The W32/Bagle.j@MM can have a passworded zip-file attached,
which means that the attachment is volatile.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101071
Beware: the below is based on 2 samples only.
NL = "
"
SPACE = " "
# TAB holds one literal tab character
TAB = "	"
WS = "$SPACE$TAB"
W = "[$WS]"
Wn = "$W+"
D = "[0-9]"
Dn = "$D+"
az = [a-z]
az2 = $az$az
az3 = ${az2}$az
az4 = ${az3}$az
az19 = ${az4}${az4}${az4}${az4}${az3}
az20 = ${az19}${az}
:0D
*$ ^Message-ID: <${az19}@
*$ ^Content-Type: multipart/mixed;${Wn}boundary=\"\/--------${az20}\"^
{
  # keep only the dashes and letters of the boundary captured above
  :0D
  * MATCH ?? ^^\/-+[a-z]+
  { Mime_Boundary = $MATCH }

  # domain part of the sender address
  :0D
  *$ From: [a-z]+@\/[^$WS]*
  { From_Domain = $MATCH }
}

# the first MIME part must open the body; capture everything up to the
# base64 start of the zip attachment
:0D
*$ B ?? ^^--${Mime_Boundary}\
^Content-Type: text/plain; charset=\"us-ascii\"\
^Content-Transfer-Encoding: 7bit\
^()\
^\/(.*$)*UEsDBAoAAQAAA...Y.Cf4kJRDDAAAAAwAAA.AAAA
{
  B_chunk = $MATCH

  :0
  *$ B_chunk ?? ^^Dear${Wn}user${Wn}of${Wn}${From_Domain}${Wn}gateway${Wn}e-mail${Wn}server,
  *$ B_chunk ?? assword${Wn}is${Wn}\"$D$D$D$D$D\"\.^
  { virus = "W32/Bagle.j@MM" }
}
--
Affijn, Ruud
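The conditions of the recipe above, restated in Python so they can be run against a test message. This is an added example, not part of the original post: `detect_bagle_j`, the sample message and its filler text are constructed for illustration, and the sender domain is matched literally, which is stricter than the recipe.

```python
import re

# Base64 pattern for the start of the zip attachment, copied from the recipe ('.' = any char).
ZIP_B64 = r"UEsDBAoAAQAAA...Y.Cf4kJRDDAAAAAwAAA.AAAA"
W = r"[ \t]+"  # the recipe's $Wn

def detect_bagle_j(raw):
    """Return the virus name when raw matches the recipe's conditions, else None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continued header lines
    if not re.search(r"^Message-ID: <[a-z]{19}@", head, re.M):
        return None
    ctype = re.search(
        r'^Content-Type: multipart/mixed;' + W + r'boundary="(-{8}[a-z]{20})"$', head, re.M)
    if not ctype:
        return None
    sender = re.search(r"From: [a-z]+@([^ \t\n]*)", head)
    domain = sender.group(1) if sender else ""  # an unset variable expands to "" in procmail
    # First MIME part must open the body; inspect the text before the zip marker line.
    part = re.match(
        "--" + re.escape(ctype.group(1)) + "\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n\n"
        r"((?:.*\n)*?)" + ZIP_B64, body)
    if not part:
        return None
    text = part.group(1)
    # re.escape is stricter than the recipe, where dots in the domain act as wildcards.
    greeting = W.join(["Dear", "user", "of", re.escape(domain), "gateway", "e-mail", "server,"])
    password = "assword" + W + "is" + W + r'"[0-9]{5}"\.$'
    # The inner recipe has no D flag, so these two checks ignore case.
    if re.match(greeting, text, re.I) and re.search(password, text, re.I | re.M):
        return "W32/Bagle.j@MM"
    return None

# Constructed sample message (not a real capture); "x" stands in for the wildcard positions.
B = "--------abcdefghijklmnopqrst"
SAMPLE = (
    "From: management@example.com\n"
    "Message-ID: <abcdefghijklmnopqrs@example.com>\n"
    f'Content-Type: multipart/mixed;\n        boundary="{B}"\n\n'
    f'--{B}\nContent-Type: text/plain; charset="us-ascii"\n'
    "Content-Transfer-Encoding: 7bit\n\n"
    "Dear user of example.com gateway e-mail server,\n\n"
    'Constructed filler text. Password is "12345".\n\n'
    f"--{B}\nContent-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n\n"
    "UEsDBAoAAQAAA" "xxx" "Y" "x" "Cf4kJRDDAAAAAwAAA" "x" "AAAA\n"
    f"--{B}--\n")
```

`detect_bagle_j(SAMPLE)` returns the virus name; shortening the password to four digits or changing the domain in the greeting makes it return `None`.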