procmail

Re: badtrans again

2001-12-08 10:03:40
From: George Chelidze <wrath(_at_)geo(_dot_)net(_dot_)ge>

Check this URL for a definition of the badtransII worm:

http://www.viruslist.com/eng/VirusList.asp?page=0&mode=1&id=4310&key=00001000130000100112

All badtransII viruses I have received came with the following format:

Content-Type: audio/x-wav;
      namme="<filename>.ext.[ ]pif" or

Content-Type: audio/x-wav;
      namme="<filename>.some_extention.[ ]scr"

Note that I wrote namme instead of name because my recipe will catch it
as a virus if I use name here :) so you can use the following recipe to
block it:

# I use namme in condition recipe here instead of name so you should use 
# name

:0 B
* ^Content-Type: audio/x-wav;
* .*namme=".*\..*\.(scr|pif)"
/var/spool/mail/VIRUS-BadTransII

Well, George, my old virus snagger, originally suggested by Philip
Guenther two years ago, still works, and snagged your article despite
the attempted spoof.  I've reposted this three times now.  I haven't
found the need to write new virus snaggers every time a new virus
of this ilk gets coded.  (I've seen others repost it as well in
the intervening couple of years.)  Here it is again.

  #  #  #  #  #  #  #  #  #  #  #  #  #  #  #
  #  Virus/Worm Catchers!                   #
      # added `pif' on 21-Sep-2001
      # added `(doc|txt)\.' on 26-Jul-2001
      # (succeeded on "Homepage" virus 25-May-2001)
  :0  # conditions here came direct from Philip Guenther
  * 9876543210^0 ^Content-[-a-z0-9_]+:.*="?[^"]*\.(vb[se]|ws[fh]|hta|shs|\
                  pif|(doc|txt|xls)\.)
  * 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[        ].*)*=[  ]*\
                       ($[      ]+)*"?[^"]*\.(vb[se]|ws[fh]|hta|shs|pif|\
                       (doc|txt|xls)\.)
  { RECIPE = "${RECIPE:+$RECIPE }VIR_01" }


You can do something more personally meaningful with the action line.
For me, the recipe identities are appended and then written to the
log at the end, at which time a decision is made about what action
to take, depending.

You'll note that I edited your spoof so that this post would not
also fall into my virus snagger.

Dallman Ross

-- 
Netcom has imploded.  Please now use NOTnetcom.com for mail.
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Ex-Netcommies:  Mail "forwards" for free forwarding service!
NOT affiliated with EarthLink, Inc.'s Netcom brand identity.
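As an added illustration (not code from either poster), the check below applies the same header pattern in Python to a constructed sample message: it unfolds RFC 822 continuation lines, the case Dallman's second condition handles with `($[ \t]+)*`, then looks for any Content-* parameter whose value carries one of the listed extensions or a double extension such as `.doc.pif`.

```python
import re

# Extension alternation taken from the recipe above, plus George's `scr`.
# `(doc|txt|xls)\.` catches the double-extension trick ("report.doc.pif").
DANGEROUS = r'(?:vb[se]|ws[fh]|hta|shs|pif|scr|(?:doc|txt|xls)\.)'

# Any Content-* header whose parameter value ends in such an extension.
# Mirrors: ^Content-[-a-z0-9_]+:.*="?[^"]*\.(...) ; case-insensitive like procmail.
HEADER_RE = re.compile(
    r'^(Content-[-a-z0-9_]+):.*?=[ \t]*"?[^"\r\n]*\.(' + DANGEROUS + r')',
    re.IGNORECASE | re.MULTILINE)


def unfold(text):
    """Join folded header lines: a line starting with space/tab continues the
    previous header, so `name=` on its own line still belongs to Content-Type."""
    return re.sub(r'\r?\n[ \t]+', ' ', text)


def find_suspect_attachments(raw_message):
    """Return (header_name, matched_extension) pairs for every Content-* header
    in the message, scanning top-level and MIME part headers alike, as the
    recipe's plain and `B ??` conditions do together."""
    return HEADER_RE.findall(unfold(raw_message))


# Constructed sample message (not a real capture): one worm-style attachment
# with a folded name= parameter, one benign .doc attachment.
SAMPLE = (
    'From: sender@example.invalid\n'
    'Subject: Re: hello\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n'
    '\n--b1\n'
    'Content-Type: text/plain; charset="us-ascii"\n'
    '\nsee attached\n'
    '--b1\n'
    'Content-Type: audio/x-wav;\n'
    '\tname="Card.doc.pif"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment;\n'
    '      filename="Card.doc.pif"\n'
    '\nQ09OU1RSVUNURUQ=\n'
    '--b1\n'
    'Content-Type: application/msword; name="report.doc"\n'
    '\n--b1--\n'
)

if __name__ == '__main__':
    for header, ext in find_suspect_attachments(SAMPLE):
        print(f'{header}: suspicious extension .{ext}')
```

The benign `report.doc` is not flagged because `(doc|txt|xls)\.` requires another dot after the office extension.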

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
