procmail

virus classification: W32/Bagle

2004-03-03 04:04:02
The W32/Bagle.j@MM can have a passworded zip-file attached,
which means that the attachment is volatile.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101071


Beware: the below is based on 2 samples only.

  # Whitespace and digit building blocks; TAB holds a literal tab character.
  NL    = "
"
  SPACE = " "
  TAB   = "	"
  WS    = "$SPACE$TAB"

  W     = "[$WS]"
  Wn    = "$W+"
  D     = "[0-9]"
  Dn    = "$D+"

  # Runs of lowercase letters of fixed length: 19 for the Message-ID local
  # part, 20 for the random part of the MIME boundary.
  az   = [a-z]
  az2  = $az$az
  az3  = ${az2}$az
  az4  = ${az3}$az
  az19 = ${az4}${az4}${az4}${az4}${az3}
  az20 = ${az19}${az}

  # Header checks: 19 lowercase letters before the @ in the Message-ID, and a
  # multipart/mixed boundary of eight dashes plus 20 lowercase letters.
  :0D
  *$ ^Message-ID: <${az19}@
  *$ ^Content-Type: multipart/mixed;${Wn}boundary=\"\/--------${az20}\"^
  {
    # Keep only the boundary itself (MATCH also holds the closing quote).
    :0D
    * MATCH ?? ^^\/-+[a-z]+
    { Mime_Boundary = $MATCH }

    # The sender's domain; the body greeting must name the same domain.
    :0D
    *$ From: [a-z]+@\/[^$WS]*
    { From_Domain = $MATCH }
  }


  # Body check: the first part is 7bit us-ascii text, and somewhere after it
  # a base64 attachment begins with UEsDBAoAAQAAA, which decodes to
  # "PK\003\004", version 10, general-purpose flags 0x0001 (entry is encrypted).
  # MATCH (B_chunk) holds everything from the first body line up to there.
  :0D
  *$ B ?? ^^--${Mime_Boundary}\
           ^Content-Type: text/plain; charset=\"us-ascii\"\
           ^Content-Transfer-Encoding: 7bit\
           ^()\
           ^\/(.*$)*UEsDBAoAAQAAA...Y.Cf4kJRDDAAAAAwAAA.AAAA
  {
    B_chunk = $MATCH

    # The text part greets the user of the sender's own domain and quotes a
    # five-digit password for the zip.
    :0
    *$ B_chunk ?? ^^Dear${Wn}user${Wn}of${Wn}${From_Domain}${Wn}gateway${Wn}e-mail${Wn}server,
    *$ B_chunk ?? assword${Wn}is${Wn}\"$D$D$D$D$D\"\.^
    { virus = "W32/Bagle.j@MM" }
  }


-- 
Affijn, Ruud


_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
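As an added example that is not part of Ruud's post: the same checks redone in Python over a constructed message, so each piece can be run and inspected outside procmail. The domain, addresses, boundary letters, file name and password are made up, and the zip header is built by hand rather than taken from a captured sample. It also goes one step beyond the recipe: instead of matching the base64 text, it decodes the attachment and reads the flags field of the zip local file header, so any password-protected zip is caught whatever its timestamp or CRC.

```python
# Added example (not from the original post): the recipe's checks in Python on
# a constructed message. Domain, names, boundary and password are made up.
import base64
import email
import re
import struct
from email.utils import parseaddr

VIRUS_NAME = "W32/Bagle.j@MM"
SAMPLE_DOMAIN = "example.org"   # constructed, not a real Bagle sender

# Header-level fingerprints from the recipe: a 19-letter Message-ID local
# part and a boundary of eight dashes followed by 20 lowercase letters.
MSGID_RE = re.compile(r"^<[a-z]{19}@")
BOUNDARY_RE = re.compile(r"^--------[a-z]{20}$")
# Body-level fingerprints: the greeting names the sender's own domain and the
# zip password is quoted as five digits at the end of a line.
GREETING_RE = re.compile(r"^Dear\s+user\s+of\s+(\S+)\s+gateway\s+e-mail\s+server,")
PASSWORD_RE = re.compile(r'assword\s+is\s+"(\d{5})"\.$', re.MULTILINE)


def zip_header(flags: int) -> bytes:
    """A minimal zip local file header (constructed); flags bit 0 = encrypted."""
    name = b"price.exe"
    return struct.pack(
        "<IHHHHHIIIHH",
        0x04034B50,   # signature, "PK\x03\x04" on the wire
        10,           # version needed to extract (1.0)
        flags,        # general purpose bit flags
        0,            # compression method: stored
        0, 0,         # last-mod time, last-mod date
        0,            # crc32
        0, 0,         # compressed size, uncompressed size
        len(name),    # file name length
        0,            # extra field length
    ) + name


def header_b64(flags: int) -> str:
    """Base64 of the header, i.e. the text the recipe's UEsDBAoAAQAAA matches."""
    return base64.b64encode(zip_header(flags)).decode("ascii")


def zip_entry_is_encrypted(data: bytes) -> bool:
    """Read the flags field instead of matching base64: any date/CRC qualifies."""
    if len(data) < 30:
        return False
    sig, _version, flags = struct.unpack_from("<IHH", data, 0)
    return sig == 0x04034B50 and bool(flags & 1)


def build_sample(flags: int = 1, password: str = "12345") -> str:
    """Constructed message with the shape the recipe expects (not a capture)."""
    boundary = "--------abcdefghijklmnopqrst"
    return (
        "Message-ID: <abcdefghijklmnopqrs@" + SAMPLE_DOMAIN + ">\n"
        "From: support@" + SAMPLE_DOMAIN + "\n"
        "To: user@" + SAMPLE_DOMAIN + "\n"
        "Subject: E-mail account security warning.\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="' + boundary + '"\n'
        "\n"
        "--" + boundary + "\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "Dear user of " + SAMPLE_DOMAIN + " gateway e-mail server,\n"
        "\n"
        "For security reasons the attached file is protected with a password.\n"
        'The password is "' + password + '".\n'
        "\n"
        "--" + boundary + "\n"
        'Content-Type: application/zip; name="price.zip"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="price.zip"\n'
        "\n"
        + header_b64(flags) + "\n"
        "--" + boundary + "--\n"
    )


def classify(raw: str) -> dict:
    """Apply the recipe's checks; on a match return the name and the password."""
    result = {"virus": None, "from_domain": None, "password": None}
    msg = email.message_from_string(raw)
    if not MSGID_RE.match(msg.get("Message-ID", "")):
        return result
    if msg.get_content_type() != "multipart/mixed":
        return result
    if not BOUNDARY_RE.match(msg.get_boundary() or ""):
        return result
    from_domain = parseaddr(msg.get("From", ""))[1].partition("@")[2]
    result["from_domain"] = from_domain
    greeting_ok = encrypted = False
    password = None
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain":
            text = payload.decode("ascii", "replace")
            m = GREETING_RE.match(text)
            greeting_ok = bool(m) and m.group(1) == from_domain
            pm = PASSWORD_RE.search(text)
            password = pm.group(1) if pm else None
        elif zip_entry_is_encrypted(payload):
            encrypted = True
    if greeting_ok and password and encrypted:
        result["virus"] = VIRUS_NAME
        result["password"] = password
    return result


if __name__ == "__main__":
    print(header_b64(1)[:13], header_b64(0)[:13])
    print(classify(build_sample()))
```

Compare `header_b64(1)` with `header_b64(0)`: the only difference in the first 13 characters is the `Q` at position 9, which is where the encryption bit of the flags field lands after base64 encoding. The rest of the recipe's pattern (`Y.Cf4kJRDDAAAAAwAAA.AAAA`) pins the modification date, CRC and sizes of the two captured samples, so a variant that repacks the payload slips past it, while `zip_entry_is_encrypted` keeps matching.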
