Re: mymail worm
Incoming from Antony Gelberg:
>
> Anyone have a similar rule to nuke this new mymail worm? I have some
Last I heard, this one is morphing itself continuously, meaning
signatures aren't going to work. I found (something like) this in
comp.mail.misc a few days ago. There are a space and a TAB character
in the square brackets:
------------ snip -------------------------------
# mydoom - Message-ID: <3b6ef961.0401282000.9faa9c2@posting.google.com>
# comp.mail.misc, from helio@helio.com.br
#
# Subject line, whitespace-trimmed (expand turns TABs into spaces first,
# so a single space inside the [] is enough here).
M_SUBJECT=`formail -xSubject: | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
NL="
"
#
# Scored recipe over header and body (B H).  The -4 offset means either all
# five 1-point conditions must match, or at least one of the weighted body
# fragments must, before the total goes positive and the braces are entered.
# Procmail matches case-insensitively unless the D flag is given.
:0BH
* -4^0
* 1^0 > 31000
* 1^0 < 35000
* 1^0 ^Content-Transfer-Encoding: 7bit
# Put a literal TAB character (and a space) between the [] brackets below;
# procmail has no \t escape, and the charset= line is a TAB-indented
# continuation line of Content-Type.
* 1^0 ^[ 	]charset=.?Windows-1252.?
* 1^0 M_SUBJECT ?? (^$|test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?
# Fragments of the base64-encoded attachment body; these are the part a
# morphing worm defeats.
* 10^0 .*kPll1Ea7M64srTG4Qs9f8o
* 20^0 .*WXURrszriytMbhCz1/yiCG9XP6jS/b/
* 50^0 .*CmfHKpD5ZdRGuzOuLK0xuE
{
  PATSCORE=$=
  # As posted, only scores below 60 are filed: a message that matches both
  # the 20- and 50-point fragments scores at least 66 and falls through to
  # normal delivery.  Change -lt 60 to -gt 0 (or drop this inner recipe)
  # to file every match.
  :0
  * $ ? /usr/bin/test $PATSCORE -lt 60
  {
    LOG="Mydoom/MinMail/NovArg.a ($PATSCORE)$NL"
    :0
    IN.virus
  }
}
------------ snip -------------------------------
I'm still working on another to catch all the moronic bounce mail from
virus-scanner-enabled idiots.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
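The scoring arithmetic the recipe relies on, as an added example that is not part of the original post or of the comp.mail.misc recipe: a small Python reimplementation of the same conditions, run over three constructed sample messages (a bare five-signal carrier, one that also contains the 20- and 50-point attachment fragments, and an ordinary mail whose subject happens to contain "hi"). Procmail's default case-insensitive matching is assumed and reproduced with re.I; the sample headers, addresses and base64 padding are made up here, and only the literal fragments and weights come from the recipe.

```python
import re

# Scoring rules transcribed from the procmail recipe above.  Procmail matches
# case-insensitively unless the D flag is set, hence re.I on every pattern;
# the B and H flags make the patterns run over raw header and body together.
OFFSET = -4
SIZE_MIN, SIZE_MAX = 31000, 35000          # "* 1^0 > 31000" and "* 1^0 < 35000"
WEIGHTED = [
    (1, re.compile(r"^Content-Transfer-Encoding: 7bit", re.I | re.M)),
    (1, re.compile(r"^[ \t]charset=.?Windows-1252.?", re.I | re.M)),
    (1, re.compile(r"filename=.?(data|readme|doc|test|text|message|document"
                   r"|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?", re.I)),
    (10, re.compile(r"kPll1Ea7M64srTG4Qs9f8o", re.I)),
    (20, re.compile(r"WXURrszriytMbhCz1/yiCG9XP6jS/b/", re.I)),
    (50, re.compile(r"CmfHKpD5ZdRGuzOuLK0xuE", re.I)),
]
SUBJECT_RE = re.compile(r"(^$|test|hi|hello|Mail Delivery System"
                        r"|Mail Transaction Failed|Server Report|Error"
                        r"|Status( Error)?)", re.I)
INNER_THRESHOLD = 60                       # "/usr/bin/test $PATSCORE -lt 60"


def subject_of(raw: str) -> str:
    """Mimic `formail -xSubject: | sed ...`: the Subject value, trimmed."""
    m = re.search(r"^Subject:(.*)$", raw, re.M)
    return m.group(1).strip() if m else ""


def score(raw: str) -> int:
    """Total procmail score for one raw message (header and body as one text)."""
    total = OFFSET
    if SIZE_MIN < len(raw.encode()) < SIZE_MAX:
        total += 1
    if SUBJECT_RE.search(subject_of(raw)):
        total += 1
    for weight, rx in WEIGHTED:
        if rx.search(raw):
            total += weight
    return total


def route(raw: str) -> tuple:
    """Where the recipe, exactly as posted, delivers the message."""
    s = score(raw)
    if s <= 0:                      # the outer recipe only fires on a positive score
        return ("default", s)
    if s < INNER_THRESHOLD:         # the inner recipe files it ...
        return ("IN.virus", s)
    return ("default", s)           # ... but 60 or more falls through to normal delivery


def build_message(subject: str, fragments=()) -> str:
    """Constructed sample shaped like the carrier the recipe describes (not a real capture)."""
    lines = [
        'From: "Mail Delivery Subsystem" <postmaster@example.invalid>',
        "To: user@example.invalid",
        "Subject: " + subject,
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain;",
        '\tcharset="Windows-1252"',          # TAB-indented continuation line
        "Content-Transfer-Encoding: 7bit",
        "",
        "The message contains Unicode characters and has been sent as a binary attachment.",
        "",
        "--b1",
        'Content-Type: application/octet-stream; name="document.zip"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="document.zip"',
        "",
    ]
    lines += ["QUFB" * 19] * 420              # ~32 KB of dummy base64, inside the size window
    lines += list(fragments)                  # optional known attachment fragments
    lines += ["--b1--"]
    return "\n".join(lines) + "\n"


WEAK = build_message("Server Report")                       # five 1-point signals only
STRONG = build_message("Server Report", fragments=(
    "WXURrszriytMbhCz1/yiCG9XP6jS/b/", "CmfHKpD5ZdRGuzOuLK0xuE"))
LEGIT = ("From: shop@example.invalid\nTo: user@example.invalid\n"
         "Subject: Shipping update\n\nYour parcel was sent today.\n")

if __name__ == "__main__":
    for name, raw in (("weak", WEAK), ("strong", STRONG), ("legit", LEGIT)):
        print(name, route(raw))
```

The weak carrier scores exactly 1 (-4 plus five 1-point hits) and is filed; the strong one scores 71 and, with the inner test as posted, goes back to normal delivery; the legitimate mail gets its one point from "hi" inside "Shipping" but stays at -3, which is what the -4 offset is for.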