[Esd-l] Palyh worm
brett at lariat.org
Tue May 20 22:07:00 PDT 2003
At 03:03 PM 5/20/2003, Andy Feldt wrote:
>All of the messages we have received had a Content-Type 'name' with the full
>'.pif' extension and a Content-Disposition 'filename' with the '.pi'
>extension. They were all caught by the Sanitizer.
John's sanitizer has been missing some copies of the worm. Here is the
text from one instance:
>Return-Path: <support at microsoft.com>
>Received: from SCIPIO (HSE-Toronto-ppp294990.sympatico.ca [126.96.36.199])
> by lariat.org (8.9.3/8.9.3) with ESMTP id KAA18408
> for <brett at lariat.org>; Tue, 20 May 2003 10:25:48 -0600 (MDT)
>From: support at microsoft.com
>Message-Id: <200305201625.KAA18408 at lariat.org>
>To: <brett at lariat.org>
>Subject: Cool screensaver
>Date: Tue, 20 May 2003 12:25:41 --0400
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>X-Priority: 3 (Normal)
>X-Security: Warning! Do not open files attached to e-mail if you do not
> have an up-to-date virus protection program or did not expect to
> receive them. Even if the message is from someone you know, an
> attachment can contain a virus sent without his or her knowledge.
>All information is in the attached file.
The string "CSmtpMsgPart123X456_000_" in the boundary tag seems to be a
reliable signature. Anyone know how to write a Procmail recipe for this?
More information about the esd-l