Nothing like viruses with bugs in them (Swen)
Seems like this virus/worm has a bug where it will occasionally send out 1 byte attachments rather than the correct worm payload. Since the virus is not truly attached it tends to pass through e-mail virus scanners. It's causing a fair amount of end user confusion today -- lots of 'why is your/my virus scanner not working?' questions.

Mark Radabaugh
Amplex
(419) 720-3635
These are exim filters which catch the damn thing when the antivirus software misses it. Hopefully it might be useful. It was taken from http://pkierski.republika.pl/filtry.shtml.

########
# Swen #
########
if $h_content-type matches "multipart/mixed; boundary=.[a-z]{6}"
   and $message_body matches "September 200[23], Cumulative Patch"
then
  logfile $home/filter.log 0644
  # (the archived post cuts this logwrite line off after "subj")
  logwrite "$tod_log - filter: *** Swen.1 *** - sender: $sender_address - subj$"
  seen finish
endif

########
# Swen #
########
if $h_content-type contains "multipart/alternative;"
   and $h_content-type matches "boundary=.[a-z]{6}"
   and $message_body matches "iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe"
then
  logfile $home/filter.log 0644
  # (the archived post cuts this logwrite line off after "subj")
  logwrite "$tod_log - filter: *** Swen.2 *** - sender: $sender_address - subj$"
  seen finish
endif

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: "Mark Radabaugh" <mark@amplex.net>
To: <nanog@merit.edu>
Sent: Friday, September 19, 2003 12:03 PM
Subject: Nothing like viruses with bugs in them (Swen)
Hello All,

On Fri, 19 Sep 2003, Brian Bruns wrote:

  These are exim filters which catch the damn thing when the antivirus software misses it. Hopefully it might be useful. It was taken from http://pkierski.republika.pl/filtry.shtml.
  ...snipped nice exim filters...

Is there an example of a procmail filter for this bugger?

Tia, JimL
--
+------------------------------------------------------------------+
| James W. Laferriere      | System Techniques     | Give me VMS   |
| Network Engineer         | P.O. Box 854          | Give me Linux |
| babydr@baby-dragons.com  | Coudersport PA 16915  | only on AXP   |
+------------------------------------------------------------------+
You should be able to take the match parts of the exim filter and adapt them to procmail. I'm not that familiar with procmail, so I'm not sure, but here are the primary things the filters look for:

content type: multipart/mixed; boundary=.[a-z]{6}
message body: September 200[23], Cumulative Patch

and

content type: multipart/alternative;
content type: boundary=.[a-z]{6}
message body: iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe

Maybe someone out there with procmail experience could post procmail rules based on this?

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: "Mr. James W. Laferriere" <babydr@baby-dragons.com>
To: <nanog@merit.edu>
Sent: Friday, September 19, 2003 1:07 PM
Subject: Re: Nothing like viruses with bugs in them (Swen)
In message <Pine.LNX.4.58.0309191305230.14904@filesrv1.baby-dragons.com>, "Mr. James W. Laferriere" writes:

  Is there an example of a procmail filter for this bugger?
Here's what I use to eliminate trash on my personal incoming mail. (I run NetBSD; I'm not likely to find .exe's useful...)

# reformime -i (from maildrop/Courier) reads the message on stdin and prints
# a summary of its MIME structure, one "content-name:" line per named part
MIMEINFO=`/usr/pkg/bin/reformime -i`

# discard any message carrying a part whose name ends in one of these
# Windows executable / script extensions
:0
* MIMEINFO ?? ^content-name:.+[~.](asd|bat|chm|cmd|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)$
/dev/null

No warranties, expressed or implied.

--Steve Bellovin, http://www.research.att.com/~smb
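The match parts Brian lists above and the attachment-name check in this procmail recipe, re-implemented over a parsed MIME message as an added example (this is not code from the thread, from the pkierski filter page, or from any of the posters). It assumes Exim's default $message_body window of 500 bytes; the three sample messages are constructed for the example and are not real Swen samples, and the function names are the example's own.

```python
"""Swen checks from the thread, re-implemented over parsed MIME (added example).
swen_rule1/swen_rule2 mirror the two Exim filter conditions and
dangerous_attachment_names the procmail attachment-name recipe. The messages
at the bottom are constructed for this example, not real Swen samples."""
import email
import re

# Exim's $message_body is only the first message_body_visible bytes of the
# body (default 500) with newlines turned into spaces; mirror that window.
MESSAGE_BODY_VISIBLE = 500

# Conditions copied from the two Exim filters in the thread.
SWEN_MIXED_CT = re.compile(r"multipart/mixed; boundary=.[a-z]{6}")
SWEN_PATCH_BODY = re.compile(r"September 200[23], Cumulative Patch")
SWEN_ALT_BOUNDARY = re.compile(r"boundary=.[a-z]{6}")
SWEN_IFRAME = re.compile(r"iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe")
# Extension list copied from the procmail recipe in the thread.
BAD_EXT = re.compile(
    r"\.(asd|bat|chm|cmd|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shm|shs|"
    r"vb|vbe|vbs|vbx|vxd|wsf|wsh)$", re.I)


def exim_message_body(raw: bytes) -> str:
    """Approximate Exim's $message_body for a raw message."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else b""
    return re.sub(rb"\r?\n", b" ", body[:MESSAGE_BODY_VISIBLE]).decode("latin-1")


def swen_rule1(raw: bytes) -> bool:
    """Exim rule 1: multipart/mixed, 6-letter boundary, fake 'Cumulative Patch' text."""
    ct = email.message_from_bytes(raw).get("Content-Type", "")
    return bool(SWEN_MIXED_CT.search(ct) and SWEN_PATCH_BODY.search(exim_message_body(raw)))


def swen_rule2(raw: bytes) -> bool:
    """Exim rule 2: multipart/alternative with a hidden cid: IFRAME (quoted-printable)."""
    ct = email.message_from_bytes(raw).get("Content-Type", "")
    return bool("multipart/alternative;" in ct and SWEN_ALT_BOUNDARY.search(ct)
                and SWEN_IFRAME.search(exim_message_body(raw)))


def dangerous_attachment_names(raw: bytes) -> list[str]:
    """Procmail recipe: judge the attachment name, not its bytes, so the truncated
    1-byte payloads described at the top of the thread are still caught."""
    names = [p.get_filename() for p in email.message_from_bytes(raw).walk()]
    return [n for n in names if n and BAD_EXT.search(n)]


def classify(raw: bytes) -> list[str]:
    """Tag a message the way the two filters would log it."""
    tags = ["Swen.1"] if swen_rule1(raw) else []
    tags += ["Swen.2"] if swen_rule2(raw) else []
    return tags + [f"attachment:{n}" for n in dangerous_attachment_names(raw)]


# Constructed sample in the shape rule 1 describes, with a 1-byte .exe
# attachment like the truncated copies described in the thread.
SWEN_LIKE = b"""From: security@example.com
Content-Type: multipart/mixed; boundary="qwerty"

--qwerty
Content-Type: text/plain

Microsoft Customer, this is the September 2003, Cumulative Patch for
Internet Explorer. Install it now.
--qwerty
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

AA==
--qwerty--
"""

# Constructed sample in the shape rule 2 describes (=3D is quoted-printable "=").
SWEN_ALT = b"""From: security@example.com
Content-Type: multipart/alternative; boundary="abcdef"

--abcdef
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body><iframe src=3D"cid:patch" height=3D0 width=3D0></iframe></body></html>
--abcdef--
"""

# Constructed benign message: long boundary, harmless attachment name.
BENIGN = b"""From: alice@example.com
Content-Type: multipart/mixed; boundary="=_part_0001"

--=_part_0001
Content-Type: text/plain

The September numbers are attached.
--=_part_0001
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--=_part_0001--
"""
```

Two caveats worth keeping in mind when porting these rules: Exim only hands the first message_body_visible bytes (500 by default) to $message_body, so a body pattern that sits further into a large message is never seen by the filter; and the attachment-name check never looks at the payload, which is exactly why it still fires on the 1-byte attachments Mark describes while a content-scanning antivirus does not.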
We are also filtering on the following content line:

*Run attached file. Choose Yes on displayed dialog box.*

(sigh)

It does run counter to the sentiments expressed in the mail sig though...

Related to Mr. Bellovin's latest note, how are operators (and abuse desks) dealing with the bizarre behavior of some recent mailers that send "forwards" as obviously W32-readable-only attachments?

--chuck goolsbee

--
______________________________________________________
There's only so much stupidity you can compensate for; there comes a point where you compensate for so much stupidity that it starts to cause problems for the people who actually think in a normal way.
-Bill, digital.forest tech support
On Fri, 19 Sep 2003, Mr. James W. Laferriere wrote:
  Hello All,
  Is there an example of a procmail filter for this bugger?

This might be a little late, but here is one that works 100% for me:

# this is a virus. base64 encoded "ram cannot be run in DOS mo"
:0 B:
* cmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
/some/folder

"/some/folder" can of course be /dev/null, in which case you can take out the trailing colon above since there is no need for locking.

Grisha
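Grisha's recipe matches one base64 spelling of a fragment of the PE DOS-stub text. Base64 turns each 3 input bytes into 4 characters, so the same bytes have three different spellings depending on where they start modulo 3 in the encoded data, and a single string only catches one of them. The following added example (not code from the thread or any of its posters) derives all three spellings for a signature and shows which one shows up when a constructed, PE-shaped blob is shifted by one or two bytes before encoding. The blob, the filler bytes and the function names are the example's own assumptions; the blob is not a real executable.

```python
"""Base64 alignment for body signatures (added example, not from the thread)."""
import base64
import re

DOS_STUB = b"This program cannot be run in DOS mode"
THREAD_PATTERN = "cmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v"  # the string posted in the thread


def base64_alignments(sig: bytes) -> list[str]:
    """The three base64 spellings of sig, indexed by (start offset mod 3).

    Characters whose 6 bits also cover a neighbouring byte (or '=' padding)
    are dropped, so each returned string matches whatever surrounds sig."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + sig).decode("ascii").rstrip("=")
        head = (0, 2, 3)[k]                      # chars mixing in the k filler bytes
        tail = 1 if (k + len(sig)) % 3 else 0    # last char mixing in the next byte
        out.append(enc[head:len(enc) - tail])
    return out


def find_in_base64(body: str, sig: bytes) -> list[int]:
    """Alignments of sig present in a base64 body (MIME line breaks ignored)."""
    flat = re.sub(r"\s+", "", body)
    return [k for k, spelling in enumerate(base64_alignments(sig)) if spelling in flat]


def mime_base64(data: bytes, offset: int = 0) -> str:
    """Base64 of data as a 76-column MIME body, with `offset` filler bytes in
    front to shift its alignment (standing in for an archive or other wrapper)."""
    enc = base64.b64encode(b"\xff" * offset + data).decode("ascii")
    return "\n".join(enc[i:i + 76] for i in range(0, len(enc), 76))


# Constructed PE-shaped blob: 64-byte MZ header, the classic 14-byte stub code,
# then the stub text at file offset 0x4E, where MS linkers put it. Not a real PE.
PE_LIKE = (b"MZ" + bytes(62)
           + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           + DOS_STUB + b".\r\n$" + bytes(32))


if __name__ == "__main__":
    for k, spelling in enumerate(base64_alignments(DOS_STUB)):
        print(f"start offset mod 3 = {k}: {spelling}")
    for offset in range(3):
        body = mime_base64(PE_LIKE, offset)
        print(f"blob shifted by {offset}: alignments found {find_in_base64(body, DOS_STUB)}, "
              f"thread pattern present: {THREAD_PATTERN in body.replace(chr(10), '')}")
```

The three strings base64_alignments(DOS_STUB) prints can be OR-ed into the procmail condition as (a|b|c) to cover all three cases. The posted string corresponds to start offset 0: in a conventional PE the stub text begins at file offset 0x4E, a multiple of 3, which is why one spelling is enough for a bare .exe encoded from its first byte; anything placed in front of the executable (an archive header, a different stub) shifts the alignment and silently defeats a single-spelling match.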
participants (7)
- bmanning@karoshi.com
- Brian Bruns
- chuck goolsbee
- Gregory (Grisha) Trubetskoy
- Mark Radabaugh
- Mr. James W. Laferriere
- Steven M. Bellovin