[Esd-l] Anyone got a procmail signature for Klez?

John D. Hardin jhardin at impsec.org
Fri Apr 26 21:47:01 PDT 2002

On Fri, 26 Apr 2002, Brett Glass wrote:

> I'm getting so many copies that it would be nice to identify them
> separately.

Rev. 0.1:

# Trap Klez (signature as of 04/26/2002)
# Outer recipe: header-only conditions (size floor, multipart/alternative)
:0
* > 100000
* ^Content-Type:.*multipart/alternative;
{
        # Inner recipe: B = match against the body (the MIME part headers
        # and the HTML part); h = pass only the header to formail,
        # f = filter, i = ignore write errors.
        # (3D)? allows for the quoted-printable spelling "=3D" of "=".
        :0 B hfi
        * <iframe +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
        * ^Content-Type:.*audio/
        * ^Content-ID:.*<
        * ^Content-Transfer-Encoding: base64
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped possible Klez worm - see"
}

Note that this will not trap the non-automatically-executing variant.
If you want to trap both, copy this rule and delete the IFRAME regex
line. That rule might generate false positives, though, maybe if
someone actually does email an executable and a sound file together...

I'd like to be able to add an upper size limit, but it can grab just
about any file off the victim's system. I have one in my quarantine
that has a 500kb+ .DOC file attachment.

If this works well here this weekend, I'll post it on the website with
the others.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                       pgpk -a jhardin at wolfenet.com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
   921 days until the Presidential Election
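The signature above, rendered in Python so it can be run offline against constructed messages. This is an added example, not code from the post or from the Email Sanitizer; the sample messages, the Content-ID value, the audio/x-wav part and the attachment name in build_sample() are made up for the demonstration. The regexes are the procmail conditions verbatim, with re.I standing in for procmail's default case-insensitive matching and re.M for its line-anchored "^". The require_iframe=False switch is the "copy the rule and delete the IFRAME regex line" variant described in the post.

```python
"""Python rendering of the procmail Klez trap (added example, not part of
the original post).  The checks mirror the procmail conditions one for one:
a size floor, a multipart/alternative outer Content-Type, then four body
regexes.  Like procmail, the body regexes run over the RAW body text, so the
quoted-printable "=3D" spelling of "=" is matched by the (3D)? groups rather
than by decoding the HTML part first.
"""
import base64
import re

MIN_SIZE = 100000  # the "* > 100000" condition (message must be larger)

# Header condition (outer recipe, header only).
HEADER_RE = re.compile(r"^Content-Type:.*multipart/alternative;", re.M | re.I)

# Body conditions (inner ":0 B" recipe), same order as the procmail rule.
# re.M: procmail's '^' matches after any newline.  '.' does not cross a
# newline in either engine.  re.I: procmail ignores case unless the D flag
# is given.
IFRAME_RE = re.compile(
    r"<iframe +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>", re.I)
BODY_RES = [
    ("audio part", re.compile(r"^Content-Type:.*audio/", re.M | re.I)),
    ("content-id", re.compile(r"^Content-ID:.*<", re.M | re.I)),
    ("base64 attachment",
     re.compile(r"^Content-Transfer-Encoding: base64", re.M | re.I)),
]


def split_message(raw: str):
    """Split a raw RFC 822 message (LF line endings) into (header, body)."""
    header, _, body = raw.partition("\n\n")
    return header, body


def trap_klez(raw: str, require_iframe: bool = True):
    """Return (trapped, reason).  require_iframe=False is the post's
    'delete the IFRAME regex line' variant that also catches the
    non-auto-executing form (at the cost of more false positives)."""
    if len(raw.encode()) <= MIN_SIZE:
        return False, "below size floor"
    header, body = split_message(raw)
    if not HEADER_RE.search(header):
        return False, "not multipart/alternative"
    if require_iframe and not IFRAME_RE.search(body):
        return False, "no auto-executing IFRAME"
    for name, rx in BODY_RES:
        if not rx.search(body):
            return False, f"missing {name}"
    return True, "possible Klez worm"


def build_sample(with_iframe: bool, audio_part: bool = True,
                 size: int = MIN_SIZE + 4096) -> str:
    """Construct a Klez-shaped message (constructed test data, NOT a real
    worm sample).  The HTML part is quoted-printable, so '=' is written
    '=3D' exactly as the signature expects; the 'audio' part is base64
    filler, padded so the whole message exceeds the size floor."""
    boundary = "----=_NextPart_000_0000"
    html = "<html><body>"
    if with_iframe:  # the auto-executing variant: hidden IFRAME to the cid
        html += "<iframe src=3Dcid:V4r9Gk2f3 height=3D0 width=3D0></iframe>"
    html += "</body></html>"
    parts = ['Content-Type: text/html;\n\tcharset="iso-8859-1"\n'
             "Content-Transfer-Encoding: quoted-printable\n\n" + html + "\n"]
    if audio_part:  # executable disguised as a sound file (assumed shape)
        payload = base64.b64encode(b"\x00" * size).decode()
        wrapped = "\n".join(payload[i:i + 76]
                            for i in range(0, len(payload), 76))
        parts.append('Content-Type: audio/x-wav;\n\tname="setup.exe"\n'
                     "Content-Transfer-Encoding: base64\n"
                     "Content-ID: <V4r9Gk2f3>\n\n" + wrapped + "\n")
    header = ("From: someone@example.com\nTo: victim@example.com\n"
              "Subject: a funny website\nMIME-Version: 1.0\n"
              "Content-Type: multipart/alternative;\n"
              f'\tboundary="{boundary}"\n')
    body = "".join(f"--{boundary}\n{p}" for p in parts) + f"--{boundary}--\n"
    return header + "\n" + body


if __name__ == "__main__":
    cases = [
        ("auto-exec Klez", build_sample(True), True),
        ("non-auto-exec Klez, rule as posted", build_sample(False), True),
        ("non-auto-exec Klez, IFRAME line removed", build_sample(False), False),
        ("small benign message", build_sample(False, audio_part=False), True),
    ]
    for label, msg, strict in cases:
        print(f"{label:42s} -> {trap_klez(msg, require_iframe=strict)}")
```

One caveat a practitioner should keep in mind: because neither procmail's "." nor Python's crosses a newline, a quoted-printable soft line break (a trailing "=") falling inside the IFRAME tag defeats both this regex and the procmail original, so a message whose HTML was wrapped at 76 columns in the middle of that tag passes the strict rule and is only caught by the IFRAME-less variant.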
