I've gotten four samples of the virus this morning, all of which had the
zipfile UEsD signature but *none* of which matched this signature.
*^aHR0cDovL3ZpbC5uYWkuY29tL3ZpbC9jb250ZW50L3ZfMTAwOTgzLmh0bQ==
Catherine Hampton posted an on-the-fly recipe yesterday to her
sb-viruses.rc @spambouncer.org that seems to work consistently with
the zip files at any rate. Instead of anchoring the signature at the
beginning of the line, she just created a scored recipe which scans
for nine character snippets of the base64 encoded attachment. I've
seen plenty of these that weren't zipped though, where the attachment
was .scr and .exe among others. I wrote another recipe to match those
versions, sticking to her initial model:
# Body only, case-sensitive: start at -1000, six 200-point snippets,
# so all six must match (five give exactly 0, which does not fire).
:0 BDE
* -1000^0
* 200^0 vXCCMD\+Cn
* 200^0 MiIR8pGma
* 200^0 RwDKnH5oY
* 200^0 TstLxCSBY
* 200^0 XeAuTxvh1
* 200^0 DuhyimZ58
{
  VIRUS='YES'
  TYPE='Novarg/Mydoom'
}
...I also wrote another which sticks to some of the common header
themes mostly:
# Header and body, case-insensitive: start at -99, so two 50-point hits
# (or one 50 plus two 25s) are enough to fire. The Subject condition is
# one line; a condition cannot be wrapped in a procmailrc.
:0 HBE
* -99^0
* 50^0 Mail transaction failed. Partial message is available
* 50^0 The message contains Unicode characters
* 50^0 The message cannot be represented in 7-bit ASCII encoding
* 25^0 X-Priority: 3
* 50^0 [ ]*charset="?Windows-1252
* 25^0 X-Msmail-Priority: Normal
* 25^0 Subject:.*(H(i|ello)|test|daga|Error|MAIL TRANSACTION FAILED|Server Report)\>
* 50^0 UEsDBAoAA
{
  VIRUS='YES'
  TYPE='Novarg/Mydoom'
}
...although as John Conover pointed out, the thing is polymorphic, so
I wonder about the efficacy of either of these over a period of time.
It also now appears that the 'Subject:' seems to be more various and
random, and I've heard reports that some versions have surfaced
without the X-Priority or X-Msmail-Priority headers (headers so common
that I probably shouldn't have even bothered to look for them to begin
with) ....sigh
Regards,
Robert Arnold
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
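Added example, not part of Robert's post and not procmail itself: a small Python emulation of the two scored recipes above, so the thresholds (all six snippets for the body recipe, two 50-point hits for the header recipe) can be checked against constructed messages before the rules go into a live procmailrc. Assumptions: procmail's `w^0` scoring is modelled as "each matching condition contributes its weight once", the `\>` word-end anchor is written as Python's `\b`, the `E` flag is modelled by trying the second recipe only when the first did not fire, and the four sample messages are hand-made filler, not real worm samples.

```python
import re
from typing import List, Optional, Tuple

# A condition is (weight, regex). The empty regex always matches, which is how
# the bare "* -1000^0" / "* -99^0" lines set a negative starting score.
Condition = Tuple[int, str]

# Recipe 1 (":0 BDE"): body only, case-sensitive. 6 * 200 - 1000 = 200 > 0,
# while five snippets give exactly 0, which does not fire.
BODY_RECIPE: List[Condition] = [
    (-1000, ""),
    (200, r"vXCCMD\+Cn"),
    (200, r"MiIR8pGma"),
    (200, r"RwDKnH5oY"),
    (200, r"TstLxCSBY"),
    (200, r"XeAuTxvh1"),
    (200, r"DuhyimZ58"),
]

# Recipe 2 (":0 HBE"): header and body, case-insensitive (procmail's default
# without the D flag). procmail's \> is written as Python's \b (assumption).
HEADER_RECIPE: List[Condition] = [
    (-99, ""),
    (50, r"Mail transaction failed. Partial message is available"),
    (50, r"The message contains Unicode characters"),
    (50, r"The message cannot be represented in 7-bit ASCII encoding"),
    (25, r"X-Priority: 3"),
    (50, r'[ ]*charset="?Windows-1252'),
    (25, r"X-Msmail-Priority: Normal"),
    (25, r"Subject:.*(H(i|ello)|test|daga|Error|MAIL TRANSACTION FAILED|Server Report)\b"),
    (50, r"UEsDBAoAA"),
]


def score(recipe: List[Condition], text: str, case_sensitive: bool) -> int:
    """Emulate w^0 scoring: a condition that matches adds its weight once,
    however many times the pattern occurs in the text (assumed semantics)."""
    flags = re.MULTILINE | (0 if case_sensitive else re.IGNORECASE)
    total = 0
    for weight, pattern in recipe:
        if pattern == "" or re.search(pattern, text, flags):
            total += weight
    return total


def classify(raw_message: str) -> Optional[Tuple[str, str]]:
    """Return (TYPE, which recipe fired) or None. The second recipe's E flag
    (else) is the second `if`: it is only tried when the first did not fire."""
    _header, _, body = raw_message.partition("\n\n")
    if score(BODY_RECIPE, body, case_sensitive=True) > 0:
        return ("Novarg/Mydoom", "body")
    if score(HEADER_RECIPE, raw_message, case_sensitive=False) > 0:
        return ("Novarg/Mydoom", "header")
    return None


# Constructed samples (hand-made filler, not real worm mail).
WORM_ZIP = (
    "From: someone@example.com\n"
    "Subject: photos\n"
    'Content-Type: application/zip; name="photos.zip"\n'
    "\n"
    "UEsDBAoAAAAAAAAAvXCCMD+CnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "MiIR8pGmaAAAAAAAAAARwDKnH5oYAAAAAAAAAATstLxCSBYAAAAAAAAAAAAAAAAA\n"
    "XeAuTxvh1AAAAAAAAAAADuhyimZ58AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
)
# Same message with one snippet changed: body score is exactly 0, so the
# body recipe does not fire, and the header recipe only reaches -49.
WORM_ZIP_VARIANT = WORM_ZIP.replace("DuhyimZ58", "AAAAAAAAA")

WORM_BOUNCE = (
    "From: MAILER-DAEMON@example.com\n"
    "Subject: Mail Transaction Failed\n"
    "X-Priority: 3\n"
    "X-Msmail-Priority: Normal\n"
    'Content-Type: text/plain; charset="Windows-1252"\n'
    "\n"
    "Mail transaction failed. Partial message is available.\n"
)

# Ordinary Outlook mail: the two 25-point priority headers alone reach -49.
OUTLOOK_LEGIT = (
    "From: alice@example.com\n"
    "Subject: Lunch on Friday?\n"
    "X-Priority: 3\n"
    "X-Msmail-Priority: Normal\n"
    'Content-Type: text/plain; charset="iso-8859-1"\n'
    "\n"
    "Are we still on?\n"
)

if __name__ == "__main__":
    for name, msg in [("zip", WORM_ZIP), ("zip variant", WORM_ZIP_VARIANT),
                      ("bounce", WORM_BOUNCE), ("legit", OUTLOOK_LEGIT)]:
        print(f"{name:12} body={score(BODY_RECIPE, msg.partition(chr(10)*2)[2], True):6} "
              f"header={score(HEADER_RECIPE, msg, False):5} -> {classify(msg)}")
```

The variant sample shows the weakness Robert worries about: change one of the six snippets (which a polymorphic build does for free) and the body recipe lands on exactly 0, while a plain Outlook message with both priority headers stays well below the header threshold, so those two conditions contribute little either way.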