procmail

Re: virus recipe for MyDoom

2004-01-27 05:16:51
Nancy McGough writes:

I'm using Dallman Ross's Virus Snagger recipes and they are
catching a lot right now. Does anyone know if they catch
everything that's floating around right now? Does NASTYEXT need
to be expanded to catch everything in the latest onslaught?


:0 BD
* ^(T(24gRXJ|V(oAAAI|pQAAI|psAAE|qQAAM))|(UEsD))
{ POSSIBLE_VIRUS=true }

Seems to catch most, but the UEsD is the signature for a zipped file
(and catches MyDoom and SoBig), so *_any_* zipped file will be a false
positive, so be careful what you do with it. (Both MyDoom and SoBig are
polymorphic, and the stuff following the UEsD signature changes from
message to message.)

        John

BTW, the series beginning with ^T is the Microsoft executable
loader/header information in base64; the UEsD is the PK zip signature
in base64. See /usr/share/misc/signature for particulars, and convert
the first characters to base64 as per RFC1521, where 3 bytes are mapped
into 4 printable characters.

-- 

John Conover, conover(_at_)rahul(_dot_)net, http://www.rahul.net/conover/

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
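The 3-bytes-to-4-characters conversion John describes, worked through in code. This is an added example, not code from the thread or from Dallman Ross's Virus Snagger: it turns a file's magic bytes into the base64 prefix a recipe can match, decodes the recipe's own tokens back into bytes so you can see what each one stands for, and runs the recipe's regex over constructed sample messages. The file headers (`PE_STUB`, `ZIP_STUB`, `TEXT_NOTE`), the message layout in `fake_message`, and the function names are all assumptions made for the example; the regex is the one from the recipe above.

```python
import base64
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The body regex from the recipe on the page. procmail's ^ anchors at the start
# of each body line, which re.MULTILINE reproduces; no re.IGNORECASE, because the
# recipe's D flag keeps the match case-sensitive (base64 is case-sensitive).
VIRUS_SNAGGER = re.compile(
    r"^(T(24gRXJ|V(oAAAI|pQAAI|psAAE|qQAAM))|(UEsD))", re.MULTILINE)


def magic_to_b64(magic: bytes) -> str:
    """Base64 characters fully determined by `magic` (RFC 1521: 3 bytes -> 4 chars).
    A trailing partial 6-bit group is dropped: that character also depends on the
    byte that follows `magic` in the real file, so a signature must not rely on it
    unless that next byte is known too."""
    bits = "".join(f"{b:08b}" for b in magic)
    usable = len(bits) - len(bits) % 6
    return "".join(B64[int(bits[i:i + 6], 2)] for i in range(0, usable, 6))


def b64_to_magic(token: str) -> bytes:
    """Inverse: the bytes fully determined by an unpadded base64 fragment such as
    the tokens in the recipe (4 chars -> 3 bytes; a trailing partial byte is dropped)."""
    bits = "".join(f"{B64.index(c):06b}" for c in token)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def possible_virus(message: str) -> bool:
    """What the ':0 BD' recipe decides: search the body (after the first blank line)."""
    _headers, _sep, body = message.partition("\n\n")
    return VIRUS_SNAGGER.search(body) is not None


def fake_message(attachment: bytes) -> str:
    """Constructed sample: minimal headers plus one base64 attachment, wrapped at
    76 columns the way a MIME encoder does, so the file's first bytes open a line."""
    encoded = base64.encodebytes(attachment).decode("ascii")
    return "From: sender@example.invalid\nSubject: constructed sample\n\n" + encoded


# Constructed file headers (first bytes only; nothing here is a real sample):
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # DOS/PE "MZ" header
ZIP_STUB = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"                          # zip local file header
TEXT_NOTE = b"Meeting moved to 3pm, see you there."                       # benign text

if __name__ == "__main__":
    # Which bytes each token in the recipe pins down:
    for token in ("TVqQAAM", "TVpQAAI", "T24gRXJ", "UEsD"):
        print(f"{token:8} -> {b64_to_magic(token)!r}")
    # Going the other way: 5 bytes fix only 6 characters; the 7th needs the 6th byte.
    print(magic_to_b64(b"MZ\x90\x00\x03"), magic_to_b64(b"MZ\x90\x00\x03\x00"))
    for label, blob in (("exe", PE_STUB), ("zip", ZIP_STUB), ("text", TEXT_NOTE)):
        print(f"{label:5} flagged={possible_virus(fake_message(blob))}")
    # Alignment caveat: one extra leading byte shifts every base64 character, and
    # the same header no longer matches at the start of a line.
    print("shifted exe flagged =", possible_virus(fake_message(b"\x00" + PE_STUB)))
```

Two things worth noticing when running it: `b64_to_magic("T24gRXJ")` comes back as `b"On Er"`, i.e. that token is text rather than an MZ header, and the zip stub is flagged exactly as John warns, because `UEsD` is the zip signature itself. The last line shows the limit of this approach: a base64 signature only fires when the magic bytes sit at the start of an encoded line, so the match depends on the encoder's alignment, not just on the file's contents.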
