Re: [Exim] W32/Sircam worm

Author: Jon Knight
Date:  
To: Mark Morley
CC: Justyn's Lists, exim-users
Subject: Re: [Exim] W32/Sircam worm
On Tue, 24 Jul 2001, Mark Morley wrote:
> Yesterday I added this to my filter and in less than 24 hours it's
> caught over 4,100 copies of the Sircam virus:
>
>      if "$message_body" contains "Hi! How are you" and
>         "$message_body" contains "See you later" and
>         "$message_body" contains "TVpQAAIAAAAEAA8A" then
>         seen finish
>      endif
>
> It's probably not foolproof, but it's working here with no false positives
> so far (I was getting false positives until I added the third check, which
> is just the first few bytes of the MIME encoded attachment).


For one thing it will let the Spanish variants of this virus through -
that opening/closing text is just the English variant. The virus decides
which to send based on the settings of the infected machine. I've
seen *plenty* of both in our frozen message pile today. :-)

Tatty bye,

Jim'll
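The exchange above boils down to two detection ideas: Mark's rule keys on the English greeting text plus the first 16 base64 characters of the attachment, and Jon's objection is that the greeting is language-specific. The following Python script is an added illustration, not code from this thread or from Exim: it reproduces the quoted three-substring rule, shows what the 16-character base64 prefix decodes to (an `MZ` executable header), and contrasts it with a check that ignores the greeting entirely and flags any base64 run in the body whose first decoded bytes are `MZ`. The message bodies are constructed for the example; the "other-language" variant uses a placeholder greeting rather than any real text, and the benign message shows why Mark needed the third check.

```python
import base64
import re

# The three strings below are the ones quoted in Mark Morley's Exim rule.
GREETING_OPEN = "Hi! How are you"
GREETING_CLOSE = "See you later"
SIRCAM_B64_PREFIX = "TVpQAAIAAAAEAA8A"   # first 16 base64 chars of the attachment

# Constructed sample bodies (not captured mail). Only the three quoted strings
# are from the thread; all other text is filler for this example.
ENGLISH_BODY = """Hi! How are you?

(constructed filler text standing in for the rest of the message)

See you later. Thanks

--boundary
Content-Transfer-Encoding: base64

TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--boundary--
"""

# Same attachment, but the greeting is a placeholder for a non-English variant.
VARIANT_BODY = """(placeholder: greeting in another language)

(constructed filler text)

(placeholder: closing line in another language)

--boundary
Content-Transfer-Encoding: base64

TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--boundary--
"""

# A harmless note that happens to contain both greetings but no attachment.
BENIGN_BODY = """Hi! How are you? Just checking in. See you later!
"""


def morley_filter(body):
    """Mirror of the quoted Exim rule: all three substrings must be present."""
    return (GREETING_OPEN in body
            and GREETING_CLOSE in body
            and SIRCAM_B64_PREFIX in body)


def decode_prefix():
    """Decode the 16-char base64 prefix: 16 chars -> 12 raw bytes."""
    return base64.b64decode(SIRCAM_B64_PREFIX)


# Runs of at least 16 base64-alphabet characters (four 4-char groups).
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{4}){4,}")


def base64_executable_prefixes(body):
    """Decode the head of every base64-looking run; keep those starting 'MZ'.

    'MZ' is the DOS/Windows executable header, so this flags any base64
    segment that encodes an executable, whatever text surrounds it.
    """
    hits = []
    for match in B64_RUN.finditer(body):
        head = match.group(0)[:16]          # 16 chars -> 12 decoded bytes
        try:
            raw = base64.b64decode(head, validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            continue
        if raw.startswith(b"MZ"):
            hits.append(raw)
    return hits


def language_independent_filter(body):
    """True when the body carries a base64 segment that decodes to an MZ header."""
    return bool(base64_executable_prefixes(body))


if __name__ == "__main__":
    for name, body in [("english", ENGLISH_BODY),
                       ("variant", VARIANT_BODY),
                       ("benign", BENIGN_BODY)]:
        print(name, "greeting+prefix rule:", morley_filter(body),
              "MZ-in-base64 rule:", language_independent_filter(body))
    print("prefix decodes to:", decode_prefix())
```

The greeting-based rule catches the English sample and correctly ignores the benign note, but misses the variant with a different greeting; the `MZ`-in-base64 check catches both infected samples and still ignores the benign one. Its cost is broader scope: it fires on any base64-encoded executable attachment, not just this worm, which may or may not be what a given site wants from a body filter.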