[Esd-l] Revised SoBig-F local rule
John D. Hardin
jhardin at impsec.org
Thu Aug 21 09:58:51 PDT 2003
On Thu, 21 Aug 2003, Peter Warasin wrote:
> attention. i think this new rule is not correct.
> as you see in
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
> the new variant does not have .zip files anymore. the attachments are
> .pif or .scr files.
*blink* {reads it again} Dammit, I did misread the writeup.
This rule is an extension of the previous rule. It should still detect
the old .zip variant. I'll switch the sample local-rules back, since
this is essentially a pointless change.
Thanks. My only excuse is things have been a bit hectic.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
72 days until Matrix Revolutions