[Esd-l] Revised SoBig-F local rule

Peter Warasin Peter.Warasin at darkrealms.org
Thu Aug 21 03:20:57 PDT 2003


hi

Attention: I think this new rule is not correct.
As you see in
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
the new variant does not have .zip files anymore. The attachments are
.pif or .scr files.
The listed files are not compressed in a .zip file!

And then, the line in the body can be:
See the attached file for details  or
Please see the attached file for details.

So, the correct rule should look like this:
> :0
> * > 100000
> * < 120000
> * ^Content-Type:.*multipart/mixed;
> {
>         :0 B hfi
>         * ^ *(Please )?see the attached (zip )?file for details\.?
>         * ^Content-Disposition: attachment;
>         * ^Content-Transfer-Encoding: base64
>         * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.(zip|pif|scr)"?
>         * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.(zip|pif|scr)"?
>         | formail -A "X-Content-Security: [$HOST] NOTIFY" \
>                   -A "X-Content-Security: [$HOST] QUARANTINE" \
>                   -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
> }

It's tested and works for me for the SoBig.F worm... I had no SoBig.E, so
I couldn't test if it works for it, too.

peter
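An added check, not part of Peter's post or the esd-l recipe: it re-implements the conditions of the procmail rule above in Python and runs them over a constructed message, so the regexes can be exercised without a procmail setup. The sample message, its addresses and the MIME boundary are made up; only the patterns come from the rule.

```python
import re

# Patterns transcribed from the procmail rule in the post.  procmail
# conditions are case-insensitive egrep patterns matched line by line,
# which re.IGNORECASE | re.MULTILINE reproduces; a "$" inside a procmail
# regex consumes a newline, so ".*$.*name" is written ".*\n.*name" here.
FLAGS = re.I | re.M
TOP_CTYPE = re.compile(r"^Content-Type:.*multipart/mixed;", FLAGS)
BODY_PHRASE = re.compile(r"^ *(Please )?see the attached (zip )?file for details\.?", FLAGS)
DISPOSITION = re.compile(r"^Content-Disposition: attachment;", FLAGS)
ENCODING = re.compile(r"^Content-Transfer-Encoding: base64", FLAGS)
NAMES = (r"(action|your_(details|document)|application|details|document(_all)?"
         r"|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.(zip|pif|scr)")
NAME_SAME_LINE = re.compile(r'^Content-(Type|Disposition):.*name *= *"?' + NAMES + '"?', FLAGS)
NAME_NEXT_LINE = re.compile(r'^Content-(Type|Disposition):.*\n.*name *= *"?' + NAMES + '"?', FLAGS)


def matches_sobig_rule(msg: str) -> bool:
    """True when every condition of the recipe holds for the raw message."""
    if not 100000 < len(msg) < 120000:        # "* > 100000" and "* < 120000"
        return False
    head, sep, body = msg.partition("\n\n")   # outer recipe: header only
    if not sep or not TOP_CTYPE.search(head):
        return False
    # Inner recipe has the B flag: its conditions run over the body, and the
    # MIME part headers are part of the body as procmail sees it.  The
    # 9876543210^1 scores make either filename condition sufficient on its own.
    name_hit = NAME_SAME_LINE.search(body) or NAME_NEXT_LINE.search(body)
    return bool(BODY_PHRASE.search(body) and DISPOSITION.search(body)
                and ENCODING.search(body) and name_hit)


def sample_message(filename: str = "your_document.pif",
                   phrase: str = "Please see the attached file for details.") -> str:
    """Constructed message shaped like the variant described in the post
    (not a captured worm message); padded into the rule's size window."""
    return (
        "From: someone@example.com\nTo: you@example.com\nSubject: Re: Details\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="xyz"\n\n'
        f"--xyz\nContent-Type: text/plain;\n\n{phrase}\n\n"
        f'--xyz\nContent-Type: application/octet-stream;\n\tname="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment;\n\tfilename="{filename}"\n\n'
        + "A" * 105000 + "\n--xyz--\n"
    )
```

The name parameter is deliberately placed on a folded continuation line, which is the case the rule's second `.*$.*name` condition exists for.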
