RE: [Exim] badtrans virus

Author: Paul Walsh
Date:  
To: 'Todd Lattimer', exim-users
Subject: RE: [Exim] badtrans virus
I use a modified version of the generic system filter written by Nigel
Metheringham. As BadTrans II is carried in an attachment with double
extensions and the second extension is one of the ones the filter traps we
just bounce the messages.

In the original filter, the fail text is included in each "if $message_body
matches ... endif" block. I decided instead to use the internal variable n8
and add 99 to it if one of the conditions was true. I then check to see if
n8 is >0 and if so, fail the message. I did originally try checking content
for "TVqQAAMAAAAEAAAA" but it seemed to throw up false positives, claiming
"crimbo.exe" had the virus (the attachment would've been rejected anyway
because of the exe extension) so instead I thought I'd check the attachment's
filename (as determined by the original filter regex) for the double
extensions used by BadTrans. We log any messages failed because of
executable attachments in the file failed_attachments.log and any we suspect
of having a virus in virus.log (hence the two logfile/logwrites).

Paul Walsh

Senior Systems Administrator, IT Services,
University of Central England, BIRMINGHAM B42 2SU, UK
Tel: +44 (0)121 331 5708    Fax: +44 (0)121 356 2875



Here's an extract from the filter (with a few comments added to explain
what's happening):

# If the attachment has one of the "executable" file extensions then add 99 to n8
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]"
then
  add 99 to n8
endif

# If n8 is >0 then we must've encountered an executable attachment
if ($n8 is above 0)
then
  logfile /usr/exim/logs/failed_attachments.log 644
  logwrite "$tod_log $message_id $sender_fullhost Subject: $h_subject From: $sender_address To: $recipients rejected - executable attachment $1"

  # Now see if the attachment has one of the double extensions used by BadTrans B
  if $1 matches "(?:doc|mp3|zip)\\.(?:pif|scr)"
  then
    # Log the fact we _may_ have seen BadTrans then fail the message
    logfile /usr/exim/logs/virus.log 644
    logwrite "$tod_log $message_id $sender_fullhost From: $sender_address To: $recipients Possible BadTrans attachment"
    fail text "This message has been rejected because it has\n\
             a potentially executable attachment\n\
             and is believed to contain the BadTrans B virus.\n\
             For further details on this virus's capabilities\n\
             you are advised to consult the address\n\
             http://www.fsecure.com/v-descs/badtrs_b.shtml\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
    seen finish
  endif

  # The attachment doesn't have one of the double extensions but is executable anyway, so fail the message
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif




-----Original Message-----
From: Todd Lattimer [mailto:todd@lis.net.au]
Sent: 02 December 2001 22:46
To: exim-users@???
Subject: [Exim] badtrans virus


Hi Guys,

Just wondering if anyone has written a successful filter to block the
badtrans virus.
I've written a VERY crude one (shown below) which has very limited and
marginal success.

cheers
Todd

#Badtrans
if $message_body contains "TVqQAAMAAAAEAAAA//"
then fail text "Your machine appears to be affected with the W32.Badtrans.B@mm worm."
endif
# End Badtrans

--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##
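The two approaches in the thread above, as an added Python example that is neither poster's code nor anything from the Exim project: a port of the system filter's attachment regex and Paul's double-extension test, Todd's base64 body signature, and a few constructed MIME messages that show why the signature fires on an ordinary Windows executable (the "crimbo.exe" false positive) while the filename checks do not. The `exim_body` helper, the 500-byte truncation (Exim's default `message_body_visible`), the dropped atomic groups and the `IGNORECASE` flag are assumptions of this port, not part of the original filter.

```python
import base64
import re

# Executable extensions trapped by the Exim system filter quoted above; the
# alternation is copied from the filter extract.
EXEC_EXT = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
            r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Python port of the filter's $message_body regex.  Exim gives the filter a body in
# which newlines have been replaced by spaces, so plain \s separates the tokens.
# Assumptions of this port: the atomic groups (?>...) are dropped (they only affect
# backtracking cost, not what matches) and IGNORECASE is added so that mixed-case
# names such as report.DOC.pif are caught.
ATTACHMENT_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name=|"
    r"begin\s+[0-7]{3,4}\s+)"
    r"(\S+\.(?:" + EXEC_EXT + r"))[\s;]",
    re.IGNORECASE,
)

# Paul's extra test for BadTrans B: a harmless-looking extension followed by .pif or .scr.
DOUBLE_EXT_RE = re.compile(r"(?:doc|mp3|zip)\.(?:pif|scr)", re.IGNORECASE)

# Todd's body signature, copied from his filter.  It is the base64 encoding of the
# first bytes of a typical DOS/PE header ("MZ" magic plus the usual e_cblp/e_cp/
# e_crlc/e_cparhdr/e_minalloc values), which is why it fires on any ordinary
# Windows executable, not only on the worm.
MZ_B64_SIGNATURE = "TVqQAAMAAAAEAAAA//"


def exim_body(raw_message: str, visible: int = 500) -> str:
    """Approximate Exim's $message_body: everything after the header block, newlines
    turned into spaces, truncated to message_body_visible bytes (Exim default 500)."""
    body = raw_message.split("\n\n", 1)[1] if "\n\n" in raw_message else raw_message
    return body[:visible].replace("\n", " ")


def classify(body: str):
    """Mirror the filter's control flow on a $message_body string.

    Returns (decision, filename, log_lines): a regex hit adds 99 to n8; n8 > 0 logs
    to failed_attachments.log and fails the message; a double extension on the
    captured filename ($1) additionally logs to virus.log."""
    n8 = 0
    m = ATTACHMENT_RE.search(body)
    if m:
        n8 += 99
    if n8 <= 0:
        return "accept", None, []
    name = m.group(1)
    logs = [f"failed_attachments.log: rejected - executable attachment {name}"]
    if DOUBLE_EXT_RE.search(name):
        logs.append(f"virus.log: Possible BadTrans attachment {name}")
        return "reject-suspected-badtrans", name, logs
    return "reject-executable", name, logs


def mz_signature_hit(body: str) -> bool:
    """Todd's test: does the body contain the base64-encoded PE header prefix?"""
    return MZ_B64_SIGNATURE in body


def make_message(filename: str, payload: bytes) -> str:
    """Build a constructed two-part MIME message with one base64 attachment."""
    b64 = base64.b64encode(payload).decode()
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n'
        "\n"
        "--XX\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attached\n"
        "--XX\n"
        "Content-Type: application/octet-stream\n"
        f"Content-Disposition: attachment; filename={filename}\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}\n"
        "--XX--\n"
    )


# Constructed samples.  The "executable" payload is only a 64-byte PE header stub
# (MZ, e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0, e_maxalloc=0xFFFF).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLE_DOUBLE_EXT = make_message("report.DOC.pif", PE_STUB)      # BadTrans-style name
SAMPLE_PLAIN_EXE = make_message("crimbo.exe", PE_STUB)           # Paul's false positive
SAMPLE_ZIP = make_message("report.zip", b"PK\x03\x04" + b"\x00" * 60)
SAMPLE_QUOTED_NAME = make_message('"report.DOC.pif"', PE_STUB)   # quoted filename parameter

if __name__ == "__main__":
    for label, msg in [("double ext", SAMPLE_DOUBLE_EXT), ("plain exe", SAMPLE_PLAIN_EXE),
                       ("zip", SAMPLE_ZIP), ("quoted name", SAMPLE_QUOTED_NAME)]:
        body = exim_body(msg)
        print(f"{label:12s} filter={classify(body)[0]:26s} MZ-signature={mz_signature_hit(body)}")
```

Two things worth checking before relying on a filter like this: Exim only exposes the first `message_body_visible` bytes of the body to `$message_body` (500 by default), so an attachment header that sits after a long text part is never seen by the regex; and the regex as written expects an unquoted `filename=` value, so a part whose header reads `filename="report.DOC.pif"` is accepted (the `\S+` swallows the closing quote and the `[\s;]` that must follow the extension never matches). The last constructed sample shows that gap; allowing an optional quote after `name=` in your own copy closes it.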