Full Disclosure mailing list archives
Re: Mydoom
From: "Geoincidents" <geoincidents () getinfo org>
Date: Tue, 27 Jan 2004 18:58:18 -0500
And, as I explained earlier, even the size of the .EXE can vary, adding yet another inconstancy to the equation.
There is one consistency that may help people build mail filters. The virus codes the zip attachment as a mime type of application / octet-stream (without the spaces) instead of application/x-zip-compressed. It's a consistency you can build a words/phrase filter around.

Only drawback is that octet stream is basically the default for unknown file types, and Windows98 for some reason uses this mime type for pdf and doc type files, but that's fixable too.

You can fix Win98 by going into regedit on the client machine, to HKEY_CLASSES_ROOT\.pdf and enter a new string value of "Content Type" = "application/pdf", or for doc files go to the \.doc key and enter "application/msword", or whatever extension you find that fails when you try to send mail.

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
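The filter described in the message above, sketched as an added example that is not part of the original post: it parses a raw message and reports attachments named .zip whose declared type is application/octet-stream. The function names, addresses and sample messages are constructed for illustration; keying on the .zip filename is an assumption made here so that the Windows 98 pdf/doc case mentioned in the post is not flagged.

```python
import email
from email import policy
from email.message import EmailMessage

# MIME type the post says the worm uses for its zip attachment.
SUSPECT_TYPE = "application/octet-stream"


def mismatched_zip_attachments(raw_bytes):
    """Return filenames of .zip parts declared as application/octet-stream."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        # get_content_type() is already lower-cased by the email package.
        if name.lower().endswith(".zip") and part.get_content_type() == SUSPECT_TYPE:
            hits.append(name)
    return hits


def build_sample(filename, subtype):
    """Build a constructed test message with one application/* attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"      # constructed address
    m["To"] = "rcpt@example.org"          # constructed address
    m["Subject"] = "constructed test message"
    m.set_content("body text")
    m.add_attachment(b"constructed sample bytes", maintype="application",
                     subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("document.zip", "octet-stream"),       # pattern from the post
        ("archive.zip", "x-zip-compressed"),    # normally typed zip
        ("report.pdf", "octet-stream"),         # Win98-style pdf attachment
    ]
    for filename, subtype in samples:
        flagged = mismatched_zip_attachments(build_sample(filename, subtype))
        print(f"{filename:14} application/{subtype:18} flagged={bool(flagged)}")
```
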