Re: [Exim] W32/Sircam worm

Pàgina inicial
Delete this message
Reply to this message
Autor: Mark Morley
Data:  
A: Justyn's Lists
CC: exim-users
Assumpte: Re: [Exim] W32/Sircam worm
>
> Gee, I if I had provided a little more info my post might have made more
> sense huh?  I was reading on the Mcafee site about the W32/Sircam worm
> and they said that it sends itself "using one of the following
> extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment
> names having double-extensions."    Sooo,  I was suggesting... you may
> want to add the .lnk extension to your system filters, and I was asking
> if anyone else had a better idea?

>
> Thanks,
> -jm
>


Personally I don't like using the generic filter for viruses (I see too
many false positives).

Yesterday I added this to my filter and in less than 24 hours it's
caught over 4,100 copies of the Sircam virus:

     if "$message_body" contains "Hi! How are you" and
        "$message_body" contains "See you later" and
        "$message_body" contains "TVpQAAIAAAAEAA8A" then
        seen finish
     endif


It's probably not foolproof, but it's working here with no false positives
so far (I was getting false positives until I added the third check, which
is just the first few bytes of the MIME encoded attachment).

Mark