Security Incidents mailing list archives

Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!!


From: Dan Riley <dsr () MAIL LNS CORNELL EDU>
Date: Tue, 13 Feb 2001 15:08:32 -0500

Daniel Martin <dtmartin24 () HOME COM> writes:
> While this is all well and good (and will work for this virus), it is
> worthless against those vbs virii that randomize their subject lines
> (which happens).  Also, with this method one is constantly reacting to
> virus outbreaks after they happen.  Is there any way to get a sendmail
> rule to block based on the contents of a message - I'm thinking that a
> useful pattern to block on would be the filename of an attachment; if
> the filename matches the perl regexp
>
>        \.\w{2,5}\.(vbs|exe|com|hta|pl|bat|wsh|js)$

If you're willing to install procmail as your mail delivery agent,

        http://www.impsec.org/email-tools/procmail-security.html

can do what you want.

--
Dan Riley                                         dsr () mail lns cornell edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"
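
Added example, not part of the original message and not code from procmail-security: a minimal Python check that applies the regexp quoted above to the attachment filenames declared in a MIME message. The function names, the case-insensitive flag, the trailing dot/space stripping and the sample message are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Regexp quoted in the thread: a 2-5 character decoy extension followed by a
# script/executable extension. IGNORECASE is an addition made in this example.
DOUBLE_EXT = re.compile(r"\.\w{2,5}\.(vbs|exe|com|hta|pl|bat|wsh|js)$", re.I)

def is_double_extension(name):
    # Assumption added here: strip trailing dots and spaces before matching,
    # since Windows drops them when it saves the file.
    return bool(DOUBLE_EXT.search(name.rstrip(". ")))

def blocked_attachments(raw_message):
    """Return the declared attachment names that match the pattern."""
    hits = []
    for part in message_from_string(raw_message).walk():
        raw = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if not raw:
            continue
        # Decode RFC 2047 encoded-words so an encoded name is matched as displayed.
        name = str(make_header(decode_header(raw)))
        if is_double_extension(name):
            hits.append(name)
    return hits

# Constructed sample message (not from the thread): three attachments.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.TXT.vbs"

placeholder
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment

placeholder
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="=?utf-8?B?cGhvdG8uanBnLmV4ZQ==?="

placeholder
--b1--
"""
```

The check depends only on the declared filename, not on the Subject line, so a randomized subject does not change the result; single-extension names such as `script.js` do not match this pattern.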

