[Exim] Re: MS-DOS signature (was: needed: beagle/bagle patte…

Author: Chris Edwards
Date:  
To: Exim User's Mailing List
Old-Topics: Re: [Exim] needed: beagle/bagle pattern
Subject: [Exim] Re: MS-DOS signature (was: needed: beagle/bagle pattern)
On Tue, 20 Jan 2004, Greg A. Woods wrote:

| If I'm not mistaken the very same regular expression that detects mail
| bodies with sobig and many other viruses and worms will also detect this
| new worm:
|
|     "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
|
| Apparently this pattern matches all M$ Win32 executables when they've
| been MIME encoded using BASE-64.

Many of them, yes. However, the M$ gurus here tell me we can only rely
on the first two bytes being 4D 5A (MZ ascii). Base64-encoded this
corresponds to regexp:

TV[o-r]

If you use a longer expression it's possible you may miss stuff.

In a MIME container this occurs at the start of a line, after one blank
line. Hence:

deny condition = ${if match{$message_body:}{  TV[o-r]}{yes}{no}}

Note the 2 spaces - the first matches the blank line, the second matches
the newline. Remember, newlines are converted into spaces in
$message_body. Without the spaces you'd get loads of FPs.
--
Chris Edwards, Glasgow University Computing Service
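The two points made above (deriving the base64 form of the MZ magic, and why the Exim condition needs two leading spaces) can be checked with the following Python script. It is an added example, not code from the thread or from Exim. It goes slightly beyond the post in that base64_prefix_regex() derives the character class for any byte prefix, not just "MZ"; exim_message_body() is a simplified stand-in for Exim's $message_body (body only, newlines replaced by spaces, truncated to the message_body_visible default of 1000 bytes), and the mail messages are constructed here for the test.

```python
import base64
import re

# The standard base64 alphabet, indexed by 6-bit value.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _char_class(chars: str) -> str:
    """Render a run of base64 characters as a regex class, using X-Y ranges
    only where the characters are contiguous in ASCII (e.g. 'opqr' -> '[o-r]')."""
    if len(chars) == 1:
        return chars
    runs, start, prev = [], chars[0], chars[0]
    for c in chars[1:]:
        if ord(c) == ord(prev) + 1:
            prev = c
            continue
        runs.append(start if start == prev else f"{start}-{prev}")
        start = prev = c
    runs.append(start if start == prev else f"{start}-{prev}")
    return "[" + "".join(runs) + "]"


def base64_prefix_regex(magic: bytes) -> str:
    """Regex matching base64 text that encodes `magic` at offset 0 of the data.
    Whole 3-byte groups encode to fixed characters; a trailing partial group
    fixes the fully determined characters and yields a class for the one whose
    low bits depend on the next (unknown) byte.  b'MZ' -> 'TV[o-r]'."""
    whole, rem = divmod(len(magic), 3)
    fixed = base64.b64encode(magic[: whole * 3]).decode()
    if rem == 0:
        return fixed
    # Left-align the leftover 1 or 2 bytes in a 24-bit group.
    bits = int.from_bytes(magic[whole * 3:], "big") << (8 * (3 - rem))
    n_full = (rem * 8) // 6                   # characters whose 6 bits are all known
    out = [B64[(bits >> (18 - 6 * i)) & 63] for i in range(n_full)]
    unknown = 6 * (n_full + 1) - rem * 8      # low bits of the next character we cannot know
    lo = (bits >> (18 - 6 * n_full)) & 63 & ~((1 << unknown) - 1)
    return fixed + "".join(out) + _char_class(B64[lo: lo + (1 << unknown)])


def exim_message_body(raw_message: str, visible: int = 1000) -> str:
    """Simplified stand-in for Exim's $message_body (assumption, not Exim code):
    the body after the header block, truncated to `visible` bytes, with every
    newline turned into a space, which is what the post relies on."""
    body = raw_message.split("\n\n", 1)[1] if "\n\n" in raw_message else raw_message
    return body[:visible].replace("\n", " ")


# Two spaces: one for the blank line, one for the newline before the base64 line.
EXIM_PATTERN = "  " + base64_prefix_regex(b"MZ")


def looks_like_base64_exe(raw_message: str, pattern: str = EXIM_PATTERN) -> bool:
    """Apply the post's condition: unanchored regex search over $message_body."""
    return re.search(pattern, exim_message_body(raw_message)) is not None


def build_sample_mail(attachment: bytes) -> str:
    """Constructed multipart message carrying `attachment` as a base64 part."""
    encoded = base64.b64encode(attachment).decode()
    lines = [encoded[i: i + 76] for i in range(0, len(encoded), 76)]
    return (
        "From: a@example.test\nSubject: test\n"
        "Content-Type: multipart/mixed; boundary=XX\n\n"
        "--XX\nContent-Type: text/plain\n\nHi there.\n--XX\n"
        "Content-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n\n" + "\n".join(lines) + "\n--XX--\n"
    )


# Constructed samples: a fake MZ-headed attachment, and plain text that contains
# "TVo" mid-line (the kind of false positive a single leading space lets through).
SAMPLE_EXE_MAIL = build_sample_mail(b"MZ\x90\x00" + bytes(8))
BENIGN_MAIL = "From: b@example.test\nSubject: hi\n\nHi,\nthe TVo show\nwas great.\n"

if __name__ == "__main__":
    print(base64_prefix_regex(b"MZ"))                    # TV[o-r]
    print(looks_like_base64_exe(SAMPLE_EXE_MAIL))        # True
    print(looks_like_base64_exe(BENIGN_MAIL))            # False
    print(looks_like_base64_exe(BENIGN_MAIL, " TV[o-r]"))  # True: one space is not enough
```

The last call shows the failure mode the post warns about: with a single leading space the pattern fires on ordinary prose, while the two-space form only fires where a base64 line follows a blank line. The class derivation also makes the "[o-r]" explicit: the third base64 character carries the last four bits of 0x5A plus two bits of the next byte, so only its top four bits are fixed.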