procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: badtrans again

2001-12-08 09:36:49
from [George Chelidze] [Permanent Link] 
Check this url for definition of badtransII worm

http://www.viruslist.com/eng/VirusList.asp?page=0&mode=1&id=4310&key=00001000130000100112

all badtransII viruses I have received came with the following format:

Content-Type: audio/x-wav;
        namme="<filename>.ext.pif" or

Content-Type: audio/x-wav;
        namme="<filename>.some_extention.scr"
Note that i wrote namme instead of name because my recipe will catch it as virus if i use name here:) so you can use the following recipe to block it:
# I use namme in condition recipe here instead of name so you should use # name 

:0 B
* ^Content-Type: audio/x-wav;
* .*namme=".*\..*\.(scr|pif)"
/var/spool/mail/VIRUS-BadTransII

Regards,

--
George Chelidze

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  badtrans again, Edward Bishop
Next by Date:  Re: badtrans again, Dallman Ross
Previous by Thread:  badtrans again, Edward Bishop
Next by Thread:  Re: badtrans again, Don Hammond
Indexes:  [Date] [Thread] [Top] [All Lists]