This is a discussion on Re: Warning Worm/MyDoom.A1 spreading very fast! within the mailing.postfix.users forums, part of the Mail Servers and Related category.
Ralf Hildebrandt wrote:
> * Michael 'Moose' Dinn <dinn@blend.twistedpair.ca>:
>
>> I'm using this:
>>
>> /filename="(document|readme|doc|text|file|data|test|message|body).(pif|scr|exe|cmd|bat|zip)"/ REJECT
>> infected with W32.MyDoom.A
>
> Must of course be:
>
> /filename="?(document|readme|doc|text|file|data|test|message|body)\.(pif|scr|exe|cmd|bat|zip)"?/
> REJECT infected with W32.MyDoom.A

Is it always filename= ?

I played it safe and used the following (nb: this is in pcre format):

/\b(?:file)?name\s*=\s*"?(?:body|data|doc(?:ument)?|file|message|readme|te[sx]t)\.zip\b/ REJECT Suspected W32.MyDoom.A/W32.Novarg.A@mm worm in zip attachment

I'm already blocking the other extensions earlier on, so I wasn't worried about them.

During the last virus outbreak delivered in .zip files, I had the following rule active:

/\b(file)?name\s*=\s*"?[^.]+\.zip\b/ HOLD zip hold

It's usually commented out, but I reactivated it this morning.

What I was really hoping for though when I asked for a recipe was that someone had found a reliable character string for a body check that would allow the message to be discarded. IIRC, it was Victor Duchovni who cooked up a regexp for safely discarding Sven; I was wondering if anyone had anything for MyDoom. Right now I'm just spamming innocent victims with REJECT.

David

--
Commercial OS breeds commerce, whereas free OS breeds freedom, the only thing more dangerous and confusing than commerce.
-- Michael R. Jinks, redhat-list, circa 1997
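To see what the rules quoted in this thread actually match (quoted vs. unquoted values, `name=` vs. `filename=`, and the unescaped dot in the original rule), here is an added Python example, not from the thread or from Postfix, that runs the four patterns over a few constructed header lines. It assumes Python's `re` is an adequate stand-in for PCRE for these patterns and compiles them case-insensitively, as Postfix pcre tables match by default.

```python
import re

# The four header_checks rules from the thread as (pcre pattern, action).
# Postfix pcre tables match case-insensitively unless the 'i' flag is toggled,
# so re.IGNORECASE reproduces that default here (assumption: re ~ PCRE for these).
RULES = [
    # Michael's original: quotes mandatory, unescaped '.' matches any character.
    (r'filename="(document|readme|doc|text|file|data|test|message|body)'
     r'.(pif|scr|exe|cmd|bat|zip)"', "REJECT infected with W32.MyDoom.A (original)"),
    # Ralf's correction: quotes optional, dot escaped.
    (r'filename="?(document|readme|doc|text|file|data|test|message|body)'
     r'\.(pif|scr|exe|cmd|bat|zip)"?', "REJECT infected with W32.MyDoom.A (corrected)"),
    # David's rule: matches name= (Content-Type) as well as filename= (Content-Disposition).
    (r'\b(?:file)?name\s*=\s*"?(?:body|data|doc(?:ument)?|file|message|readme|te[sx]t)\.zip\b',
     "REJECT Suspected W32.MyDoom.A/W32.Novarg.A@mm worm in zip attachment"),
    # David's catch-all for any .zip attachment.
    (r'\b(file)?name\s*=\s*"?[^.]+\.zip\b', "HOLD zip hold"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), action) for p, action in RULES]

def matching_rules(header_line):
    """Indices of every rule that matches the header line (to compare rule coverage)."""
    return [i for i, (rx, _) in enumerate(COMPILED) if rx.search(header_line)]

def first_action(header_line):
    """Action of the first matching rule, as Postfix applies header_checks; None if none match."""
    for rx, action in COMPILED:
        if rx.search(header_line):
            return action
    return None

# Constructed sample header lines (not taken from the thread).
SAMPLES = [
    'Content-Disposition: attachment; filename="document.zip"',    # all four rules
    'Content-Disposition: attachment; filename=document.zip',      # unquoted: original rule misses it
    'Content-Type: application/octet-stream; name=readme.zip',     # name= only: David's rules
    'Content-Type: application/x-zip-compressed; name="Text.zip"',  # case-insensitive te[sx]t
    'Content-Disposition: attachment; filename="message.pif"',     # non-zip extension
    'Content-Disposition: attachment; filename="report.zip"',      # only the zip hold
    'Content-Disposition: attachment; filename="data_zip"',        # unescaped dot false positive
    'Content-Disposition: attachment; filename="readme.txt"',      # nothing matches
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{matching_rules(line)!s:14} {first_action(line)!s:70} {line}")
```

Postfix applies header_checks to the unfolded logical header line, so a folded `Content-Disposition:` is still seen as one line by these patterns.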