Date:      Tue, 27 Nov 2001 14:38:57 -0500
From:      Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To:        questions@FreeBSD.ORG
Subject:   Re: The Stupid Virus going arround (recipe results so far)
Message-ID:  <20011127193857.GN36710@keyslapper.org>
In-Reply-To: <20011127155844.GD36710@keyslapper.org>
References:  <012101c17750$94e047e0$a50410ac@olmct.net> <20011127144157.GA12429@rhadamanth> <20011127155844.GD36710@keyslapper.org>

On 11/27/01 10:58 AM, Louis LeBlanc sat at the `puter and typed:
> On 11/27/01 02:41 PM, setantae sat at the `puter and typed:
> > > On Tue, Nov 27, 2001 at 09:34:11AM -0500, Andre` Niel Cameron wrote:
> > > The next time I get this thing I am sending everyone a copy of Norton ;)
> > > Everyone knows someone stuck a virus on the list. Most of us have Anti Virus
> > > software, some do not. I think those who do not need to go to download.com and
> > > get some, as you keep sending the virus to the list.  Just a thought.
> >
> > Did anyone knock out a procmail recipe for it yet ?
> >
> > If so, could you share it please ?
> >
> > Thanks,
> >
> > Ceri
>
> This was recently shared on the procmail users list:
>
> # Trap BadTrans? (signature as of 11/26/2001)
> #
> :0
> * > 40000
> * < 50000
> * ^Subject:.*Re:
> * ^Content-Type:.*multipart/related;.*"multipart/alternative";.*boundary="====_ABC1234567890DEF_===="
> {
>   :0 B hfi
>   * ^Content-Type: audio/x-wav;
>   * ^Content-ID: <EA4DMGBP9p>
>   * ^Content-Transfer-Encoding: base64
>   | formail -Y -f -A "X-Content-Security: [$HOST] NOTIFY" \
>     -A "X-Content-Security: [$HOST] QUARANTINE" \
>     -A "X-Content-Security: [$HOST] REPORT: Trapped BadTrans worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html"
> }
> :0A
> { FOLDER=spam }
>
> The first recipe will set headers to tell you that it is the worm, the
> second can  be used to  redirect it. I'm just  dumping it into  a spam
> folder with  the other cr@p, but  you may want to  /dev/null or bounce
> it.
>
> The key is the Content-Type header. Apparently it always uses the same
> mime types and the same boundary - with the quotes.

Just thought  you folks might  want to know  how I've fared  with this
particular recipe so far today:

Infected messages caught: 14
Infected messages missed: 0
False positives: 0

This is what the attachments look like in mutt:
  I     1 <no description>                 [multipa/alternativ, 7bit, 0.3K]
  I     2 `-><no description>         [text/html, quoted, iso-8859-1, 0.1K]
  I     3 docs.DOC.pif                           [audio/x-wav, base64, 38K]
  I     4 <no description>               [text/plain, 7bit, us-ascii, 0.1K]

The .pif attachment is the actual virus, and can have various names. I
don't know if it's munged from an actual document on a hard drive it's
been on, but I've seen  such titles as Humor.mp3.pif, me_naked.jpg.pif
(LOL) and various other names that don't look random.

Looks like it works, tho.

Lou

PS. You may  need to use different  formail flags in the  pipe used in
that recipe. Forgot to mention that in the original post.
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

A Law of Computer Programming:
  Make it possible for programmers to write in English
  and you will find that programmers cannot write in English.
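A Python port of the recipe quoted above, added here as a worked example; it is not code from the thread or from procmail. It applies the same conditions in the same order (message size between 40000 and 50000 bytes, "Re:" in the Subject, the multipart/related Content-Type with the fixed boundary, then the three body headers), tags a match with the same X-Content-Security headers the formail pipe adds, and routes it to the spam folder as the `:0A` recipe does. As an addition that goes beyond the recipe, it also lists `.pif` attachment names, since Lou reports the payload always shows up as a double-extension `.pif`. The host name `mailhost.example`, the `inbox` folder for unmatched mail, and the sample message built by `build_sample` are constructed for the example; the sample is shaped like the mutt listing above, not a real capture.

```python
import re

HOST = "mailhost.example"      # stands in for procmail's $HOST (constructed)
FOLDER_DEFAULT = "inbox"       # assumption: where unmatched mail is delivered
FOLDER_TRAP = "spam"           # from the ':0A { FOLDER=spam }' recipe

# Header-section conditions (the outer recipe).
SUBJECT_RE = re.compile(r"^Subject:.*Re:", re.M)
CTYPE_RE = re.compile(
    r'^Content-Type:.*multipart/related;.*"multipart/alternative";'
    r'.*boundary="====_ABC1234567890DEF_===="',
    re.M | re.S)  # re.S so a folded Content-Type header also matches (assumption)
# Body conditions (the inner ':0 B' recipe).
BODY_RES = (
    re.compile(r"^Content-Type: audio/x-wav;", re.M),
    re.compile(r"^Content-ID: <EA4DMGBP9p>", re.M),
    re.compile(r"^Content-Transfer-Encoding: base64", re.M),
)
REPORT_URL = ("http://securityresponse.symantec.com/avcenter/venc/data/"
              "w32.badtrans.b@mm.html")
# Heuristic added here, not part of the recipe: .pif names in MIME parameters.
PIF_NAME_RE = re.compile(r'(?:file)?name="?([^";\s]+\.pif)"?', re.I)


def split_message(raw: bytes):
    """Split an RFC 822 message into (header text, body text); LF or CRLF."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    return head.decode("latin-1"), body.decode("latin-1")


def matches_badtrans(raw: bytes) -> bool:
    """True when every condition of the posted recipe holds."""
    if not 40000 < len(raw) < 50000:          # '* > 40000' and '* < 50000'
        return False
    head, body = split_message(raw)
    if not (SUBJECT_RE.search(head) and CTYPE_RE.search(head)):
        return False
    return all(rx.search(body) for rx in BODY_RES)


def tag_message(raw: bytes) -> bytes:
    """Append the X-Content-Security headers the recipe's formail pipe adds."""
    raw = raw.replace(b"\r\n", b"\n")
    head, sep, body = raw.partition(b"\n\n")
    tags = [f"X-Content-Security: [{HOST}] NOTIFY",
            f"X-Content-Security: [{HOST}] QUARANTINE",
            f"X-Content-Security: [{HOST}] REPORT: Trapped BadTrans worm - see {REPORT_URL}"]
    return head + b"\n" + "\n".join(tags).encode("ascii") + sep + body


def pif_attachment_names(raw: bytes) -> list:
    """Names of .pif attachments in the body (double-extension names as in the thread)."""
    _, body = split_message(raw)
    return PIF_NAME_RE.findall(body)


def deliver(raw: bytes):
    """Return (message, folder) the way the two recipes chain: tag, then redirect."""
    if matches_badtrans(raw):
        return tag_message(raw), FOLDER_TRAP
    return raw, FOLDER_DEFAULT


def build_sample(payload_len: int = 44000, subject: str = "Re: The Stupid Virus") -> bytes:
    """Constructed message with the structure the mutt listing shows; not a real capture."""
    head = (
        "From: someone@example.invalid\n"
        f"Subject: {subject}\n"
        'Content-Type: multipart/related; type="multipart/alternative"; '
        'boundary="====_ABC1234567890DEF_===="\n'
    )
    body = (
        "\n--====_ABC1234567890DEF_====\n"
        'Content-Type: audio/x-wav;\n\tname="docs.DOC.pif"\n'
        "Content-ID: <EA4DMGBP9p>\n"
        "Content-Transfer-Encoding: base64\n\n"
        + "A" * payload_len            # filler standing in for the base64 payload
        + "\n--====_ABC1234567890DEF_====--\n"
    )
    return (head + body).encode("latin-1")


if __name__ == "__main__":
    for sample in (build_sample(), build_sample(payload_len=100)):
        tagged, folder = deliver(sample)
        print(len(sample), folder, pif_attachment_names(sample))
```

The size window and the fixed boundary and Content-ID make this a signature for one variant, which is why a small message carrying the same headers, or a Subject without "Re:", is left alone; that is also why the recipe needs re-checking when the worm's signature changes, as the "signature as of 11/26/2001" comment hints.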

