[Esd-l] SWEN identifier: TO/FROM/SUBJECT

John D. Hardin jhardin at impsec.org
Wed Sep 24 05:51:57 PDT 2003


On Wed, 24 Sep 2003, Scott Taylor wrote:

> On Tue, 23 Sep 2003, John Downing wrote:
> 
> > 
> > The uppercase TO/FROM/SUBJECT headers are NOT an "if and only if" marker 
> > for the swen worm. I have quarantined email with swen attachments that have 
> > both normal and all uppercase headers.
> 
> Same here.  However, the attachment always starts with "TVqQAAMAAAAEAAAA".

Standard Windows Executable first few bytes.

> Although, I fail to see what difference it makes as John's Sanitizer rules 
> pick it up every time.

Yeah, but it'd be nice to have a local rule so that we can selectively
DISCARD NONOTIFY and stop being hounded by the alerts...

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   43 days until Matrix Revolutions
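A local check of the kind discussed in this thread, added here as an example (it is not from the original post nor part of the Email Sanitizer): it decodes the quoted base64 prefix to show it is the start of an "MZ" executable header, flags MIME parts whose decoded payload begins with that magic, and treats all-uppercase TO/FROM/SUBJECT header names only as a secondary signal, since the thread notes they are not present on every sample. The sample message is constructed.

```python
import base64
import email
from email import policy

# Base64 prefix quoted in the thread; it decodes to the first 12 bytes of a DOS/PE "MZ" header.
SWEN_B64_PREFIX = "TVqQAAMAAAAEAAAA"
MZ_MAGIC = b"MZ"

# Constructed sample message (not a real Swen capture): one text part and one
# base64 attachment whose body begins with the prefix from the thread.
SAMPLE_MSG = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""


def decode_prefix(b64: str) -> bytes:
    """Decode a base64 fragment (16 chars of the attachment body -> 12 raw bytes)."""
    return base64.b64decode(b64)


def executable_attachments(raw: str) -> list:
    """Return filenames of MIME parts whose decoded payload starts with the MZ magic."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        if payload and payload.startswith(MZ_MAGIC):
            hits.append(part.get_filename() or "(unnamed)")
    return hits


def has_uppercase_headers(raw: str) -> bool:
    """Secondary signal only: header names written exactly as TO / FROM / SUBJECT."""
    msg = email.message_from_string(raw, policy=policy.default)
    return any(name in ("TO", "FROM", "SUBJECT") for name in msg.keys())
```

On the constructed message, `executable_attachments` reports `update.exe` while `has_uppercase_headers` stays False, which is exactly the case the thread warns about: the attachment content is the reliable marker, the header casing is not.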