Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: MyDoom-M evades attachment filters

From: "Marek Isalski" <Marek.Isalski () smuht nwest nhs uk>
Date: Tue, 27 Jul 2004 11:45:10 +0100
"lsi" <stuart () cyberdelix net> 27/07/2004 11:14:20 >>>

My current thoughts are something like this:
U.*E.*s.*D.*B.*A.*o.*A.*A.*
Still got newline prob though.


Careful -- that (corrected) regexp will overoptimistically match strings like: 'United Arab Emirates branch seeks Data 
Base Administrator to work in providing supporting "Follow-Up" project in Alcoholics Anonymous.'

You probably want to use a regexp matcher that doesn't care about newlines -- i.e. it treats the while MIME attachment 
as one big string, and you just search for U[:white:]E[:white:]... Though it could be possible that other malformed 
MIME is accepted by mail clients' parsers but fails your regexp match.  Perhaps [:white:] should really be 
[^A-Za-z0-9./] (i.e. a regexp matching characters which aren't valid Base64.

Regards,
Marek





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: