[Esa-l] Poisoning "from" and subject line?

[Brett Glass]

This particular worm is nasty in that it can use many subject lines
and attachment names. Some of the attachment names end in .EXE, meaning
that one has to poison all executables in order to stop it or look
for a VERY long list of file names. The most constant thing about this
one is the body text. I'm considering writing a Sendmail rule to search
the body, since the sanitizer really isn't suited for this task and
it's best to dispose of the message before invoking Procmail if possible.

--Brett

At 12:56 PM 11/30/2000, Dustin Ankeny wrote:
  
>I've been having some difficulty with the poisoned list, with viruses like
>hybris (which does not have a standard exe/scr name, it has a list of names
>randomly picked) so therefore hard to poison... but it always appears to be
>sent from...
>
>From: Hahaha <hahaha at sexyfun.net>
>
>Or it always has a standard subject line of
>
>Subject: Snowhite and the Seven Dwarfs - The REAL story!
>
>Anyway getting to my point, could there also be poisoned list for the
>subject line as well as the from field? (possibly others?)  I know this is
>getting a little out there, but I believe that attachment names will be
>getting a little more fluid or polymorphic as time goes on.  So any other
>standard keys that virus/trojan writers give us, we should use against them.
>
>Oh by the way, I have my current poisoned list here which has the hybris
>names in it.
>http://www.geocities.com/ankdom/poisoned.txt
>
>Thank you for your time,
>Dustin Ankeny
>SysAdmin
>Heritage
>
>Hybris
>http://www.symantec.com/avcenter/venc/data/w32.hybris.gen.html
>http://vil.nai.com/vil/virusSummary.asp?virus_k=98873
>
>_______________________________________________
>E-mail Security Announce list mailing list
>E-mail Security Announce list at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esa-l