On Wed, 03 Mar 2004, 11:47 GMT+01 (11:47 local time) Ruud H.G. van Tol wrote:
> The W32/Bagle.j@MM can have a passworded zip-file attached,
> which means that the attachment is volatile.
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101071
Thanks for the note. I have not yet seen such a virus, which does not
mean that there are not many viruses sent to my incoming mail server;
fortunately, they are all quarantined before they can reach my
mailbox, with "Softlabs AntiVirus" doing all the work. I have
updated this tool to version 0.3 and released it today (on 03/03). Now,
with EXTRACT_VIRUSES set to "on", all viruses are extracted from
the messages and stored in a "viruses" directory. Mine already
contains:
ls ~roal/mail/TRASH/viruses
20040302_200403030209.VAA03980@anet.at_message.zip
20040302_200403030418.XAA04477@anet.at_all_document.pif
20040302_200403030421.XAA04504@anet.at_your_document.pif
20040302_hejmiqejkuvfnnyqqbi@anet.at_Readme.zip
200403031957.OAA10599@anet.at_document_excel.pif
20040303_200403030649.BAA05106@anet.at_your_archive.pif
20040303_200403030651.BAA05133@anet.at_your_file.pif
20040303_200403030726.CAA05349@anet.at_your_website.pif
20040303_200403030732.CAA05409@anet.at_your_letter.pif
20040303_200403030741.CAA05481@anet.at_message_details.pif
20040303_200403030823.DAA05627@anet.at_your_document.pif
20040303_200403030903.EAA06003@anet.at_your_document.pif
20040303_200403030904.EAA06025@anet.at_document.pif
20040303_200403030937.EAA06306@anet.at_message_details.pif
20040303_200403030947.EAA06389@anet.at_nomoney.zip
20040303_200403031011.FAA06612@anet.at_mail2.zip
20040303_200403031043.FAA06786@anet.at_mp3music.pif
20040303_200403031047.FAA06817@anet.at_your_text.pif
20040303_200403031057.FAA06849@anet.at_my_details.pif
20040303_200403031358.IAA08098@anet.at_your_document.pif
20040303_200403031400.JAA08122@anet.at_bill.zip
20040303_200403031413.JAA08223@anet.at_document_excel.pif
20040303_200403031415.JAA08249@anet.at_misc.com
20040303_200403031437.JAA08349@anet.at_your_picture.pif
20040303_200403031444.JAA08452@anet.at_yours.pif
20040303_200403031606.LAA08879@anet.at_document_excel.pif
20040303_200403031623.LAA09055@anet.at_mp3music.pif
20040303_200403031650.LAA09292@anet.at_part2.zip
20040303_200403031824.NAA10026@anet.at_your_file.pif
20040303_200403031838.NAA10135@anet.at_your_letter.pif
20040303_200403031914.OAA10300@anet.at_privacy_myaunt.zip
20040303_200403032010.PAA10710@anet.at_your_document.pif
20040303_200403032028.PAA10827@anet.at_my_details.pif
20040303_200403032036.PAA10867@anet.at_your_archive.pif
20040303_200403032055.PAA10966@anet.at_product.htm.com
20040303_E1AySKq-0000Pc-00@mail.hasch.co.at_topseller.zip
20040303_IQckbmPPH000001be@singms01.HQ.SINGULUS.DE_your_document.pif
20040303_klgjitoecfieqqvkeep@anet.at_Message.pif
20040303_kuvlsvsynvflmdmxqxj@anet.at_TextDocument.pif
20040303_mixsqqnswvhvkovqvoi@anet.at_Information.zip
20040303_txewtwpuyuiotkoeogw@anet.at_TextFile.pif
20040303_unwdyymijgmtpppeyrw@anet.at_Message.pif
20040303_xublskqkpvwsldvgjmf@anet.at_Information.zip
These all came in on one single day. Details are in the (now
separate) configuration file, viewable at
http://www.softlabs.info/antivirus/SoftlabsAV/etc/procmailrcs/antivirus.conf
The new version is available at http://www.softlabs.info/antivirus/
ChangeLog:
____________________________________________________________________________
v0.3 (2004 03 03)
+ Viruses will now also be found in automatically generated report
messages sent back from the original target mail server that return
the entire infected message embedded.
+ Viruses will now also be found in returned messages that contain the
original mail directly in the body, in mbox format, including the
encoded virus.
+ (optional) configuration is now done in its own configuration file
('/etc/procmailrcs/antivirus.conf'). There is no need to touch any of
the other distributed files.
+ a new EXTRACT_VIRUSES variable can be set to "on" to extract all
viruses and store them in a "viruses" subdirectory of the TRASHDIR
directory. This subdirectory will be created automatically if it does
not yet exist. In addition, the full path to the extracted virus file
is assigned to the VIRUSFILE variable. This may be useful if you want
to run an external virus scanner (ClamAV comes to mind) to identify which
viruses you are receiving. This new setting has made the old KEEP_ZIPS
configuration option obsolete.
+ all AntiVirus include files (av_*.inc) now reside in their own
subdirectory (/etc/procmailrcs/antivirus/) of the directory holding the
main AntiVirus run commands file.
+ Extracting base64-encoded attachments (using mimencode) has been
moved into its own reusable .inc file
+ the mimencode program is now executed without invoking an extra shell
layer
+ the lowercasing "subroutine" is now called only conditionally, when
needed, to avoid wasting resources.
+ the WS variable now stands for the constant it is known as on the
procmail mailing list, namely whitespace consisting of only Space and Tab
characters. Whitespace that additionally contains newline characters is
now called WSB and is used to check for whitespace in the middle of strings
living in the body. Thanks to Ruud H.G. van Tol.
+ the entries written into procmail's log file on detecting a likely virus
EXE now span two lines, to avoid long one-liners.
greetings,
rob.
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
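The two bounce cases the ChangeLog describes (a report message carrying the infected original as a message/rfc822 part, and one that pastes it into the body in mbox form) together with the EXTRACT_VIRUSES naming scheme, as an added Python example. This is not the Softlabs AntiVirus code, which consists of procmail recipes, and it is not part of the message above. Assumptions made here: the list of suspect extensions, the `<date>_<Message-ID>_<attachment>` naming pattern inferred from the listing, and two constructed sample messages with an inert marker in place of a real .pif. One point a quarantine directory like the one listed raises, and which the example handles explicitly: the attachment name and the Message-ID are both chosen by the sender, so they are sanitised before being used as file names (a name such as `../../.procmailrc` must not leave the quarantine directory). A password-protected zip, as in Ruud's note, is still stored this way by its extension; its contents cannot be inspected.

```python
import email
import os
import re
import tempfile
from datetime import date
from email import policy
from email.message import EmailMessage

# Extensions seen in the quarantine listing above (.pif, .zip, .com). The full
# set is an assumption of this example, not the tool's own configuration.
SUSPECT_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".zip"}
_UNSAFE = re.compile(r"[^A-Za-z0-9._@-]+")


def safe_name(value, limit=80):
    """Flatten a sender-controlled string: no separators, no leading dots, bounded."""
    cleaned = _UNSAFE.sub("_", value).strip("._")
    return cleaned[:limit] or "unnamed"


def quarantine_name(msg, filename, received):
    """'<YYYYMMDD>_<Message-ID>_<attachment>' in the style of the listing above.
    Both inputs come from the sender, so neither can escape the quarantine dir."""
    mid = (msg.get("Message-ID") or "no-message-id").strip().strip("<>")
    return f"{received:%Y%m%d}_{safe_name(mid)}_{safe_name(filename)}"


def _embedded_mbox_message(text):
    """Parse a rejected mail pasted into a text body in mbox form ('From ' line, headers)."""
    m = re.search(r"^From \S+.*\n(?=[A-Za-z-]+: )", text, re.MULTILINE)
    return email.message_from_string(text[m.end():], policy=policy.default) if m else None


def iter_leaf_parts(msg):
    """Yield every non-multipart part. walk() already descends into message/rfc822
    attachments (report returning the whole mail); mbox text in a body is handled here."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain":
            inner = _embedded_mbox_message(part.get_content())
            if inner is not None:
                yield from iter_leaf_parts(inner)
                continue
        yield part


def extract_suspect_attachments(raw, quarantine_dir, received):
    """Decode each attachment with a suspect extension into quarantine_dir. Returns the
    paths written; the last is what a VIRUSFILE-style variable would hand to a scanner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    os.makedirs(quarantine_dir, exist_ok=True)
    written = []
    for part in iter_leaf_parts(msg):
        filename = part.get_filename()
        if not filename or os.path.splitext(filename)[1].lower() not in SUSPECT_EXTENSIONS:
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        path = base = os.path.join(quarantine_dir, quarantine_name(msg, filename, received))
        n = 1
        while os.path.exists(path):  # keep every sample; never overwrite one
            path, n = f"{base}.{n}", n + 1
        with open(path, "xb") as fh:
            fh.write(payload)
        written.append(path)
    return written


# Constructed samples for the demo. The ".pif" content is an inert marker.
FAKE_PIF = b"MZ-not-a-program-just-a-marker\r\n"


def _mail(frm, to, subject, msgid, body):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = frm, to, subject, msgid
    m.set_content(body)
    return m


def _infected_original(sender, msgid, filename):
    m = _mail(sender, "victim@example.invalid", "Re: Information", msgid, "see attached")
    m.add_attachment(FAKE_PIF, maintype="application", subtype="octet-stream", filename=filename)
    return m


def build_report_sample():
    """Bounce that returns the infected mail whole, as a message/rfc822 part."""
    bounce = _mail("MAILER-DAEMON@example.invalid", "roal@example.invalid",
                   "Undelivered Mail Returned to Sender",
                   "<E1AySKq-0000Pc-00@mail.example.invalid>", "Delivery failed.")
    bounce.add_attachment(_infected_original("hejmiqejkuvfnnyqqbi@example.invalid",
                          "<200403031437.JAA08349@example.invalid>", "your_picture.pif"))
    return bytes(bounce)


def build_mbox_text_sample():
    """Bounce with the infected mail pasted into its body in mbox format; the
    attachment name also carries a path-traversal attempt."""
    original = _infected_original("klgjitoecfieqqvkeep@example.invalid",
                                  "<klgjitoecfieqqvkeep@example.invalid>", "../../Message.pif")
    body = ("Your message could not be delivered:\n\n"
            "From klgjitoecfieqqvkeep@example.invalid Wed Mar  3 14:00 2004\n" + original.as_string())
    return bytes(_mail("postmaster@example.invalid", "roal@example.invalid", "Delivery failure",
                       "<200403031400.JAA08122@example.invalid>", body))


def run_demo(quarantine_dir=None):
    """Extract from both samples; return {stored file name: bytes} for inspection."""
    quarantine_dir = quarantine_dir or tempfile.mkdtemp(prefix="viruses_")
    found = {}
    for raw in (build_report_sample(), build_mbox_text_sample()):
        for path in extract_suspect_attachments(raw, quarantine_dir, date(2004, 3, 3)):
            with open(path, "rb") as fh:
                found[os.path.basename(path)] = fh.read()
    return found
```

Calling run_demo() writes both samples into a fresh temporary directory and returns the stored names with their decoded content; pass quarantine_dir to use a real "viruses" directory instead, and hand each returned path to an external scanner the way the VIRUSFILE variable is intended to be used. Note that the traversal name ends up as plain "Message.pif" inside the directory rather than two levels above it.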