
Re: new ZippedFiles email worm recipe

1999-06-12 00:36:01
On Fri, 11 Jun 1999 17:43:51 -0700 (PDT), cueman(_at_)cuenet(_dot_)com wrote:
> You might consider just filtering for 'zipped_files.exe' and

Um, that would have matched on this message I'm quoting, and this one
too. (As would Jerry's original recipe, but I think the question was
how to improve it, not how to dilute it :-)

> Also, I am not an expert at making recipes, perhaps yours are
> a shorthand, but isn't there supposed to be a '^' or some such
> indicating an action following the '*'?

No, the ^ stands for "beginning of line" but is certainly not required
for anything. It just constrains the match (man regex or what have you).

Enclosed CERT text:
"The ExploreZip Trojan horse has been propagated in the form of email
   messages containing the file zipped_files.exe as an attachment. The

A Deja search on the file name brings up several threads in the virus
groups, which is probably a good place to find more information.
(Drats, I was hoping to find a copy of the actual virus.) Microsoft's
page is unusually informative, but doesn't contain actual attachment
headers, which is what I'd focus on for filtering.
<http://www.microsoft.com/misc/data/emailvirusalert.htm>

Here's what appears to be a copy accurate enough for fingerprinting
purposes: <http://www.deja.com/getdoc.xp?AN=488518533>

Given this example, I'd try something like

    :0B
    * I received your email and I shall send you a reply ASAP\.($|[     ])*\
        Till then, take a look at the attached zipped docs\.
    * ($)($)--.*\
        Content-Type:\<*application/.*;\<*name=zipped_files\.exe
    | filter or whatever

The first line adds some additional constraints to the body text of
the message, so as to avoid matching on quoted material (hopefully).
The stuff after ASAP will match newlines, spaces, or tabs, but not
quote marks etc.

The second condition tries to look for an attachment boundary followed
by the MIME body part header used in the example I found on Deja.
Probably the Content-type: body part header will always be the first
body part header in a set of headers, but one could allow for
additional non-empty lines between the boundary and the header as a
precaution against mutations. (You could look for the corresponding
Content-disposition: header as well.)

Another message in the same thread from Deja warned against checking
for only application/octet-stream, so I changed that to application/.*
(which again is a bit lax for my taste, but not terribly. You could
even look for simply something like Content-Type:.*zipped_files
[shudder] and not expect too many false matches [and if people send
you attachments with file names such as zipped_files_exe.doc it serves
them right if they get filtered]). The same message also suggests
looking for attachments named prettypark.exe but I don't know if that's a
different virus or a variant of this one.

I have obviously not had the opportunity to test this on a large scale
(or indeed at all). Still, hope this helps,

/* era */

-- 
.obBotBait: It shouldn't even matter whether     <http://www.iki.fi/era/>
I am a resident of the state of Washington. <http://members.xoom.com/procmail/>
 * Sign the European spam petition! <http://www.politik-digital.de/spam/en/> *
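Added example, not part of era's post and not a procmail recipe: the same two fingerprints (the body text and the zipped_files.exe body-part name) checked with Python's standard email module, over two constructed sample messages, one shaped like the described worm mail and one that merely quotes the text, as replies in this thread do.

```python
import email
from email import policy
# The two fingerprints the recipe keys on: the body text and the attachment name.
WORM_TEXT = ("I received your email and I shall send you a reply ASAP. "
             "Till then, take a look at the attached zipped docs.")
WORM_ATTACHMENT = "zipped_files.exe"

# Constructed sample shaped like the described message; the attachment is a placeholder string.
SAMPLE_WORM = b"""\
From: someone@example.invalid
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Hi! I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

--XYZ
Content-Type: application/octet-stream; name=zipped_files.exe
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=zipped_files.exe

bm90IGEgcmVhbCBiaW5hcnk=
--XYZ--
"""

# Constructed sample: a reply that merely quotes the text, like this thread.
SAMPLE_REPLY = b"""\
From: era@example.invalid
Content-Type: text/plain

> I received your email and I shall send you a reply ASAP.
> Till then, take a look at the attached zipped docs.
Quoting the text alone must not trigger the filter.
"""

def attachment_names(msg):
    # Leaf parts only; get_filename() reads Content-Disposition filename= first, then Content-Type name=.
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def is_explorezip_like(raw):
    # Both fingerprints must hold; whitespace is normalised so wrapping after "ASAP." does not matter.
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_attachment = any(n.lower() == WORM_ATTACHMENT for n in attachment_names(msg))
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()) if body is not None else ""
    return has_attachment and WORM_TEXT in text
```

Requiring both the exact attachment name and the body text is what keeps a quoted copy of the text, or an attachment with a merely similar name, from matching.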
