+++ Odhiambo Washington [exim-users] <19/09/01 13:30 +0300>:
> I was wondering if anyone has been hit hard enough by this NIMDA worm and has
> come up with a filter for it.
> I've not quite seen it but it has so far crippled TWO machines on our network.
> I am trying this
> if $header_content-type: contains "audio/x-wav"
> which I've seen in one of the e-mails but I am not seeing results yet.
Try this ... from Catherine Hampton, who wrote the spambouncer: attached
nimda.txt
-suresh
--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
> Just dissected a couple of copies of this new worm. Here are the relevant
> email headers that it uses:
Here's a Procmail filter I just worked up, based on a rash of copies
of this virus I received this morning. Fortunately, they were all on
my Unix shell account, so I got to dissect the emails without
danger. ;>
Feel free to post or email improvements and suggestions.
--
Catherine Hampton <ariel@???>
The Spam Bouncer * <http://www.spambouncer.org/>
Personal Home Page * <http://www.hrweb.org/ariel/>
=-=-=-=-=-=-=-=-=-=
# Nimda.A
#
# New and extremely virulent virus, spreads as readme.exe.
#
# Scoring recipe over header and body (flags BH): PGP-signed mail is never
# matched; everything else starts at -1000, loses 200 per quoted line, and
# gains points for a missing To:, X-Unsent: 1, the servicebots subject, the
# readme.exe attachment name and each base64 fragment of the executable.
# The message is handled by the block below only when the total is above 0.
#
:0 BH
* !^-----BEGIN PGP SIGNED MESSAGE-----
* -1000^0
* -200^1 ^[:;#>]
* 200^1 !^To:
* 500^1 ^X-Unsent: 1
* 500^1 ^Subject:.*servicebots
* 1100^0 name=\"readme\.exe\"
* 500^0 TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
* 500^0 AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
* 500^0 ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
* 500^0 PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAMx11goAAAB/UEUAAEwBBQB1Oqc7
* 500^0 AFNWVzP/aAwCAACNhbT8//9XUOjEYwAAg8QM/xVcgBc2gKW3/P//f2oBW2aJhbT8//9TiJ22/P//
* 500^0 /xU4rBc2V2aJhbj8////FTisFzZXZomFuvz///8VOKwXNldmiYW+/P///xU4rBc2/3UIZomFvPz/
* 500^0 /42FwPz//1DoAgIAAFk7x1kPjIgAAABqD420BcD8////FTisFzZmiQZGU0b/FTisFzZmiQaNhbT8
* 500^0 hAAAtoQAAMKEAADShAAA5IQAAPqEAAAIhQAAHoUAACqFAAA4hQAAQIUAAFCFAABkhQAAeIUAAIiF
* 500^0 mocAAAAAAADOgwAAWIMAABqEAAAmhAAA8oMAAASEAAD6gwAA1oMAAOiDAADegwAAxIMAALqDAACw
* 500^0 dmFuY2VkACVscwBcXCVzAAAAACVsZCAlbGQgJWxkACVsZCAlbGQASW1hZ2UgU3BhY2UgRXhlYyBX
* 500^0 rKysrNnZ06z09PTz8/MbG7wSCgoKCgqGkaDOrKz29vb29oWs6NnTrPb09PTz8/MbvBIKCgoKCqeG
{
  # bounce a warning to the (trusted, -t) sender, then discard the message
  :0
  | (formail -rt \
      -I"From: MAILER-DAEMON@${HOST} (Mail Delivery Subsystem)" \
      -I"Subject: YOUR COMPUTER IS INFECTED BY THE NIMDA-A VIRUS!" ;\
     echo "Your Microsoft Windows personal computer or server is";\
     echo "infected by the Nimda-A virus, and your computer is ";\
     echo "mailbombing my email server. I have therefore set up my ";\
     echo "email server to filter out and delete the virus-infected";\
     echo "emails.";\
     echo "";\
     echo "Please shut down your computer or disconnect it from the";\
     echo "Internet until you can fix this problem.";\
     echo "";\
     echo "You can find information about this virus at this URL:";\
     echo "";\
     echo "http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html";\
     echo "";\
     echo "Thank you!") \
  | ${SENDMAIL} -oi -t

  :0
  /dev/null
}
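As an added illustration (not Catherine's recipe and not anything posted to the list), the same scoring logic re-implemented in Python so the weights can be checked against constructed sample messages; it keeps only the first base64 fragment as the body signature, and the sample headers and addresses are made up.

```python
import re

# Scoring table transcribed from the procmail recipe above as
# (weight, exponent, negated, regex). Exponent 0 counts only the first match,
# exponent 1 adds the weight once per matching line, and a negated condition
# scores once when its pattern is absent. Only the first base64 fragment is kept.
README_SIG = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
CONDITIONS = [
    (-1000, 0, False, r""),                    # every message starts at -1000
    (-200, 1, False, r"^[:;#>]"),              # quoted/commented lines look human-written
    (200, 1, True, r"^To:"),                   # the worm's mail usually has no To: header
    (500, 1, False, r"^X-Unsent: 1"),
    (500, 1, False, r"^Subject:.*servicebots"),
    (1100, 0, False, r'name="readme\.exe"'),   # the attachment name
    (500, 0, False, re.escape(README_SIG)),    # base64 of the MZ/DOS-stub header
]
PGP_MARK = re.compile(r"^-----BEGIN PGP SIGNED MESSAGE-----", re.MULTILINE)


def score_message(raw: str) -> int:
    """Procmail-style score over the raw message (headers and body, like flags BH)."""
    total = 0
    for weight, exponent, negated, pattern in CONDITIONS:
        n = sum(1 for _ in re.finditer(pattern, raw, re.MULTILINE))
        if negated:
            n = 0 if n else 1
        # procmail scoring: match k (0-based) contributes weight * exponent**k
        total += sum(weight * exponent ** k for k in range(n))
    return total


def is_nimda(raw: str) -> bool:
    """Mirror the recipe: PGP-signed mail never matches; otherwise match on a positive score."""
    if PGP_MARK.search(raw):
        return False
    return score_message(raw) > 0


# Constructed sample in the shape the recipe targets: no To: header, X-Unsent: 1,
# the attachment name and the first base64 line of the executable (addresses made up).
NIMDA_SAMPLE = (
    "From: someone@example.invalid\n"
    "Subject: \n"
    "X-Unsent: 1\n"
    'Content-Type: audio/x-wav; name="readme.exe"\n'
    "\n" + README_SIG + "\n"
)
# Constructed ordinary reply: has a To: header and two quoted lines.
NORMAL_SAMPLE = (
    "From: alice@example.invalid\nTo: bob@example.invalid\nSubject: Re: lunch\n\n"
    "> are we still on?\n> for noon?\nYes, see you then.\n"
)
```

The worm-shaped sample scores -1000 + 200 + 500 + 1100 + 500 = 1300 and is matched; the ordinary reply scores -1400 and passes through.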