Re: [Exim] Generic VBS script detection - filter attached …

Author: Nigel Metheringham
Date:  
To: Exim
Subject: Re: [Exim] Generic VBS script detection - filter attached (fwd)
rotman@??? said:
> why does it not match TEXT/PLAIN?


Because all the variants that had been seen were application/octet-stream
and I did not realise that a particular OS/MUA could be stupid enough
to execute plain text documents :-(

New version now takes any content-type and filters on extension only.

[From BUGTRAQ - also quoted on this list by Dirk Koopman]
aleph1@??? said:
> Brian Moore <bem@???> reports seeing at least one variant where
> the VBS virus was not an attachment but it was instead uuencoded. This
> may fool antivirus products. Look out for the string "begin 600
> LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this be the result
> of some MTA rewriting the message?


I think it's actually due to the way particular MUAs are set up, but they
are still reacting to the VB control - probably using MAPI with a
different underlying MUA. An MTA that converted MIME->uuencoding would
have been noticed and laughed out of court by now :-)

The exim filters *do* attempt to detect uuencoded messages.

> Sean Malloy <sean@???> is letting us know that changing the
> virus to use a WSF extension instead of VBS is just as effective. WSF
> stands for Windows Scripting File. Antivirus vendors that want to be
> proactive might want to add this extension to their signatures. The
> file contents would look something like this:


Such a list of extensions - wonder if .doc, .xls etc should be added
too :-)

WSF added to the filter's list of culprits....

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
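The two detection points discussed in this thread (filtering on the attachment's extension regardless of the declared Content-Type, and catching a script that arrives as a uuencoded "begin 600 name" block inside a text body) are sketched below as an added Python example. It is not Nigel's Exim filter and not Exim filter syntax; the extension list contains only the two extensions the thread names (vbs, wsf), the sample messages are constructed for illustration, and the filenames `invoice.wsf` and `notes.txt` are made up.

```python
"""Extension-only script-attachment detection, modelled on the thread's two
findings: (1) ignore Content-Type and look at the filename's last extension,
(2) also look for uuencoded 'begin <mode> <name>' lines in textual parts.
Added example; not the Exim filter discussed on the list."""
import re
from email import message_from_string, policy

# Only the extensions the thread itself names. Extend to taste.
DANGEROUS_EXTENSIONS = {"vbs", "wsf"}

# uuencode header line: "begin <octal mode> <filename>"
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*?)\s*$", re.MULTILINE)


def extension_of(name: str) -> str:
    """Last extension, lower-cased, so 'LOVE-LETTER-FOR-YOU.TXT.vbs' -> 'vbs'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def attachment_names(msg):
    """Filenames declared by any MIME part (Content-Disposition filename,
    falling back to the Content-Type name parameter), whatever the type."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def uuencoded_names(msg):
    """Filenames announced by uuencode 'begin' lines inside text/* parts."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            names.extend(UU_BEGIN.findall(part.get_content()))
    return names


def suspicious_names(raw: str):
    """All attachment or uuencoded filenames carrying a flagged extension."""
    msg = message_from_string(raw, policy=policy.default)
    found = attachment_names(msg) + uuencoded_names(msg)
    return sorted({n for n in found if extension_of(n) in DANGEROUS_EXTENSIONS})


# --- constructed sample messages (bodies are placeholders, not real payloads) ---
MIME_SAMPLE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Constructed sample body text.
--XYZ
Content-Type: text/plain; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem constructed placeholder, not a script
--XYZ--
"""

# The thread's uuencoded variant: no MIME attachment at all, just a text body.
UU_SAMPLE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed uuencode sample
Content-Type: text/plain

begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs
end
"""

# Filename only in the Content-Type name parameter; extension is what matters.
WSF_SAMPLE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed WSF sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: application/octet-stream; name="invoice.wsf"

placeholder
--ABC
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless notes
--ABC--
"""

if __name__ == "__main__":
    for label, raw in (("mime", MIME_SAMPLE), ("uu", UU_SAMPLE), ("wsf", WSF_SAMPLE)):
        print(label, suspicious_names(raw))
```

Because the check keys off the last extension, a double extension such as `.TXT.vbs` is still caught, and a text/plain part is treated no differently from application/octet-stream, which is exactly the gap the first version of the filter had.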