badtrans variant, new signature trap

2001-12-04 00:10:22

A new badtrans variant has crossed my desk. Here's an updated trap
that should catch it:


# Trap BadTrans (signature as of 12/03/2001)
#
:0
* > 40000
* < 50000
* ^Subject: Re:
* 1^1 ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
* 1^1 ^Content-Type:.*multipart/.*multipart/
{
        :0 B hfi
        * ^Content-Type: audio/x-wav;
        * ^Content-ID: <EA4DMGBP9p>
        * ^Content-Transfer-Encoding: base64
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
}



Again, if you're not using the sanitizer, change the action to
something appropriate.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin(_at_)impsec(_dot_)org                       pgpk -a jhardin(_at_)wolfenet(_dot_)com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  In 1998 more than three times as many people in the US were killed
  by incompetent physicians than were killed by handguns, yet the
  President of the A.M.A. is adopting "gun safety" as his platform.
-----------------------------------------------------------------------
   1065 days until the Presidential Election
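
The matching logic of the recipe above, restated as an added Python example (not part of the original post) so the signature can be checked offline against a sample message before the recipe is deployed. The function names and the constructed test message with its inert filler are assumptions made for this example.

```python
import re

FLAGS = re.I | re.M  # case-insensitive, ^ anchors at each line start

SUBJECT = re.compile(r"^Subject: Re:", FLAGS)
# The two "1^1" conditions are scored: a positive total means either one suffices.
SCORED = [re.compile(p, FLAGS) for p in (
    r'^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="',
    r"^Content-Type:.*multipart/.*multipart/",
)]
# Conditions of the nested recipe (B flag): every one must match in the body.
BODY = [re.compile(p, FLAGS) for p in (
    r"^Content-Type: audio/x-wav;",
    r"^Content-ID: <EA4DMGBP9p>",
    r"^Content-Transfer-Encoding: base64",
)]

def matches_trap(raw: str) -> bool:
    """Return True if the message satisfies every condition of the trap."""
    if not 40000 < len(raw.encode()) < 50000:   # "* > 40000" and "* < 50000"
        return False
    header, _, body = raw.partition("\n\n")
    # Unfold continuation lines so a wrapped Content-Type header is one line.
    header = re.sub(r"\n[ \t]+", " ", header)
    if not SUBJECT.search(header):
        return False
    if sum(1 for rx in SCORED if rx.search(header)) <= 0:
        return False
    return all(rx.search(body) for rx in BODY)

def sample(filler_lines: int) -> str:
    """Constructed test message: signature headers plus inert filler text."""
    return (
        "From: sender@example.com\n"
        "Subject: Re:\n"
        "Content-Type: multipart/related;\n"
        '\tboundary="====_ABC1234567890DEF_===="\n'
        "\n"
        "--====_ABC1234567890DEF_====\n"
        "Content-Type: audio/x-wav;\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <EA4DMGBP9p>\n"
        "\n"
        + ("A" * 76 + "\n") * filler_lines
    )

if __name__ == "__main__":
    for n in (100, 580, 700):
        print(n, matches_trap(sample(n)))
```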
