Security Incidents mailing list archives

(Fwd) how to filter the Novarg virus


From: "lsi" <stuart () cyberdelix net>
Date: Wed, 28 Jan 2004 17:38:24 -0000


------- Forwarded message follows -------
From:                   lsi <stuart () cyberdelix net>
To:                     focus-virus () securityfocus com
Subject:                how to filter the Novarg virus
Send reply to:          stuart () cyberdelix net
Date sent:              Wed, 28 Jan 2004 17:35:57 -0000

I have devised a near-bulletproof Novarg filter.

The following regular expressions trap this virus dead, no matter 
what subject line, message body, or filename it uses:

If expression body matches "UEsDBAoAAA*" Move [virus folder]

If expression body matches "TVqQAAMAAA*" Move [virus folder]

This is because the worm is in fact the same program with many 
disguises.  However the program looks the same when encoded with 
MIME.  Therefore, the above are basically 'MIME sigs' which work just 
like a virus signature in a regular virus scanner.

So to find it we merely filter on the MIME strings above, which are 
the first 10 bytes of the MIME content section.

For users without enterprise-class content filters (such as me), 
these two regexps work like a silver bullet.

(That two different sigs are required suggests there are two versions 
of the virus in circulation.)

No silver bullet for auto-notification messages, unfortunately :(

Stuart

------- End of forwarded message -------
-- 
Stuart Udall
stuart at cyberdelix dot net - http://www.cyberdelix.net/
..revolution through evolution

want to make some cash? check out http://cyberdelix.net/affiliates.htm
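As an added example (not from the original post or any filtering product), this shows what the two base64 prefixes decode to and applies them to a constructed MIME message the way the post's filter rules do; the sample message, its boundary and the filename are constructed.

```python
import base64
import email
NOVARG_MIME_SIGS = ("UEsDBAoAAA", "TVqQAAMAAA")  # the two prefixes in the post

def decode_sig(sig: str) -> bytes:
    """Decode a 10-char base64 prefix to the 7 whole bytes it encodes ('=='
    pads to a multiple of 4; the 10th char's last 4 bits belong to byte 8)."""
    return base64.b64decode(sig + "==")

def encode_prefix(header: bytes) -> str:
    """The 'MIME sig' of an attachment starting with `header`: its first 10 base64 chars."""
    return base64.b64encode(header[:8]).decode()[:10]

def scan_message(raw: str) -> list:
    """(filename, sig) for every base64 part whose encoded body starts with a sig.
    Works because a MIME part begins on a base64 line boundary; the same bytes
    mid-line would be encoded with a different alignment and not match."""
    hits = []
    for part in email.message_from_string(raw).walk():
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        encoded = part.get_payload(decode=False).lstrip()
        for sig in NOVARG_MIME_SIGS:
            if encoded.startswith(sig):
                hits.append((part.get_filename() or "<unnamed>", sig))
    return hits

# Constructed message: a plain-text body plus a 24-byte attachment whose first
# bytes are a ZIP local-file header (PK\x03\x04, version 1.0, zero flags).
SAMPLE_MSG = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.zip"

UEsDBAoAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

if __name__ == "__main__":
    for sig in NOVARG_MIME_SIGS:  # both decode to generic ZIP / DOS-PE headers
        print(sig, "->", decode_sig(sig))
    print(scan_message(SAMPLE_MSG))  # [('attachment.zip', 'UEsDBAoAAA')]
```

Both prefixes are generic file-format headers (a ZIP local-file header and a DOS/PE executable stub), so any attachment of either type matches, not only the worm.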