
Re: mymail worm



Incoming from Antony Gelberg:
> 
> Anyone have a similar rule to nuke this new mymail worm?  I have some

Last I heard, this one is morphing itself continuously, meaning
signatures aren't going to work.  I found (something like) this in
comp.mail.misc a few days ago.  There are a space and a TAB character
in the square brackets:

  ------------  snip  -------------------------------
# mydoom - Message-ID: <3b6ef961.0401282000.9faa9c2@posting.google.com>
#          comp.mail.misc, from helio@helio.com.br
#
M_SUBJECT=`formail -xSubject: | expand | sed -e 's/^[	 ]*//g' -e 's/[ 	]*$//g'`
#
:0BH
* -4^0
*  1^0  > 31000
*  1^0  < 35000
*  1^0  ^Content-Transfer-Encoding: 7bit
   #  Put A TAB Character Between [] Brackets Below.
*  1^0  ^[	 ]charset=.?Windows-1252.?
*  1^0  M_SUBJECT ?? (^$|test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Error|Status( Error)?)
*  1^0  .*filename=.?(data|readme|doc|test|text|message|document|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?
*  10^0 .*kPll1Ea7M64srTG4Qs9f8o
*  20^0 .*WXURrszriytMbhCz1/yiCG9XP6jS/b/
*  50^0 .*CmfHKpD5ZdRGuzOuLK0xuE
{
  PATSCORE=$=
  :0
  * $ ? /usr/bin/test $PATSCORE -lt 60
  { 
    LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
    :0
    IN.virus
  }
}
  ------------  snip  -------------------------------

I'm still working on another to catch all the moronic bounce mail from
virus scanner enabled idiots.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)               http://www.spots.ab.ca/~keeling 
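As an added illustration (example code, not part of the original post or of procmail), the recipe's weighted conditions re-implemented in Python and run over two constructed messages: each matching `w^0` condition adds w to the total that procmail leaves in `$=` (the PATSCORE above), the -4 base keeps a plain message negative, and the brace block only runs when the sum is positive. The size checks approximate procmail's length test on the whole message.

```python
import re

# Constructed sample (not a real worm sample): a bounce-style notice with a folded
# Content-Type header, a 7bit text part and an attachment carrying one weighted fragment.
SAMPLE_HIT = """From: postmaster@example.invalid
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain;
\tcharset="Windows-1252"
Content-Transfer-Encoding: 7bit

--bnd
Content-Type: application/octet-stream; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

kPll1Ea7M64srTG4Qs9f8oAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""
SAMPLE_CLEAN = "From: a@example.invalid\nSubject: lunch?\n\nNoon works for me.\n"

FLAGS = re.I | re.M  # procmail matches case-insensitively unless the D flag is set

def conditions(raw: str):
    """One (label, weight, matched) per weighted condition; size checks approximate procmail's '> n' / '< n'."""
    m = re.search(r'^Subject:[ \t]*(.*)$', raw, FLAGS)
    subj = m.group(1).strip() if m else ''
    return [
        ('base', -4, True),  # '-4^0' with no pattern always matches
        ('size>31k', 1, len(raw) > 31000),
        ('size<35k', 1, len(raw) < 35000),
        ('7bit', 1, bool(re.search(r'^Content-Transfer-Encoding: 7bit', raw, FLAGS))),
        ('charset', 1, bool(re.search(r'^[\t ]charset=.?Windows-1252', raw, FLAGS))),
        # alternatives are unanchored: 'hi' also hits 'this', 'Error' also hits 'Terror'
        ('subject', 1, bool(re.search(r'^$|test|hi|hello|Mail Delivery System|Mail Transaction '
                                      r'Failed|Server Report|Error|Status( Error)?', subj, re.I))),
        ('filename', 1, bool(re.search(r'filename=.?(data|readme|doc|test|text|message|document|'
                                       r'file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip)', raw, FLAGS))),
        ('frag10', 10, bool(re.search('kPll1Ea7M64srTG4Qs9f8o', raw, re.I))),
        ('frag20', 20, bool(re.search('WXURrszriytMbhCz1/yiCG9XP6jS/b/', raw, re.I))),
        ('frag50', 50, bool(re.search('CmfHKpD5ZdRGuzOuLK0xuE', raw, re.I))),
    ]

def score(raw: str) -> int:  # the sum procmail leaves in $= (PATSCORE above)
    return sum(w for _, w, hit in conditions(raw) if hit)

def flagged(raw: str) -> bool:  # the brace block runs only when the score is positive
    return score(raw) > 0
```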