[Exim] gibe worm

Author: Chris Edwards
Date:  
To: exim-users
Subject: [Exim] gibe worm
Hi,

Another windoze-attacking worm on the go, spreading as an email claiming
to be a "microsoft security update"

http://www.symantec.com/avcenter/venc/data/w32.gibe@mm.html

Difference this time is, despite coming with an attachment named
q216309.exe, it appears to go straight through our version of the popular
executable attachment filter. As far as I can tell, this is due to the
text part of the body containing a few NULL characters - in other words,
ascii code zero.

Anyone wishing to reproduce this needs a truly pristine copy of the worm,
as copies forwarded from a user have likely had the NULLs stripped.
Editing out the NULLs seems to make the filter catch it happily, so I'm
reasonably confident this is what's happening.

Latest exim I've seen this on is 3.33. For the moment we've got a filter
looking for the header:

        Subject: Internet Security Update


Chris
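The failure mode described above, as an added example that is not part of the original post: a constructed message with NUL bytes in the text part and an .exe attachment, checked by a hypothetical NUL-sensitive filter (a simplification that stops at the first NUL, assumed here to stand in for whatever the real filter did) and by a MIME-aware check that inspects declared attachment filenames. The blocked-extension list is an assumption.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample message (not the real worm): a text part containing
# NUL bytes, followed by an executable attachment named like the one reported.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: Internet Security Update\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B1"\r\n'
    b"\r\n--B1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Please install\x00\x00 this update.\r\n"
    b"--B1\r\n"
    b'Content-Type: application/octet-stream; name="q216309.exe"\r\n'
    b'Content-Disposition: attachment; filename="q216309.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"TVqQAAMAAAAEAAAA\r\n"
    b"--B1--\r\n"
)

# Assumed list of extensions the filter is meant to block.
BLOCKED_EXT = (".exe", ".com", ".scr", ".pif", ".bat")
EXE_NAME = re.compile(r'name="?[^"\r\n]*\.(exe|com|scr|pif|bat)"?', re.I)

def naive_filter_blocks(raw: bytes) -> bool:
    """Hypothetical NUL-sensitive filter: treats the message like a C string,
    so nothing after the first NUL byte is ever examined by the regex."""
    visible = raw.split(b"\x00", 1)[0].decode("latin-1")
    return EXE_NAME.search(visible) is not None

def mime_filter_blocks(raw: bytes) -> bool:
    """Parse the MIME structure and inspect every declared attachment
    filename, independent of what the text parts contain."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(BLOCKED_EXT):
            return True
    return False

if __name__ == "__main__":
    print("naive, NULs present :", naive_filter_blocks(SAMPLE))
    print("naive, NULs stripped:", naive_filter_blocks(SAMPLE.replace(b"\x00", b"")))
    print("MIME-aware          :", mime_filter_blocks(SAMPLE))
```

Stripping the NULs makes the naive check match again, which mirrors the observation in the post; the MIME-aware check catches the attachment either way.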