Re: [Exim] the Klez virus -> fixing system_filter

Author: Marc MERLIN
Date:  
To: Exim List
Subject: Re: [Exim] the Klez virus -> fixing system_filter
Silly me, I should probably damage the headers or I'm going to block the
post for everyone :-)
(extra '_' added)

On Thu, May 09, 2002 at 11:45:34PM -0500, dman wrote:
> if
>     "$message_body $message_body_end"
>         matches "Content-.*audio/x-wav.*\.(?:pif|exe)"
>     or
>     "$message_body $message_body_end"
>         matches "Content-.*audio/x-mid.*\.(?:scr|exe)"
>     or
>     "$message_body $message_body_end"
>         matches "<iframe.*</iframe>"
> then


I've been looking at my existing rules, because as mentioned before, I
don't like this solution: I don't want to get in the business of writing
custom and possibly imperfect filters for each new virus that comes out.

Klez sends:
--O1wI75YSucu4Fo4J6F4jxR6U6k78
Content_-_Type: audio/x-midi;
        name=Custom.s_c_r


If I modify it to say:
--O1wI75YSucu4Fo4J6F4jxR6U6k78
Content_-_Type: audio/x-midi; name=Custom.s_c_r

then it gets blocked by the existing system_filter
I have the flu right now, so I don't think it's the best time for me to mess
with my filter regexes, but it seems that it's only a matter of fixing this:

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"

I prefer a generic fix a _lot_ better.

Marc

--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
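The post's observation is that the existing regex catches the Klez attachment only once the `name=` parameter is moved onto the same line as `Content-Type:`. A check that parses the MIME part headers (which unfolds continuation lines per RFC 2822 and unquotes parameter values) before testing the filename extension does not depend on how the sender laid the header out. The following is an added example in Python, not Marc's filter nor anything from Exim; the extension list is the one in the quoted filter regex, the outer `multipart/mixed` wrapper, the base64 body and the benign/uuencode messages are constructed samples, and the deliberate `_` damage in the quoted Klez header has been removed so the sample is a real header.

```python
import re
from email import message_from_string

# Extension list copied from the system_filter regex quoted in the post.
BLOCKED_EXT = re.compile(r"\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)$", re.IGNORECASE)

# uuencoded attachments announce themselves with "begin <mode> <name>" in a text body;
# the quoted filter also checks for this, so the parser-based check covers it too.
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$", re.MULTILINE)

# Constructed sample: the part header Klez sends as quoted in the post, with the
# name parameter folded onto a continuation line (leading whitespace).
KLEZ_FOLDED = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"O1wI75YSucu4Fo4J6F4jxR6U6k78\"\r\n"
    "\r\n"
    "--O1wI75YSucu4Fo4J6F4jxR6U6k78\r\n"
    "Content-Type: audio/x-midi;\r\n"
    "        name=Custom.scr\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "AAAA\r\n"
    "--O1wI75YSucu4Fo4J6F4jxR6U6k78--\r\n"
)

# Same message with the name on one line, the form the post says the filter already catches.
KLEZ_UNFOLDED = KLEZ_FOLDED.replace(
    "Content-Type: audio/x-midi;\r\n        name=Custom.scr\r\n",
    "Content-Type: audio/x-midi; name=Custom.scr\r\n",
)

# Constructed benign message: a folded parameter that is not a filename.
BENIGN = (
    "Content-Type: text/plain;\r\n"
    "        charset=us-ascii\r\n"
    "\r\n"
    "Nothing to see here.\r\n"
)

# Constructed message carrying a uuencoded executable in a plain text body.
UUENCODED = (
    "Content-Type: text/plain\r\n"
    "\r\n"
    "begin 644 setup.exe\r\n"
    "M4$L#!!0````(`````````````````\r\n"
    "end\r\n"
)


def blocked_attachments(raw_message):
    """Return the names of attachments whose extension is on the block list.

    The email parser unfolds continuation lines and strips quotes around
    parameter values, so Content-Type/Content-Disposition names are found
    whether or not they share a line with the header field name.
    """
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() looks at Content-Disposition filename= first,
        # then falls back to the Content-Type name= parameter.
        name = part.get_filename()
        if name and BLOCKED_EXT.search(name):
            hits.append(name)
        # Only text bodies can carry a uuencode 'begin' line worth checking.
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            for m in UU_BEGIN.finditer(body.decode("latin-1")):
                if BLOCKED_EXT.search(m.group(1)):
                    hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for label, sample in (("folded", KLEZ_FOLDED), ("unfolded", KLEZ_UNFOLDED),
                          ("benign", BENIGN), ("uuencoded", UUENCODED)):
        print(label, "->", blocked_attachments(sample))
```

Because the decision is made on the parsed `name=`/`filename=` value rather than on the raw body text, the same check also covers quoted names (`name="Custom.scr"`) and RFC 2231 encoded parameters without any change to the extension list.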