Full Disclosure mailing list archives
Re: Swen Really Sucks
From: christophe barbe <christophe () cattlegrid net>
Date: Wed, 24 Sep 2003 15:38:01 -0400
On Wed, Sep 24, 2003 at 12:31:08PM -0500, Brent J. Nordquist wrote:
On Wed, 24 Sep 2003, Peter Busser <peter () trusteddebian org> wrote:I use several procmail rules to filter out domains (microsoft.com, msdn.com, etc.) in From: and From, To: (e.g. microsoft.com) and certain words in the subject (e.g. Microsoft). Since the virus depends on looking like an authentic message, it can't do too much randomisation of the domains and subject lines. Of course the filtering is not perfect, but it still reduces the number of virus messages hitting the inbox.Someone pointed out yesterday that Swen has the header "SUBJECT: " in all upper-case, as opposed to the usual mixed-case "Subject: ". I looked at all the ones I've received, and sure enough, they're all upper-case. That might be another telltale you can use if you're taking the procmail approach.
From the debian mailing list, the best test you can use with procmail
seems to be to look for the uuencoded counter url used by the virus. b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv The following procmail rule has been proposed: :0 * > 140000 * < 165000 { :0 BD * b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv /dev/null } If you want to avoid the body search (B option), you can use the following regexp on the subject header: ^subject: (undeliverable|undelivered|returned)? ?(mail|message)(:? (returned to (mail|send)er|user unknown))? ^subject: (new(est)?|latest|last|current)? ?(net(work)?|microsoft|internet)? ?(critical|security)? ?(pack|patch|update|upgrade) ^subject: (abort|bug|error|failure)? ?(advice|announcement|letter|message|notice|report) The only missing subject is the empty one. Christophe -- Christophe Barb? <christophe.barbe () ufies org> GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E An empty stomach is not a good political advisor. -- Albert Einstein _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: [Fwd: Last Critical Update], (continued)
- RE: [Fwd: Last Critical Update] Richard M. Smith (Sep 23)
- Re: [Fwd: Last Critical Update] Damian Gerow (Sep 23)
- Swen Really Sucks Jason Coombs (Sep 23)
- Re: Swen Really Sucks Jonathan A. Zdziarski (Sep 23)
- Re: Swen Really Sucks Nick Price (Sep 24)
- Re: Swen Really Sucks Peter Busser (Sep 24)
- Re: Swen Really Sucks Evan Borgstrom (Sep 24)
- Re: Swen Really Sucks Justin (Sep 24)
- Re: Swen Really Sucks Evan Borgstrom (Sep 25)
- RE: [Fwd: Last Critical Update] Richard M. Smith (Sep 23)
- Re: Swen Really Sucks Brent J. Nordquist (Sep 24)
- Re: Swen Really Sucks christophe barbe (Sep 24)
- Re: Swen Really Sucks Thamer Al-Harbash (Sep 24)
- Re: Swen Really Sucks Joe Stewart (Sep 24)