[Exim] Windows generic executable filter and W32MTX@mm

Author: Chris Sleep
Date:  
To: exim-users
Subject: [Exim] Windows generic executable filter and W32MTX@mm
Hi,

We've had a couple of machines hit over the past few days by W32MTX@mm
(http://vil.nai.com/vil/dispVirus.asp?virus_k=98797), some of them needing
complete rebuilds. Thus I've had to add a couple of extras to the win32
executable filter match - the beastie is a win32 portable executable, and
will come in as a screensaver (.scr) or .pif amongst other things. On the
bright side the others are already on the filter list.

As a result our global filter now reads (in parts):

if $header_content-type: matches
"(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif)\
"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif))"
[rest of rule matches the original]

and

if $message_body matches
"(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*attachment);\
\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)\
(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif)\"\
|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif))[\\\\s;]"

cheers,

Chris
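The two filter rules from the post, re-expressed as Python regexes and run over constructed header and body fragments, as an added example that is not part of Chris's message or of Exim. It assumes the quadruple backslashes in the archived post are quoting layers around single regex backslashes, and keeps the match case-sensitive, as `matches` is in an Exim filter.

```python
import re

# Extension alternation shared by both rules (from the post).
EXTS = r"(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif)"
# Filename operand: either a quoted name or a bare token, ending in EXTS.
NAME = r'("[^"]+\.' + EXTS + r'"|[\w.-]+\.' + EXTS + r")"

# Rule 1: filename parameter in the Content-Type header.
HEADER_RE = re.compile(r"(?:file)?name=" + NAME)

# Rule 2: a MIME part header inside the body, or a uuencode "begin" line,
# followed by a filename with one of the extensions and then whitespace/';'.
BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);"
    r"\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)" + NAME + r"[\s;]"
)


def flagged_name(content_type: str, body: str):
    """Return the attachment name the filter would flag, or None.

    content_type is the value of the top-level Content-Type header;
    body is the raw message body (MIME parts or uuencoded data).
    """
    for pattern, text in ((HEADER_RE, content_type), (BODY_RE, body)):
        m = pattern.search(text)
        if m:
            return m.group(1).strip('"')
    return None


if __name__ == "__main__":
    # Constructed sample body fragment (not from the original post).
    sample_body = (
        "--boundary\n"
        'Content-Type: application/octet-stream; name="funny.scr"\n'
        "Content-Transfer-Encoding: base64\n\n"
    )
    print(flagged_name("multipart/mixed; boundary=boundary", sample_body))
```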