
netsky virus snagger

2004-02-20 09:11:41

Generally, Dallman's script catches these, except for the .zip variants (I'm
not a fan of blocking .zip files), but this should catch most of 'em:

### Netsky virus
### (every [ 	]* below is a character class holding a space and a tab)
:0 B
* ! VIRUS_FOUND ?? ^^TRUE^^
* > 20000
* < 60000
* H ?? ^Subject:[ 	]*(hi|hello|read it immediately|\
something for you|warning|information|stolen|fake|unknown)$
* ^(anything ok\?|what does it mean\?|ok|\
i'm waiting|read the details\.|here is the document\.|\
read it immediately\!|my hero|\
here|is that true\?|is that your name\?|is that your account\?|\
i wait for a reply\!|is that from you\?|you are a bad writer|\
I have your password\!|something about you\!|\
kill the writer of this document\!|i hope it is not true\!|\
your name is wrong|i found this document about you|\
yes, really\?|that is bad|here it is|see you|\
greetings|stuff about you\?|something is going wrong!|\
information about you|about me|from the chatter|\
here, the serials|here, the introduction|here, the cheats|\
that's funny|do you\?|reply|take it easy|why\?|\
thats wrong|misc|you earn money|you feel the same|\
you try to steal|you are bad|something is going wrong|\
something is fool)$
* ^(Content-Disposition:[ 	]*attachment;)?[ 	]*(file)?name="?(document|msg|\
doc|talk|message|creditcard|\
details|attachment|me|stuff|posting|textfile|concert|\
information|note|bill|swimmingpool|product|\
topseller|ps|shower|aboutyou|nomoney|found|\
story|mails|website|friend|jokes|location|\
final|release|dinner|ranking|object|mail2|part2|\
disco|party|misc)\..*(zip|exe|scr|com|pif)"?$
{ VIRUS_FOUND = TRUE }

where [ ]* is [<space><tab>]*

The script above has a lot of line wrapping, so I've attached the text file
version as well.

Reference:
http://securityresponse.symantec.com/avcenter/venc/data/w32(_dot_)netsky(_dot_)b(_at_)mm(_dot_)html


Attachment: netsky.rc
Description: Binary data

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
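The recipe above applies four independent tests to a message and sets VIRUS_FOUND only when all of them hold: the size window, the Subject line, a whole-line body phrase, and a MIME attachment name with one of the listed extensions. The following Python port is an added example (not Dallman's recipe and not code from the post) that runs the same four tests over two constructed sample messages, so the behaviour of each condition can be seen in isolation. It assumes the recipe's whitespace classes are [<space><tab>]* as the post says, and mirrors procmail's default case-insensitive matching with re.I. The `ws` parameter lets you swap in a space-only class, which shows why the tab matters: the worm's MIME headers fold the `name=` / `filename=` parameters onto a tab-indented continuation line, and a class without the tab never reaches them.

```python
import re

# Constructed port of the list recipe's four checks (added example, not the post's code).
SIZE_MIN, SIZE_MAX = 20000, 60000          # the recipe's "* > 20000" / "* < 60000"

SUBJECTS = ["hi", "hello", "read it immediately", "something for you", "warning",
            "information", "stolen", "fake", "unknown"]

PHRASES = [
    "anything ok?", "what does it mean?", "ok", "i'm waiting", "read the details.",
    "here is the document.", "read it immediately!", "my hero", "here", "is that true?",
    "is that your name?", "is that your account?", "i wait for a reply!",
    "is that from you?", "you are a bad writer", "i have your password!",
    "something about you!", "kill the writer of this document!", "i hope it is not true!",
    "your name is wrong", "i found this document about you", "yes, really?", "that is bad",
    "here it is", "see you", "greetings", "stuff about you?", "something is going wrong!",
    "information about you", "about me", "from the chatter", "here, the serials",
    "here, the introduction", "here, the cheats", "that's funny", "do you?", "reply",
    "take it easy", "why?", "thats wrong", "misc", "you earn money", "you feel the same",
    "you try to steal", "you are bad", "something is going wrong", "something is fool",
]

BASENAMES = ["document", "msg", "doc", "talk", "message", "creditcard", "details",
             "attachment", "me", "stuff", "posting", "textfile", "concert", "information",
             "note", "bill", "swimmingpool", "product", "topseller", "ps", "shower",
             "aboutyou", "nomoney", "found", "story", "mails", "website", "friend", "jokes",
             "location", "final", "release", "dinner", "ranking", "object", "mail2",
             "part2", "disco", "party", "misc"]
EXTENSIONS = ["zip", "exe", "scr", "com", "pif"]


def build_patterns(ws=r"[ \t]*"):
    """Compile the recipe's three regexes.  `ws` stands in for the recipe's
    [<space><tab>]* class; pass "[ ]*" to see the effect of dropping the tab.
    procmail conditions are case-insensitive by default, hence re.I."""
    alt = lambda words: "|".join(re.escape(w) for w in words)
    return {
        "subject": re.compile(rf"^Subject:{ws}({alt(SUBJECTS)})$", re.M | re.I),
        "phrase": re.compile(rf"^({alt(PHRASES)})$", re.M | re.I),
        "attachment": re.compile(
            rf'^(Content-Disposition:{ws}attachment;)?{ws}(file)?name="?'
            rf'({alt(BASENAMES)})\..*({alt(EXTENSIONS)})"?$', re.M | re.I),
    }


def classify(raw: str, ws=r"[ \t]*") -> dict:
    """Run the four checks on a raw message and report each result separately."""
    pats = build_patterns(ws)
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")      # the recipe's H (header) vs B (body) scope
    size = len(text.encode("utf-8"))
    checks = {
        "size_ok": SIZE_MIN < size < SIZE_MAX,
        "subject": pats["subject"].search(head) is not None,
        "phrase": pats["phrase"].search(body) is not None,
        "attachment": pats["attachment"].search(body) is not None,
    }
    checks["virus_found"] = all(checks.values())  # all four must hold, as in the recipe
    return checks


def sample_netsky_like(indent="\t") -> str:
    """Constructed message in the shape the recipe targets (not a real capture).
    The MIME parameters are folded onto continuation lines indented by `indent`."""
    payload = "A" * 30000      # constructed filler standing in for the encoded attachment
    return (
        "From: someone@example.invalid\n"
        "To: you@example.invalid\n"
        "Subject: read it immediately\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
        "\n"
        "--BOUNDARY\n"
        "Content-Type: text/plain\n"
        "\n"
        "is that your account?\n"
        "\n"
        "--BOUNDARY\n"
        "Content-Type: application/octet-stream;\n"
        f'{indent}name="document.pif"\n'
        "Content-Disposition: attachment;\n"
        f'{indent}filename="document.pif"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n" + payload + "\n--BOUNDARY--\n"
    )


def sample_benign() -> str:
    """Constructed ordinary mail that trips the Subject and phrase tests but nothing else."""
    return (
        "From: friend@example.invalid\n"
        "To: you@example.invalid\n"
        "Subject: hello\n"
        "\n"
        "ok\n"
        "see the attached notes.txt when you get a chance\n"
    )


if __name__ == "__main__":
    print("netsky-like, [ \\t]* :", classify(sample_netsky_like()))
    print("netsky-like, [ ]*   :", classify(sample_netsky_like(), ws="[ ]*"))
    print("benign              :", classify(sample_benign()))
```

Running it shows the benign mail passing two of the four tests (Subject "hello" and the body line "ok") but never being flagged, which is the point of requiring all four. The second run, with the tab removed from the whitespace class, reports `attachment: False` for the same worm-shaped message, because the `name=` and `filename=` parameters sit on tab-indented continuation lines.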