I feel like we're in some sort of arms race against these virus writers. Since there's no attachment involved in the newest Bagle variants, aside from a somewhat unique OBJECT tag in the e-mail, I wrote a Regex scanner for QSQ that's similar to the File Format Scanner I put out last month. Same rules apply: if it breaks, sorry. Simply cat the appropriate version (yes I made 2 - one for v1.16 and earlier, and one for v1.20 and later) to the qmail-scanner-queue.pl file (make a backup first!) and add "regex_scanner" to the @scanners array:
# cp /var/qmail/bin/qmail-scanner-queue.pl /var/qmail/bin/qmail-scanner-queue.pl.bak
# cat regex_scanner-116.pl >> /var/qmail/bin/qmail-scanner-queue.pl
: edit /var/qmail/bin/qmail-scanner-queue.pl
my @scanner_array=("regex_scanner", "fileformat_scanner", ...etc.etc.);
You may be thinking to yourself: "self, this looks kinda like the FFS".
Well that's because it basically is the same thing, only set for regex
scanning of every file. Probably a bit inefficient to scan everything, so
if anyone wants to take it upon themselves to fix that, be my guest.
The current regex pattern that is included is:
(?i)\<OBJECT STYLE=\"display:none\".*DATA=\"http://.*:81/.*\"\>
The (?i) is to turn off case-sensitivity. To add a new rule, to block all
OBJECT tags for instance:
Change:
@FORMATS = (
{ Name => "W32/Bagle-Q/R(regex)",
Data => "(?i)\<OBJECT STYLE=\"display:none\".*DATA=\"http://.*:81/.*\"\>"}
);
To:
@FORMATS = (
{ Name => "W32/Bagle-Q/R(regex)",
Data => "(?i)\<OBJECT STYLE=\"display:none\".*DATA=\"http://.*:81/.*\"\>"},
{ Name => "OBJECT tags not allowed",
Data => "(?i)\<OBJECT.*>"}
);
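The rule table above, applied to a few constructed messages, as an added example that is not the attached regex_scanner script: it uses Python's re (the patterns behave the same as in Perl), shows which rule fires on a Bagle-style tag versus an ordinary OBJECT tag, and shows that the post's `.*` does not cross line breaks unless the rules are compiled to span lines. The message bodies and host are constructed placeholders.

```python
import re

# Rule table in the shape of the post's @FORMATS (constructed copy, not the
# attached script). Perl's \< and \" are string escapes, so the regexes are
# carried here unescaped in raw strings.
FORMATS = [
    {"Name": "W32/Bagle-Q/R(regex)",
     "Data": r'(?i)<OBJECT STYLE="display:none".*DATA="http://.*:81/.*">'},
    {"Name": "OBJECT tags not allowed",
     "Data": r'(?i)<OBJECT.*>'},
]


def compile_formats(formats, span_lines=False):
    """Compile each rule. With span_lines=True, '.*' may also cross newlines,
    so a tag whose attributes are wrapped onto several lines still matches."""
    flags = re.DOTALL if span_lines else 0
    return [(f["Name"], re.compile(f["Data"], flags)) for f in formats]


def scan_message(text, rules):
    """Return the Name of every rule whose regex matches somewhere in text."""
    return [name for name, rx in rules if rx.search(text)]


# Constructed sample messages; 203.0.113.5 is a documentation address.
CLEAN = "Hi,\nplease find the report attached.\n"
BAGLE_LIKE = ('<html><body>\n'
              '<object style="display:none" '
              'data="http://203.0.113.5:81/index.php"></object>\n'
              '</body></html>\n')
ANY_OBJECT = '<p>See <OBJECT data="movie.swf"></OBJECT></p>\n'
SPLIT_TAG = ('<object style="display:none"\n'
             '        data="http://203.0.113.5:81/index.php"></object>\n')

if __name__ == "__main__":
    per_line = compile_formats(FORMATS)
    across = compile_formats(FORMATS, span_lines=True)
    for label, msg in [("clean", CLEAN), ("bagle", BAGLE_LIKE),
                       ("object", ANY_OBJECT), ("split", SPLIT_TAG)]:
        print(label, scan_message(msg, per_line), scan_message(msg, across))
```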
Enjoy, and if you have problems, you know where to find me (hiding under
yonder large boulder).
John Narron | "Sacrifice, they always say
Network Administration | Is a sign of nobility
CDS/CDSinet, LLC | But where does one draw the line
http://www.cdsinet.net | In the face of injury?"
(660) 886 4045 | - Queensryche