[Esd-l] Palyh worm

Brett Glass brett at lariat.org
Tue May 20 22:07:00 PDT 2003


At 03:03 PM 5/20/2003, Andy Feldt wrote:

>All of the messages we have received had a Content-Type 'name' with the full
>'.pif' extension and a Content-Disposition 'filename' with the '.pi'
>extension. They were all caught by the Sanitizer.

John's sanitizer has been missing some copies of the worm. Here is the
text from one instance:

>Return-Path: <support at microsoft.com>
>Received: from SCIPIO (HSE-Toronto-ppp294990.sympatico.ca [64.231.31.146])
>        by lariat.org (8.9.3/8.9.3) with ESMTP id KAA18408
>        for <brett at lariat.org>; Tue, 20 May 2003 10:25:48 -0600 (MDT)
>From: support at microsoft.com
>Message-Id: <200305201625.KAA18408 at lariat.org>
>To: <brett at lariat.org>
>Subject: Cool screensaver
>Date: Tue, 20 May 2003 12:25:41 --0400
>Importance: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>X-MSMail-Priority: Normal
>X-Priority: 3 (Normal)
>MIME-Version: 1.0
>X-Security: Warning! Do not open files attached to e-mail if you do not
>        have an up-to-date virus protection program or did not expect to
>        receive them. Even if the message is from someone you know, an
>        attachment can contain a virus sent without his or her knowledge.
>Content-Type: multipart/mixed;
>        boundary="CSmtpMsgPart123X456_000_0024CFF3"
>X-UIDL: 1b0b8f169eb32654fe9dc6b16aaaa78f
>
>All information is in the attached file. 

The string "CSmtpMsgPart123X456_000_" in the boundary tag seems to be a
reliable signature. Anyone know how to write a Procmail recipe for this?

--Brett
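The boundary signature identified above, turned into the Procmail recipe the post asks for, together with a small shell check that emulates the recipe's header match against constructed messages. This is an added example, not text from the original post or from John's sanitizer. The quarantine path, the addresses and both sample messages are assumptions; only the boundary string comes from the quoted headers.

```shell
#!/bin/sh
# Added example: a Procmail recipe for the Palyh boundary signature, plus an
# offline check of the same condition.  Paths and samples are constructed.

# 1. The recipe.  Procmail searches the header by default, '^' matches after
#    any embedded newline, and '.' does not cross newlines, so '^.*boundary='
#    matches whether the parameter is on the Content-Type line itself or on a
#    folded continuation line (as in the quoted message).  ':0:' takes a local
#    lockfile because the action appends to a mailbox file; the mailbox path is
#    an assumption.
PALYH_RECIPE=$(cat <<'EOF'
:0:
* ^.*boundary="CSmtpMsgPart123X456_000_
$MAILDIR/quarantine.palyh
EOF
)

# 2. Emulation of the recipe's condition: only the header block (everything
#    before the first empty line) is examined, so the same string quoted in a
#    message body, e.g. in a discussion of the worm, does not trigger it.
palyh_header_match() {
    # $1: path to a raw message; prints "match" or "nomatch"
    if sed '/^$/q' "$1" | grep -q '^.*boundary="CSmtpMsgPart123X456_000_'; then
        echo match
    else
        echo nomatch
    fi
}

# Constructed sample 1: worm-style message with the folded Content-Type header
# (addresses replaced with placeholders).
SAMPLE_WORM=$(mktemp)
cat >"$SAMPLE_WORM" <<'EOF'
From: support@example.invalid
To: user@example.invalid
Subject: Cool screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="CSmtpMsgPart123X456_000_0024CFF3"

All information is in the attached file.
EOF

# Constructed sample 2: legitimate mail that mentions the string only in its body.
SAMPLE_CLEAN=$(mktemp)
cat >"$SAMPLE_CLEAN" <<'EOF'
From: colleague@example.invalid
To: user@example.invalid
Subject: Re: Palyh signature
Content-Type: text/plain

Filter on boundary="CSmtpMsgPart123X456_000_" in the headers, not the body.
EOF
trap 'rm -f "$SAMPLE_WORM" "$SAMPLE_CLEAN"' EXIT

# Usage: show the recipe to paste into ~/.procmailrc, then try both samples.
printf '%s\n\n' "$PALYH_RECIPE"
printf 'worm sample:  %s\n' "$(palyh_header_match "$SAMPLE_WORM")"
printf 'clean sample: %s\n' "$(palyh_header_match "$SAMPLE_CLEAN")"
```

The recipe deliberately does not anchor on `Content-Type:` itself, since the boundary parameter in the quoted message sits on a continuation line; matching the boundary string alone is what makes the signature reliable across folding styles.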



More information about the esd-l mailing list