[Exim] Regex for catching RAR flavour of Bagle/beagle

Author: Marcin Owsiany
Date:  
To: Exim users mailing list
Subject: [Exim] Regex for catching RAR flavour of Bagle/beagle
Might be useful for someone...

condition = ${if and{\
              {eq{${lookup{$h_subject:}lsearch{CONFDIR/lists/virus-subjects-beagle}{$value}}}{yes}}\
              {match{$message_body:}{  UmFyIRoHA[A-P]..c[wxyz0-9\+/]...............[HXn3][Q-T][EMUcks08]}}\
            }{yes}{no}}


My current list of subjects is:

"Hokki =)"            yes
"Weah, hello! :-)" yes
"Weeeeee! ;)))" yes
"Hi! :-)" yes
"ello! =))" yes
"Hey, ya! =))" yes
"^_^ meay-meay!" yes
"^_^ meay-meay!" yes
"^_^ mew-mew (-:" yes
"E-mail account disabling warning." yes
"E-mail account security warning." yes
"Email account utilization warning." yes
"Important notify about your e-mail account." yes
"Notify about using the e-mail account." yes
"Notify about your e-mail account utilization." yes
"Warning about your e-mail account." yes
"Hey, dude, it's me ^_^ :P" yes
":-)" yes
":)" yes
"meay-meay!" yes
"Hi" yes
"Thank you!" yes
"E-mail technical support message." yes
"E-mail technical support warning." yes
"Account notify" yes
"E-mail warning" yes
"Email report" yes
"Encrypted document" yes
"Fax Message Received" yes
"Forum notify" yes
"Hidden message" yes
"Important notify" yes
"Important notify about your e-mail account." yes
"Incoming message" yes
"Notify about using the e-mail account." yes
"Notify about your e-mail account utilization." yes
"Notify from e-mail technical support." yes
"Protected message" yes
"RE: Protected message" yes
"RE: Text message" yes
"Re: Document" yes
"Re: Hello" yes
"Re: Hi" yes
"Re: Incoming Fax" yes
" Re: Incoming Message" yes
"Re: Msg reply" yes
"Re: Thank you!" yes
"Re: Thanks :)" yes
"Re: Yahoo!" yes
"Request response" yes
"Site changes" yes


But new ones appear almost daily...

Derivation based heavily on:
http://www.mail-archive.com/imgate@ns2.meiway.com/msg04438.html

RAR format:
http://www.bsdg.org/swag/FAQ/0037.PAS.html
http://datacompression.info/ArchiveFormats/RAR202.txt

BASE64 alphabet:
http://www.faqs.org/rfcs/rfc1521.html

specimen in BASE64: UmFyIRoHAM+QcwAADQAAAAAAAABranREg
specimen:  52        61        72        21        1A        07        00         CF 90       73        00 00 0D 00 00 00 00 00 00 00 6B 6A  74        44
required:  52        61        72        21        1A        07        00         .. ..       73        .. .. .. .. .. .. .. .. .. .. .. ..  74        .[.100]
binary:    01010010  01100001  01110010  00100001  00011010  00000111  00000000   16x.        01110011  96x.                                 01110100  .....100
6 bits:    010100 100110  000101 110010  001000 010001  101000 000111  000000 00....  6x. 6x. 011100 11....            15x(6x.)          ..0111  0100..  ...100
decimal:       20     38       5     50       8     17      40      7       0   0-15    .   .     28  48-63            15x.          7,23,39,55   16-19  4,12,20,28,36,44,52,60
BASE64:         U      m       F      y       I      R       o      H       A    A-P    .   .      c  [wxyz0-9\+/]     15x.             H,X,n,3     Q-T  E,M,U,c,k,s,0,8
regex:
  UmFyIRoHA[A-P]..c[wxyz0-9\+/]...............[HXn3][Q-T][EMUcks08]


Marcin
--
Marcin Owsiany
porridge@???
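The bit-alignment derivation in the post (the specimen, required, binary, 6-bit, decimal and BASE64 rows), worked through as an added Python example that is not part of Marcin's message: it takes the required bytes as (value, mask) pairs, projects them onto the 6-bit symbols of the base64 encoding, emits a character class per symbol, and checks the result against the quoted specimen in both directions. The signature table, the function names and the ZIP-header string used as a negative case are constructed for this example.

```python
import base64
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The post's "required" row as (value, mask) pairs; mask bit 1 means the bit
# must match, 0 is a wildcard.  Constructed here from the derivation table.
RAR_BAGLE_SIGNATURE = (
    [(b, 0xFF) for b in b"Rar!\x1a\x07\x00"]  # RAR marker block
    + [(0, 0)] * 2 + [(0x73, 0xFF)]           # any CRC, archive header type
    + [(0, 0)] * 12 + [(0x74, 0xFF)]          # any flags/sizes, file header type
    + [(0x04, 0x07)]                          # only the low 3 bits (....100)
)

def _char_class(values):
    """Render a set of base64 symbol indices as one compact regex atom."""
    vals = sorted(values)
    if len(vals) == 64:
        return "."
    parts, i = [], 0
    while i < len(vals):  # collapse ASCII-contiguous runs into X-Y ranges
        j = i
        while j + 1 < len(vals) and ord(B64[vals[j + 1]]) == ord(B64[vals[j]]) + 1:
            j += 1
        run = [re.escape(B64[k]) for k in vals[i:j + 1]]
        parts.append(run[0] + "-" + run[-1] if len(run) > 2 else "".join(run))
        i = j + 1
    return parts[0] if len(vals) == 1 else "[" + "".join(parts) + "]"

def base64_signature_regex(sig):
    """Project a (value, mask) byte signature onto 6-bit base64 symbols.
    Assumes the signature starts at offset 0 of the encoded data, as a RAR
    attachment's header does; bits short of a full symbol are dropped."""
    vbits = "".join(format(v, "08b") for v, _ in sig)
    mbits = "".join(format(m, "08b") for _, m in sig)
    atoms = []
    for i in range(0, len(vbits) - len(vbits) % 6, 6):
        v, m = int(vbits[i:i + 6], 2), int(mbits[i:i + 6], 2)
        atoms.append(_char_class({c for c in range(64) if c & m == v & m}))
    return "".join(atoms)

SPECIMEN_B64 = "UmFyIRoHAM+QcwAADQAAAAAAAABranREg"  # specimen quoted in the post

def regex_matches(text=SPECIMEN_B64, sig=RAR_BAGLE_SIGNATURE):
    return re.search(base64_signature_regex(sig), text) is not None

def specimen_bytes_match(sig=RAR_BAGLE_SIGNATURE):
    """Cross-check: decode the specimen's whole 4-char groups, compare byte-wise."""
    raw = base64.b64decode(SPECIMEN_B64[:len(SPECIMEN_B64) // 4 * 4])
    return all(b & m == v & m for b, (v, m) in zip(raw, sig))
```

The generated pattern is the post's regex with `[wxyz0-9\+/]` written as `[w-z0-9\+/]`. Since Exim's `$message_body` only holds the first `message_body_visible` bytes of the body, such a pattern can only fire when the attachment's base64 begins inside that window.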