Think this is mentioned previously on this list (see the archives):
YAVR catches a lot of worms (now updated with sobig.f).
see http://agriroot.aua.gr/~nikant/nkvir/ for more info
BTW: the recipe used for catching Sobig worms is:
#for Sobig
:0BD
* -1000^0
* 200^0 ^TVqQAAM
* 200^0 K/cBHSx
* 200^0 rZVJizb
* 200^0 DrVitFc
* 200^0 rolkJrX
* 200^0 zt8P9pT
#Sobig-b
* 200^0 gHB/e2v
* 200^0 j1qLR/m
* 200^0 dAgyJY8
* 200^0 0SOIV7x
* 200^0 Gw47Qgh
#Sobig-c (by Fredrik Rodland)
* 200^0 BSj0hvF
* 200^0 HN8EMuX
* 200^0 LvRtJdz
* 200^0 MdFFlfN
* 200^0 oikgcxQ
#Sobig-gen
* 200^0 /HrcLhs
* 200^0 qfZjXLv
* 200^0 msFydo9
* 200^0 iJGZx/6
* 200^0 Gg7aCZs
#Sobig-gen (UPX packed and scrambled)
* 200^0 v0ibwKA
* 200^0 CDH2kTw
* 200^0 YBdt6zE
* 200^0 nblNbDU
* 200^0 jWqE0Z6
#Sobig-f
* 200^0 IOsT73k
* 200^0 eGYh2Eo
* 200^0 cb07glg
* 200^0 G\+Q1KAS
* 200^0 WaUYonD
{
LOG="---=== WORM-SOBIG $DATE ===---${NL}"
:0:
$VIRDIR/virus-Sobig
}
Fredrik
--
Fredrik Rodland Technical Architect, Stocknet, Oslo, Norway
Stocknet: http://www.stocknet.com phone: +47 23 28 40 17
Private: http://rodland.no phone: +47 99 21 98 17
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail