procmail

Re: virus recipe for MyDoom

2004-01-30 09:54:57
On Mon, 26 Jan 2004 23:57:08 -0500, Lyle Evans <mlevans(_at_)blacksburg(_dot_)net> wrote:

This is a first draft of a recipe to block the MyDoom (or SCO.A) virus.
The signature I got off the net. Comments, test results or improvement
suggestions requested. I am not sure how well it works (or even if it
works).

:0 B
* > 20000
* < 36000
*^aHR0cDovL3ZpbC5uYWkuY29tL3ZpbC9jb250ZW50L3ZfMTAwOTgzLmh0bQ==
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr|zip|bat|cmd)"
{
LOG='MyDoom virus detected"
 :0
 /var/log/virusmail
}


I am late in this thread, but 2 things I noticed.

1. LOG='MyDoom virus detected" will cause a problem.
LOG="MyDoom virus detected" is the correct syntax, at least on my
sandbox.

2. For the MyDoom, I am getting this virus signature.

UEsDBAoAAAAAA



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
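
The following is an added example, not part of the original post or of procmail: it decodes the two base64 strings quoted in the thread to show which raw bytes a body condition on each one would cover. The function names are hypothetical; the ZIP local file header layout is the standard one.

```python
import base64
import struct

# Both strings are copied verbatim from the thread above.
RECIPE_CONDITION = "aHR0cDovL3ZpbC5uYWkuY29tL3ZpbC9jb250ZW50L3ZfMTAwOTgzLmh0bQ=="
REPLY_SIGNATURE = "UEsDBAoAAAAAA"


def decode_prefix(b64_text):
    """Decode the complete 4-character groups of a base64 run.

    A body signature is a prefix cut from an encoded attachment, so its length
    need not be a multiple of 4; leftover characters hold only part of a byte
    and are dropped.
    """
    usable = len(b64_text) - len(b64_text) % 4
    return base64.b64decode(b64_text[:usable], validate=True)


def zip_header_fields(data):
    """Return the ZIP local-file-header fields fully covered by `data`.

    Layout (little-endian): 4-byte magic "PK\\x03\\x04", then 2 bytes each for
    version needed, general-purpose flags and compression method.
    Returns None when the bytes do not start with the magic.
    """
    if not data.startswith(b"PK\x03\x04"):
        return None
    fields = {}
    for name, offset in (("version_needed", 4), ("flags", 6), ("method", 8)):
        if len(data) >= offset + 2:
            fields[name] = struct.unpack_from("<H", data, offset)[0]
    return fields


def report(b64_text):
    """Summarise what a body condition on `b64_text` would match."""
    raw = decode_prefix(b64_text)
    return {"bytes": raw, "zip": zip_header_fields(raw)}


if __name__ == "__main__":
    for label, text in (("recipe", RECIPE_CONDITION), ("reply", REPLY_SIGNATURE)):
        print(label, report(text))
```

Decoding a candidate signature this way before deploying it shows how much of the attachment it actually pins down. The second string covers only the ZIP magic, version and flags fields, so a recipe built on it relies on its size and filename conditions for any further selectivity.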
