rotman@??? said:
> why does it not match TEXT/PLAIN?
Because all the variants that had been seen were application/octet-stream
and I did not realise that a particular OS/MUA could be stupid enough
to execute plain text documents :-(
New version now takes any content-type and filters on extension only.
[From BUGTRAQ - also quoted on this list by Dirk Koopman]
aleph1@??? said:
> Brian Moore <bem@???> reports seeing at least one variant where
> the VBS virus was not an attachment but it was instead uuencoded. This
> may fool antivirus products. Look out for the string "begin 600
> LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this be the result
> of some MTA rewriting the message?
I think it's actually due to the way particular MUAs are set up, but they
are still reacting to the VB control - probably using MAPI with a
different underlying MUA. An MTA that converted MIME->uuencoding would
have been noticed and laughed out of court by now :-)
The exim filters *do* attempt to detect uuencoded messages.
> Sean Malloy <sean@???> is letting us know that changing the
> virus to use a WSF extension instead of VBS is just as effective. WSF
> stands for Windows Scripting File. Antivirus vendors that want to be
> proactive might want to add this extension to their signatures. The
> file contents would look something like this:
Such a list of extensions - wonder if .doc, .xls etc should be added
too :-)
WSF added to the filter's list of culprits....
Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
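
The rule described in this message (ignore the content-type, match on the file extension, and also check uuencoded "begin" lines) can be sketched as follows. This is an added example in Python, not the Exim filter discussed on the list; the function names, the extension set and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Extensions named in the thread; extend the set for local policy.
BLOCKED_EXTENSIONS = {"vbs", "wsf"}
# uuencode header line: "begin <octal mode> <filename>"
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+?)\s*$", re.MULTILINE)

def has_blocked_extension(filename):
    """Check only the final extension, so NAME.TXT.vbs is caught as .vbs."""
    name = filename.strip().strip('"').lower()
    return "." in name and name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS

def suspicious_filenames(raw_message):
    """Return blocked filenames from MIME parts and uuencoded body text."""
    hits = []
    for part in message_from_string(raw_message).walk():
        # The declared content-type is ignored on purpose: extension only.
        filename = part.get_filename()
        if filename and has_blocked_extension(filename):
            hits.append(filename)
        if not part.is_multipart():
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            hits += [n for n in UU_BEGIN.findall(text) if has_blocked_extension(n)]
    return hits

# Constructed sample messages (not captured traffic).
UUENCODED = (
    "From: a@example.com\nSubject: sample\nContent-Type: text/plain\n\n"
    "see below\nbegin 600 LOVE-LETTER-FOR-YOU.TXT.vbs\n"
    "(constructed placeholder body)\nend\n"
)
TEXT_PLAIN_ATTACHMENT = (
    "From: a@example.com\nSubject: sample\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: text/plain\n"
    'Content-Disposition: attachment; filename="NOTE.TXT.wsf"\n\n'
    "(constructed placeholder body)\n--b1--\n"
)
BENIGN = (
    "From: a@example.com\nSubject: sample\nContent-Type: text/plain\n\n"
    "begin the meeting at 600 hours\nsee report.txt\n"
)

if __name__ == "__main__":
    for label, raw in [("uuencoded", UUENCODED),
                       ("text/plain", TEXT_PLAIN_ATTACHMENT), ("benign", BENIGN)]:
        print(label, suspicious_filenames(raw))
```
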