Re: [Exim] Generic VBS script detection - filter attached

Author: Dirk Koopman
To: Nigel Metheringham
CC: Exim
Subject: Re: [Exim] Generic VBS script detection - filter attached
On 05-May-2000 Nigel Metheringham wrote:
> I reverted to the original form for various reasons, some of which
> probably would not hold up past a rewritten version message_body that
> is more efficient :-)
> The filter is attached.
> It's also at:-

> so you can avoid the mangling that mailers are bound to apply :-)
> Seems to work on current tests, no guarantees. It does catch the forms
> I saw yesterday.

Sorry to add yet another one but (from Bugtraq) :-

"Brian Moore <bem@???> reports seeing at least one variant where
the VBS virus was not an attachment but it was instead uuencoded.
This may fool antivirus products. Look out for the string
"begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this
be the result of some MTA rewriting the message?

Trend Micro has released pattern file number 695 which includes
definitions to detect the variants reported by Dan Simoes <dans@???>
(the tabs to spaces variant).

Sean Malloy <sean@???> is letting us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.
The file contents would look something like this:

<job id="iloveyou">
<script language="VBScript">
        'insert code here

or as Sean points out you could encode it to obfuscate it by doing:

<job id="iloveyouencrypted">
<script language="VBScript.Encode">

where '#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@' is the encoded

At exactly what point is someone actually going to give up and say: "Let's sue

Dirk-Jan Koopman, Tobit Computer Co Ltd
At the source of every error which is blamed on the computer you will find
at least two human errors, including the error of blaming it on the computer.
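
The variants listed in the quoted Bugtraq text (a uuencoded body, a WSF extension, VBScript.Encode markup) can be checked for with a scan along these lines. This is an added example, not part of the original message or of the filter it discusses; the function name, the extension list and the sample messages are assumptions constructed for illustration.

```python
import re

# Extensions from the thread (vbs, wsf) plus vbe for encoded scripts.
# The list is an assumption of this example; extend it to local policy.
SCRIPT_EXTS = ("vbs", "vbe", "wsf")
_EXT = r"\.(?:%s)" % "|".join(SCRIPT_EXTS)

# uuencode header at the start of a body line: "begin <octal mode> <name>".
# Anchoring at line start keeps mail that merely quotes the string clean.
UU_BEGIN = re.compile(r"^begin[ \t]+[0-7]{3,4}[ \t]+(.*%s)\s*$" % _EXT,
                      re.I | re.M)
# MIME name= / filename= parameter, quoted or bare, ending in a script ext.
MIME_NAME = re.compile(
    r'\b(?:file)?name\s*=\s*"?([^";\r\n]*%s)"?\s*(?:;|$)' % _EXT, re.I | re.M)
# Windows Script File markup naming the VBScript engine, plain or encoded.
SCRIPT_TAG = re.compile(
    r'<script\s+language\s*=\s*"?(VBScript(?:\.Encode)?)"?', re.I)


def scan_message(raw):
    """Return (reason, detail) findings for one raw message as text."""
    findings = []
    for m in UU_BEGIN.finditer(raw):
        findings.append(("uuencoded-script", m.group(1).strip()))
    for m in MIME_NAME.finditer(raw):
        findings.append(("mime-script-name", m.group(1).strip()))
    for m in SCRIPT_TAG.finditer(raw):
        findings.append(("script-markup", m.group(1)))
    return findings


# Constructed sample messages (not captured traffic).
SAMPLE_UU = ("Subject: fwd\r\n\r\nkindly check\r\n"
             "begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs\r\nM...\r\nend\r\n")
SAMPLE_WSF = ('Content-Type: application/octet-stream; name="note.wsf"\n'
              'Content-Disposition: attachment; filename=note.WSF\n\n'
              '<job id="x">\n<script language="VBScript.Encode">\n')
SAMPLE_CLEAN = ('Subject: advisory\n\nLook out for the string\n'
                '"begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message.\n'
                'begin 644 notes.txt\nfilename="report.vbs.txt"\n')

if __name__ == "__main__":
    for label, msg in (("uu", SAMPLE_UU), ("wsf", SAMPLE_WSF),
                       ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(msg))
```

The scan reads the message as text, so base64 or quoted-printable parts have to be decoded before they are passed in, and the plain VBScript markup match will also fire on ordinary HTML mail that carries script tags.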