[Esd-l] Worm warning: w32.Mypart@mm

Murray Crane mcrane at longbridge.com
Wed Jan 30 23:05:47 PST 2002


For those that want it, here is a very simple local.procmail recipe to catch the lovely yahoo party worm.  If anyone would like a sample of this beast to improve/tighten this recipe, just ask.  I diff'ed the four copies we got overnight and the only differences (barring headers) were the random number the sanitizer put into the "filename" to mangle it.

As always, beware of word wrapping, particularly on the X-Content-Security REPORT line, which is necessarily quite long.

Murray Crane
Network Systems Administrator
Longbridge International Plc

# Trap Myparty? (Signature as of 2002-01-30)
#
# Outer recipe: only look further at mail whose Subject carries the worm's
# lure text (procmail regexes are case-insensitive unless the D flag is set).
:0
* ^Subject.*new photos from my party
{
        # Inner recipe flags: B = match the body instead of the header,
        # h = feed only the header to the pipe, f = treat the pipe as a
        # filter (formail's output replaces the header), i = ignore write
        # errors.  The body pattern is the first line of the worm's
        # uuencoded attachment.
        :0 B hfi
        * ^begin 666 www\.myparty\.yahoo\.com
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped Myparty worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.myparty.a@mm.html"
}
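The same two conditions, re-implemented in Python as an added example (not part of the original post) so the match logic can be exercised without procmail or formail; the messages are constructed samples with a placeholder uuencode line, and the HOST value is assumed.

```python
import re

# Assumed value for procmail's $HOST; any hostname string works here.
HOST = "mailhost.example"
REPORT_URL = "http://securityresponse.symantec.com/avcenter/venc/data/w32.myparty.a@mm.html"

# Same two signatures as the recipe. procmail matches case-insensitively by
# default, and under the B flag "^" anchors to the start of any body line.
SUBJECT_RE = re.compile(r"^Subject.*new photos from my party", re.I | re.M)
BODY_RE = re.compile(r"^begin 666 www\.myparty\.yahoo\.com", re.I | re.M)


def tag_myparty(raw: str, host: str = HOST):
    """Return the message with the three X-Content-Security headers appended
    (what formail -A does), or None if either condition fails."""
    head, sep, body = raw.partition("\n\n")
    if not sep:  # no header/body separator: nothing to filter
        return None
    if not SUBJECT_RE.search(head) or not BODY_RE.search(body):
        return None  # procmail would fall through to later recipes
    tags = ["NOTIFY", "QUARANTINE", f"REPORT: Trapped Myparty worm - see {REPORT_URL}"]
    extra = "".join(f"\nX-Content-Security: [{host}] {tag}" for tag in tags)
    return head + extra + sep + body


# Constructed sample: only the Subject and the uuencode "begin" line mimic the
# worm; the data line is a placeholder, not a real payload.
WORM_SAMPLE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: new photos from my party!\n"
    "\n"
    "begin 666 www.myparty.yahoo.com\n"
    "M(placeholder uuencoded data)\n"
    "`\n"
    "end\n"
)
# Same subject but no uuencoded attachment: the inner condition lets it pass.
CLEAN_SAMPLE = (
    "From: friend@example.invalid\n"
    "Subject: new photos from my party\n"
    "\n"
    "Album link in the next mail.\n"
)

if __name__ == "__main__":
    print(tag_myparty(WORM_SAMPLE))
    print(tag_myparty(CLEAN_SAMPLE))
```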
