Security Incidents mailing list archives
(Fwd) how to filter the Novarg virus
From: "lsi" <stuart () cyberdelix net>
Date: Wed, 28 Jan 2004 17:38:24 -0000
------- Forwarded message follows -------
From:           lsi <stuart () cyberdelix net>
To:             focus-virus () securityfocus com
Subject:        how to filter the Novarg virus
Send reply to:  stuart () cyberdelix net
Date sent:      Wed, 28 Jan 2004 17:35:57 -0000

I have devised a near-bulletproof Novarg filter. The following regular expressions trap this virus dead, no matter what subject line, message body, or filename it uses:

    If expression body matches "UEsDBAoAAA*" Move [virus folder]
    If expression body matches "TVqQAAMAAA*" Move [virus folder]

This is because the worm is in fact the same program with many disguises. However, the program looks the same when encoded with MIME. Therefore, the above are basically 'MIME sigs' which work just like a virus signature in a regular virus scanner. So to find it we merely filter on the MIME strings above, which are the first 10 bytes of the MIME content section.

For users without enterprise-class content filters (such as me), these two regexps work like a silver bullet.

(That two different sigs are required suggests there are two versions of the virus in circulation.)

No silver bullet for auto-notification messages, unfortunately :(

Stuart
------- End of forwarded message -------

-- 
Stuart Udall
stuart at cyberdelix dot net - http://www.cyberdelix.net/

..revolution through evolution

want to make some cash? check out http://cyberdelix.net/affiliates.htm
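The two "MIME sigs" in the post are base64 text, so it is worth seeing exactly what bytes they stand for. The script below is an added example written for this archive page, not code from Stuart's post: it decodes the two prefixes (they are the base64 encodings of a ZIP local-file header, PK\x03\x04 with version 0x0A, and of the MZ header that starts a Win32 executable) and then applies the post's rule to a constructed sample message with three base64 attachments. The sample message, its boundary string and filenames are invented for the example. Because the rule keys on the container format rather than on the worm itself, it fires on any base64-encoded attachment of those two types (stored ZIP or PE executable), benign or not, and it depends on the attachment's encoded body starting at byte 0 of the file; a ZIP written with deflate compression (version 0x14, which encodes as "UEsDBBQ") would not match the first signature.

```python
import base64
import email

# The two base64 prefixes from the post: the first 10 characters of the
# encoded attachment body, as a mail filter sees them before decoding.
NOVARG_MIME_SIGS = ("UEsDBAoAAA", "TVqQAAMAAA")

BOUNDARY = "----=_example_boundary_0001"   # constructed for this example


def decode_sig_prefix(sig):
    """Return the whole bytes a base64 prefix represents.

    10 base64 characters carry 60 bits: 7 complete bytes plus 4 leftover
    bits. Pad to a multiple of 4 so the decoder accepts the string, then
    keep only the complete bytes.
    """
    padded = sig + "=" * (-len(sig) % 4)
    whole_bytes = (len(sig) * 6) // 8
    return base64.b64decode(padded)[:whole_bytes]


def matching_sig(part):
    """Return the signature a base64-encoded MIME part trips, or None.

    Mirrors the post's rule: the comparison is against the still-encoded
    body text, not against the decoded attachment.
    """
    cte = part.get("Content-Transfer-Encoding", "").strip().lower()
    if cte != "base64":
        return None
    body = part.get_payload(decode=False).lstrip()
    for sig in NOVARG_MIME_SIGS:
        if body.startswith(sig):
            return sig
    return None


def scan_message(raw_message):
    """Return [(filename, sig), ...] for every attachment that matches."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        sig = matching_sig(part)
        if sig is not None:
            hits.append((part.get_filename(), sig))
    return hits


def _b64_part(content_type, filename, data):
    # encodebytes wraps at 76 columns, as a MIME encoder does
    encoded = base64.encodebytes(data).decode("ascii")
    return (
        f"--{BOUNDARY}\n"
        f'Content-Type: {content_type}; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        f"\n{encoded}"
    )


def build_sample_message():
    """Constructed test message (not a real worm capture).

    Attachment stubs: the first bytes of a stored ZIP, of a PE executable
    (the usual MZ header emitted by the Microsoft linker), and of a PDF.
    """
    zip_stub = bytes.fromhex("504B03040A0000000000") + b"\x00" * 16
    mz_stub = bytes.fromhex("4D5A90000300000004000000FFFF0000B8000000")
    pdf_stub = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
    return (
        "From: someone@example.invalid\n"
        "To: you@example.invalid\n"
        "Subject: test\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "The document you requested is attached.\n"
        + _b64_part("application/octet-stream", "document.zip", zip_stub)
        + _b64_part("application/octet-stream", "file.exe", mz_stub)
        + _b64_part("application/pdf", "report.pdf", pdf_stub)
        + f"--{BOUNDARY}--\n"
    )


if __name__ == "__main__":
    for sig in NOVARG_MIME_SIGS:
        print(sig, "->", decode_sig_prefix(sig))
    print(scan_message(build_sample_message()))
```

Run it and the ZIP and EXE attachments are reported while the PDF passes; swapping the ZIP stub's version byte from 0x0A to 0x14 makes the first hit disappear, which is the evasion a filter of this kind cannot see.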
Current thread:
- (Fwd) how to filter the Novarg virus lsi (Jan 28)
- Re: (Fwd) how to filter the Novarg virus Damian Menscher (Jan 29)