Re: Son of Swen?
On Fri, Sep 26, 2003 at 12:54:42PM -0400, Derrick 'dman' Hudson wrote:
> On Thu, Sep 25, 2003 at 11:39:08PM -0700, Ross Boylan wrote:
>
> | I just received a MS upgrade worm that appears to have a complete
> | executable that's 0.1k. So the whole message is quite brief.
>
> Are you sure there was really an executable in that message? I've
> received quite a few similar messages, except there is absolutely no
> content in the .exe mime part.
There was an .exe file that mutt said was .1k. I didn't try to
actually run it. I figured it probably connects to the net and
bootstraps the whole virus.
>
> BTW, a rule like this in your mail system's mime header checks is
> quite effective against certain forms of trash:
> /^Content-Type: .*x-(?:wav|midi);.*\.exe\b/ DISCARD LookOut! exploit
> /^Content-Type: .*x-wav;.*\.txt\b/ DISCARD LookOut! exploit
> (this particular syntax is a pcre map in postfix (>= 2.0) mime_header_checks)
Thanks. I'm still getting the hang of how far mailfilter can look
down in the message. I also wish it had a more sophisticated control
syntax with if's, and's, or's...
>
> -D
>
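
The two mime_header_checks patterns quoted above, exercised against sample MIME headers. This is an added sketch, not part of the original thread and not Postfix code: the helper names and sample headers are constructed, and the regex flags are an assumption approximating Postfix pcre table defaults (case-insensitive, "." matches newline).

```python
import re

# Assumption: approximate Postfix pcre defaults (flags i and s on).
FLAGS = re.IGNORECASE | re.DOTALL

# The two patterns quoted in the thread, each with its action text.
RULES = [
    (re.compile(r'^Content-Type: .*x-(?:wav|midi);.*\.exe\b', FLAGS),
     'DISCARD LookOut! exploit'),
    (re.compile(r'^Content-Type: .*x-wav;.*\.txt\b', FLAGS),
     'DISCARD LookOut! exploit'),
]

def logical_headers(raw):
    """Join folded continuation lines (leading space/tab) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (' ', '\t') and headers:
            headers[-1] += '\n' + line
        elif line:
            headers.append(line)
    return headers

def check(raw):
    """Return the action of the first rule matching a logical header, else None."""
    for header in logical_headers(raw):
        for pattern, action in RULES:
            if pattern.search(header):
                return action
    return None

# Constructed sample MIME part headers (hypothetical, not from real messages).
SAMPLES = {
    # Audio type with an .exe name, folded across two lines: rule 1 matches.
    'folded_wav_exe': 'Content-Type: audio/x-wav;\n\tname="patch.exe"\n'
                      'Content-Transfer-Encoding: base64',
    # Header case differs; matching is case-insensitive: rule 1 matches.
    'upper_midi_exe': 'CONTENT-TYPE: AUDIO/X-MIDI; NAME="Q.EXE"',
    # Audio type with a .txt name: rule 2 matches.
    'wav_txt': 'Content-Type: audio/x-wav; name="readme.txt"',
    # Honestly labelled executable: neither rule matches, the message passes.
    'plain_exe': 'Content-Type: application/octet-stream; name="update.exe"',
    # Genuine audio attachment: neither rule matches.
    'real_wav': 'Content-Type: audio/x-wav; name="chime.wav"',
}

if __name__ == '__main__':
    for label, raw in SAMPLES.items():
        print(f'{label:16} -> {check(raw)}')
```

The `plain_exe` case shows the limit of these rules: they catch only a type/filename mismatch, so an .exe part with an ordinary content type needs a separate check.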