[Esd-l] URG: Updated novarg local rule for sanitizer

John D. Hardin jhardin at impsec.org
Tue Jan 27 06:08:05 PST 2004


Based on what made it through overnight I have updated the rule a bit.
See the attachment or grab the recommended rules file.

Unfortunately it seems to be using some random filenames, so I will be
looking for signature strings in the base64 attachment body. Keying
off the filename won't be enough.

You may wish to consider adding "zip" to your local non-whitelisted
mangle extensions list for a week or so until this starts to die down.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   67 days until the Slovakian Presidential Election
-------------- next part --------------

# Trap NovArg
# Signature as of 01/27/2004
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*charset *= *"?Windows-1252"?
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*$.*charset *= *"?Windows-1252"?
        :0 B hfi
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
        * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
        | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"

More information about the esd-l mailing list