These are exim filters which catch the damn thing when the antivirus software misses it. Hopefully it might be useful. It was taken from http://pkierski.republika.pl/filtry.shtml.

########
# Swen #
########
if $h_content-type matches "multipart/mixed; boundary=.[a-z]{6}"
   and $message_body matches "September 200[23], Cumulative Patch"
then
   logfile $home/filter.log 0644
   logwrite "$tod_log - filter: *** Swen.1 *** - sender: $sender_address - subj$
   seen finish
endif

########
# Swen #
########
if $h_content-type contains "multipart/alternative;"
   and $h_content-type matches "boundary=.[a-z]{6}"
   and $message_body matches "iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe"
then
   logfile $home/filter.log 0644
   logwrite "$tod_log - filter: *** Swen.2 *** - sender: $sender_address - subj$
   seen finish
endif

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: "Mark Radabaugh" <mark@amplex.net>
To: <nanog@merit.edu>
Sent: Friday, September 19, 2003 12:03 PM
Subject: Nothing like viruses with bugs in them (Swen)

Seems like this virus/worm has a bug where it will occasionally send out 1 byte attachments rather than the correct worm payload. Since the virus is not truly attached it tends to pass through e-mail virus scanners.
It's causing a fair amount of end user confusion today -- lots of 'why is your/my virus scanner not working?' questions.
Mark Radabaugh Amplex (419) 720-3635
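
The two filter conditions above, re-expressed in Python so they can be checked against sample messages before the filter is deployed. This is an added example, not part of the original post or of the filter's source; the sample messages are constructed, and the modelling of Exim (caseless matching, $message_body holding only the first 500 characters of the body with newlines turned into spaces) is an assumption about Exim's default behaviour.

```python
import re
from email import message_from_string

BODY_VISIBLE = 500  # assumption: Exim's default message_body_visible

# Patterns copied from the filters on this page; compiled caselessly
# (assumption: Exim filter string tests ignore case).
BOUNDARY = re.compile(r"boundary=.[a-z]{6}", re.I)
MIXED = re.compile(r"multipart/mixed; boundary=.[a-z]{6}", re.I)
PATCH = re.compile(r"September 200[23], Cumulative Patch", re.I)
IFRAME = re.compile(r"iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe", re.I)

def classify(raw):
    """Return 'Swen.1', 'Swen.2' or None for a raw message string."""
    ctype = message_from_string(raw).get("Content-Type", "")
    # Model $message_body: undecoded start of the body, newlines -> spaces.
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    body = body[:BODY_VISIBLE].replace("\n", " ")
    if MIXED.search(ctype) and PATCH.search(body):
        return "Swen.1"
    if ("multipart/alternative;" in ctype.lower()
            and BOUNDARY.search(ctype) and IFRAME.search(body)):
        return "Swen.2"
    return None

def build(ctype, body):
    """Assemble a constructed test message (not captured traffic)."""
    return ("From: sender@example.com\nSubject: constructed sample\n"
            f"Content-Type: {ctype}\n\n{body}\n")

SWEN1 = build('multipart/mixed; boundary="abcdef"',
              "--abcdef\n\nSeptember 2003, Cumulative Patch\n")
SWEN2 = build('multipart/alternative; boundary="qwerty"',
              '--qwerty\n\n<iframe src=3D"cid:part1" height=3D0\n'
              ' width=3D0></iframe>\n')
BENIGN = build('multipart/alternative; boundary="----=_Part_1"',
               "--x\n\nhello\n")
# Same marker text, but pushed past the visible body window.
LATE = build('multipart/mixed; boundary="abcdef"',
             "x" * 600 + " September 2003, Cumulative Patch")

if __name__ == "__main__":
    for name in ("SWEN1", "SWEN2", "BENIGN", "LATE"):
        print(name, classify(globals()[name]))
```

The LATE sample shows the limit of a $message_body test: text beyond the visible window is never seen by the filter, so a message whose marker text arrives later in the body is not caught.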