[Esd-l] Re: [Esa-l] ALERT: new .ZIP worm uses multiple obfuscation layers

John D. Hardin jhardin at impsec.org
Tue Mar 16 15:15:34 PST 2004


> John D. Hardin wrote:
> > 
> > You may want to add "*.html?" and "*.eml" and "*.msg" to your zipfile
> > poison list.

D'oh.

the filespec "*.html?" won't work in the poisoned list due to the
bastardized RE/fileglob syntax it uses...

You'll have to add two lines:

	*.htm
	*.html

I've fixed the sample file available via the website.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   18 days until the Slovakian Presidential Election


More information about the esd-l mailing list