On Tue, 24 Feb 2004, 23:27 GMT+01 (23:27 local time) Dallman Ross
wrote:
> since you say you looked at Virus Snaggers a while ago, you may not
> have noticed that the recent releases do have signatures for MyDoom and
> NetSky, for looking in ZIPs.
Virus Snaggers 1.6.1 is working great at catching MyDoom and NetSky.A,
but unfortunately it fails to catch NetSky.B. In the last few hours I
have already received 4 NetSky.B-infected mails, all with a .zip
attachment :-( This beast seems to have gotten wild now.
Currently, virussnag.rc is checking for the following signature to
identify NetSky:
UGLYSKY = 'UEsDBAoAAAAAA.....(BdbrAiAFYAAABWAAA|CR0AohIDIA)|TVqQAAMAAAAEAAA\
A//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
But the virus mails I received, which client-side AV software identified
as NetSky.B, look like this:
Content-Type: multipart/mixed; boundary="87064257"

--87064257
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

that's funny

--87064257
Content-Type: application/x-zip-compressed; name="message.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="message.zip"

UEsDBAoAAAAAAFE9WTBdbrAiAFYAAABWAAALAAAAbWVzc2FnZS5jb21NWpAAAwAAAAQAAAD/
/wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6


Content-Type: multipart/mixed; boundary="37513525"

--37513525
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

here, the cheats

--37513525
Content-Type: application/x-zip-compressed; name="friend.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="friend.zip"

UEsDBAoAAAAAAOpAWTBdbrAiAFYAAABWAAAOAAAAZnJpZW5kLmh0bS5leGVNWpAAAwAAAAQA
AAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAA
Does anyone have an idea how to change $UGLYSKY to catch all those
variants?
thanks,
rob.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
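The check the post is asking for, done on decoded bytes instead of on the base64 text: this is an added example, not code from the post, from Virus Snaggers or from procmail. It parses the two attachments quoted above by base64-decoding the MIME part and reading the ZIP local file header (member name, compression method, CRC-32, size, date) and the first bytes of the member, then flags executable or double extensions and a stored member that starts with an MZ header. The MIME framing around the two quoted base64 fragments is constructed to match the headers shown in the post; the function names (build_mail, parse_zip_entries, scan_message) and the extension list are this example's own choices.

```python
import email
import re
import struct
from collections import namedtuple
from email import policy

# Constructed test input: boundary, text part, attachment name and the two base64
# lines the post shows for each mail, cut where the post cuts them.
SAMPLES = [
    ("87064257", "that's funny", "message.zip",
     "UEsDBAoAAAAAAFE9WTBdbrAiAFYAAABWAAALAAAAbWVzc2FnZS5jb21NWpAAAwAAAAQAAAD/\n"
     "/wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6\n"),
    ("37513525", "here, the cheats", "friend.zip",
     "UEsDBAoAAAAAAOpAWTBdbrAiAFYAAABWAAAOAAAAZnJpZW5kLmh0bS5leGVNWpAAAwAAAAQA\n"
     "AAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAA\n"),
]


def build_mail(boundary, text, zipname, b64):
    """Raw MIME message with the same layout as the ones quoted in the post."""
    return "\n".join([
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"', "",
        f"--{boundary}", "Content-Type: text/plain; charset=us-ascii",
        "Content-Transfer-Encoding: 7bit", "", text, "",
        f"--{boundary}",
        f'Content-Type: application/x-zip-compressed; name="{zipname}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{zipname}"', "",
        b64 + f"--{boundary}--", "",
    ])


# One archive member as described by its local file header (method 0 = stored;
# mdate is the DOS date as YYYY-MM-DD; head = first bytes of the member data).
ZipEntry = namedtuple("ZipEntry", "name method crc usize mdate head")

# Local file header (30 bytes): signature, version, flags, method, time, date,
# CRC-32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def parse_zip_entries(blob):
    """Walk the local file headers; only headers are read, so a truncated stream is fine."""
    entries, off = [], 0
    while off + LOCAL_HDR.size <= len(blob):
        (sig, _ver, flags, method, _time, date, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(blob, off)
        if sig != b"PK\x03\x04":
            break
        name_off = off + LOCAL_HDR.size
        data_off = name_off + nlen + xlen
        name = blob[name_off:name_off + nlen].decode("cp437", "replace")
        mdate = f"{(date >> 9) + 1980:04d}-{(date >> 5) & 0xF:02d}-{date & 0x1F:02d}"
        entries.append(ZipEntry(name, method, crc, usize, mdate,
                                blob[data_off:data_off + 64]))
        if flags & 0x8:  # sizes only in a trailing data descriptor: cannot skip ahead
            break
        off = data_off + csize
    return entries


# Extension list is this example's own choice, not a Virus Snaggers setting.
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd)$", re.I)
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$", re.I)


def scan_message(raw):
    """Return (attachment file name, ZipEntry, reasons) per suspicious ZIP member."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        blob = part.get_payload(decode=True) or b""
        if not blob.startswith(b"PK\x03\x04"):  # not a ZIP, whatever the type says
            continue
        for entry in parse_zip_entries(blob):
            reasons = []
            if EXEC_EXT.search(entry.name):
                reasons.append("executable extension")
            if DOUBLE_EXT.search(entry.name):
                reasons.append("double extension")
            if entry.method == 0 and entry.head.startswith(b"MZ"):
                reasons.append("stored MZ executable")
            if reasons:
                findings.append((part.get_filename(), entry, reasons))
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        for attachment, e, reasons in scan_message(build_mail(*sample)):
            print(f"{attachment}: {e.name} crc={e.crc:08x} size={e.usize} date={e.mdate} -> {', '.join(reasons)}")
```

Decoded this way, both quoted attachments carry a stored member with the same CRC-32 (0x22b06e5d), the same uncompressed size (22016 bytes) and the same DOS date, under different names (message.com, friend.htm.exe); those header bytes are what the `BdbrAiAFYAAABWAAA` alternative of the posted pattern spells out in base64. The MZ header inside the archive begins 30 bytes plus the member name length into the stream, and base64 text for the same bytes changes with that offset modulo 3, so the `TVqQAAMAAAAEAAA...` text of a bare .exe attachment does not appear inside a base64-encoded ZIP; decoding first avoids that dependency.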