[Exim] IRC/Stages.worm and system_filter.exim

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Douglas Gray Stephens
Datum:  
To: exim-users
Betreff: [Exim] IRC/Stages.worm and system_filter.exim

Hi,

There is another Windows worm doing the rounds (see
http://vil.nai.com/villib/dispvirus.asp?virus_k=98668
) using an extension of SHS

I am not sure who is maintaining the system_filter.exim file, but the
current version (0.5)
ftp://ftp.exim.org/pub/filter/system_filter.exim
does not trap files with extension "SHS". I believe that the file
needs updating, with something similar to the attached file.

Cheers,

Douglas.

# Exim filter
## Version: 0.06

## If you haven't worked with exim filters before, read
## the install notes at the end of this file.

#
# Only run any of this stuff on the first pass through the
# filter - this is an optomisation for messages that get
# queued and have serveral delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
if error_message or not first_delivery
then
finish
endif

# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs))"
then
  fail text "This message has been rejected because it has\n\
         \tan apparently executable attachment $1\n\
         \tThis form of attachment has been used by\n\
             \trecent viruses such as that described in\n\
         \thttp://www.fsecure.com/v-descs/love.htm\n\
         \tIf you meant to send this file then please\n\
         \tpackage it up as a zip file and resend it."
  seen finish
endif


# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for 
# the ILOVEYOU virus and its variants
#
if $message_body matches "(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
         \tan apparently executable attachment $1\n\
         \tThis form of attachment has been used by\n\
             \trecent viruses such as that described in\n\
         \thttp://www.fsecure.com/v-descs/love.htm\n\
         \tIf you meant to send this file then please\n\
         \tpackage it up as a zip file and resend it."
  seen finish
endif


#### Version history
#
# 0.01 5 May 2000
#    Initial release
# 0.02 8 May 2000
#    Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
#    Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
#    Check global content-type header.  Efficiency mods to REs
# 0.05 9 May 2000
#    More minor efficiency mods, doc changes
# 0.06 19 June 2000
#       Add SHS extension
#
#### Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
#    http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation depedant - typicaly /etc/exim/config ]
# at the top the line:-
#    message_filter = /etc/exim/system_filter.exim
#    message_body_visible = 5000
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
#### LIMITATIONS
#
# This filter tries to parse MIME with a regexp... that doesn't
# work too well.  It will also only see the amount of the body
# specified in message_body_visible
#
#### BASIS
#
# The regexp that is used to pickup MIME/uuencoded parts is replicated
# below (in perl format).  You need to remember that exim converts
# newlines to spaces in the message_body variable.
#
# (?:Content-                    # start of content header
#  (?:Type: (?>\s*)                # rest of c/t header
#    [\w-]+/[\w-]+                # content-type (any)
#    |Disposition: (?>\s*)            # content-disposition hdr
#    attachment)                # content-disposition
#  ;(?>\s*)                    # ; space or newline
#  (?:file)?name=                # filename=/name= 
#  |begin (?>\s+) [0-7]{3,4} (?>\s+))         # begin octal-mode
#  (\"[^\"]+\.                    # quoted filename.
#    (?:vb[se]                # list of extns
#    |ws[fh]
#    |jse?
#    |exe
#    |com
#    |bat
#    |shs)
#    \"                    # end quote
#  |[\w.-]+\.                    # unquoted filename.ext
#    (?:vb[se]                # list of extns
#    |ws[fh]
#    |jse?
#    |exe
#    |com
#    |bat
#    |shs)
#  )                        # end of filename capture
#  [\s;]                    # trailing ;/space/newline
#
### [End]



--

================================
Dr. Douglas GRAY STEPHENS        
SL-IT Security (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND


Phone +44 1223 325295
Fax +44 1223 311830
Email DGrayStephens@???
================================