RE: [Exim] needed: beagle/bagle pattern

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Rick Cooper
Date:  
À: Exim-users
Sujet: RE: [Exim] needed: beagle/bagle pattern

> -----Original Message-----
> From: exim-users-admin@???
> [mailto:exim-users-admin@exim.org]On
> Behalf Of Chris Edwards
> Sent: Tuesday, January 20, 2004 11:32 AM
> To: Jonathan Vanasco
> Cc: Exim-users
> Subject: Re: [Exim] needed: beagle/bagle pattern
>
>
> | someone on the list was nice to share a string
> pattern that blocked
> | sobig through exiscan a few months ago
> |
> | has anyone come up with one for the beagle/bagle threat?
>
> You don't need (1) a special string pattern, nor (2) a
> signature-based AV
> scanner.
>


This is not accurate. Rename notepad.exe to notepad.ddd and then
type notepadd.ddd at the windows command prompt. Windows attempts
to execute files based on the information in the header (load
point, etc) and not on the extension type, so it would be very
easy to virus attached as xyz.xxx and have it launched. The .exe
extension is a convention but is not required. I assume this is
why Exiscan will now identify a file by type, not just name, and
is why MailScanner has been doing it for some time.


> Like most email worms, this is an executable
> attachment. Assuming you
> have the exiscan patch applied, you can get rid of all
> executable
> attachments, past/present/future with e.g:
>
> deny demime =
> bat:cmd:com:exe:hta:js:jse:lnk:pif:scr:shs:vbe:vbs:wsf:wsh
>
> Some people would suggest a longer list of file
> extensions - see the list
> archives.
>
> Cheers
>
> --
> Chris Edwards, Glasgow University Computing Service
>
> --
>
> ## List details at

http://www.exim.org/mailman/listinfo/exim-users Exim details at
http://www.exim.org/ ##


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.