September 19, 2003

new virus

blaster2 is supposed to show up this weekend, so make sure you are all patched. w2k/wxp users go here and get your appropriate patch. also, for the swen virus going around right now, here is the procmail rule i came up with that seems to be working:

VERBOSE=yes
# change this to your preferred log location, typically /var/log/foo.log
LOGFILE=/home/virus/virus.log

# only multipart/mixed messages get scanned; everything else falls
# through to normal delivery untouched
:0 H
* ^Content-type: (multipart/mixed)
{
    # look at the body (which in procmail includes the MIME part headers)
    # for an attached .ocx, .vbs, .exe etc. if one is there, deliver the
    # message to the quarantine directory instead of the inbox
    :0 B
    * ^Content-Disposition: (attachment|inline)
    * filename=".*\.(ocx|vbs|wsf|shs|exe|com|bat|chm|pif|vbe|hta|scr)"
    {
        # location to send viruses to: typically /dev/null, but i keep them
        # around in case of a false positive. naming a directory here makes
        # procmail write each message as its own file; the directory must
        # already exist and be writable by the user procmail runs as.
        :0
        /home/virus
    }

    # .... other rules

    # w32.swen pattern/body matching: body text to search for
    :0 B
    * Cumulative Patch
    {
        # modify virus/msg path
        :0
        /home/virus
    }
}

here is a great description of the virus. as you can see, matching that part of the body was the easiest and least resource-intensive approach: it only scans multipart/mixed messages for "Cumulative Patch" (instead of trying to match every variation of the subject), and you can replace "Cumulative Patch" with a body snippet of whatever else comes along. bear in mind that the same phrase appears in the titles of genuine microsoft security bulletins, so a bulletin forwarded inside a multipart/mixed message will be quarantined too; the copy in /home/virus is what lets you recover such a false positive. the first part of the recipe blocks the other hazardous attachment types but still keeps them (by delivering to /home/virus) in case of a false positive. note that it only looks at quoted filename= values, so an attachment sent with an unquoted filename slips past that check, and a message sent as any other multipart subtype is never scanned at all. you can either put this in your /home/user/.procmailrc or, if you are an admin, in /etc/procmailrc. if you are an admin please test first as i make no guarantee etc etc.
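since the recipe should be tested before it goes into /etc/procmailrc, here is a dry run of its four conditions in python. this is an added example, not part of the original post and not procmail's own code: the regexes are transcribed from the recipe, python's regex engine only approximates procmail's dialect, and the four messages are constructed for the test (nothing in them is a real swen sample). it shows which mailbox each message would end up in, including one false positive and one miss that the recipe has by construction.

```python
import re

# The four conditions from the recipe above, transcribed literally. re.I mirrors
# procmail's default case-insensitive matching; re.M lets ^ anchor at the start
# of any line, as it does in procmail. Python's regex dialect is only an
# approximation of procmail's, so this is a dry run, not a substitute for
# feeding real messages through the rcfile.
HEADER_MULTIPART = re.compile(r"^Content-type: (multipart/mixed)", re.I | re.M)
BODY_DISPOSITION = re.compile(r"^Content-Disposition: (attachment|inline)", re.I | re.M)
BODY_BAD_FILENAME = re.compile(
    r'filename=".*\.(ocx|vbs|wsf|shs|exe|com|bat|chm|pif|vbe|hta|scr)"', re.I
)
BODY_SWEN = re.compile(r"Cumulative Patch", re.I)

QUARANTINE_ATTACHMENT = "/home/virus (attachment rule)"
QUARANTINE_SWEN = "/home/virus (swen body rule)"
INBOX = "inbox"


def split_message(raw):
    """Split a raw message at the first blank line into the header block the
    H flag sees and the body (MIME part headers included) the B flag sees."""
    head, _, body = raw.partition("\n\n")
    return head, body


def classify(raw):
    """Return where the recipe would deliver one raw message.

    Mirrors the recipe's control flow: the outer H recipe gates on
    multipart/mixed; inside it the first nested recipe that matches delivers
    to the quarantine directory and procmail stops, so the Swen body check
    only runs when the attachment check did not fire.
    """
    head, body = split_message(raw)
    if not HEADER_MULTIPART.search(head):
        return INBOX
    if BODY_DISPOSITION.search(body) and BODY_BAD_FILENAME.search(body):
        return QUARANTINE_ATTACHMENT
    if BODY_SWEN.search(body):
        return QUARANTINE_SWEN
    return INBOX


def multipart_mixed(subject, parts):
    """Assemble a constructed multipart/mixed message from MIME part strings."""
    lines = ["From: sender@example.invalid", "Subject: " + subject,
             'Content-Type: multipart/mixed; boundary="b1"', ""]
    for part in parts:
        lines += ["--b1", part]
    lines.append("--b1--")
    return "\n".join(lines)


# Constructed samples (not real mail). The first imitates the lure described
# in the post: patch-notification text plus an executable attachment.
SWEN_LIKE = multipart_mixed("Latest Internet Security Update", [
    "Content-Type: text/plain\n\nInstall this Cumulative Patch to protect your system.",
    'Content-Type: application/octet-stream; name="q817612.exe"\n'
    'Content-Disposition: attachment; filename="q817612.exe"\n\nTVqQAAMAAAAE',
])
# A forwarded genuine-looking bulletin: harmless .txt attached, but the body
# phrase trips the Swen rule. This is the false positive the post warns about.
FORWARDED_BULLETIN = multipart_mixed("Fwd: MS03-040", [
    "Content-Type: text/plain\n\nFYI: Cumulative Patch for Internet Explorer (828750).",
    'Content-Disposition: attachment; filename="bulletin.txt"\n\nsee attached',
])
# Same phrase in a plain-text message: never scanned, because the outer
# recipe only opens multipart/mixed mail.
PLAIN_BULLETIN = "\n".join([
    "From: sender@example.invalid", "Subject: MS03-040",
    "Content-Type: text/plain", "",
    "Cumulative Patch for Internet Explorer (828750).",
])
# Executable with an unquoted filename parameter: the attachment regex
# insists on filename="...", so this one is missed.
UNQUOTED_EXE = multipart_mixed("setup", [
    "Content-Disposition: attachment; filename=setup.exe\n\nTVqQAAMAAAAE",
])

if __name__ == "__main__":
    for name in ("SWEN_LIKE", "FORWARDED_BULLETIN", "PLAIN_BULLETIN", "UNQUOTED_EXE"):
        print(name, "->", classify(globals()[name]))
```

once the dry run does what you expect, run the real thing the same way procmail will see it: `procmail -m /path/to/rcfile < message.eml` feeds one saved message through a given rcfile, and VERBOSE=yes in the rcfile writes every condition's result to LOGFILE.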

austin = homogay


