Re: [Esd-l] Anyone got a procmail signature for Klez?

2002-04-26 22:39:36
On Fri, 26 Apr 2002, Brett Glass wrote:

> I'm getting so many copies that it would be nice to identify them

Rev. 0.1:

# Trap Klez (signature as of 04/26/2002)
# Outer recipe: header-level checks. Klez mails are large (they carry the
# worm itself) and are built as multipart/alternative.
:0
* > 100000
* ^Content-Type:.*multipart/alternative;
{
        # Inner recipe: scan the body (B) for the auto-launching IFRAME that
        # points at a cid: part with a single-digit height and width, plus the
        # "audio" part with a Content-ID, shipped base64. (3D)? allows for the
        # quoted-printable spelling of '='. h f i: filter the header, ignore
        # write errors.
        :0 B hfi
        * <iframe +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
        * ^Content-Type:.*audio/
        * ^Content-ID:.*<
        * ^Content-Transfer-Encoding: base64
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see"
}

Note that this will not trap the non-automatically-executing variant.
If you want to trap both, copy this rule and delete the IFRAME regex
line. That rule might generate false positives, though, maybe if
someone actually does email an executable and a sound file together...

I'd like to be able to add an upper size limit, but it can grab just
about any file off the victim's system. I have one in my quarantine
that has a 500kb+ .DOC file attachment.

If this works well here this weekend, I'll post it on the website with
the others.

 John Hardin KA7OHZ    ICQ#15735746
 jhardin(_at_)impsec(_dot_)org                       pgpk -a 
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
   921 days until the Presidential Election
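
The same heuristic as an added example, written here in Python 3 and not part of the post or of the Email Sanitizer: it parses the message as MIME with the standard library instead of running regexes over the raw text, so the (3D)? quoted-printable dance is handled by the decoder, and it reports the two tiers the post describes (full signature with the IFRAME, and the IFRAME-less variant that carries more false-positive risk). The function names, the placeholder addresses and the zero-byte "audio" payload are all constructed for this example; the sample message only imitates the shape of the mail, it contains no real content.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Size floor used by the procmail trap above: the worm ships its own
# executable, so the message is never small.
MIN_SIZE = 100000

# The auto-launching IFRAME: src=cid:... with a single-digit height and
# width. The body has already been decoded here, so a plain '=' suffices.
IFRAME_RE = re.compile(
    r'<iframe\s+src=cid:[^>]*\sheight=[0-9]\s+width=[0-9]>', re.I)


def klez_indicators(raw: bytes, min_size: int = MIN_SIZE) -> dict:
    """Return which elements of the Klez signature a raw RFC 2822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {
        'big_enough': len(raw) > min_size,
        'multipart_alternative': msg.get_content_type() == 'multipart/alternative',
        'autorun_iframe': False,
        'audio_part_with_cid': False,
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == 'text/html' and IFRAME_RE.search(part.get_content()):
            found['autorun_iframe'] = True
        # The payload travels as an "audio/*" part with a Content-ID that the
        # IFRAME refers to, base64-encoded (it is really an executable).
        if (ctype.startswith('audio/') and part.get('Content-ID')
                and part.get('Content-Transfer-Encoding', '').lower() == 'base64'):
            found['audio_part_with_cid'] = True
    return found


def classify(raw: bytes, min_size: int = MIN_SIZE) -> str:
    """'klez': full signature; 'suspect': same without the IFRAME (the
    non-auto-executing variant, with a higher false-positive risk, e.g. a
    genuine sound file and attachment mailed together); 'clean' otherwise."""
    f = klez_indicators(raw, min_size)
    base = f['big_enough'] and f['multipart_alternative'] and f['audio_part_with_cid']
    if base and f['autorun_iframe']:
        return 'klez'
    if base:
        return 'suspect'
    return 'clean'


def build_sample(with_iframe: bool = True, payload_size: int = 80000) -> bytes:
    """Constructed test message in the shape the trap describes. Zero bytes
    stand in for the attachment; addresses are placeholders."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.invalid'
    msg['To'] = 'you@example.invalid'
    msg['Subject'] = 'constructed sample'
    html = '<html><body>'
    if with_iframe:
        html += '<iframe src=cid:part1@example.invalid height=0 width=0></iframe>'
    html += 'hello</body></html>'
    msg.set_content(html, subtype='html')
    msg.make_alternative()
    msg.add_alternative(b'\0' * payload_size, maintype='audio', subtype='x-wav',
                        cte='base64', cid='<part1@example.invalid>')
    return msg.as_bytes()


if __name__ == '__main__':
    for label, raw in (('with iframe', build_sample(True)),
                       ('without iframe', build_sample(False)),
                       ('small', build_sample(True, payload_size=100))):
        print(f'{label}: {classify(raw)} {klez_indicators(raw)}')
```

Feeding the tiers into the same NOTIFY/DISCARD/REPORT headers is the only step left to wire it into a real delivery path; the classifier itself stays read-only.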
