[Esd-l] URG: Preliminary NovArg worm local-rule

John D. Hardin jhardin at impsec.org
Mon Jan 26 16:33:18 PST 2004


This has been added to the recommended local rules file. Comments
solicited.

                                                                                                                                         
#
# Trap NovArg
# Signature as of 01/26/2004
#
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
{
        :0 B hfi
        * ^Content-Type: text/plain; charset="Windows-1252"
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
        * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
        | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}
                                                                                                                                         



--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   68 days until the Slovakian Presidential Election
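
Added example, not part of the original message: a Python approximation of the recipe's conditions, for checking the size window and the attachment-name patterns against test mail before deploying the rule. The function names and the sample message layout are constructed for illustration; procmail's `$` is translated to `\n` and its default case-insensitive matching to `re.I`.

```python
import re

FLAGS = re.I | re.M  # procmail matches case-insensitively; ^ anchors at each line
NAMES = (r'name *= *"?(document|readme|doc|text|file|data|test|message|body)'
         r'[0-9]*\.zip"?')
OUTER = re.compile(r'^Content-Type:.*multipart/mixed;', FLAGS)
# Unweighted body conditions: every one must match.
BODY_ALL = [re.compile(p, FLAGS) for p in (
    r'^Content-Type: text/plain; charset="Windows-1252"',
    r'^Content-Disposition: attachment;',
    r'^Content-Transfer-Encoding: base64',
)]
# The two 9876543210^1 conditions: one hit is enough for a positive score.
BODY_ANY = [re.compile(p, FLAGS) for p in (
    r'^Content-(Type|Disposition):.*' + NAMES,      # name= on the header line
    r'^Content-(Type|Disposition):.*\n.*' + NAMES,  # name= on the folded line
)]

def novarg_rule_matches(raw: bytes) -> bool:
    """Return True if the message would be tagged by the recipe above."""
    if not 10000 < len(raw) < 50000:        # "* > 10000" and "* < 50000"
        return False
    text = raw.decode('latin-1').replace('\r\n', '\n')
    header, _, body = text.partition('\n\n')
    if not OUTER.search(header):
        return False
    if not all(p.search(body) for p in BODY_ALL):
        return False
    return any(p.search(body) for p in BODY_ANY)

def build_sample(filename: str, folded: bool = False, pad_lines: int = 300) -> bytes:
    """Constructed test message; the attachment body is harmless filler."""
    sep = ';\n\t' if folded else '; '
    filler = ('QUFB' * 19 + '\n') * pad_lines   # 77 bytes per line
    msg = (
        'From: a@example.org\nTo: b@example.org\nSubject: test\n'
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain; charset="Windows-1252"\n\nhello\n\n'
        '--b1\nContent-Type: application/octet-stream' + sep
        + f'name="{filename}"\n'
        'Content-Transfer-Encoding: base64\n'
        'Content-Disposition: attachment' + sep + f'filename="{filename}"\n\n'
        + filler + '--b1--\n'
    )
    return msg.encode('latin-1')
```

Messages outside the 10000 to 50000 byte window, or carrying a .zip name not on the list, are not tagged, which is the behaviour to confirm against legitimate mail with similarly named attachments.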


