[Esd-l] Palyh worm

Andy Feldt feldt at nhn.ou.edu
Wed May 21 09:08:19 PDT 2003

Brett Glass wrote:
> The string "CSmtpMsgPart123X456_000_" in the boundary tag seems to be a
> reliable signature. Anyone know how to write a Procmail recipe for this?

I like the more general approach used by Nikos K. Kantarakias in his
YAVR (Yet Another Virus Recipe).  See:


He chooses sets of seven character strings from the base64 text of the
attachment and uses the scoring technique available in procmail
recipes to (hopefully) uniquely identify various viruses.  He does not
yet have a recipe for SoBig.B (SoBig is another name for Palyh) and is
not currently updating his script until this fall.  I do not know the
technique he uses for choosing these, so I made up my own for this
variant by selecting a set from the part of the virus that appeared to
be invariant from a small sampling.  Here is the recipe that I have
been using in my local ruleset (run before the Sanitizer):

#for SoBig
* -1000^0
*   200^0 ^TVqQAAM
*   200^0 K/cBHSx
*   200^0 rZVJizb
*   200^0 DrVitFc
*   200^0 rolkJrX
*   200^0 zt8P9pT
#SoBig.B - locally derived
*   200^0 oZDbDKN
*   200^0 NywOODk
*   200^0 mWwUO/a
*   200^0 xwdpVwM
*   200^0 zySQUFx
  LOG="---=== WORM-SOBIG ===---${NL}"
  :0 hfi
  | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
            -A "X-Content-Security: [$HOST] DISCARD" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig"

I found the man page for procmailsc to be quite illuminating!

Also, I would welcome any suggestions about how to best choose a
set of strings from the base64 encoding for this (or, more generally,
for any) virus.


Andy Feldt
Senior System Support Programmer
Affiliate Assistant Professor
Department of Physics and Astronomy
The University of Oklahoma

More information about the esd-l mailing list