
Re: virus recipe for MyDoom

2004-01-27 10:58:43
On Tue, 27 Jan 2004 16:37:55 +0100, Dallman Ross <dman(_at_)nomotek(_dot_)com> wrote:
=> > > On 27 Jan 2004 Dallman Ross (dman(_at_)nomotek(_dot_)com) wrote:
=> > > > If someone using Virus Snaggers can state definitively
=> > > > that it continues to work on new viruses, that would be
=> > > > helpful.

        My modified version (previously posted here):
:0
* VIRUSPGM ?? ^^^^
 {
VIRUSPGM   = '[^"]+\.\
(asd|bat|cpl|chm|com|cmd|dbx|dll|dot|eml|exe|hlp|hta|jse?|key|lnk|ocx|\
mbx|mmf|nch|ocs|pif|reg|scr|sh[bs]|tbb|vb[se]?|ws[fhe]|{[-0-9a-f]+})'
 }

BLOCK_THIS  # unset initialization

# new generalized virus attachment capture
# ==============================================
TEMP = "^Content-${NONSPACETAB}+:${WS}[^;]+;(\>)*(file)?name${WS}=${WS}${DQ}?"
:0
* BLOCK_THIS ?? ^^^^
* $     $OR     ${TEMP}\/${VIRUSPGM}
* $     $STOP   ! CTYPE ?? (attachment|multipart)
* $ B ?? $OR    ${TEMP}\/${VIRUSPGM}
{  BLOCK_THIS="Active attachment trap: ${MATCH}"  }

        Continues to work well for me but did not capture all the "returned"
messages which still seemed to have active viruses in this last mega-bloom.
However the next recipe (below, mind the wraps) did capture them:

# Generalized virus catcher - with body test
# ==============================================
TEMP = "^Content-Type:${WS}application/octet-stream;(\>)*(file)?name${WS}=${WS}${DQ}?"
:0
* BLOCK_THIS ?? ^^^^
* > 30000
* $ B ?? ${TEMP}\/${VIRUSPGM}
{  BLOCK_THIS="Generalized octet-stream virus trap: ${MATCH}"  }

        I'm going to change the size limit to something more like 10k.

=> Hmm.  I am loath to add ZIP to the list of bad extensions.

        As far as this latest bloom, the compromised machines sending from
their own newly stealth-installed SMTP servers seem to use the exact domain
name from the forged "From" header in the HELO sequence.  If that's available
to you (as it is for me), then one can use the combination of a zip attachment
and this match to be a pretty good indicator of this current virus.

        Too bad that no one has found a common stigmata for the zip files.

        Thanks again Dallman for all the stuff I've been able to lift from
your posts these past years.  Really helped out here.

        HTH,

        - Don
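The HELO-matches-From-domain heuristic Don describes, written out as an added Python sketch rather than a procmail recipe (it is not code from the post): it reads the HELO name from the topmost Received: header, the domain of the From: address and any .zip attachment names, and flags the message only when all three line up. The sample message and the names `SAMPLE`, `check_message` and the helpers are constructed for this illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): HELO name equals the forged From: domain,
# and the only part is a .zip attachment sent as application/octet-stream.
SAMPLE = """\
Received: from example.org (unknown [192.0.2.10])
\tby mx.example.net (Postfix) with SMTP id ABC123; Tue, 27 Jan 2004 10:00:00 +0100
From: "Mail Delivery" <bounce@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

HELO_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def helo_name(msg):
    """HELO/EHLO name from the topmost Received: header, i.e. the one our own MTA added."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = HELO_RE.match(str(received[0]).strip())
    return m.group(1).lower().rstrip(".") if m else None

def from_domain(msg):
    """Domain of the (possibly forged) From: address, lower-cased."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() or None

def zip_attachments(msg):
    """File names of all parts whose name ends in .zip, whatever their Content-Type."""
    return [fn for fn in (p.get_filename() for p in msg.walk())
            if fn and fn.lower().endswith(".zip")]

def check_message(raw):
    """Flag a message only when BOTH signals combine: a .zip attachment and HELO == From domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    helo, dom, zips = helo_name(msg), from_domain(msg), zip_attachments(msg)
    return {"helo": helo, "from_domain": dom, "zips": zips,
            "suspicious": bool(zips) and helo is not None and helo == dom}
```

As Don says, this is only meaningful when the topmost Received: line was written by your own MTA, so the HELO name is the one the sending machine actually presented.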

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
