
RE: virus recipe for MyDoom

2004-02-03 09:06:46


As a follow-up to this lengthy thread, I ended up using Robin's suggestion,
and it seems to work well:

#
# Scan for the MyDoom virus in the message body.
# Virus signature contributed by Robin Edgar - Tripany
# http://mailman.rwth-aachen.de/pipermail/procmail/2004-January/017764.html
#
#
:0 B
* ! VIRUS_FOUND ?? ^^TRUE^^
* > 20000
* < 60000
* ^((This|The) message contains Unicode characters and has been sent|\
The message cannot be represented in 7-bit ASCII encoding and|\
Mail transaction failed\. Partial message is available\.)|\
1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r|\
Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq|\
TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP|\
Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk|\
Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV|\
V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
{ VIRUS_FOUND = TRUE }

As a side note, those long strings of base64-encoded chars are each 70 chars
long, and did _not_ appear at the beginning of the line in the sample I looked
at. Therefore they are not protected by the initial ^(....) sub-pattern.

Since I've got these various virus scanning scripts in separate include files,
they check at the beginning to see if VIRUS_FOUND has already been set, to
avoid extra work. I'm using Dallman's script to catch the bulk of the dangerous
attachments, but agree with him that eliminating .zip files is too severe.



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
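As an added example (not part of the original post or of Robin's recipe), the following Python script re-implements the recipe's four conditions over constructed sample bodies, so the side note about anchoring can be checked directly: the ^ binds only to the first alternation group, so the base64 fragments match anywhere in a line, while the three bounce phrases have to begin a line. The function names, the filler used to build sample bodies, and the choice to measure the size window on the body text alone are this example's own assumptions.

```python
import re

# Size window from the recipe (* > 20000 and * < 60000). This example measures
# the body text only; consult procmailrc(5) for the exact region procmail
# compares (an assumption of this example, not a statement about procmail).
MIN_BODY = 20000
MAX_BODY = 60000

# Bounce-text phrases from the recipe. In the recipe the ^ anchor applies
# only to this parenthesised group.
BOUNCE_PHRASES = [
    r"(This|The) message contains Unicode characters and has been sent",
    r"The message cannot be represented in 7-bit ASCII encoding and",
    r"Mail transaction failed\. Partial message is available\.",
]

# The six 70-character base64 fragments from the recipe. They are top-level
# alternatives, so nothing anchors them to the start of a line.
MYDOOM_FRAGMENTS = [
    "1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r",
    "Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq",
    "TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP",
    "Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk",
    "Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV",
    "V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE",
]

# Same shape as the recipe's condition: ^(phrases)|frag1|frag2|...
# re.MULTILINE makes ^ match at every line start, as procmail's ^ does.
SIGNATURE = re.compile(
    "^(" + "|".join(BOUNCE_PHRASES) + ")|"
    + "|".join(re.escape(frag) for frag in MYDOOM_FRAGMENTS),
    re.MULTILINE,
)


def body_size(body: str) -> int:
    """Byte length of the body, the quantity the size conditions compare."""
    return len(body.encode("utf-8"))


def signature_hits(body: str) -> list:
    """Every piece of text the recipe's regex would match, in order."""
    return [m.group(0) for m in SIGNATURE.finditer(body)]


def recipe_fires(body: str, virus_found: bool = False) -> bool:
    """True when the action { VIRUS_FOUND = TRUE } would run.

    Conditions are evaluated in the recipe's order: skip if VIRUS_FOUND is
    already TRUE, then the size window, then the body regex.
    """
    if virus_found:
        return False
    size = body_size(body)
    if not (MIN_BODY < size < MAX_BODY):
        return False
    return SIGNATURE.search(body) is not None


def build_sample(marker_line: str, filler_lines: int = 400) -> str:
    """Constructed sample body: filler lines of 70 'A's (roughly 28 KB with the
    default count, inside the size window) with marker_line inserted halfway.
    This stands in for a base64 attachment; it is not real MyDoom content."""
    lines = ["A" * 70] * filler_lines
    lines.insert(filler_lines // 2, marker_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Fragment in mid-line still matches: no ^ protects the base64 branches.
    mid_line = "QUFB" + MYDOOM_FRAGMENTS[0]
    print("fragment mid-line fires:", recipe_fires(build_sample(mid_line)))
    # Same body, but a previous include already set VIRUS_FOUND: skipped.
    print("already flagged, fires:", recipe_fires(build_sample(mid_line), True))
    # Same marker in a body below 20000 bytes: size window rejects it.
    print("small body fires:", recipe_fires(build_sample(mid_line, 50)))
    # A bounce phrase only matches at the start of a line.
    phrase = "This message contains Unicode characters and has been sent"
    print("phrase at line start:", signature_hits(phrase))
    print("phrase mid-line:", signature_hits("junk " + phrase))
```

Running the script shows the asymmetry the side note describes: a fragment preceded by other base64 text is still caught, while a bounce phrase preceded by anything on the same line is not, and a body outside the 20000 to 60000 byte window is never scanned at all.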

Current thread: RE: virus recipe for MyDoom, Gary Funck