Hi,
We've had a couple of machines hit over the past few days by W32MTX@mm
(http://vil.nai.com/vil/dispVirus.asp?virus_k=98797), some of them needing
complete rebuilds. Thus I've had to add a couple of extras to the win32
executable filter match - the beastie is a win32 portable executable, and
will come in as a screensaver (.scr) or .pif amongst other things. On the
bright side the others are already on the filter list.
As a result our global filter now reads (in parts):
if $header_content-type: matches
"(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif))"
[rest of rule matches the original]
and
if $message_body matches
"(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif))[\\\\s;]"
cheers,
Chris
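An added example, not part of Chris's post and not an Exim filter: the two rules above translated into plain Python regexes (without the backslash doubling the quoted filter strings need) and run over a constructed single-part header and a constructed multipart body, so the pattern can be exercised against sample attachments before it goes into a live filter. The extension list and the rule structure are taken from the post; re.IGNORECASE is an assumption (uppercase names like FOO.SCR should presumably be caught too), and the sample header values, body and payload lines are made up for the test.

```python
import re

# Extension alternation used by both rules in the post, as a Python regex.
EXTS = r"(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs|scr|pif)"

# A quoted name ending in a blocked extension, or a bare token ending in one.
NAME = r'("[^"]+\.' + EXTS + r'"|[\w.-]+\.' + EXTS + r')'

# Rule 1: applied to the value of the top-level Content-Type: header.
# Case-insensitive matching is an assumption made for this example.
HEADER_RE = re.compile(r"(?:file)?name=" + NAME, re.IGNORECASE)

# Rule 2: applied to the whole body. Fires on a MIME part header
# (Content-Type: x/y; name=  or  Content-Disposition: attachment; filename=)
# or on a uuencode "begin 644 " line, and requires whitespace or ';' after
# the name, so ".exe" does not match inside e.g. ".executable".
BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name=|"
    r"begin\s+[0-7]{3,4}\s+)" + NAME + r"[\s;]",
    re.IGNORECASE,
)


def blocked_names(content_type_header, body):
    """Return (where, name) pairs for every attachment name the two rules
    would reject; an empty list means the message passes both rules."""
    hits = []
    m = HEADER_RE.search(content_type_header or "")
    if m:
        hits.append(("header", m.group(1)))
    for m in BODY_RE.finditer(body):
        hits.append(("body", m.group(1)))
    return hits


# Constructed samples (hypothetical names, not captured mail).
SAMPLE_HEADERS = {
    # single-part message: the name sits in the top-level Content-Type header
    "single": 'application/octet-stream; name="invoice.scr"',
    # multipart message: names only appear inside the body's part headers
    "multi": 'multipart/mixed; boundary="boundary42"',
}

# Constructed multipart body: one .scr declared twice (folded Content-Type
# name= and Content-Disposition filename=) plus a uuencoded .pif in a text
# part. The payload lines are placeholders, not real file content.
SAMPLE_BODY = (
    "This is a multi-part message in MIME format.\n"
    "\n"
    "--boundary42\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please find the files attached.\n"
    "\n"
    "--boundary42\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="invoice.scr"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=invoice.scr\n"
    "\n"
    "TVqQAAMAAAAEAAAA\n"  # placeholder, not a real payload
    "\n"
    "--boundary42\n"
    "Content-Type: text/plain\n"
    "\n"
    "begin 644 patch.pif\n"
    "M35J0``,````$\n"  # placeholder uuencode line
    "end\n"
    "--boundary42--\n"
)


if __name__ == "__main__":
    print(blocked_names(SAMPLE_HEADERS["single"], ""))
    print(blocked_names(SAMPLE_HEADERS["multi"], SAMPLE_BODY))
    # The header rule has no trailing delimiter, so a name such as
    # report.executable is reported as report.exe; the body rule's [\s;]
    # prevents the same over-match there.
    print(blocked_names("application/octet-stream; name=report.executable", ""))
```

One thing the run shows: the body rule's trailing `[\s;]` stops `.exe` matching inside a longer extension, but the header rule carries no such anchor, so `name=report.executable` in a top-level Content-Type header is reported as `report.exe`. Whether that matters depends on the conditions elided as "[rest of rule matches the original]".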