[Esd-l] Re: Signature to trap Mimail.C (fwd)

John D. Hardin jhardin at impsec.org
Tue Nov 4 15:48:37 PST 2003

---------- Forwarded message ----------
Date: Tue,  4 Nov 2003 18:12:17 -0500
From: J Paul Keen <paulk at floridachristian.org>
To: John D. Hardin <jhardin at impsec.org>
Subject: Re: Signature to trap Mimail.C

Sorry I just realized I messed up the email .... I was trying to type on only
2hrs of sleep ... lol.  Anyway here is the correct info:

# Trap Mimail.C
* ^X-Mailer:.*The Bat
* ^Content-Type:.*multipart/mixed;
        :0 B hfi
        * ^Content-Type: application/x-zip-compressed;
        * ^Content-Transfer-Encoding: base64
        * ^Content-Disposition: attachment; filename=.*photos\.zip
        * ^UEsDBAoAAAAAA
        | formail -A "X-Content-Security: [$HOST] NOTIFY" \
                  -A "X-Content-Security: [$HOST] QUARANTINE" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped MiMail.C worm
- http://www.sarc.com/avcenter/venc/data/w32.mimail.c@mm.html"

--Paul Keen
  Technology Cordinator
  Florida Christian School

More information about the esd-l mailing list