff $user+ $user; } | more

typeset -l1 ans
print '\n'
read ans?"Update $user [y|n]? "
if [[ $ans = y ]]
then
  mv $user $user-
  mv $user+ $user
fi
rm $user.lock
------------------------------------------------------------------------
Ian Mortimer <ian_at_physics.uq.edu.au> UPDATE:

> For this particular worm I used:
>
> delmsg -p 'rem barok -loveletter(vbe)' _user_

In case you are thinking of using my script to clobber the worm I should warn you that the pattern above won't work.
That was the pattern I was using last Friday and it worked fine but this morning I modified the script so it could use extended regular expression syntax (grep -E). In extended REs () are special so you should just use the pattern:

delmsg -p 'rem barok -loveletter' _user_

This pattern is present in all the variants I've seen last week and today.
------------------------------------------------------------------------
Clyde Hoadley <hoadleyc_at_mscd.edu>:

(Note from Richard Jackson: there were three revisions of the following script. I included only the last.)

I haven't tried to actually "remove" the virus but I have been able to "disable" the virus. I run a find/grep script to identify infected mail files. Then, for each of those files found, I run another script to replace the first two lines of the script. This has been working for the "love" virus and the "funny" variant. Now I'm starting to find some other viruses that will require a different strategy; I'm still working on that.

Note, I'm not on the List Server or News Group. Your message was forwarded to me by our Sys Admin.

FindVirus:

#!/bin/ksh
export OURBASE=/your/script/directory
rm -f $OURBASE/Virus.dat
# List every mailbox containing a CreateObject call (case-insensitive).
find /var/spool/mail -name '*' -exec grep -l -i CreateObject {} \; >> $OURBASE/Virus.dat
echo "\n" >> $OURBASE/Virus.dat

CleanVirus:

#!/bin/ksh
export OURBASE=/your/script/directory
# $1 is the Virus.dat list written by FindVirus.
while read selection
do
  (grep -i filename $selection | grep -q -i vbs)
  rv1=$?
  if [[ $rv1 = 0 ]]
  then
    $OURBASE/DisableVirus $selection
    echo Disabled VBS in $selection
  else
    echo $selection already cleaned
  fi
done < $1

DisableVirus:

#!/bin/ksh
# Rewrite the script's "on error resume" line so it stops instead of running.
/bin/ex - $1 <<EOF
set ignorecase
g/on error resume/c\\
stop\\
on error stop\\
exit\\
end
w
q
EOF
------------------------------------------------------------------------
Received on Tue May 09 2000 - 17:28:57 NZST
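The approaches from Bruce Senn, Serguei Patchkovskii and Ian Mortimer above are all the same operation: split the mailbox at message boundaries, test each message, and write the survivors back. The Python script below is an added worked example for this summary, not any poster's code and not a Tru64 tool. It assumes classic mbox files as the thread describes them (a message starts at a "From " line that follows a blank line or opens the file), uses the two signatures the thread names (a .vbs/.vbe attachment filename, which William Magill and Sim Alam point at, and Ian's "rem barok -loveletter" body marker), and treats a path + ".lock" dot-lock as the mailbox lock, as delmsg does; the sample mailbox, its example.invalid addresses and the attachment name greeting.TXT.vbs are constructed. It goes a little beyond the posts: rejected messages are appended to a .bad file, the cleaned file keeps the owner and mode and is swapped in atomically, and a warning message whose subject contains ILOVEYOU and whose body has a line beginning with "From " survives, which is the false positive Ian and Larye both ran into.

```python
import io
import os
import re
import stat
import tempfile
from email import message_from_string

# Added example, not any poster's script.  Assumes classic mbox: every message
# begins with a "From " line at the start of the file or right after a blank
# line.  Signatures are the two the thread names: a VBScript attachment name and
# Ian Mortimer's "rem barok -loveletter" body marker.
VBS_NAME = re.compile(r"\.vb[se]$", re.I)
WORM_BODY = re.compile(r"rem barok -loveletter", re.I)


def split_mbox(text):
    """Split mbox text into raw messages, each keeping its "From " line.

    A separator is "From " at column 0 *after an empty line* (or at file start);
    the bare word would also cut messages that quote such a line in their body.
    """
    messages, current, prev_blank = [], [], True
    for line in io.StringIO(text):  # splits on "\n" only and keeps it
        if line.startswith("From ") and prev_blank and current:
            messages.append("".join(current))
            current = []
        current.append(line)
        prev_blank = line in ("\n", "\r\n")
    if current:
        messages.append("".join(current))
    return messages  # "".join(messages) == text


def is_suspect(raw, body_pattern=WORM_BODY):
    """True when the message has a .vbs/.vbe attachment or matches body_pattern."""
    # Drop the envelope "From " line; the email parser expects RFC 822 headers first.
    rfc822 = raw.split("\n", 1)[1] if raw.startswith("From ") else raw
    for part in message_from_string(rfc822).walk():
        name = part.get_filename()
        if name and VBS_NAME.search(name):
            return True
    return bool(body_pattern and body_pattern.search(raw))


def clean_mbox(path, body_pattern=WORM_BODY):
    """Rewrite path without suspect messages, appending them to path + ".bad".

    Returns (kept, quarantined).  Holds a dot-lock (path + ".lock", the file
    delmsg checks; assumed to be what the local MDA and POP server honour),
    refuses symlinks, and swaps the file in atomically with owner/mode kept.
    """
    if os.path.islink(path):
        raise RuntimeError(f"{path} is a symlink; refusing to follow it")
    lock = path + ".lock"
    os.close(os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644))  # FileExistsError if busy
    try:
        st = os.stat(path)
        # latin-1 round-trips arbitrary bytes; newline="" leaves CRLF untouched.
        with open(path, encoding="latin-1", newline="") as fh:
            messages = split_mbox(fh.read())
        flags = [is_suspect(m, body_pattern) for m in messages]
        bad = [m for m, f in zip(messages, flags) if f]
        if not bad:
            return len(messages), 0
        good = [m for m, f in zip(messages, flags) if not f]
        with open(path + ".bad", "a", encoding="latin-1", newline="") as fh:
            fh.writelines(bad)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".clean-")
        with os.fdopen(fd, "w", encoding="latin-1", newline="") as fh:
            fh.writelines(good)
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        tst = os.stat(tmp)
        if (tst.st_uid, tst.st_gid) != (st.st_uid, st.st_gid):
            os.chown(tmp, st.st_uid, st.st_gid)  # mailboxes belong to their users; needs root
        os.replace(tmp, path)  # readers see the old file or the new one, never a torn one
        return len(good), len(bad)
    finally:
        os.remove(lock)


# Constructed sample: a clean message, a worm carrier, and a warning whose
# subject says ILOVEYOU and whose body contains a line starting with "From ".
SAMPLE_MBOX = (
    "From alice@example.invalid Fri May  5 01:00:00 2000\n"
    "From: alice@example.invalid\nSubject: lunch?\n\nStill on for noon?\n\n"
    "From bob@example.invalid Fri May  5 01:05:00 2000\n"
    "From: bob@example.invalid\nSubject: ILOVEYOU\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="xx"\n\n--xx\nContent-Type: text/plain\n\n'
    "kindly check the attached LOVELETTER\n--xx\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="greeting.TXT.vbs"\n\n'
    "rem barok -loveletter\n--xx--\n\n"
    "From carol@example.invalid Fri May  5 01:10:00 2000\n"
    "From: carol@example.invalid\nSubject: Re: ILOVEYOU warning\n\n"
    "Do not open .vbs attachments; the worm's first line begins with\n"
    "From here on I will say no more.\n\n"
)


def demo():
    """Run the cleaner over SAMPLE_MBOX in a scratch directory and return the results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mailbox")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(SAMPLE_MBOX)
        kept, quarantined = clean_mbox(path)
        with open(path, encoding="latin-1", newline="") as fh:
            cleaned = fh.read()
        with open(path + ".bad", encoding="latin-1", newline="") as fh:
            quarantine = fh.read()
    return kept, quarantined, cleaned, quarantine
```

Called as clean_mbox('/var/spool/mail/<user>') it returns the (kept, quarantined) counts; demo() runs the same code over the embedded sample in a scratch directory and returns the cleaned and quarantined text as well. The thing to verify before running it over a real spool is the locking assumption: if the delivery agent and POP server use fcntl or flock locking rather than a .lock file, the rewrite has to take that lock too, otherwise a delivery that lands between the read and the replace is lost.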