From: Philip Guenther <guenther(_at_)gac(_dot_)edu>
I've been
using the following recipe:
:0
* 9876543210^0 ^Content-[-a-z0-9_]+:.*="?[^"]*\.vbs
* 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[ ].*)*="?[^"]*\.vbs
$BOG/vbs/$DEST
That's a space and tab in the brackets on the second condition line.
I had implemented this. I didn't catch any worms, but I did catch
an administrative mailing from McAfee Tech Support with it!
procmail: Score: 0 0 "^Content-[-a-z0-9_]+:.*="?[^"]*\.vbs"
procmail: Score: 9876543210 9876543210
Content-[-a-z0-9_]+:.*($[ ].*)*=?[^]*\.vbs"
Here's the letter from them. I'm going to include the whole thing,
because it has some value to sysadmins who deal with Windows
machines. However, I will change "VBS" in the attachment names
to "VBX" so that this can make it through Philip's recipe into
his inbox. :-) If you want to use the McAfee patches, I suggest
you download this straight from McAfee, rather than try to use
what I've pasted in here. Who knows whether it's been changed
by my cut-and-paste actions (besides the filename suffix, I mean).
From techsupport(_at_)mcafee(_dot_)com Fri May 5 15:38:53 2000
Return-Path: <techsupport(_at_)mcafee(_dot_)com>
Received: from exchange1.sento.com (exchange1.sento.com [208.31.156.18])
by ulysium.ulysium.net (8.9.3/8.9.3) with ESMTP id PAA29818
for <dman(_at_)nomotek(_dot_)com>; Fri, 5 May 2000 15:38:52 -0400 (EDT)
From: techsupport(_at_)mcafee(_dot_)com
Received: by exchange1.sento.com with Internet Mail Service (5.5.2650.21)
id <KKFWN6JY>; Fri, 5 May 2000 13:36:18 -0600
Message-ID:
<2529CB729AE7D211A5C80008C7F4536E04D2BEC5(_at_)exchange1(_dot_)sento(_dot_)com>
To: "'dman(_at_)nomotek(_dot_)com'" <dman(_at_)nomotek(_dot_)com>
Subject: RE: Request for Agent Assistance
Date: Fri, 5 May 2000 13:36:17 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed;
boundary="----_=_NextPart_000_01BFB6C9.2E916328"
Status: O
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_000_01BFB6C9.2E916328
Content-Type: text/plain;
charset="iso-8859-1"
Thank you for contacting McAfee Technical Support.
You MUST have at least a Scan Engine 4.0.35 in order to detect this virus.
Version 5 has, by default, 4.0.50. You will just need to install the
extra.dat.
To serve our customers faster, we have temporarily streamlined our download
page to help accommodate the download of this file.
If you do not need to update your scan engine, I have included the
'extra.dat' as an attachment. Simply save the file in your VirusScan folder
as explained below.
If you cannot access the attachment, the file can be downloaded from
http://download.mcafee.com and then must be unzipped using an unzipping
utility. If you do not have one, you can get a free trial version of WinZip
at http://winzip.com.
To save the extra.dat to your VirusScan folder, navigate to C:\Program
Files\Network Associates\McAfee VirusScan and save or move the file there.
Just to let you all know that the LoveLetter Virus cannot spread through
the preview pane like previous vbs worms. The attachment actually has to be
opened first in order to infect. Then it propagates from there and resends
itself at different intervals.
We have found 3 variations of the Love Letter. All three are included in
the extra.dat. Please look at the following link for info on them.
http://vil.nai.com/villib/dispvirus.asp?virus_k=98617
<<extra.dat>>
------_=_NextPart_000_01BFB6C9.2E916328
Content-Type: application/octet-stream;
name="extra.dat"
Content-Disposition: attachment;
filename="extra.dat"
134 178 156 177 9 51 219 241 94 28 193 220 123 86 193 214
121 71 232 193 178 50 157 76 9 177 143 178 13 152 153 147
13 55 142 176 95 118 192 176 73 122 192 177 66 125 137 143
69 103 192 199 235 49 141 163 196 63 6 85 231 198 113 62
236 223 122 69 241 197 249 6 35 204 141 183 13 56 193 252
91 118 160 255 72 103 217 246 95 59 223 246 74 97 216 253
94 27 136 251 89 126 193 155 3 96 221 225 72 114 201 231
66 118 192 242 68 127 165 190 143 57 136 157 122 92 255 222
13 51 140 179 25 125 138
10643 256 10425 VBX/LoveLetter
105 178 157 176 77 51 221 228 94 127 226 197 104 127 232 199
121 86 255 76 9 162 143 179 14 146 136 56 204 247 92 119
242 55 28 177 12 48 44 187 141 245 40 22 141 245 40 22
214 50 140 48 15 47 137 18 3 244 73 100 199 253 8 56
134 184 65 54 192 247 92 105 12 50 95 186 13 2 222 128
8 115 136 76 5 62 15 182 13 51 141 178 13 39 64 177
2 51 30 182 162 115 141 179 181 52
9899 256 10425 PWSLoveLetter
107 178 156 176 9 51 196 225 78 28 193 220 123 86 193 214
121 71 232 193 242 55 15 177 12 51 44 187 243 197 107 68
225 198 124 75 235 49 221 178 196 57 123 83 230 210 8 50
230 223 107 93 121 134 145 139 13 49 141 184 65 124 219 246
32 127 200 231 89 118 223 184 75 124 223 158 84 124 216 157
69 103 192 190 143 54 141 179 13 50 141 167 67 160 136 179
9 51 214 192 158 54 141 183 13 104 222 180
9593 256 10425 IRC/LoveLetter
--
Dallman Ross
U.S. Voicemail/FAX: +1 (415) 680-2388
Residence Telephone: +49 (0) 6122 / 98 04 46
Cellular Telephone: +49 (0) 177 / 515 34 69
<dman(_at_)netcom(_dot_)com> ? <dman(_at_)nomotek(_dot_)com> ?
<dman(_at_)oxon(_dot_)de>
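The following is an added example, not part of the original post and not Philip Guenther's recipe or the McAfee material above. It re-implements in Python what the two procmail conditions look for, a Content-* header whose name or filename parameter ends in .vbs, so the behaviour can be checked offline on constructed messages. Both sample messages, the addresses and the attachment names in them (`notes.txt.VBS`, a stand-in for a worm-style attachment; `extra.dat`, mirroring the shape of the McAfee mail) are constructed for this example. It goes one step beyond the recipe: besides a regex port that unfolds continuation lines before matching, it walks the parsed MIME tree with Python's `email` package, which also decodes RFC 2047/2231 encoded parameter values that a raw regex over the text would miss.

```python
"""Flag mail parts whose attachment name ends in .vbs.

Added example: a Python rendering of the procmail recipe's intent,
checked on two constructed messages (not real mail).
"""
import re
from email import message_from_string
from email.policy import default

# Header test in the spirit of the recipe: a Content-* header whose
# parameter value ends in .vbs.  Python's negated classes match newlines,
# so \r\n is excluded explicitly to keep the match on one unfolded line.
VBS_HEADER = re.compile(
    r'^content-[-a-z0-9_]+:[^\r\n]*="?[^"\r\n]*\.vbs',
    re.IGNORECASE | re.MULTILINE,
)


def unfold(text: str) -> str:
    """Join RFC 822 folded header lines (newline + space/tab) onto one line.

    The recipe handles this inside the pattern with ($[ ].*)*; here the
    folding is removed first and the pattern stays simple.
    """
    return re.sub(r'\r?\n[ \t]+', ' ', text)


def vbs_header_lines(raw: str) -> list[str]:
    """Regex port of both conditions: scan the top headers and every MIME
    part header in the body (the recipe's B ?? condition) after unfolding.
    Returns the matching header prefixes."""
    return VBS_HEADER.findall(unfold(raw))


def vbs_attachment_names(raw: str) -> list[str]:
    """Structured check: parse the message and report any part whose
    filename (or Content-Type name) parameter ends in .vbs, case-insensitively.
    get_filename() decodes RFC 2047/2231 encoded names for us."""
    msg = message_from_string(raw, policy=default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith('.vbs'):
            hits.append(name)
    return hits


# Constructed sample: a worm-style message carrying a .VBS attachment with
# folded Content-Type and Content-Disposition headers.
WORM_STYLE = (
    "From: someone@example.invalid\n"
    "Subject: a note\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\n"
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "please see attached\n"
    "--b1\n"
    "Content-Type: application/octet-stream;\n"
    "\tname=\"notes.txt.VBS\"\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"notes.txt.VBS\"\n"
    "\n"
    "(attachment bytes omitted)\n"
    "--b1--\n"
)

# Constructed sample shaped like the McAfee mail: prose that mentions vbs
# worms plus a benign extra.dat attachment; neither should be flagged.
MCAFEE_STYLE = (
    "From: support@example.invalid\n"
    "Subject: RE: Request for Agent Assistance\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed;\n"
    "\tboundary=\"----_=_NextPart_000\"\n"
    "\n"
    "This message is in MIME format.\n"
    "------_=_NextPart_000\n"
    "Content-Type: text/plain;\n"
    "\tcharset=\"iso-8859-1\"\n"
    "\n"
    "The LoveLetter virus cannot spread through the preview pane like\n"
    "previous vbs worms. Save the attached extra.dat in your VirusScan folder.\n"
    "------_=_NextPart_000\n"
    "Content-Type: application/octet-stream;\n"
    "\tname=\"extra.dat\"\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"extra.dat\"\n"
    "\n"
    "(signature data omitted)\n"
    "------_=_NextPart_000--\n"
)


if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_STYLE), ("mcafee-style", MCAFEE_STYLE)):
        print(label, "regex:", vbs_header_lines(raw))
        print(label, "parsed:", vbs_attachment_names(raw))
```

On the worm-style sample both checks fire (the regex port matches the Content-Type and the Content-Disposition line, the parser reports `notes.txt.VBS`); on the McAfee-style sample neither does, since a body that merely talks about vbs worms has no Content-* header with a .vbs parameter. The parsed check is the one to prefer for filing decisions: a worm can hide the extension behind RFC 2047 or 2231 encoding of the parameter, which the regex port never sees.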