Nothing like viruses with bugs in them (Swen)

Seems like this virus/worm has a bug where it will occasionally send out 1
byte attachments rather than the correct worm payload. Since the virus is
not truly attached it tends to pass through e-mail virus scanners.

It's causing a fair amount of end user confusion today -- lots of 'why is
your/my virus scanner not working?' questions.

Mark Radabaugh
Amplex
(419) 720-3635

These are exim filters which catch the damn thing when the antivirus
software misses it. Hopefully it might be useful. It was taken from
http://pkierski.republika.pl/filtry.shtml.

Hello All,

...snipped nice exim filters...
  Is there an example of a procmail filter for this bugger?
    TIA, JimL

You should be able to take the match parts of the exim filter and adapt them
to procmail. I'm not that familiar with procmail, so I'm not sure, but here
are the primary things the filters look for:

content type: multipart/mixed; boundary=.[a-z]{6}
message body: September 200[23], Cumulative Patch

and

content type: multipart/alternative;
content type: "boundary=.[a-z]{6}
message body: iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe

Maybe someone out there with procmail experience could post procmail rules
based on this?

This might be a little late, but here is one that works 100% for me:

# this is a virus. base64 encoded "ram cannot be run in DOS mo"
:0 B:
* cmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
/some/folder

"/some/folder" can of course be /dev/null, in which case you can take out
the trailing colon above since there is no need for locking.

Grisha
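
Added example (not from any poster in the thread): a Python check that runs the match strings from the exim summary and the procmail recipe over two constructed messages. It shows that the base64 signature keys on the DOS stub text of an attached executable rather than on anything specific to this worm, while only the header/body patterns cover the 1-byte-attachment case from the first post. The rule names, helper functions, sample messages, the stub offset and the grouping of the patterns into two rule sets are assumptions.

```python
import base64
import re

# Match strings quoted in the thread; grouping them into two rule sets is an assumption.
CT_MIXED = re.compile(r"multipart/mixed; boundary=.[a-z]{6}")
BODY_PATCH = re.compile(r"September 200[23], Cumulative Patch")
CT_ALT = re.compile(r"multipart/alternative;")
CT_BOUNDARY = re.compile(r"boundary=.[a-z]{6}")
BODY_IFRAME = re.compile(r"iframe src=3D.cid:.*height=3D0.* width=3D0.*/iframe")
B64_SIG = "cmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v"  # from the procmail recipe


def matched_rules(raw: str) -> list:
    """Return the (hypothetical) names of the rules that fire on a raw message."""
    head, _, body = raw.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    m = re.search(r"(?im)^content-type:\s*(.*)$", head)
    ctype = m.group(1) if m else ""
    hits = []
    if CT_MIXED.search(ctype) and BODY_PATCH.search(body):
        hits.append("patch-lure")
    if CT_ALT.search(ctype) and CT_BOUNDARY.search(ctype) and BODY_IFRAME.search(body):
        hits.append("iframe-lure")
    if B64_SIG in body:
        hits.append("dos-stub-base64")
    return hits


def build(boundary: str, text: str, attachment: bytes) -> str:
    """Assemble a constructed two-part message with a base64 attachment."""
    b64 = base64.encodebytes(attachment).decode("ascii")  # 76-column lines
    return (
        f'From: a@example.com\nContent-Type: multipart/mixed; boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: text/plain\n\n{text}\n"
        f"--{boundary}\nContent-Type: application/octet-stream\n"
        f"Content-Transfer-Encoding: base64\n\n{b64}--{boundary}--\n"
    )


# Constructed, non-executable bytes: "MZ", padding, then the DOS stub text at
# offset 0x4E (assumed here to be the usual position of that text).
STUB = b"MZ" + b"\x00" * 76 + b"This program cannot be run in DOS mode.\r\r\n$"
WITH_STUB = build("=_NextPart_001", "see attached", STUB)
ONE_BYTE = build("abcdef", "September 2003, Cumulative Patch", b"\x00")

if __name__ == "__main__":
    print(matched_rules(WITH_STUB))  # only the base64 signature fires
    print(matched_rules(ONE_BYTE))   # only the header/body lure rule fires
```

With the stub text at that offset, "ram cannot be run in DOS mo" falls on a 3-byte boundary and ends exactly at the end of the second 76-column base64 line, which is why the recipe's string stops mid-word.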