
Re: Ninda worm

2001-09-19 14:59:08
On Tue, 18 Sep 2001, Hermann Wecke wrote:

> Not tested... to catch the latest worm stream, called Nimda (which is
> "admin" backwards)
>
> ### nimda worm
> :0 B
> * ^Content-Type: audio/x-wav;
> * readme.exe
> nimdaworm

Zanshin just received a "sample" of this worm message.  FYI here's a link
to the Symantec description for it:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

The mail message comes in with Content-Type: multipart/related, which can
cause some unpatched versions of Outlook (and Express) to attempt to
display all the parts upon read or preview.  One of the parts is in fact
an executable labeled as a WAV file, and so should match the recipe above
(that recipe matched the sample I have).

I'm actually using this right now:

:0H
* ^Content-Type:.*\<multipart/related
{
 # Body filter: for messages that also carry an audio/x-wav part and the
 # string readme.exe in the body, prepend a notice to the body.
 :0Bfib
 * ^Content-Type: audio/x-wav
 * readme.exe
 | (echo 'content-type changed as a precaution -- probable nimda worm';\
    echo ''; cat)

 # Only if the body filter above matched: rewrite the top-level
 # Content-Type so mail clients render the message as plain text
 # (formail -i keeps the old value as an Old-Content-Type: field).
 :0Afh
 | formail -i"Content-Type: text/plain"
}

But if we start to get lots of copies I'll be changing that first pipe
to discard the body entirely.
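For readers who want to check the recipe's logic against a message before deploying it, here is an added Python re-implementation of the same three tests (top-level multipart/related, a body part typed audio/x-wav, and readme.exe in the body) and of the two-stage rewrite (notice prepended to the body, top-level Content-Type renamed to Old-Content-Type and replaced by text/plain, as formail -i does). This is example code written for this page, not the post's recipe or anything from the procmail project; the sample message is constructed with the shape described above and a harmless base64 placeholder instead of an executable.

```python
"""Added example: the Nimda recipe's detection and defanging logic in Python."""
import re
from email import message_from_string

# Constructed sample in the shape the post describes: multipart/related with
# an audio/x-wav part whose name parameter is readme.exe. The base64 payload
# decodes to the text "PLACEHOLDER BYTES, NOT AN EXECUTABLE".
SAMPLE_WORM_MESSAGE = """\
From: someone@example.invalid
To: you@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC123456_===="

--====_ABC123456_====
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>placeholder html part</body></html>

--====_ABC123456_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <placeholder-id>

UExBQ0VIT0xERVIgQllURVMsIE5PVCBBTiBFWEVDVVRBQkxF

--====_ABC123456_====--
"""

# Constructed ordinary message that must pass through untouched.
CLEAN_MESSAGE = """\
From: friend@example.invalid
To: you@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: text/plain

just a normal note
"""

NOTICE = "content-type changed as a precaution -- probable nimda worm"

# procmail regexes are case-insensitive; ^ anchors at a line start.
OUTER_RE = re.compile(r"^Content-Type:.*\bmultipart/related", re.I | re.M)
WAV_RE = re.compile(r"^Content-Type: audio/x-wav", re.I | re.M)
README_RE = re.compile(r"readme.exe", re.I)
# A Content-Type header plus any folded continuation lines.
CT_FIELD_RE = re.compile(r"^Content-Type:(.*(?:\n[ \t].*)*)", re.I | re.M)


def split_message(raw: str):
    """Headers and body are separated by the first blank line (as procmail's H/B)."""
    header, _, body = raw.partition("\n\n")
    return header, body


def looks_like_nimda(raw: str) -> bool:
    """The recipe's tests: outer multipart/related, a wav part, readme.exe in body."""
    header, body = split_message(raw)
    return bool(OUTER_RE.search(header) and WAV_RE.search(body) and README_RE.search(body))


def suspicious_parts(raw: str):
    """List (content-type, filename) for parts typed audio/x-wav that carry an .exe name."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "audio/x-wav" and name.lower().endswith(".exe"):
            hits.append((part.get_content_type(), name))
    return hits


def defang(raw: str) -> str:
    """Mirror the two recipes: prepend the notice to the body, then rename the
    old Content-Type to Old-Content-Type and append Content-Type: text/plain."""
    header, body = split_message(raw)
    header = CT_FIELD_RE.sub(lambda m: "Old-Content-Type:" + m.group(1), header)
    header += "\nContent-Type: text/plain"
    return header + "\n\n" + NOTICE + "\n\n" + body


def filter_message(raw: str) -> str:
    """Deliver unchanged unless the message matches; then deliver the defanged copy."""
    return defang(raw) if looks_like_nimda(raw) else raw


if __name__ == "__main__":
    print(filter_message(SAMPLE_WORM_MESSAGE))
```

Run it directly to see the rewritten sample; the defanged output keeps the original body after the notice, exactly as the `cat` in the first pipe does, so swapping `defang` to drop the body is the one-line change the post contemplates for heavy traffic.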

_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
