|
|
|
|
|
|
| ISP Resources |
| ISP-Lists ISP Glossary ISP News The List ISPCON Events Free Newsletters |
|
|
|
||
| internet.commerce | ||
|
Partner With Us |
The Snow White Virus
Members of the ISP-Tech list discuss blocking the Snow White virus. Veteran haters of viruses and spam share their ideas about what does and does not work, and share links to further information.
| [January 24, 2001] |
 |
On the ISP-Tech list in January, MS asked,
"Does anyone know of something I can put into my Sendmail config to block the Snow White virus?"
RL recommended blocking the sender:
"edit /etc/mail/access
add
hahaha@sexyfun.net<tab>550<tab>Go talk to Billie!
save exit
then rehash the access file."
A number of respondents countered that blocking the sender doesn't work:
[MS observed] "I already did that, and they can still send it. It seems that it sends it through the user's account and then puts a new 'From' line in."
[RS agreed] "The virus populates the SMTP 'Mail From' with a blank address. You cannot block it in the SMTP transmission; you have to receive it and then scan the headers."
[TW added] "I don't think that editing the access file in /etc/mail will work using the 'From' address. This virus sends itself with a NULL return path. I don't think you can add a NULL into the access file."
There were some alternate suggestions:
[BK suggested] "Why not scan for the text in the body of the message? 'Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter…'"
[SE advised] "We use the following rule to block the Snow White virus.
#
# Block Snowhite Virus
#
HSubject: $>Check_Subject
D{MPat}Snowhite and the Seven Dwarfs - The REAL story
D{MMsg}This message is infected with the W95.Hybris.gen virus. See http://www.symantec.com on how to remove it.
SCheck_Subject
R${MPat} $* $#error $: 553 ${MMsg}
RRe: ${MPat} $* $#error $: 553 ${MMsg}
RFwd: ${MPat} $* $#error $: 553 ${MMsg}
Just tack it to the bottom of your sendmail.cf file and restart Sendmail."
[WW added] "Check out the following: http://www.amavis.org/ You will need third party virus scanners, but there are links to them under section 2.1 at: http://www.amavis.org/amavis.html
McAfee works with it: http://www.nai.com/asp_set/buy_try/try/products_evals.asp
And Kaspersky also works well: http://www.kaspersky.com/products.asp"
[Ed. Note: Symantec has detailed information on the virus at http://service1.symantec.com/sarc/sarc.nsf/html/W95.Hybris.gen.html, and McAfee offers removal instructions at http://vil.nai.com/vil/virusRemovalInstructions.asp?virus_k=98873]
—End
| Related articles: | ||
| [Nov. 14, 2000] | Symantec Targets ISPs | |
| [Sep. 7, 2000] | myCIO.com | |
| Related links: | ||
| Symantec's Snow White virus info | ||
| McAfee's Snow White virus info | ||
|
|
| Best of ISP-Planet | ||
|---|---|---|
|
ISP-Planet
Guide
ISP-Planet's Principal Studies Directories:
Q3 2008 Top U.S. ISPs by Subscriber (Updated 12/02/2008)
ISP-Planet's Blogroll | ||
ISP-Planet's
RSS feed
Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia
Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers