[Esd-l] Anyone got a procmail signature for Klez?

Huba Leidenfrost huba at uidaho.edu
Wed May 1 10:51:00 PDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On another list (unisog at sans.org) I just saw this:

:0 B
* AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW
/local/virus/klez

This is found in the second line of some of the infected files.  Your
procmail recipe 

* ^TVqQAAMAAAAEAAAA

catches it on the first line and I haven't been able to find any that
don't have both.  Adding this other line probably would not hurt.

- -Huba at uidaho.edu

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPNApC0pG2S0cMeJwEQIB9QCgrijIiU8LBUjgGqlskrAkrFqeMGsAoMBi
kDUueXxPf25IQ+8+jAbCNDPd
=DAj0
-----END PGP SIGNATURE-----



More information about the esd-l mailing list