[Esd-l] Anyone have an invariant signature for Goker?
Murray Crane
mcrane at longbridge.com
Mon Dec 17 08:06:01 PST 2001
On Mon, 17 Dec 2001 13:12:07, I wrote:
>Well, running a 'diff' against the two copies of this that we have quarantined so far I would suggest that the base64 encoded attachments are identical, certainly for the two
>examples I have gotten. It may be possible to fashion a local rule based on that base64 encoding, which I have seen done for another virus (hybris).
>
>A thought, surely. I'd be happy to pool quarantined examples to help move this along.
For those who like a quick fix, here's a recipe I threw together that correctly blocks the two examples I have in our quarantine. YMMV, as always.
If anyone has further examples to test against this, I'd be grateful.
Kind regards
Murray Crane
Network Systems Administrator
Longbridge International Plc
===LOCAL.PROCMAIL RECIPE FOLLOWS===
# Trap Goker? (Signature as of 2001-12-17)
#
# Outer recipe: only messages between 20000 and 30000 bytes in total
# that are multipart/mixed are examined further.
:0
* > 20000
* < 30000
* ^Content-Type: multipart/mixed;
{
# Inner recipe flags: B = match conditions against the body; h = pipe only
# the header to formail; f = use formail as a filter (its output replaces
# the header); i = ignore write errors on the pipe.
# The first condition is the base64 encoding of an MZ (DOS/PE executable)
# header at the start of a body line; the other two are fragments of the
# base64 attachment that were identical in both quarantined samples.
:0 B hfi
* ^TVqQAAMAAAAEAAAA
* ^EEBIC15ZwxU4uJId22TbT3yB7KQPAG6
* ^h3d4ZUVIh2drW2uwe0v8iBOmeNjo
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
-A "X-Content-Security: [$HOST] QUARANTINE" \
-A "X-Content-Security: [$HOST] REPORT: Trapped Gokar worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.a@mm.html"
}
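To check what the recipe above actually matches before deploying it, here is an added Python example (not part of Murray's post) that mirrors its logic: the total-size window, the multipart/mixed header, and the three base64 fragments anchored at the start of a body line, the way procmail's `^` behaves in a `B` condition. The sample message it builds is constructed for the test and is not a real worm sample; it only contains the signature strings quoted in the recipe.

```python
import base64
import re

# Signature values copied from the procmail recipe in the post above.
SIG_LINES = (
    "TVqQAAMAAAAEAAAA",                  # base64 of an MZ executable header
    "EEBIC15ZwxU4uJId22TbT3yB7KQPAG6",
    "h3d4ZUVIh2drW2uwe0v8iBOmeNjo",
)
MIN_SIZE, MAX_SIZE = 20000, 30000       # the recipe's "* > 20000" / "* < 30000"


def decoded_prefix_is_mz(line: str) -> bool:
    """True when the first base64 quantum of the line decodes to 'MZ'."""
    # Four base64 characters decode to three bytes; "TVqQ" -> b"MZ\x90".
    return base64.b64decode(line[:4])[:2] == b"MZ"


def matches_gokar_recipe(message: bytes) -> bool:
    """Mirror the recipe: size window, multipart/mixed header, and all three
    base64 signature lines present at the start of some body line."""
    if not (MIN_SIZE < len(message) < MAX_SIZE):
        return False
    head, sep, body = message.partition(b"\n\n")   # header / body split
    if not sep:
        return False
    # procmail's ^ matches at the start of any header line, hence re.M
    if not re.search(rb"^Content-Type: multipart/mixed;", head, re.M):
        return False
    return all(re.search(rb"(?m)^" + re.escape(s.encode()), body)
               for s in SIG_LINES)


def build_sample(include_signature: bool) -> bytes:
    """Constructed test message (not a real sample), padded into the window."""
    header = (b"From: sender@example.invalid\n"
              b"Content-Type: multipart/mixed; boundary=\"b\"\n\n")
    body_lines = [b"--b", b"Content-Transfer-Encoding: base64", b""]
    if include_signature:
        body_lines += [s.encode() + b"AAAA" for s in SIG_LINES]
    body = b"\n".join(body_lines) + b"\n"
    # pad with harmless base64 so the total lands near 22000 bytes
    padding = b"QUJD" * ((MIN_SIZE + 2000 - len(header) - len(body)) // 4)
    return header + body + padding
```

A truncated or oversized copy of the same message falls outside the size window and is not trapped, which is the recipe's main false-negative risk if a later variant changes the attachment size.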