Re: [Exim] needed: beagle/bagle pattern

Author: Exim User's Mailing List
To: Jonathan Vanasco
CC: Exim User's Mailing List
New-Topics: [Exim] Re: MS-DOS signature (was: needed: beagle/bagle pattern)
Subject: Re: [Exim] needed: beagle/bagle pattern
[ On Tuesday, January 20, 2004 at 11:19:14 (-0500), Jonathan Vanasco wrote: ]
> Subject: [Exim] needed: beagle/bagle pattern
>
> someone on the list was nice to share a string pattern that blocked
> sobig through exiscan a few months ago


If I'm not mistaken the very same regular expression that detects mail
bodies with sobig and many other viruses and worms will also detect this
new worm:

    "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"


Apparently this pattern matches all M$ Win32 executables when they've
been MIME encoded using BASE-64. So far it has accurately identified
every virus or worm any idiot has sent to me.

Whatever you do with this pattern, please DO NOT bounce any messages it
matches unless you are 1000% certain the sender is your own local user.

Don't forget to keep watch for uuencoded binaries too:

    "^M35[GHIJK].`..`..*````"


And of course there's the old three-letter extension MIME attachment
name matching pattern (this rather long string includes tabs and I currently
have my MUA configured to not do quoted printable encoding even with
such long lines so hopefully your own MUA won't munge it either :-):

    "^[     ]*content-(disposition|type).*name[     ]*=[     ]*"?(.*\.(386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[     ]*$"


--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
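As an added example, not part of the original post, the base64 and uuencode body patterns quoted above applied in Python to a constructed DOS/MZ header and to a constructed plain-text attachment. The sample bytes, the helper names and the 76-column base64 / 45-byte uuencode line layout are assumptions about how the encoded body would be wrapped:

```python
import base64
import binascii
import re

# The two body-line patterns exactly as posted. Both are anchored with ^, so
# they are meant to be tried against each line of the message body in turn.
B64_MZ = re.compile(r"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA")
UU_MZ = re.compile(r"^M35[GHIJK].`..`..*````")

# Why "TV": a DOS header starts with 'M' 'Z' (0x4D 0x5A). Base64 takes the
# first 12 of those 16 bits as two 6-bit groups, 010011 and 010101 = 'T' 'V'.
# uuencode adds 32 to the same 6-bit values, so a full 45-byte line starts
# with 'M' (the length character) followed by '3' '5'.

def mime_base64_lines(data):
    """Encode like a base64 MIME body part: 76 characters per line."""
    return base64.encodebytes(data).decode("ascii").splitlines()

def uuencode_lines(data):
    """Encode like uuencode: 45 input bytes per line, '`' for a zero group."""
    return [binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
            for i in range(0, len(data), 45)]

def body_matches(pattern, lines):
    """True if any body line matches the pattern (what a body scan would do)."""
    return any(pattern.match(line) for line in lines)

# Constructed sample (an assumption, not a real program): a typical DOS/MZ
# header with e_lfanew pointing at 0x40, followed by the usual DOS stub text.
MZ_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    + b"\x00" * 32
    + b"\x40\x00\x00\x00"
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd!\xb8\x01L\xcd!"
    + b"This program cannot be run in DOS mode.\r\n$"
)

# Constructed benign attachment for comparison.
TEXT_ATTACHMENT = b"Quarterly figures attached. Please review before Friday.\n" * 2

if __name__ == "__main__":
    for name, data in (("MZ header", MZ_HEADER), ("text", TEXT_ATTACHMENT)):
        print(name, "base64:", body_matches(B64_MZ, mime_base64_lines(data)),
              "uuencode:", body_matches(UU_MZ, uuencode_lines(data)))
```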