Full Disclosure mailing list archives

Re: Mydoom


From: "Geoincidents" <geoincidents () getinfo org>
Date: Tue, 27 Jan 2004 18:58:18 -0500


And, as I explained earlier, even the size of the .EXE can vary, adding
yet another inconstancy to the equation.

There is one consistency that may help people build mail filters. The virus
codes the zip attachment as a mime type of application / octet-stream
(without the spaces) instead of application/x-zip-compressed. It's a
consistency you can build a words/phrase filter around. Only drawback is
that octet stream is basically the default for unknown file types and
Windows98 for some reason uses this mime type for pdf and doc type files but
that's fixable too.

You can fix Win98 by going into regedit on the client machine, to
HKEY_CLASSES_ROOT\.pdf and enter
a new string value of "Content Type" = "application/pdf" or for doc file go
to the \.doc key and enter "application/msword" or whatever extension you
find that fails when you try to send mail.

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
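
The filter idea in the message above, as an added example that is not part of the original post: it flags attachments declared as application/octet-stream whose filename ends in .zip, and leaves octet-stream PDFs (the Windows 98 case) alone. The zip magic-byte check goes beyond what the post describes; the function names, addresses and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature at the start of a zip


def suspicious_parts(raw: bytes):
    """Return (filename, declared_type, reason) for each flagged attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()  # always lower-case
        if ctype != "application/octet-stream":
            continue  # a zip labelled application/x-zip-compressed is not the pattern
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip"):
            hits.append((name, ctype, "zip name with octet-stream type"))
        elif payload.startswith(ZIP_MAGIC):
            # Assumption beyond the post: catch a zip hiding behind another name.
            hits.append((name, ctype, "zip content with octet-stream type"))
    return hits


def make_zip() -> bytes:
    """Constructed sample archive holding one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


def build_sample(filename, maintype, subtype, data) -> bytes:
    """Constructed test message with a single attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample("document.zip", "application", "octet-stream", make_zip())
    print(suspicious_parts(raw))
```
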

