[ On Tuesday, July 24, 2001 at 09:26:17 (-0700), Mark Morley wrote: ]
> Subject: Re: [Exim] W32/Sircam worm
>
> Personally I don't like using the generic filter for viruses (I see too
> many false positives).
>
> Yesterday I added this to my filter and in less than 24 hours it's
> caught over 4,100 copies of the Sircam virus:
>
> if "$message_body" contains "Hi! How are you" and
> "$message_body" contains "See you later" and
> "$message_body" contains "TVpQAAIAAAAEAA8A" then
> seen finish
> endif
>
> It's probably not foolproof, but it's working here with no false positives
> so far (I was getting false positives until I added the third check, which
> is just the first few bytes of the MIME encoded attachment).
That's because you didn't include the MIME encoded characters in the
first two lines.
Have you actually seen examples of the worm message without the "advice"
line I used in my test?
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <woods@???>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>