procmail

That famous worm whose name I don't want to use in the SUBJ

2000-05-08 05:39:49
Well, 1.5 hours ago I sent the below, but it hasn't appeared.
I'm thinking that it was filtered based on the attachment.  I
am resending, but leaving that part off.
DR


From: Philip Guenther <guenther(_at_)gac(_dot_)edu>

I've been using the following recipe:

      :0
      * 9876543210^0      ^Content-[-a-z0-9_]+:.*="?[^"]*\.vbs
      * 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[   ].*)*="?[^"]*\.vbs
      $BOG/vbs/$DEST

That's a space and tab in the brackets on the second condition line.

I had implemented this.  I didn't catch any worms, but I did catch
an administrative mailing from McAfee Tech Support with it!

procmail: Score:       0       0 "^Content-[-a-z0-9_]+:.*="?[^"]*\.vbs"
procmail: Score: 9876543210 9876543210
Content-[-a-z0-9_]+:.*($[        ].*)*=?[^]*\.vbs"


Here's the letter from them.  I'm going to include the whole thing,
because it has some value to sysadmins who deal with Windows
machines.  However, I will change "VBS" in the attachment names
to "VBX" so that this can make it through Philip's recipe into
his inbox.  :-)  If you want to use the McAfee patches, suggest
you download this straight from McAfee, rather than try to use
what I've pasted in here.  Who knows whether it's been changed
by my cut-and-paste actions (besides the filename suffix, I mean).


From techsupport(_at_)mcafee(_dot_)com  Fri May  5 15:38:53 2000
Return-Path: <techsupport(_at_)mcafee(_dot_)com>
Received: from exchange1.sento.com (exchange1.sento.com [208.31.156.18])
        by ulysium.ulysium.net (8.9.3/8.9.3) with ESMTP id PAA29818
        for <dman(_at_)nomotek(_dot_)com>; Fri, 5 May 2000 15:38:52 -0400 (EDT)
From: techsupport(_at_)mcafee(_dot_)com
Received: by exchange1.sento.com with Internet Mail Service (5.5.2650.21)
        id <KKFWN6JY>; Fri, 5 May 2000 13:36:18 -0600
Message-ID: 
<2529CB729AE7D211A5C80008C7F4536E04D2BEC5(_at_)exchange1(_dot_)sento(_dot_)com>
To: "'dman(_at_)nomotek(_dot_)com'" <dman(_at_)nomotek(_dot_)com>
Subject: RE: Request for Agent Assistance
Date: Fri, 5 May 2000 13:36:17 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed;
        boundary="----_=_NextPart_000_01BFB6C9.2E916328"
Status: O

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01BFB6C9.2E916328
Content-Type: text/plain;
        charset="iso-8859-1"

Thank you for contacting McAfee Technical Support.

You MUST have at least a Scan Engine 4.0.35 in order to detect this virus.
Version 5 has, by default, 4.0.50.  You will just need to install the
extra.dat.

To serve our customers faster, we have temporarily streamlined our download
page to help accommodate the download of this file.

If you do not need to update your scan engine, I have included the
'extra.dat' as an attachment.  Simply save the file in your VirusScan folder
as explained below.
If you cannot access the attachment, the file can be downloaded from
http://download.mcafee.com and then must be unzipped using an unzipping
utility.  If you do not have one, you can get a free trial version of WinZip
at http://winzip.com.

To save the extra.dat to your VirusScan folder, navigate to C:\Program
Files\Network Associates\McAfee VirusScan and save or move the file there.


Just to let you all know that the LoveLetter Virus cannot spread through
the preview pane like previous vbs worms.  The attachment actually has to be
opened first in order to infect.  Then it propagates from there and resends
itself at different intervals.


We have found 3 variations of the Love Letter.  All three are included in
the extra.dat.  Please look at the following link for info on them.

http://vil.nai.com/villib/dispvirus.asp?virus_k=98617



 <<extra.dat>>
[deletia]


--
Dallman Ross
U.S. Voicemail/FAX: +1 (415) 680-2388
Residence Telephone: +49 (0) 6122 / 98 04 46
Cellular Telephone: +49 (0) 177 / 515 34 69
<dman(_at_)netcom(_dot_)com> ? <dman(_at_)nomotek(_dot_)com> ? 
<dman(_at_)oxon(_dot_)de>
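The recipe quoted above matches a Content-* header whose parameter value ends in ".vbs", and its second condition adds ($[ \t].*)* so that a filename carried on a folded continuation line, or in a part header inside the body, is still seen; the log excerpt shows exactly that split (head condition scored 0, body condition matched). The following Python is an added example, not code from the post or from procmail: it applies the same regex to a constructed sample message with and without unfolding the headers, and beside it uses the standard-library email module to pull attachment filenames, which is how a mail gateway would check the same thing today. The sample message, its filenames and addresses are constructed for this example.

```python
import email
import re
from email import policy
from typing import List

# Python rendering of the quoted procmail condition.  procmail regexes are
# case-insensitive by default, so IGNORECASE reproduces that; MULTILINE makes
# ^ anchor at every line, as procmail does when scanning a header block.
VBS_PARAM = re.compile(r'^Content-[-a-z0-9_]+:.*="?[^"]*\.vbs',
                       re.IGNORECASE | re.MULTILINE)


def unfold(text: str) -> str:
    """Join RFC 822 folded lines: a line starting with SP/TAB continues the
    previous one.  This plays the role of the recipe's ($[ \\t].*)* group."""
    return re.sub(r'\r?\n[ \t]+', ' ', text)


def regex_matches(raw_message: str, unfold_headers: bool) -> List[str]:
    """Run the recipe's regex over the whole raw message (head and body, as
    the two procmail conditions together do) and return the matched text."""
    text = unfold(raw_message) if unfold_headers else raw_message
    return [m.group(0) for m in VBS_PARAM.finditer(text)]


def vbs_attachments(raw_message: str) -> List[str]:
    """Parse the message as MIME and return every part filename ending in
    .vbs, whatever its case.  get_filename() already unfolds parameters and
    falls back from Content-Disposition to the Content-Type name parameter."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith('.vbs'):
            hits.append(name)
    return hits


# Constructed sample: the attachment's filename parameters sit on folded
# continuation lines, the case the recipe's second condition exists for.
SAMPLE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed sample message\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"BOUNDARY\"\n"
    "\n"
    "--BOUNDARY\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "\n"
    "kindly check the attached greeting\n"
    "--BOUNDARY\n"
    "Content-Type: application/octet-stream;\n"
    "\tname=\"greeting.txt.vbs\"\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"greeting.txt.vbs\"\n"
    "\n"
    "(constructed placeholder body, not a script)\n"
    "--BOUNDARY--\n"
)

if __name__ == "__main__":
    print("raw regex, no unfolding :", regex_matches(SAMPLE, False))
    print("raw regex, unfolded     :", regex_matches(SAMPLE, True))
    print("MIME parser             :", vbs_attachments(SAMPLE))
    # Renaming the suffix, as the post does with VBS -> VBX, slips past both.
    print("after .vbs -> .vbx      :", vbs_attachments(SAMPLE.replace('.vbs', '.vbx')))
```

Without unfolding, the regex finds nothing, because the `=` and the `.vbs` are on a continuation line that does not begin with `Content-`; after unfolding it hits both the Content-Type name and the Content-Disposition filename. The MIME-parser check reaches the same verdict from the parsed structure rather than the raw text, which is the more robust place to enforce an attachment policy, though as the post itself shows, any suffix-based rule is only as good as the suffix list.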
